Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1583478
MD5:	7274b0b15c4e6d5bbe8db5aa93c65a12
SHA1:	643418b70ee7242fb4cf797e54ec78c910d32824
SHA256:	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435
Tags:	exeuser-jstrosch
Infos:

Detection

XRed

Score:	74
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XRed

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Drops PE files to the document folder of the user

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

file.exe (PID: 7868 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7274B0B15C4E6D5BBE8DB5AA93C65A12)

._cache_file.exe (PID: 7980 cmdline: "C:\Users\user\Desktop\._cache_file.exe" MD5: DE34B1C517E0463602624BBC8294C08D)

._cache_file.exe (PID: 8028 cmdline: "C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=524 -burn.filehandle.self=640 MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)

VC_redist.x86.exe (PID: 6632 cmdline: "C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4ECB3904-0384-4F60-9326-256C504267D7} {993172C8-4368-4578-BD0A-D6EA507F91CB} 8028 MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)

Synaptics.exe (PID: 8096 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: B753207B14C635F29B2ABF64F603570A)

WerFault.exe (PID: 5616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 4648 MD5: C31336C1EFC2CCB44B4326EA793040F2)

EXCEL.EXE (PID: 8140 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

Synaptics.exe (PID: 1900 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: B753207B14C635F29B2ABF64F603570A)

SrTasks.exe (PID: 6008 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)

conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 4196 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

VC_redist.x86.exe (PID: 4868 cmdline: "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)

VC_redist.x86.exe (PID: 6412 cmdline: "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)

VC_redist.x86.exe (PID: 4496 cmdline: "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540 MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)

cleanup

Malware Configuration

Threatname: XRed

{"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
file.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\Synaptics\RCXDAD4.tmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\RCXDAD4.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\Documents\~$cache1	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\Users\user\Documents\~$cache1	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000008.00000003.1391518292.000000000072F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
00000004.00000000.1279132261.0000000000401000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
00000004.00000000.1279132261.0000000000401000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: file.exe PID: 7868	JoeSecurity_XRed	Yara detected XRed	Joe Security
Process Memory Space: Synaptics.exe PID: 8096	JoeSecurity_XRed	Yara detected XRed	Joe Security

Sigma Signatures

System Summary

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7868, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 8096, TargetFilename: C:\Users\user\AppData\Local\Temp\o8MxWXV6.xlsm

Suricata Signatures

ET MALWARE Snake Keylogger Payload Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:29:49.306824+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49766	172.217.18.14	443	TCP
2025-01-02T20:29:49.335267+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49767	172.217.18.14	443	TCP
2025-01-02T20:29:50.362124+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49781	172.217.18.14	443	TCP
2025-01-02T20:29:50.433921+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49778	172.217.18.14	443	TCP
2025-01-02T20:29:51.425915+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49789	172.217.18.14	443	TCP
2025-01-02T20:29:51.514259+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49793	172.217.18.14	443	TCP
2025-01-02T20:29:53.390542+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49801	172.217.18.14	443	TCP
2025-01-02T20:30:00.471957+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49831	172.217.18.14	443	TCP
2025-01-02T20:30:00.480979+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49829	172.217.18.14	443	TCP
2025-01-02T20:30:01.615907+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49845	172.217.18.14	443	TCP
2025-01-02T20:30:01.708048+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49844	172.217.18.14	443	TCP
2025-01-02T20:30:02.641788+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49853	172.217.18.14	443	TCP
2025-01-02T20:30:02.740833+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49856	172.217.18.14	443	TCP
2025-01-02T20:30:03.978908+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49865	172.217.18.14	443	TCP
2025-01-02T20:30:03.989273+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49863	172.217.18.14	443	TCP
2025-01-02T20:30:05.175798+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49884	172.217.18.14	443	TCP
2025-01-02T20:30:05.176404+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49883	172.217.18.14	443	TCP
2025-01-02T20:30:06.278855+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49890	172.217.18.14	443	TCP
2025-01-02T20:30:06.286346+0100	2044887	1	A Network Trojan was detected	192.168.2.10	49891	172.217.18.14	443	TCP

ETPRO MALWARE W32.Bloat-A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:29:49.704664+0100	2832617	1	Malware Command and Control Activity Detected	192.168.2.10	49776	69.42.215.252	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe	Avira: detected
Source: file.exe	Avira: detected

Antivirus detection for URL or domain

Source: http://xred.site50.net/syn/SUpdate.iniZ	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/Synaptics.rarZ	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SUpdate.iniH)	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SSLLibrary.dlp	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SSLLibrary.dll6	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: WORM/Delphi.Gen
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\RCXDAD4.tmp	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCXDAD4.tmp	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Documents\~$cache1	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\~$cache1	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006

Found malware configuration

Source: file.exe

Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Synaptics\RCXDAD4.tmp	ReversingLabs: Detection: 91%
Source: C:\ProgramData\Synaptics\Synaptics.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\Documents\~$cache1	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 90.2% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\RCXDAD4.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\~$cache1	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_00FF9EB7 DecryptFileW,	6_2_00FF9EB7
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0101F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	6_2_0101F961
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_00FF9C99 DecryptFileW,DecryptFileW,	6_2_00FF9C99
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_00199EB7 DecryptFileW,	7_2_00199EB7
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001BF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	7_2_001BF961
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_00199C99 DecryptFileW,DecryptFileW,	7_2_00199C99
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007FF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	12_2_007FF961
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007D9C99 DecryptFileW,DecryptFileW,	12_2_007D9C99
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007D9EB7 DecryptFileW,	12_2_007D9EB7
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A0F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	25_2_00A0F961
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009E9C99 DecryptFileW,DecryptFileW,	25_2_009E9C99
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009E9EB7 DecryptFileW,	25_2_009E9EB7

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe

Window detected: MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL C++ 2019 RUNTIME These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software except to the extent those have different terms.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE RIGHTS BELOW.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software.TERMS FOR SPECIFIC COMPONENTS.Microsoft Platforms. The software may include components from Microsoft Windows; Microsoft Windows Server; Microsoft SQL Server; Microsoft Exchange; Microsoft Office; and Microsoft SharePoint. These components are governed by separate agreements and their own product support policies as described in the Microsoft Licenses folder accompanying the software except that if license terms for those components are also included in the associated installation directory those license terms control.Third Party Components. The software may include third party components with separate legal notices or governed by other agreements as may be described in the ThirdPartyNotices file(s) accompanying the software. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notwork around any technical limitations in the software;reverse engineer decompile or disassemble the software or otherwise attempt to derive the source code for the software except and only to the extent required by third party licensing terms governing the use of certain open source components that may be included in the software;remove minimize block or modify any notices of Microsoft or its suppliers in the software; use the software in any way that is against the law; orshare publish rent or lease the software or provide the software as a stand-alone offering for others to use or transfer the software or this agreement to any third party.EXPORT RESTRICTIONS. You must comply with all domestic and international export laws and regulations that apply to the software which include restrictions on destinations end users and end use. For further information on export restrictions visit www.microsoft.com/exporting <http://www.microsoft.com/exporting>. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.APPLICABLE LAW. If you acquired the software in the United States Washing

Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone

Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1028\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1029\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1031\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1036\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1040\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1041\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1042\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1045\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1046\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1049\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1055\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\2052\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\3082\license.rtf	Jump to behavior
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\3082\license.rtf

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.10:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.10:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.10:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49883 version: TLS 1.2

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: file.exe, Synaptics.exe.4.dr, ._cache_file.exe.6.dr, VC_redist.x86.exe.12.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFCM140.i386.pdb source: mfcm140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdb source: vcamp140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdbGCTL source: msvcp140_1.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdbGCTL source: vcamp140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdb source: msvcp140_1.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: vcruntime140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb source: mfc140enu.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdbGCTL source: msvcp140_2.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140JPN.i386.pdb source: mfc140jpn.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdb source: mfc140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdb source: msvcp140_2.dll.21.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: ._cache_file.exe, 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmp, VC_redist.x86.exe, 0000001B.00000002.2553590168.0000000062D9F000.00000002.00000001.01000000.00000014.sdmp, wixstdba.dll.27.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140RUS.i386.pdb source: mfc140rus.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdbGCTL source: mfc140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHT.i386.pdb source: mfc140cht.dll.21.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixDepCA.pdb source: 4539f1.msi.21.dr, 4539ec.msi.21.dr, 4539f8.msi.21.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140.dll

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: file.exe, 00000004.00000000.1279132261.0000000000401000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: [autorun]
Source: file.exe, 00000004.00000000.1279132261.0000000000401000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: [autorun]
Source: file.exe, 00000004.00000000.1279132261.0000000000401000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000008.00000003.1391518292.000000000072F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000008.00000003.1391518292.000000000072F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000008.00000003.1391518292.000000000072F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: file.exe	Binary or memory string: [autorun]
Source: file.exe	Binary or memory string: [autorun]
Source: file.exe	Binary or memory string: autorun.inf
Source: Synaptics.exe.4.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.4.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.4.dr	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_01024315 FindFirstFileW,FindClose,	6_2_01024315
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_00FF993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	6_2_00FF993E
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_00FE3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_00FE3BC3
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_01017A87 FindFirstFileExW,	6_2_01017A87
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001C4315 FindFirstFileW,FindClose,	7_2_001C4315
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_0019993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	7_2_0019993E
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_00183BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	7_2_00183BC3
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001B7A87 FindFirstFileExW,	7_2_001B7A87
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFA65CB FindFirstFileW,FindClose,	7_2_6CFA65CB
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFB6C8C FindFirstFileExA,	7_2_6CFB6C8C
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_00804315 FindFirstFileW,FindClose,	12_2_00804315
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007D993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	12_2_007D993E
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007C3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	12_2_007C3BC3
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007F7A87 FindFirstFileExW,	12_2_007F7A87
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A14315 FindFirstFileW,FindClose,	25_2_00A14315
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009E993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	25_2_009E993E
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A07A87 FindFirstFileExW,	25_2_00A07A87
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009D3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	25_2_009D3BC3
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D865CB FindFirstFileW,FindClose,	27_2_62D865CB
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D96C8C FindFirstFileExA,	27_2_62D96C8C

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: excel.exe

Memory has grown: Private usage: 2MB later: 69MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2832617 - Severity 1 - ETPRO MALWARE W32.Bloat-A Checkin : 192.168.2.10:49776 -> 69.42.215.252:80
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49766 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49793 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49778 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49801 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49781 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49789 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49829 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49831 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49845 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49856 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49883 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49865 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49884 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49891 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49844 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49853 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49890 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49767 -> 172.217.18.14:443
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.10:49863 -> 172.217.18.14:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xred.mooo.com

Uses dynamic DNS services

Source: unknown

DNS query: name: freedns.afraid.org

Source: Joe Sandbox View

IP Address: 69.42.215.252 69.42.215.252

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=FEdR7hJeWEf_mlWh8-hQ3QoGW_gT6l5dMMGxuI93At7n_hF_OWmLE3DjR5Bq5_qHo4Detsrdh6bt_pxK2LWTHgc9AvG3q0mQt068lhR2R5tIQ37SuRR0gpYynU27Wh5DFQOniutESzZ46wjeAGY24QGk5Wj2-ANbh0505g9eTQGxado5H9MM7s7R
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
Source: global traffic	HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache

Source: Synaptics.exe, 00000008.00000003.1460850513.0000000005341000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.goo.glgogoogle-analytics.comleopti*.google-analytics.comicgoogle.comk-googlecommerce.comdo*.googlecommerce.comclick.ggpht.cnick.cn*.ggpht.cndaurchin.comts*.urchin.comadservyoutu.begletrayoutube.com*.youtube.comoglemusic.youtube.com-cn.*.music.youtube.comyoutubeeducation.comom equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: docs.google.com
Source: global traffic	DNS traffic detected: DNS query: xred.mooo.com
Source: global traffic	DNS traffic detected: DNS query: freedns.afraid.org
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5z3MzBh5CWJSMLaAc9xokVJiTAw5H0WY3EddfanXTXr5sNKfEKh2WaXAhLjfdU2ATOpN8goxMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:29:50 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-Q3o1z4Lx_YgEHGtF541ccA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerSet-Cookie: NID=520=FEdR7hJeWEf_mlWh8-hQ3QoGW_gT6l5dMMGxuI93At7n_hF_OWmLE3DjR5Bq5_qHo4Detsrdh6bt_pxK2LWTHgc9AvG3q0mQt068lhR2R5tIQ37SuRR0gpYynU27Wh5DFQOniutESzZ46wjeAGY24QGk5Wj2-ANbh0505g9eTQGxado5H9MM7s7R; expires=Fri, 04-Jul-2025 19:29:50 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC62-1eB0PLgNeRGX-JqtIyl8KWAjKwYiys_29SnVwbyKHKD5PXhyuHwZBjlRKpSyczAContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:29:50 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-t1O_kD5fhuvNTTuEH-Kd2A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=W0NoFjodce_TP5kLdFP2TorZ_xPldMvGtI6v-4Xj1uULVyvhjW1o9Rgya6510DA_moY1CTOLJsYcmDZZjlmiyagMreVED0ScauI8Pm8-tFuLvQDYNOPgiY42l2zgWoAfSjWIOAq4ttuOKG-aAiVHqlk6REnnB8ITx_6bqWd7hzSbPWN26HfSlA; expires=Fri, 04-Jul-2025 19:29:50 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7i3HEV__66WFH2TXjQeTECZAAUPyTn_6YCyDtJ6O9zlTXYPQJV9zG-fD2mEz00sxlTD3I4AQAContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:29:51 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-KhcuNQeLkVMs_LJqYVXvxg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerSet-Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE; expires=Fri, 04-Jul-2025 19:29:51 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5WRDgvVAeysjwUl8o153bg0cCeEQhbXb7BSOGCqTTMdsCbyfnHbt7yB47BJUNPcKLfContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:29:51 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-3urO1pCo_O9CaBn5wVQfpg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6_N0ucWUFF4uVsMo2Vbd-K6yZU_-HJQnZWNGrHg2tqfETSXegJa_ue_IZdEGGHRo72Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:29:52 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-mIujOZZrnIfMSkH2dTPB5A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7k3ISV26NGOMzZfaO5XLArsuRHx7JUYDfNDJK4v3o_ZFUoEurK9kD46QaiKTgBx_v7thTN-tMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:30:00 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-a9LHHoENweacfcHh6YrALQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC73zjhDeWwPA4ajUnY8rysrCC45TOjO9kc22zPJdTPrtAVQo5atuEhqQYMUxv9t4aTDMBG2m0QContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:30:01 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-pG6KhWSSlz4b0SVEf6YzXw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5LiTzd0r65wWfWlA26kA7Qy7sO70Pq4Ix1priYdYaYTdxAgy7CRuqy9QjB8oEpq6zqjond02cContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:30:01 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-LymfkKsPGnDmELP8D17P9A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7C8Sd_cEBrqaNfAnUR-gYOakNUcpxUi1WxPyphulCQ53EgRIbZL4wVUtQNKuw8b35JContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:30:02 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-k5PoTSE2JCOYuTJECo7jOw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5YgYg4w6BhFSsEd4emI5A65sPvT5kUaWtS_ieW38qxB13EmrQMSnxgBTlwaiifqJxHContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:30:02 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-2Tn4WwwHQS0RNMykTQCv7g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7T5bTv7cCwltxlfqkOEcynkp_KOhiAlINZCv6Nz9UJ09pPx5jlI7UsegoXa1OkdEEZx_ewvKcContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:30:03 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-GZ2oOZ7Y-xuntvOOZroKQw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC69RmWrtoKef6vbsINxgHQqBy48wC9KM2xJJttsrKA401qtYpUDL5UdPfuuE6nAt8jAContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:30:03 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-y-wEnPMHmN02qdZAqBja9Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5R1A6ZX40XkrpOLCSSt1tSsC3gHmh1vGXZy7T3hMgEo9Qhf88kX8PZGVLZMzMoEq9mlb_mjp8Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:30:04 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-UgtSo80X_hr2UziUyzKRcw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6yD2hULohi2_7AS9PS3FmbPpUfhD92lEOdfLGE9Cv-FBJhr7uoH3AIvUtX9AFSjLJC4ppzh6AContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:30:05 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-oWJAM_Rj5IWL-AJu3FIeTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC618Y811ZSL2hfCywhXQJLPA20a0uXv0kCEYfCBLy0tsnnqGakhzosH0__dAkZ2U-RncQNv-RYContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:30:06 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-KNXB0pZQu8YjhkLyqEhVhw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7V6-137Ol39RqklA_2Yzr3csLh4Un-qYpS7UIaSg0nxrLb_7O7BFuSt630X08AWPQSContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:30:06 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-aySToUy_UmdaFCTU0YuiCg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: VC_redist.x86.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: file.exe, Synaptics.exe.4.dr, ._cache_file.exe.6.dr, VC_redist.x86.exe.12.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: Synaptics.exe.4.dr	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: Synaptics.exe, 00000008.00000002.1696159678.00000000006FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978Z-%K
Source: Synaptics.exe, 00000008.00000002.1696159678.00000000006FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978n.
Source: Amcache.hve.24.dr	String found in binary or memory: http://upx.sf.net
Source: VC_redist.x86.exe, 0000001B.00000002.2550969012.0000000003450000.00000004.00000800.00020000.00000000.sdmp, VC_redist.x86.exe, 0000001B.00000002.2549138233.0000000003260000.00000004.00000020.00020000.00000000.sdmp, thm.xml.27.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: Synaptics.exe.4.dr	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dlp
Source: Synaptics.exe.4.dr	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniH)
Source: Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: Synaptics.exe.4.dr	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: Synaptics.exe, 00000008.00000002.1696159678.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1460850513.0000000005341000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/.
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/4erV
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/4se
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/=
Source: Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/C/
Source: Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/user
Source: Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/google.com/
Source: Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/s
Source: Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/s/
Source: Synaptics.exe, 00000008.00000002.1721967988.000000000BE7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1717608050.000000000877E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0;
Source: file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: Synaptics.exe.4.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: Synaptics.exe.4.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download##
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$X
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&C
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(#
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)i
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-.
Source: Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-cn.n
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-servE(
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download...
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.c
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.com./
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.gl
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.net.
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.origU
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.tr
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.you
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0n
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
Source: Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
Source: Synaptics.exe, 00000008.00000002.1696159678.00000000007B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4R
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4Y
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5#
Source: Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6;
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6DPK
Source: Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7q
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.0000000006F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8X
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9jUH
Source: Synaptics.exe, 00000008.00000003.1460823177.0000000005399000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:CTH
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=iII
Source: Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAPPKB
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAi
Source: Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.0000000006F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadB
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadBB
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadBZ
Source: Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadBg
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC:
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadEh
Source: Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadFA
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadH
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadInjec#6
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1492563429.000000000530A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ;
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJi
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadKc
Source: Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadLY
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadMH
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadND
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadNVWZA
Source: Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.0000000006F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadO
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadOZ
Source: Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadOg
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPPKBKqJN
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPX
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPq
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQj
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQn=J
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQw
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadR
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadRC
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSKMH
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.0000000006F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadT
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUS1
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUi
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUserj6
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV#
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVB
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVFAGE
Source: Synaptics.exe, 00000008.00000003.1492563429.000000000530A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.0000000007013000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadW
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadW;
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadX
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadY
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZ
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_(
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloada
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadaNe
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadce-
Source: Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcg
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadco
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcom
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcr
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadctin
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd1
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddW
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddY
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddq
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade.
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade;padding-right:0
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadek
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaden
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadenetXp
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadetle
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadfD
Source: Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg.
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgleco
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhX
Source: Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhg
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadid.cK
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadiyor.
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadiyor.gp
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjC
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk;
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadl
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadleni%p.K.&
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadlleme
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.00000000007B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadme
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmeas
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmi
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn.com
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnB
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnd-px(
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadndic
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadne.cn
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadniyo
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadogle
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadogleq
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadom
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadonY
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadonten
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoo.co
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoogle
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoogle:
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp;
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadqh
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadqq
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrA
Source: Synaptics.exe, 00000008.00000003.1492563429.000000000530A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrm=
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrn
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrs
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrvice
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloads
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadsers
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt:
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadting
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtleni
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadts
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtua
Source: Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu
Source: Synaptics.exe, 00000008.00000003.1492563429.000000000530A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadua-fu
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaducati
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaducati7
Source: Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadug
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadw~
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadx
Source: Synaptics.exe, 00000008.00000002.1702352378.000000000535E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadx&7
Source: Synaptics.exe, 00000008.00000002.1696159678.00000000006FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadx0
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadxY
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005337000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadyor.TZ
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000793000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadz
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadzD
Source: Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~C
Source: file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: ~DF9BFAACEE61987A0E.TMP.9.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.0000000006FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1715180518.000000000709D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1702352378.0000000005312000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVTE
Source: Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
Source: Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk
Source: Synaptics.exe, 00000008.00000002.1696159678.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadl
Source: Synaptics.exe, 00000008.00000002.1702352378.0000000005324000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadwX2
Source: Synaptics.exe, 00000008.00000002.1711758194.0000000006FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/ev
Source: Synaptics.exe.4.dr	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=8
Source: file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl
Source: Synaptics.exe.4.dr	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: ~DF9BFAACEE61987A0E.TMP.9.dr	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:

Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.10:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.10:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.10:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.10:49883 version: TLS 1.2

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: o8MxWXV6.xlsm.8.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write
Source: NVWZAPQSQL.xlsm.8.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: o8MxWXV6.xlsm.8.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: NVWZAPQSQL.xlsm.8.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: o8MxWXV6.xlsm.8.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ
Source: NVWZAPQSQL.xlsm.8.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4539ec.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4064.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4539f0.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4539f0.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4539f1.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{0FA68574-690B-4B00-89AA-B28946231449}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4C5C.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4539f8.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4539f8.msi

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\4539f0.msi

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_00FE6184	6_2_00FE6184
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0100C0FA	6_2_0100C0FA
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0101A3B0	6_2_0101A3B0
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0101022D	6_2_0101022D
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_00FEA7EF	6_2_00FEA7EF
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_01010662	6_2_01010662
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0100F919	6_2_0100F919
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_00FF69CC	6_2_00FF69CC
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0101A85E	6_2_0101A85E
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_01012B21	6_2_01012B21
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_01010A97	6_2_01010A97
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0101ED4C	6_2_0101ED4C
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_01012D50	6_2_01012D50
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0100FE15	6_2_0100FE15
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001969CC	7_2_001969CC
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001AC0FA	7_2_001AC0FA
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_00186184	7_2_00186184
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001B022D	7_2_001B022D
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001BA3B0	7_2_001BA3B0
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001B0662	7_2_001B0662
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_0018A7EF	7_2_0018A7EF
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001BA85E	7_2_001BA85E
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001AF919	7_2_001AF919
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001B0A97	7_2_001B0A97
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001B2B21	7_2_001B2B21
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001B2D50	7_2_001B2D50
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001BED4C	7_2_001BED4C
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001AFE15	7_2_001AFE15
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFA23E7	7_2_6CFA23E7
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFB1CFF	7_2_6CFB1CFF
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFB8500	7_2_6CFB8500
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFBD628	7_2_6CFBD628
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFB1F2E	7_2_6CFB1F2E
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFB89AE	7_2_6CFB89AE
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007EC0FA	12_2_007EC0FA
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007C6184	12_2_007C6184
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007F022D	12_2_007F022D
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007FA3B0	12_2_007FA3B0
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007F0662	12_2_007F0662
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007CA7EF	12_2_007CA7EF
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007FA85E	12_2_007FA85E
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007EF919	12_2_007EF919
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007D69CC	12_2_007D69CC
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007F0A97	12_2_007F0A97
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007F2B21	12_2_007F2B21
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007F2D50	12_2_007F2D50
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007FED4C	12_2_007FED4C
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007EFE15	12_2_007EFE15
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009FC0FA	25_2_009FC0FA
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009D6184	25_2_009D6184
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A0022D	25_2_00A0022D
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A0A3B0	25_2_00A0A3B0
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A00662	25_2_00A00662
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009DA7EF	25_2_009DA7EF
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A0A85E	25_2_00A0A85E
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009E69CC	25_2_009E69CC
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009FF919	25_2_009FF919
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A00A97	25_2_00A00A97
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A02B21	25_2_00A02B21
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A0ED4C	25_2_00A0ED4C
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A02D50	25_2_00A02D50
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009FFE15	25_2_009FFE15
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D823E7	27_2_62D823E7
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D989AE	27_2_62D989AE
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D9D628	27_2_62D9D628
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D91F2E	27_2_62D91F2E
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D91CFF	27_2_62D91CFF
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D98500	27_2_62D98500

Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: o8MxWXV6.xlsm.8.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: NVWZAPQSQL.xlsm.8.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)

Source: Joe Sandbox View

Dropped File: 4539f4.rbf (copy) 1F9CCCA43EEF25CA44C69648124265944493FC220BCDECDB79AA28C33468B59B

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 010231C7 appears 83 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 00FE1F20 appears 53 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 0102012F appears 682 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 00FE37D3 appears 493 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 0102061A appears 34 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 00A131C7 appears 83 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 009D1F20 appears 53 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 009D37D3 appears 495 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 62D83D10 appears 82 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 00A1012F appears 685 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 62D8D536 appears 38 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 00A1061A appears 34 times
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: String function: 0080061A appears 34 times
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: String function: 0080012F appears 683 times
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: String function: 007C1F20 appears 53 times
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: String function: 008031C7 appears 85 times
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: String function: 007C37D3 appears 492 times
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: String function: 6CFAD536 appears 38 times
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: String function: 001837D3 appears 494 times
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: String function: 6CFA3D10 appears 82 times
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: String function: 001C31C7 appears 83 times
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: String function: 001C061A appears 34 times
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: String function: 001C012F appears 684 times
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: String function: 00181F20 appears 53 times

Source: C:\ProgramData\Synaptics\Synaptics.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 4648

Source: file.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: file.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCXDAD4.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: ~$cache1.8.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: mfc140deu.dll.21.dr	Static PE information: No import functions for PE file found
Source: mfc140rus.dll.21.dr	Static PE information: No import functions for PE file found
Source: mfc140esn.dll.21.dr	Static PE information: No import functions for PE file found
Source: mfc140chs.dll.21.dr	Static PE information: No import functions for PE file found
Source: mfc140fra.dll.21.dr	Static PE information: No import functions for PE file found
Source: mfc140kor.dll.21.dr	Static PE information: No import functions for PE file found
Source: mfc140ita.dll.21.dr	Static PE information: No import functions for PE file found
Source: mfc140enu.dll.21.dr	Static PE information: No import functions for PE file found
Source: mfc140cht.dll.21.dr	Static PE information: No import functions for PE file found
Source: mfc140jpn.dll.21.dr	Static PE information: No import functions for PE file found

Source: file.exe, 00000004.00000003.1316008217.0000000001365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb! vs file.exe
Source: file.exe, 00000004.00000002.1317652632.000000000133B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameEM vs file.exe
Source: file.exe, 00000004.00000000.1279132261.0000000000401000.00000020.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000004.00000003.1316276621.0000000001306000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameEM vs file.exe
Source: file.exe, 00000004.00000003.1316276621.0000000001306000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb! vs file.exe
Source: ._cache_file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: ._cache_file.exe, 00000006.00000000.1292795188.000000000104E000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs file.exe
Source: ._cache_file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: ._cache_file.exe, 00000007.00000002.2543427564.00000000008C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs file.exe
Source: ._cache_file.exe, 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs file.exe
Source: ._cache_file.exe, 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenamewixstdba.dll\ vs file.exe
Source: file.exe	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameb! vs file.exe
Source: ._cache_file.exe.6.dr	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal74.spre.troj.expl.evad.winEXE@20/179@6/3

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_0101FD20 FormatMessageW,GetLastError,LocalFree,

6_2_0101FD20

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_00FE44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	6_2_00FE44E9
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001844E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	7_2_001844E9
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007C44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	12_2_007C44E9
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009D44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	25_2_009D44E9

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_01022F23 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

6_2_01022F23

Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe

Code function: 7_2_6CFACEBD FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError,

7_2_6CFACEBD

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_01006945 ChangeServiceConfigW,GetLastError,

6_2_01006945

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\Desktop\._cache_file.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8096
Source: C:\ProgramData\Synaptics\Synaptics.exe	Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_03

Source: C:\Users\user\Desktop\._cache_file.exe

File created: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\

Jump to behavior

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 00000004.00000000.1279132261.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Synaptics\RCXDAD4.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: cabinet.dll	6_2_00FE1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: msi.dll	6_2_00FE1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: version.dll	6_2_00FE1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: wininet.dll	6_2_00FE1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: comres.dll	6_2_00FE1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: clbcatq.dll	6_2_00FE1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: msasn1.dll	6_2_00FE1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: crypt32.dll	6_2_00FE1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: feclient.dll	6_2_00FE1070
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Command line argument: cabinet.dll	7_2_00181070
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Command line argument: msi.dll	7_2_00181070
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Command line argument: version.dll	7_2_00181070
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Command line argument: wininet.dll	7_2_00181070
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Command line argument: comres.dll	7_2_00181070
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Command line argument: clbcatq.dll	7_2_00181070
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Command line argument: msasn1.dll	7_2_00181070
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Command line argument: crypt32.dll	7_2_00181070
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Command line argument: feclient.dll	7_2_00181070
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Command line argument: cabinet.dll	12_2_007C1070
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Command line argument: msi.dll	12_2_007C1070
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Command line argument: version.dll	12_2_007C1070
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Command line argument: wininet.dll	12_2_007C1070
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Command line argument: comres.dll	12_2_007C1070
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Command line argument: clbcatq.dll	12_2_007C1070
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Command line argument: msasn1.dll	12_2_007C1070
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Command line argument: crypt32.dll	12_2_007C1070
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Command line argument: feclient.dll	12_2_007C1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: cabinet.dll	25_2_009D1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: msi.dll	25_2_009D1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: version.dll	25_2_009D1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: wininet.dll	25_2_009D1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: comres.dll	25_2_009D1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: clbcatq.dll	25_2_009D1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: msasn1.dll	25_2_009D1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: crypt32.dll	25_2_009D1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: feclient.dll	25_2_009D1070

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 4539f1.msi.21.dr, 4539ec.msi.21.dr, 4539f8.msi.21.dr

Binary or memory string: SELECT `WixDependencyProvider`.`WixDependencyProvider`, `WixDependencyProvider`.`Component_`, `WixDependencyProvider`.`ProviderKey`, `WixDependencyProvider`.`Attributes` FROM `WixDependencyProvider`SELECT `WixDependency`.`WixDependency`, `WixDependencyProvider`.`Component_`, `WixDependency`.`ProviderKey`, `WixDependency`.`MinVersion`, `WixDependency`.`MaxVersion`, `WixDependency`.`Attributes` FROM `WixDependencyProvider`, `WixDependency`, `WixDependencyRef` WHERE `WixDependency`.`WixDependency` = `WixDependencyRef`.`WixDependency_` AND `WixDependencyProvider`.`WixDependencyProvider` = `WixDependencyRef`.`WixDependencyProvider_`WixDependencyRequireFailed to initialize.Failed to initialize the registry functions.ALLUSERSFailed to ensure required dependencies for (re)installing components.WixDependencyCheckFailed to ensure absent dependents for uninstalling components.WixDependencySkipping the dependency check since no dependencies are authored.Failed to check if the WixDependency table exists.Failed to initialize the unique dependency string list.Failed to open the query view for dependencies.Failed to get WixDependency.WixDependency.Failed to get WixDependencyProvider.Component_.Skipping dependency check for %ls because the component %ls is not being (re)installed.Failed to get WixDependency.ProviderKey.Failed to get WixDependency.MinVersion.Failed to get WixDependency.MaxVersion.Failed to get WixDependency.Attributes.Failed dependency check for %ls.Failed to enumerate all of the rows in the dependency query view.Failed to create the dependency record for message %d.Unexpected message response %d from user or bootstrapper application.Failed to get the ignored dependents.ALLFailed to check if "ALL" was set in IGNOREDEPENDENCIES.Skipping the dependencies check since IGNOREDEPENDENCIES contains "ALL".WixDependencyProviderSkipping the dependents check since no dependency providers are authored.Failed to check if the WixDependencyProvider table exists.Failed to open the query view for dependency providers.Failed to get WixDependencyProvider.WixDependencyProvider.Failed to get WixDependencyProvider.Component.Skipping dependents check for %ls because the component %ls is not being uninstalled.Failed to get WixDependencyProvider.ProviderKey.Failed to get WixDependencyProvider.Attributes.Failed dependents check for %ls.Failed to enumerate all of the rows in the dependency provider query view.;IGNOREDEPENDENCIESFailed to get the string value of the IGNOREDEPENDENCIES property.Failed to create the string dictionary.Failed to ignored dependency "%ls" to the string dictionary.wixdepca.cppNot enough memory to create the message record.Failed to set the message identifier into the message record.Failed to set the number of dependencies into the message record.The dependency "%ls" is missing or is not the required version.Found dependent "%ls", name: "%ls".Failed to set the dependency key "%ls" into the message record.Failed to set the dependency name "%ls" into

Source: file.exe

ReversingLabs: Detection: 86%

Source: ._cache_file.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: ._cache_file.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x86.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x86.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: file.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"
Source: C:\Users\user\Desktop\._cache_file.exe	Process created: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe "C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=524 -burn.filehandle.self=640
Source: C:\Users\user\Desktop\file.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Process created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe "C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4ECB3904-0384-4F60-9326-256C504267D7} {993172C8-4368-4578-BD0A-D6EA507F91CB} 8028
Source: unknown	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\ProgramData\Synaptics\Synaptics.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 4648
Source: unknown	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe"
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Process created: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe "C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=524 -burn.filehandle.self=640	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Process created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe "C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4ECB3904-0384-4F60-9326-256C504267D7} {993172C8-4368-4578-BD0A-D6EA507F91CB} 8028	Jump to behavior
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe"
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: msi.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: version.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: cabinet.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: msxml3.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: wldp.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: srclient.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: spp.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: powrprof.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: vssapi.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: vsstrace.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: umpdc.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: usoapi.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: sxproxy.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: feclient.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: iertutil.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: srpapi.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: netapi32.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: wkscli.dll
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Section loaded: netutils.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msimg32.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: explorerframe.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: riched20.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: usp10.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msls31.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: textshaping.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe

File written: C:\Users\user\AppData\Local\Temp\seCklmi.ini

Jump to behavior

Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Automated click: I agree to the license terms and conditions
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe

Window detected: Number of UI elements: 23

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: file.exe

Static file information: File size 15183872 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: file.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xdd0800

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: file.exe, Synaptics.exe.4.dr, ._cache_file.exe.6.dr, VC_redist.x86.exe.12.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFCM140.i386.pdb source: mfcm140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdb source: vcamp140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdbGCTL source: msvcp140_1.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdbGCTL source: vcamp140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdb source: msvcp140_1.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: vcruntime140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb source: mfc140enu.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdbGCTL source: msvcp140_2.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140JPN.i386.pdb source: mfc140jpn.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdb source: mfc140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdb source: msvcp140_2.dll.21.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: ._cache_file.exe, 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmp, VC_redist.x86.exe, 0000001B.00000002.2553590168.0000000062D9F000.00000002.00000001.01000000.00000014.sdmp, wixstdba.dll.27.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140RUS.i386.pdb source: mfc140rus.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdbGCTL source: mfc140.dll.21.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHT.i386.pdb source: mfc140cht.dll.21.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixDepCA.pdb source: 4539f1.msi.21.dr, 4539ec.msi.21.dr, 4539f8.msi.21.dr

Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe

Code function: 7_2_6CFA1C04 LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

7_2_6CFA1C04

Source: ._cache_file.exe.4.dr	Static PE information: section name: .wixburn
Source: ._cache_file.exe.6.dr	Static PE information: section name: .wixburn
Source: VC_redist.x86.exe.7.dr	Static PE information: section name: .wixburn
Source: VC_redist.x86.exe.12.dr	Static PE information: section name: .wixburn
Source: mfc140.dll.21.dr	Static PE information: section name: .didat
Source: mfc140u.dll.21.dr	Static PE information: section name: .didat
Source: msvcp140.dll.21.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0100E876 push ecx; ret	6_2_0100E889
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001AE876 push ecx; ret	7_2_001AE889
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFAEE46 push ecx; ret	7_2_6CFAEE59
Source: C:\ProgramData\Synaptics\Synaptics.exe	Code function: 8_2_0CCA029D push cs; retf 000Ch	8_2_0CCA0A52
Source: C:\ProgramData\Synaptics\Synaptics.exe	Code function: 8_2_0CCA5324 push ebx; retf 000Ch	8_2_0CCA5326
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007EE876 push ecx; ret	12_2_007EE889
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009FE876 push ecx; ret	25_2_009FE889
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D8EE46 push ecx; ret	27_2_62D8EE59

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\~$cache1

Jump to dropped file

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140.dll

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\Desktop\._cache_file.exe	Jump to dropped file
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	File created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcamp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_file.exe	File created: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 4539f6.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140.dll	Jump to dropped file
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 4539ef.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 4539f4.rbf (copy)	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	File created: C:\Users\user\Documents\~$cache1	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 4539f7.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 4539f5.rbf (copy)	Jump to dropped file
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcomp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140.dll	Jump to dropped file
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\RCXDAD4.tmp	Jump to dropped file

Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	File created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\RCXDAD4.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcamp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_file.exe	File created: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140.dll	Jump to dropped file
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcomp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140.dll	Jump to dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\~$cache1

Jump to dropped file

Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1028\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1029\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1031\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1036\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1040\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1041\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1042\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1045\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1046\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1049\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1055\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\2052\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\3082\license.rtf	Jump to behavior
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\3082\license.rtf

Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver	Jump to behavior
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765}
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765}
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765}
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765}

Source: C:\ProgramData\Synaptics\Synaptics.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\vcamp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 4539f6.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 4539ef.rbf (copy)	Jump to dropped file
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Dropped PE file which has not been started: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 4539f4.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 4539f7.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 4539f5.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140.dll	Jump to dropped file
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\wixstdba.dll	Jump to dropped file

Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Evaded block: after key decision

Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\._cache_file.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\._cache_file.exe	API coverage: 9.2 %
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	API coverage: 8.9 %

Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 1516	Thread sleep time: -1560000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 5516	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe TID: 4952	Thread sleep time: -290000s >= -30000s

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0101FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0101FE5Dh	6_2_0101FDC2
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0101FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0101FE56h	6_2_0101FDC2
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001BFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 001BFE5Dh	7_2_001BFDC2
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001BFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 001BFE56h	7_2_001BFDC2
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007FFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 007FFE5Dh	12_2_007FFDC2
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007FFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 007FFE56h	12_2_007FFDC2
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A0FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00A0FE5Dh	25_2_00A0FDC2
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A0FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00A0FE56h	25_2_00A0FDC2

Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	File Volume queried: C:\Windows FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_01024315 FindFirstFileW,FindClose,	6_2_01024315
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_00FF993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	6_2_00FF993E
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_00FE3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_00FE3BC3
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_01017A87 FindFirstFileExW,	6_2_01017A87
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001C4315 FindFirstFileW,FindClose,	7_2_001C4315
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_0019993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	7_2_0019993E
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_00183BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	7_2_00183BC3
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001B7A87 FindFirstFileExW,	7_2_001B7A87
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFA65CB FindFirstFileW,FindClose,	7_2_6CFA65CB
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFB6C8C FindFirstFileExA,	7_2_6CFB6C8C
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_00804315 FindFirstFileW,FindClose,	12_2_00804315
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007D993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	12_2_007D993E
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007C3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	12_2_007C3BC3
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007F7A87 FindFirstFileExW,	12_2_007F7A87
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A14315 FindFirstFileW,FindClose,	25_2_00A14315
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009E993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	25_2_009E993E
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A07A87 FindFirstFileExW,	25_2_00A07A87
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009D3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	25_2_009D3BC3
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D865CB FindFirstFileW,FindClose,	27_2_62D865CB
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D96C8C FindFirstFileExA,	27_2_62D96C8C

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_0102962D VirtualQuery,GetSystemInfo,

6_2_0102962D

Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000			Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: Amcache.hve.24.dr	Binary or memory string: VMware
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.24.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.24.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.24.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.24.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.24.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBng
Source: ._cache_file.exe, 00000007.00000002.2543427564.000000000085F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.24.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: SrTasks.exe, 00000013.00000003.1731526957.0000022D7BBD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:K
Source: SrTasks.exe, 00000013.00000003.1727731438.0000022D7BC1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:88
Source: Synaptics.exe, 00000008.00000002.1696159678.000000000072E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.24.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.24.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: vmci.sys
Source: ._cache_file.exe, 00000007.00000002.2543427564.000000000085F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.24.dr	Binary or memory string: vmci.syshbin`
Source: SrTasks.exe, 00000013.00000003.1731526957.0000022D7BBD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:Kn
Source: Amcache.hve.24.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.24.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.24.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.24.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.24.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.24.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.24.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.24.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.24.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.24.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.24.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: SrTasks.exe, 00000013.00000003.1732568893.0000022D7BC22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:CC
Source: Amcache.hve.24.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\._cache_file.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	API call chain: ExitProcess graph end node

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_0100E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_0100E625

Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe

Code function: 7_2_6CFA1C04 LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

7_2_6CFA1C04

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_01014812 mov eax, dword ptr fs:[00000030h]	6_2_01014812
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001B4812 mov eax, dword ptr fs:[00000030h]	7_2_001B4812
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFB3C07 mov eax, dword ptr fs:[00000030h]	7_2_6CFB3C07
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007F4812 mov eax, dword ptr fs:[00000030h]	12_2_007F4812
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A04812 mov eax, dword ptr fs:[00000030h]	25_2_00A04812
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D93C07 mov eax, dword ptr fs:[00000030h]	27_2_62D93C07

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_00FE38D4 GetProcessHeap,RtlAllocateHeap,

6_2_00FE38D4

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0100E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0100E188
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0100E773 SetUnhandledExceptionFilter,	6_2_0100E773
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_0100E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0100E625
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_01013BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_01013BB0
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001AE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_001AE188
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001AE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_001AE625
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001AE773 SetUnhandledExceptionFilter,	7_2_001AE773
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001B3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_001B3BB0
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFAEC77 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6CFAEC77
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFAE730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_6CFAE730
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_6CFB09E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6CFB09E7
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007EE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_007EE188
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007EE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_007EE625
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007EE773 SetUnhandledExceptionFilter,	12_2_007EE773
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007F3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_007F3BB0
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009FE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_009FE188
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009FE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_009FE625
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009FE773 SetUnhandledExceptionFilter,	25_2_009FE773
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_00A03BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00A03BB0
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D909E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_62D909E7
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D8E730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_62D8E730
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 27_2_62D8EC77 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_62D8EC77

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Process created: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe "C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=524 -burn.filehandle.self=640	Jump to behavior
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Process created: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe "C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4ECB3904-0384-4F60-9326-256C504267D7} {993172C8-4368-4578-BD0A-D6EA507F91CB} 8028	Jump to behavior
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_010215CB InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

6_2_010215CB

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_0102393B AllocateAndInitializeSid,CheckTokenMembership,

6_2_0102393B

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_0100E9A7 cpuid

6_2_0100E9A7

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Queries volume information: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\logo.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\logo.png VolumeInformation

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_00FF4CE8 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

6_2_00FF4CE8

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_0100E513 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_0100E513

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_00FE60BA GetUserNameW,GetLastError,

6_2_00FE60BA

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_01028733 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

6_2_01028733

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 6_2_00FE508D GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

6_2_00FE508D

Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Amcache.hve.24.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected XRed

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 00000008.00000003.1391518292.000000000072F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1279132261.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Synaptics\RCXDAD4.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Remote Access Functionality

Yara detected XRed

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 00000008.00000003.1391518292.000000000072F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1279132261.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Synaptics\RCXDAD4.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 6_2_00FE15E4 RpcBindingSetOption,	6_2_00FE15E4
Source: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	Code function: 7_2_001815E4 RpcBindingSetOption,	7_2_001815E4
Source: C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	Code function: 12_2_007C15E4 RpcBindingSetOption,	12_2_007C15E4
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 25_2_009D15E4 RpcBindingSetOption,	25_2_009D15E4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	41 Scripting	2 Replication Through Removable Media	3 Native API	41 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	12 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 Extra Window Memory Injection	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	21 Windows Service	1 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	21 Windows Service	1 File Deletion	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	34 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Extra Window Memory Injection	LSA Secrets	37 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	32 Masquerading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	141 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	21 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	87%	ReversingLabs	Win32.Worm.Zorex
file.exe	100%	Avira	WORM/Delphi.Gen
file.exe	100%	Avira	W2000M/Dldr.Agent.17651006
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	WORM/Delphi.Gen
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\RCXDAD4.tmp	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\RCXDAD4.tmp	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\Documents\~$cache1	100%	Avira	TR/Dldr.Agent.SH
C:\Users\user\Documents\~$cache1	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\Synaptics.exe	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\RCXDAD4.tmp	100%	Joe Sandbox ML
C:\Users\user\Documents\~$cache1	100%	Joe Sandbox ML
4539ef.rbf (copy)	0%	ReversingLabs
4539f4.rbf (copy)	0%	ReversingLabs
4539f5.rbf (copy)	0%	ReversingLabs
4539f6.rbf (copy)	0%	ReversingLabs
4539f7.rbf (copy)	0%	ReversingLabs
C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	0%	ReversingLabs
C:\ProgramData\Synaptics\RCXDAD4.tmp	92%	ReversingLabs	Win32.Worm.Zorex
C:\ProgramData\Synaptics\Synaptics.exe	87%	ReversingLabs	Win32.Worm.Zorex
C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\wixstdba.dll	0%	ReversingLabs
C:\Users\user\Desktop\._cache_file.exe	0%	ReversingLabs
C:\Users\user\Documents\~$cache1	92%	ReversingLabs	Win32.Worm.Zorex
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vcruntime140.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140chs.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140cht.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140deu.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140enu.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140esn.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140fra.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140ita.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140jpn.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140kor.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140rus.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140u.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfcm140.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfcm140u.dll	0%	ReversingLabs
C:\Windows\SysWOW64\vcamp140.dll	0%	ReversingLabs
C:\Windows\SysWOW64\vcomp140.dll	0%	ReversingLabs
C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\wixstdba.dll	0%	ReversingLabs
C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe	0%	ReversingLabs
C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://xred.site50.net/syn/SUpdate.iniZ	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/Synaptics.rarZ	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/SUpdate.iniH)	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/SSLLibrary.dlp	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/SSLLibrary.dll6	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
freedns.afraid.org	69.42.215.252	true	false	high
docs.google.com	172.217.18.14	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
drive.usercontent.google.com	216.58.206.65	true	false	high
xred.mooo.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
xred.mooo.com	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://docs.google.com/C/	Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/=	Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978n.	Synaptics.exe, 00000008.00000002.1696159678.00000000006FA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/Synaptics.rarZ	Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	Synaptics.exe.4.dr	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978Z-%K	Synaptics.exe, 00000008.00000002.1696159678.00000000006FA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wixtoolset.org/schemas/thmutil/2010	VC_redist.x86.exe, 0000001B.00000002.2550969012.0000000003450000.00000004.00000800.00020000.00000000.sdmp, VC_redist.x86.exe, 0000001B.00000002.2549138233.0000000003260000.00000004.00000020.00020000.00000000.sdmp, thm.xml.27.dr	false		high
https://docs.google.com/s	Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/.	Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/s/	Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	Synaptics.exe, 00000008.00000002.1702352378.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.000000000701F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.0000000006F1E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1455237548.0000000000782000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1711758194.0000000006FE2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.24.dr	false		high
http://xred.site50.net/syn/Synaptics.rar	Synaptics.exe.4.dr	false		high
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	file.exe, Synaptics.exe.4.dr, ._cache_file.exe.6.dr, VC_redist.x86.exe.12.dr	false		high
https://docs.google.com/	Synaptics.exe, 00000008.00000002.1696159678.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000003.1460850513.0000000005341000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1696159678.0000000000761000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/google.com/	Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll6	Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	Synaptics.exe.4.dr	false		high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	~DF9BFAACEE61987A0E.TMP.9.dr	false		high
http://xred.site50.net/syn/SUpdate.iniZ	Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=8	file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.ini	Synaptics.exe.4.dr	false		high
https://docs.google.com/user	Synaptics.exe, 00000008.00000002.1715180518.0000000007082000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dlp	file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://drive.usercontent.google.com/ev	Synaptics.exe, 00000008.00000002.1711758194.0000000006FE2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	Synaptics.exe, 00000008.00000002.1698124725.0000000002160000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/uc?id=0;	Synaptics.exe, 00000008.00000002.1721967988.000000000BE7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000008.00000002.1717608050.000000000877E000.00000004.00000010.00020000.00000000.sdmp	false		high
https://docs.google.com/4se	Synaptics.exe, 00000008.00000002.1711758194.0000000006FE2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.iniH)	file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://docs.google.com/4erV	Synaptics.exe, 00000008.00000002.1711758194.0000000006FE2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll	Synaptics.exe.4.dr	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl	file.exe, 00000004.00000003.1315791736.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://appsyndication.org/2006/appsyn	VC_redist.x86.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.18.14	docs.google.com	United States	15169	GOOGLEUS	false
216.58.206.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
69.42.215.252	freedns.afraid.org	United States	17048	AWKNET-LLCUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583478
Start date and time:	2025-01-02 20:28:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal74.spre.troj.expl.evad.winEXE@20/179@6/3
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 129 Number of non-executed functions: 254
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, VSSVC.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 184.28.90.27, 52.182.143.214, 52.168.117.173, 13.107.246.45, 20.190.159.0, 173.222.162.55, 172.202.163.200
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, www.bing.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, onedscolprdcus19.centralus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
Execution Graph export aborted for target Synaptics.exe, PID 8096 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:29:46	API Interceptor	110x Sleep call for process: Synaptics.exe modified
14:30:03	API Interceptor	29x Sleep call for process: SrTasks.exe modified
14:30:16	API Interceptor	1x Sleep call for process: WerFault.exe modified
20:29:43	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe
20:30:03	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765} "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
69.42.215.252	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Open Purchase Order Summary Details-16-12-2024.vbs	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Open Purchase Order Summary Sheet.vbs	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Purchase Order Summary Details.vbs	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Purchase Order Summary Details.vbs	Get hash	malicious	LodaRAT, XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	xyxmml.msi	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	valyzt.msi	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	Xmrig	Browse	13.107.246.45
	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	13.107.246.45
	https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690	Get hash	malicious	Unknown	Browse	13.107.246.45
	Bootxr.exe	Get hash	malicious	Xmrig	Browse	13.107.246.45
	cici.exe	Get hash	malicious	RedLine	Browse	13.107.246.45
	intro.avi.exe	Get hash	malicious	Quasar	Browse	13.107.246.45
	random(6).exe	Get hash	malicious	Stealc	Browse	13.107.246.45
freedns.afraid.org	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	69.42.215.252
	Open Purchase Order Summary Details-16-12-2024.vbs	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Open Purchase Order Summary Sheet.vbs	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Purchase Order Summary Details.vbs	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Purchase Order Summary Details.vbs	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	xyxmml.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	valyzt.msi	Get hash	malicious	XRed	Browse	69.42.215.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AWKNET-LLCUS	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	69.42.215.252
	Open Purchase Order Summary Details-16-12-2024.vbs	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Open Purchase Order Summary Sheet.vbs	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Purchase Order Summary Details.vbs	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	Purchase Order Summary Details.vbs	Get hash	malicious	LodaRAT, XRed	Browse	69.42.215.252
	xyxmml.msi	Get hash	malicious	XRed	Browse	69.42.215.252
	valyzt.msi	Get hash	malicious	XRed	Browse	69.42.215.252

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	XRed	Browse	216.58.206.65 172.217.18.14
	file.exe	Get hash	malicious	XRed	Browse	216.58.206.65 172.217.18.14
	file.exe	Get hash	malicious	XRed	Browse	216.58.206.65 172.217.18.14
	file.exe	Get hash	malicious	AsyncRAT, XRed, XWorm	Browse	216.58.206.65 172.217.18.14
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	216.58.206.65 172.217.18.14
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	216.58.206.65 172.217.18.14
	Setup.exe.7z	Get hash	malicious	Unknown	Browse	216.58.206.65 172.217.18.14
	45631.exe	Get hash	malicious	Nitol	Browse	216.58.206.65 172.217.18.14
	45631.exe	Get hash	malicious	Unknown	Browse	216.58.206.65 172.217.18.14

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
4539ef.rbf (copy)	fillProxy_for_terminal_20210702_v1.0.0.exe	Get hash	malicious	Unknown	Browse
4539ef.rbf (copy)	fillProxy_for_terminal_20210702_v1.0.0.exe	Get hash	malicious	Unknown	Browse
4539f4.rbf (copy)	fillProxy_for_terminal_20210702_v1.0.0.exe	Get hash	malicious	Unknown	Browse
4539f4.rbf (copy)	fillProxy_for_terminal_20210702_v1.0.0.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

4539ef.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	141600
Entropy (8bit):	6.730918695182974
Encrypted:	false
SSDEEP:	3072:Dx2TmVYqVACERsarapgaqKSVoSkOuRoJm4t4/lAcXNt:FdbPFqjoPOuRou/lA2f
MD5:	072DA195F3C547B1584813E02E245CD8
SHA1:	EDA3A7CD19D4BB362BE37EC06290C1309962D4D4
SHA-256:	DBCB040304AC8A81E149840DEB816E1C4E5BC20487766541AA8C7C5C0629C804
SHA-512:	37BF63D59DF173D5152253CE2A4F5A2BB7DC2BF9F63BF7C379ED5BB3C9989BB782E6A836E8C6D7EBF2F927092E098FAA747F31AC4D6296194AEBCCC4EA8F68CE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fillProxy_for_terminal_20210702_v1.0.0.exe, Detection: malicious, Browse Filename: fillProxy_for_terminal_20210702_v1.0.0.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uI...'..'..'..r$..'..r"...'..r#..'.{"..'.{#..'.{$..'......'..&...'.{...'.{'..'.{...'.{%..'.Rich..'.................PE..L...\|V.^.........."!.........>............................................... ............@................................`...<....................... A......d....b..8............................b..@...............\............................text............................... ..`.data...D...........................@....idata..,...........................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................................................................................................

4539f4.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4782880
Entropy (8bit):	7.048362842065633
Encrypted:	false
SSDEEP:	98304:rcQO/zACc35FeIj0v8Tu8expRWrBu2gubZkFLOAkGkzdnEVomFHKnP7z:jqie9v8CVp4Bu2gubZkFLOyomFHKnP
MD5:	4B9941864214A7BB96D3704420C2D28C
SHA1:	05ACF3D57A349DCF29BC68A7A6F0DEC6D971B940
SHA-256:	1F9CCCA43EEF25CA44C69648124265944493FC220BCDECDB79AA28C33468B59B
SHA-512:	5CB4FFE656AB0C9973A02A7055689F8B945BCFB312B6B324432A717B2C95FF89B35BF70AE553F5176921A7DFF0E8F8F357288496EDC149CB377675130C7AD38B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fillProxy_for_terminal_20210702_v1.0.0.exe, Detection: malicious, Browse Filename: fillProxy_for_terminal_20210702_v1.0.0.exe, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........%.suv.suv.suv7.v.suv7.v.suv7.v.suv...v.suv..tw.suv..qw.suv..vw.suv..pw.suv7.v.suv.stv.wuv..\|w.ruv..uw.suv...v.suv..ww.suvRich.suv........................PE..L....V.^.........."!.........b......._*......................................0I.....r.I...@A.........................-....../......./...............H. A....E.x...l@..8...........................@4..@............./.....`.-......................text.............................. ..`.data...............................@....idata...T..../..V...6/.............@..@.didat......../......./.............@....rsrc........./......./.............@..@.reloc..x.....E......(E.............@..B................................................................................................................................................................................................................................

4539f5.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5082912
Entropy (8bit):	6.8680590475042465
Encrypted:	false
SSDEEP:	98304:pwTgRb/8LXPwCVSf9qGeFgHt23653x0qfSbNa/S306FLOAkGkzdnEVomFHKnPZC:6cR87wFFqG236L0XNa/S306FLOyomFHT
MD5:	109E1488C848F17E370F3973EFDE2C38
SHA1:	7F2FEB94CF7FD1378DF4963316C7941067E7EDC0
SHA-256:	0CE7B07B16BA59AAE714495043D1CC8385691125F977B34227DBE826DA6D1EEF
SHA-512:	6C66CA88306106E07432D05AE60A0278D6619E57B1B1EAC5C1AD4B02F3DD13EA8F68FE986322877FA975077C879629E0248239C00654420353772E8287583E23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........;%.sUv.sUv.sUv..v.sUv..v.sUv..v.sUv...v.sUv..Tw.sUv..Qw.sUv..Vw.sUv..Pw.sUv..v.sUv.sTvVpUv..\w9rUv..Uw.sUv...v.sUv..Ww.sUvRich.sUv........................PE..L....V.^.........."!......2..h.......V......../...............................M.....m.N...@A............................L.....3......`4..............NM. A....J.(.....2.8............................a..@.............3.....@.2......................text...t.2.......2................. ..`.data...8.....3.......2.............@....idata..DS....3..T....3.............@..@.didat.......P4.......4.............@....rsrc........`4...... 4.............@..@.reloc..(.....J.......I.............@..B................................................................................................................................................................................................................................

4539f6.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	82720
Entropy (8bit):	6.481840055375367
Encrypted:	false
SSDEEP:	768:7xg82UCqlWXqCVz79dzv3sG2wlv13BVO5ncylfhcsZGolyQw3n/20c6dhVbuwSy1:J2Slq7vzvvTyphcsZGBpcGhQwSwUJ0
MD5:	F46353456429BF7768968B6285D7C2FB
SHA1:	5A6A6D4DB4BBD32CD141C3CD3D4F1996F1D27084
SHA-256:	D7FA4DFD8681B10EBF04CB5C72D0F3A20EAF9C4D287CC05C973561EC8DC6A019
SHA-512:	92C1F4C4AE572DBA8409FBC51F1ACC7FE5C347AFBD0A8B4EABDD339C4F4EF91698B7487E0F4708B89FAE8D2D436644026B89EC53F16F128DA9D773BB5AFE23C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.L............K.M......E......x.......x.......x.......o.....K.V.........X....x.......x.......xF......x......Rich............................PE..L....V.^.........."!.....@...........N.......P...............................0......@.....@.........................0................................... A... ..L...hU..8............................T..@............P..,............R..H............text...)?.......@.................. ..`.rdata..^....P.......D..............@..@.data...............................@....rsrc...............................@..@.reloc..L.... ......................@..B........................................................................................................................................................................................................................................................................................

4539f7.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	82720
Entropy (8bit):	6.4817802924170635
Encrypted:	false
SSDEEP:	1536:V8alW6KV4ueuAUnPcsZGVxIb+OvE1R4Wod:K6KpQUnPcsKIbHv+i
MD5:	A67DD2E47CAC448F5E0995FD8634FD4B
SHA1:	879F96580C33618EB4D4349DE3215A87BA132A56
SHA-256:	F371D0868A9BAD5B012AC25BDC55FBF41D7F9535ECDE1A37CB23F2732F5ED303
SHA-512:	912238A4299D50481EF3C48A0E7DBD799B29880131A9667AACD252E3BACE8CDD38F0EAA2EB2C6EE7380B8146B105F94E54F43134AFA841F70176C5F4F318D909
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.L............K.M......E......x.......x.......x.......o.....K.V.........X....x.......x.......xF......x......Rich............................PE..L....V.^.........."!.....@...........N.......P...............................0............@.........................0................................... A... ..L...hU..8............................T..@............P..,............R..H............text...)?.......@.................. ..`.rdata..^....P.......D..............@..@.data...............................@....rsrc...............................@..@.reloc..L.... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Config.Msi\4539ee.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	18181
Entropy (8bit):	5.473112986766297
Encrypted:	false
SSDEEP:	192:IQX1DBRheqswU8DI0wU8DUqJnQEs4qMfpE:Is1DGwU8vwU850t
MD5:	2DAA2563BE924A9F515CF491CCAFF325
SHA1:	017991E6208EDC734C780178577B162574C7B32E
SHA-256:	64C3FB40D50836BE97C17053EE8861AE5238B83036A31911091EEF74468226BC
SHA-512:	7B25821FFE68EA8E17027D2BF9E354D71F18F9D2F74AB1671A999FB662B6E450299FA1592A245B8A8CA7DD0D3E6F9331CFB90F1F4B84A87D107B9228ABE67909
Malicious:	false
Preview:	...@IXOS.@.....@.s"Z.@.....@.....@.....@.....@.....@......&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2};.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508..vc_runtimeMinimum_x86.msi.@.....@\o...@.....@........&.{DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{42F41217-AF8B-33D4-9CB3-FF5F696BECBB}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{E8E39D3B-4F35-36D8-B892-4B28336FE041}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{A2AA960C-FD3C-3A6D-BD6F-14933011AFB3}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{A2E7203F-60C2-3D7E-8A46-DB3D381A2CE6}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{BC0399EF-5E9D-3C7C-BFF5-5E9A95C96DAF}&

C:\Config.Msi\4539f3.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	20971
Entropy (8bit):	5.337442231991352
Encrypted:	false
SSDEEP:	384:eAK/m0Ve2SD4Qsn7aPfaExsBpEsBiF2iqQDSR2IB:eZ/m0Ve2SD4Qsn7aPfaExsHEsUF2i5Dw
MD5:	3179402140485403E26260DF2D419677
SHA1:	3862B05F6E41858411AB3F9F24C921A451CDD888
SHA-256:	69F56A7D110749FF5E26C5072B896A953A0FB719C9C8E4C1F6069B440B4BB9A2
SHA-512:	0D5587FC0A3AFAAC2E014BC0944763186E5DDE7F6474C869706ED4DF8B2F17E0441EA6F6C064AAAA70BFD2A5E2D53F2C27F88D50274F32078C00F82C6629330A
Malicious:	false
Preview:	...@IXOS.@.....@.s"Z.@.....@.....@.....@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508..vc_runtimeAdditional_x86.msi.@.....@\o...@.....@........&.{AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{4FD4AB8C-C57F-3782-9230-9CCA22153AD3}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{46A1EA6B-3D81-3399-8991-127F7F7AE76A}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{C94DDE19-CC70-3B9A-A6AF-5CA7340B9B9A}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{946D6FA6-49BB-3415-AD2D-4D634C432CF0}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{E533B148-A83A-3788-A763-0C6C4

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_e73781c637c020daee3de6ae263d2d0a91f2a4c_455b7b6e_c430b686-e5b3-481e-a9c3-cb586e85c1c5\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1342895708749443
Encrypted:	false
SSDEEP:	192:6f8iA3VpsWI40Kks/kDzJDzqjLOA/FczxwzuiF4EZ24IO8EKDzy:0CyWWKksMJqjkKzuiF4EY4IO8zy
MD5:	F7B7F7579DEBDF2CA84EF6CAA9F6358A
SHA1:	6513BB0287A8BD3A90F9F94B1DF28F434775508E
SHA-256:	9E74D28642EA0362BB82D31DA44F9586D9D17C88779C253B5FC1A97FB23D6FD0
SHA-512:	92B10366A475AB9EE810ACBF21CAEAAEDCA1B18C63CF476281CEAD2FA1CE50D9C1553A85EBAB31A767E9DDE3FBA6AF492DE821E6D978CCD9CB7FCD403583DBCF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.3.1.9.8.0.5.8.3.1.6.7.9.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.3.1.9.8.1.1.4.4.1.0.6.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.3.0.b.6.8.6.-.e.5.b.3.-.4.8.1.e.-.a.9.c.3.-.c.b.5.8.6.e.8.5.c.1.c.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.9.f.7.b.d.7.-.1.8.f.d.-.4.6.f.9.-.9.b.5.a.-.7.6.f.5.f.d.f.1.5.4.e.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.y.n.a.p.t.i.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.a.0.-.0.0.0.1.-.0.0.1.3.-.4.c.4.2.-.3.9.a.a.4.c.5.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.9.a.1.3.7.d.5.9.3.d.d.a.9.d.1.5.8.d.c.8.b.6.b.7.7.2.0.d.e.b.0.0.0.0.1.f.0.4.!.0.0.0.0.8.a.4.0.e.8.2.8.2.2.4.f.2.2.3.6.1.b.0.9.4.9.4.a.5.5.6.a.2.0.d.b.8.2.f.c.9.7.b.9.!.S.y.n.a.p.t.i.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4381.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 2 19:30:06 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	2089108
Entropy (8bit):	1.8185463317586974
Encrypted:	false
SSDEEP:	6144:oOToKESPufHXrQkzb8+U/V5qbGwdUz4DY:rTCS0f1iwdUz4DY
MD5:	74B25ACFEF6A7BDAA30EA100E4AEB453
SHA1:	A568AE0B0BCFA39D0F9B8FD81C9460C700680FC2
SHA-256:	5D1ED2F932EDADF76904E11D86BF8A7CA5845E6F064916B25450F8276735EC06
SHA-512:	D520AB76F4B9B0DF921C60F6EE6ED74EE789B48FF85552E8E8EE49CCE7D24624B80D1151625F129A46949CBC161F3AE848A48C7CCA5A883EE00B560D4714E2F1
Malicious:	false
Preview:	MDMP..a..... .......>.vg............$...............8.......$....<.......9..............`.......8...........T...........P...D+...........=...........>..............................................................................eJ.......?......GenuineIntel............T...........#.vg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER57C6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6310
Entropy (8bit):	3.717490074182577
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+x566TYirJkfPpDA89bP1sf4lm:R6lXJQ6eYGJkfPOfX
MD5:	678CBC9A0CC018D3EEC9AA3F4FB9503C
SHA1:	EEB7F8E13B2140D09945F14C8558FAC9602CAEA5
SHA-256:	E00E77ACB6606FA9DAF181DAA3E069D19A42ABC2777B93CD9140AB104240770A
SHA-512:	3941871676887B58C0AF435C220C6D168614577EE3F456957EA34D3B1D0ABD1D491AD2DAC5AD1698B1C7202D0DAFB16A04337DF3BCDFA79CA804EA9B505EC0DD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER57F6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4580
Entropy (8bit):	4.445137789281028
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9aNWpW8VYwYm8M4JFFF++q8ZBJJ5CQNZsd:uIjfvI7s87VcJkIBCQNZsd
MD5:	5DCBB79DBFFDE30CC17581423963431A
SHA1:	E1C129A12369133F61188BBDF07E47217F41E9A1
SHA-256:	D8CC11629837122B5EAE97D555CFC14794AA4C93E49BD4DE882689B79A51D2E4
SHA-512:	3C90294D81B8B6848B7EB9BFF529A61565B2E11C8175A6ADDD0A09BC5FB8A1B2F58457F237ED84E63F519D0D2DD56A860C449CAEAA62BCBE2AF40D844D9A907F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="658712" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Package Cache\.unverified\cab54A5CABBE7274D8A22EB58060AAB7623 (copy)

Download File

Process:	C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe
File Type:	Microsoft Cabinet archive data, many, 1350653 bytes, 50 files, at 0x44 +A "api_ms_win_core_console_l1_1_0.dll" +A "api_ms_win_core_datetime_l1_1_0.dll", flags 0x4, number 1, extra bytes 20 in head, 111 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	1367669
Entropy (8bit):	7.997832401624505
Encrypted:	true
SSDEEP:	24576:OawWVgz9615LBBl9NWA5852M/fzoapq0m9Oz03FOae6p4Cjd81kD0+0CCxco2iJs:OawWV+96vVBNWOMU0qhOz035e6ppNCst
MD5:	29C34C40D349C145E297B6977908E687
SHA1:	025B5CF7D6515CC6151628063752C159F41D99C7
SHA-256:	61AACFF6365DA15F2C9D0FF1C8FB2EC207D145CD9104AFA0CE663BF1542DB245
SHA-512:	BBD9F65C2619DE25F99A8BA21346D7EA46DB9EBA79FEB6039E0E86999D1EA2C9A4564FA727DDA442A69C169DBDC8A4913DF925C42B3AD7F4030A655AC01C0691
Malicious:	false
Preview:	MSCF............D...........2...................xB..........~...o....O........(P.. .api_ms_win_core_console_l1_1_0.dll..M...O....(P.. .api_ms_win_core_datetime_l1_1_0.dll..N........(P.. .api_ms_win_core_debug_l1_1_0.dll. M........(P.. .api_ms_win_core_errorhandling_l1_1_0.dll. [...9....(P.. .api_ms_win_core_file_l1_1_0.dll. M..0.....(P.. .api_ms_win_core_file_l1_2_0.dll. M..P.....(P.. .api_ms_win_core_file_l2_1_0.dll. M..p.....(P.. .api_ms_win_core_handle_l1_1_0.dll..O...{....(P.. .api_ms_win_core_heap_l1_1_0.dll..O........(P.. .api_ms_win_core_interlocked_l1_1_0.dll..O..p.....(P.. .api_ms_win_core_libraryloader_l1_1_0.dll..W..`k....(P.. .api_ms_win_core_localization_l1_2_0.dll..O..P.....(P.. .api_ms_win_core_memory_l1_1_0.dll. M..@.....(P.. .api_ms_win_core_namedpipe_l1_1_0.dll..Q..``....(P.. .api_ms_win_core_processenvironment_l1_1_0.dll..U..P.....(P.. .api_ms_win_core_processthreads_l1_1_0.dll..O..@.....(P.. .api_ms_win_core_processthreads_l1_1_1.dll..K..0X....(P.. .api_ms_win_core_

C:\ProgramData\Package Cache\.unverified\cabB3E1576D1FEFBB979E13B1A5379E0B16 (copy)

Download File

Process:	C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe
File Type:	Microsoft Cabinet archive data, many, 5194062 bytes, 14 files, at 0x44 +A "mfc140.dll" +A "mfc140chs.dll", flags 0x4, number 1, extra bytes 20 in head, 326 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	5211054
Entropy (8bit):	7.998080908238165
Encrypted:	true
SSDEEP:	98304:dEpMtGvCYmfjBvRxMh7vhetajX6x0XSvrTBEbwwF0XVsvufq:dElCPLBvE8xuEebw6vuy
MD5:	4FEADE30692872EAB413C1123A5F3DE4
SHA1:	B08C319BD7E01176F02D0DC3B4AA8B7C5B9A82C6
SHA-256:	2805E5CC8E477AC1D6847B3CF083A85EC463F646037B59C93CB9E3096A78B81A
SHA-512:	145956C65E193AD5309CA3C0F0BC94DFB20C6BCF73494BDE2ABC48F6495061EE727C9FAA1B97739FE3028873A540A5F17FDFFEB08D8C3A35C2CD7B3DDB088E54
Malicious:	false
Preview:	MSCF....NAO.....D...........................NAO.`B..............F... .H.......(P.. .mfc140.dll.... .H...(P.. .mfc140chs.dll. .....I...(P.. .mfc140cht.dll..)..(nJ...(P.. .mfc140deu.dll. .....K...(P.. .mfc140enu.dll. %..8.L...(P.. .mfc140esn.dll..)..X.M...(P.. .mfc140fra.dll..!..H.N...(P.. .mfc140ita.dll.....8.P...(P.. .mfc140jpn.dll.....(.P...(P.. .mfc140kor.dll.......Q...(P.. .mfc140rus.dll. .M...R...(P.. .mfc140u.dll. C..(e....(P.. .mfcm140.dll. C..H.....(P.. .mfcm140u.dll..J.%.4..CK..w....0...Q6Q..}.......[.nl....;. ...L.....H%.K.w}.<.u..y.y.....g........M6....E..}.m.=...?....?.$Q4...O..;..<8....^{........].Ov....<$.u.d..${...........i..z......s,p.....?...8..F......].~=c.{.].~=m.C.?~..A..6....O....~.h...\..v...s.l..z..'..q..=\|..l...........h.I&...j.N..Y..;.I..-*'D.....;/.Eq.....(...../SG..u..t..eO\|o.p..F.../......{t....E..g/..$.s./..v.........l.Vt.y...L....xW.e&._.i.d..Q4.c......?.=.8$...9..]..N....X>a.]..%...._g.Ng...w.5..........V........v71.~2.

C:\ProgramData\Package Cache\.unverified\vcRuntimeAdditional_x86 (copy)

Download File

Process:	C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.3376915344280516
Encrypted:	false
SSDEEP:	3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
MD5:	4B97853A7D10743D67665CCDD67E8566
SHA1:	AF5F7059C9A05A388B4773917E17A078FA58F5E9
SHA-256:	63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
SHA-512:	ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Package Cache\.unverified\vcRuntimeMinimum_x86 (copy)

Download File

Process:	C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.237627585353464
Encrypted:	false
SSDEEP:	3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
MD5:	6AA3A12A374E36C6A7BD75B7627A5A7C
SHA1:	56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
SHA-256:	AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
SHA-512:	B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Package Cache\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\packages\vcRuntimeAdditional_x86\cab1.cab (copy)

Download File

Process:	C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe
File Type:	Microsoft Cabinet archive data, many, 5194062 bytes, 14 files, at 0x44 +A "mfc140.dll" +A "mfc140chs.dll", flags 0x4, number 1, extra bytes 20 in head, 326 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	5211054
Entropy (8bit):	7.998080908238165
Encrypted:	true
SSDEEP:	98304:dEpMtGvCYmfjBvRxMh7vhetajX6x0XSvrTBEbwwF0XVsvufq:dElCPLBvE8xuEebw6vuy
MD5:	4FEADE30692872EAB413C1123A5F3DE4
SHA1:	B08C319BD7E01176F02D0DC3B4AA8B7C5B9A82C6
SHA-256:	2805E5CC8E477AC1D6847B3CF083A85EC463F646037B59C93CB9E3096A78B81A
SHA-512:	145956C65E193AD5309CA3C0F0BC94DFB20C6BCF73494BDE2ABC48F6495061EE727C9FAA1B97739FE3028873A540A5F17FDFFEB08D8C3A35C2CD7B3DDB088E54
Malicious:	false
Preview:	MSCF....NAO.....D...........................NAO.`B..............F... .H.......(P.. .mfc140.dll.... .H...(P.. .mfc140chs.dll. .....I...(P.. .mfc140cht.dll..)..(nJ...(P.. .mfc140deu.dll. .....K...(P.. .mfc140enu.dll. %..8.L...(P.. .mfc140esn.dll..)..X.M...(P.. .mfc140fra.dll..!..H.N...(P.. .mfc140ita.dll.....8.P...(P.. .mfc140jpn.dll.....(.P...(P.. .mfc140kor.dll.......Q...(P.. .mfc140rus.dll. .M...R...(P.. .mfc140u.dll. C..(e....(P.. .mfcm140.dll. C..H.....(P.. .mfcm140u.dll..J.%.4..CK..w....0...Q6Q..}.......[.nl....;. ...L.....H%.K.w}.<.u..y.y.....g........M6....E..}.m.=...?....?.$Q4...O..;..<8....^{........].Ov....<$.u.d..${...........i..z......s,p.....?...8..F......].~=c.{.].~=m.C.?~..A..6....O....~.h...\..v...s.l..z..'..q..=\|..l...........h.I&...j.N..Y..;.I..-*'D.....;/.Eq.....(...../SG..u..t..eO\|o.p..F.../......{t....E..g/..$.s./..v.........l.Vt.y...L....xW.e&._.i.d..Q4.c......?.=.8$...9..]..N....X>a.]..%...._g.Ng...w.5..........V........v71.~2.

C:\ProgramData\Package Cache\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi (copy)

Download File

Process:	C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.3376915344280516
Encrypted:	false
SSDEEP:	3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
MD5:	4B97853A7D10743D67665CCDD67E8566
SHA1:	AF5F7059C9A05A388B4773917E17A078FA58F5E9
SHA-256:	63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
SHA-512:	ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Package Cache\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\packages\vcRuntimeMinimum_x86\cab1.cab (copy)

Download File

Process:	C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe
File Type:	Microsoft Cabinet archive data, many, 1350653 bytes, 50 files, at 0x44 +A "api_ms_win_core_console_l1_1_0.dll" +A "api_ms_win_core_datetime_l1_1_0.dll", flags 0x4, number 1, extra bytes 20 in head, 111 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	1367669
Entropy (8bit):	7.997832401624505
Encrypted:	true
SSDEEP:	24576:OawWVgz9615LBBl9NWA5852M/fzoapq0m9Oz03FOae6p4Cjd81kD0+0CCxco2iJs:OawWV+96vVBNWOMU0qhOz035e6ppNCst
MD5:	29C34C40D349C145E297B6977908E687
SHA1:	025B5CF7D6515CC6151628063752C159F41D99C7
SHA-256:	61AACFF6365DA15F2C9D0FF1C8FB2EC207D145CD9104AFA0CE663BF1542DB245
SHA-512:	BBD9F65C2619DE25F99A8BA21346D7EA46DB9EBA79FEB6039E0E86999D1EA2C9A4564FA727DDA442A69C169DBDC8A4913DF925C42B3AD7F4030A655AC01C0691
Malicious:	false
Preview:	MSCF............D...........2...................xB..........~...o....O........(P.. .api_ms_win_core_console_l1_1_0.dll..M...O....(P.. .api_ms_win_core_datetime_l1_1_0.dll..N........(P.. .api_ms_win_core_debug_l1_1_0.dll. M........(P.. .api_ms_win_core_errorhandling_l1_1_0.dll. [...9....(P.. .api_ms_win_core_file_l1_1_0.dll. M..0.....(P.. .api_ms_win_core_file_l1_2_0.dll. M..P.....(P.. .api_ms_win_core_file_l2_1_0.dll. M..p.....(P.. .api_ms_win_core_handle_l1_1_0.dll..O...{....(P.. .api_ms_win_core_heap_l1_1_0.dll..O........(P.. .api_ms_win_core_interlocked_l1_1_0.dll..O..p.....(P.. .api_ms_win_core_libraryloader_l1_1_0.dll..W..`k....(P.. .api_ms_win_core_localization_l1_2_0.dll..O..P.....(P.. .api_ms_win_core_memory_l1_1_0.dll. M..@.....(P.. .api_ms_win_core_namedpipe_l1_1_0.dll..Q..``....(P.. .api_ms_win_core_processenvironment_l1_1_0.dll..U..P.....(P.. .api_ms_win_core_processthreads_l1_1_0.dll..O..@.....(P.. .api_ms_win_core_processthreads_l1_1_1.dll..K..0X....(P.. .api_ms_win_core_

C:\ProgramData\Package Cache\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi (copy)

Download File

Process:	C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.237627585353464
Encrypted:	false
SSDEEP:	3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
MD5:	6AA3A12A374E36C6A7BD75B7627A5A7C
SHA1:	56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
SHA-256:	AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
SHA-512:	B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe

Download File

Process:	C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	647912
Entropy (8bit):	7.215948724836638
Encrypted:	false
SSDEEP:	12288:snMwHskY7gjcjhVIEhqgM7bWvcsi6aVhPIyP3WRCzJ9ztLz5/YTDd:6MysZgjS1hqgSC/izxf+czJZhz5Qnd
MD5:	2F9D2B6CE54F9095695B53D1AA217C7B
SHA1:	3F54934C240F1955301811D2C399728A3E6D1272
SHA-256:	0009D3F27837C3AF3F6FFF7973FAF07AFAA4B53119846F55B6F2A79F1759C757
SHA-512:	692857F960F26039C7B0AF6329E65A71E8588FF71EAAC6B956BD6E437994A8D5A470C7E75DD776E0772E473967B64D5EA0E1D8396546691316DAF4D6B8CCC237
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;...............$...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................

C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\state.rsm

Download File

Process:	C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe
File Type:	data
Category:	dropped
Size (bytes):	862
Entropy (8bit):	2.510432260155586
Encrypted:	false
SSDEEP:	12:oZK34pgMClGttDa+xU9m4RIb7ttun2QmbBXcKYGun2Qflqbh:aKUgMClccDR8CV
MD5:	E76E514DBB820CDC852761A23EE1AAFB
SHA1:	5B34111C3F6D87E277C1EE02FA6D80E5F47774C6
SHA-256:	6819F176A0888372A91A31D0C9DC5FF8833B4BB6FBC3E85A0FBCDC4D3386FE91
SHA-512:	ACB15AA276B313B838625B7A4B9D44AA6D2EAD0F2FCE2FB3FA4B84C04E026A6E0669534C13C87972A52FFEFC087C6E59F3C0DAB5CC4FE78A8D93AE54A3AE0D4C
Malicious:	false
Preview:	K...................................................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.....................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.................................W.i.x.B.u.n.d.l.e.N.a.m.e.....B...M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.4...2.5...2.8.5.0.8.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.....&...C.:.\.U.s.e.r.s.\.b.r.o.k.\.D.e.s.k.t.o.p.\..._.c.a.c.h.e._.f.i.l.e...e.x.e.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.F.o.l.d.e.r.........C.:.\.U.s.e.r.s.\.b.r.o.k.\.D.e.s.k.t.o.p.\.................................

C:\ProgramData\Synaptics\RCXDAD4.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	771584
Entropy (8bit):	6.636362882247521
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IFr:ansJ39LyjbJkQFMhmC+6GD92
MD5:	B753207B14C635F29B2ABF64F603570A
SHA1:	8A40E828224F22361B09494A556A20DB82FC97B9
SHA-256:	7F16106F3354A65FC749737905B77DF7BBEFA28BF8BBC966DC1F8C53FA4660F2
SHA-512:	0DD32803B95D53BADD33C0C84DF1002451090FF5F74736680E3A53A0BFC0E723EEE7D795626BC10A1FB431DE7E6E276C5A66349EF385A8B92B48425B0BDD036F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\RCXDAD4.tmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\RCXDAD4.tmp, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15183872
Entropy (8bit):	7.9774907952358145
Encrypted:	false
SSDEEP:	393216:o0d/FlptVYmfr7yBG/4JU4TRjtjUMy4i6kgsY7A:H1PpttD7yBG/QHTJtYMyke3
MD5:	7274B0B15C4E6D5BBE8DB5AA93C65A12
SHA1:	643418B70EE7242FB4CF797E54EC78C910D32824
SHA-256:	70C87AF178A804F97A312D3D8D509D5C6F4A54AC07D08BACF858E6687DE7E435
SHA-512:	241CA5EAA520A22A1C264F2FD3307C95D78FB56C2433602E42DCF9F2EB419ED2D43D40F6524A61A1D6E696375F7EA722FD502FA939D4453D88CA63AC068BE224
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..........................................@..............................................@..............................B......@....................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...@...........................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\17BDj84.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.264995118745909
Encrypted:	false
SSDEEP:	24:GgsF+0aRnSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+Rn+pAZewRDK4mW
MD5:	4A8EE159F6AC3C166CF22EE8FCAD6F7B
SHA1:	BDA789F3CE374C97E80823EBE9B433CC462C1775
SHA-256:	408062F0072CAB44201FACCB0BA7A4D370785264E23A23B2F5409389E6B6918C
SHA-512:	7597FF015D211DDE3EEA4D93E9E464DACB66B7B2D1B95827E035AF0A26AB32B40BD7C84B3AB5A297F2DC84437CE160F97A7E576E5842AE4381EAE2B9F4B8FE24
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="BQlBgmk4J-kPk27qLN8jMg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\6w5xJGM.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.265529023917512
Encrypted:	false
SSDEEP:	24:GgsF+0UTzSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+5z+pAZewRDK4mW
MD5:	CC700D3904B4A5837242CCED890A4FC5
SHA1:	2D2FEB494BFE99391B05DEC59F0D2E5409155483
SHA-256:	477321B298745119FCF2DB5ED51E24D2DBDF164634E1B1F5FE54409288A74644
SHA-512:	68BF777911416C5CAAD1D1141C3A17CE7E34612C708CF2509C4B6FB39021C634380A82AA7B449DBA6F9FC20C5F4AA4B1933BD7DD472BFDEF109F5D8B4D45DD72
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ZC4LP3_LyaZIkwKoMo9lcA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\8vPuAn1.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.279925582605167
Encrypted:	false
SSDEEP:	24:GgsF+0WDSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+1D+pAZewRDK4mW
MD5:	D215E18E6E8F0A1B05747D76F347C556
SHA1:	E71851AB07A0CF075A1AF605ACA0EC0B6A47A658
SHA-256:	1F544128B385259BF49D0892EDD5B98186EC4CC9E1408A0D556EC942F08D8C0C
SHA-512:	74E8D3000E5C162CE83EF692823F7346F9D49E7B3CB2CE9275A1C7F1F7F321723CBC34E7A516FC9D6EF53AD31687657AC55879B8846D8EE8FEB8EA80E0D02B44
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="PdHBWYtOZFtOM8bKT-hEXA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\CPKSXwE.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.272263627989317
Encrypted:	false
SSDEEP:	24:GgsF+0kSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+X+pAZewRDK4mW
MD5:	3008C76D96778487A2ABF8D308F8A882
SHA1:	759D2F4E1E2F87C2A656DE36CA79C0EAD4E0B0E3
SHA-256:	6C9BD749BB78CCF91FDE60AE1C2351548C3CD6C1E3A249F0AC15072348336440
SHA-512:	41F1666B8FFFB0A1E3863D74CCC4B34220B19DDB001FFF2579EB13FCF8B8CA42FA77D3283AC6ADD9F91DBD43658270850583E3F8553A76C9D4088935A61AFFC1
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="OJgl32p_HfsjpIXOPVyR8Q">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\J32jhSD.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.269384156533963
Encrypted:	false
SSDEEP:	24:GgsF+0BPbSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK++Pb+pAZewRDK4mW
MD5:	CF48749F89745E54A55E6D16193D27E7
SHA1:	3DC2E8C23280A88F5E59708723206802657771BE
SHA-256:	D668E264804FD5D4B957F900DD74741261116418BAE093B70B0F2F456AC30EFE
SHA-512:	79173788A171B068F34D65948529C62D1CB794BB35CAA9CB7A3221EA89CB22E2BF21226A8F2DA3815A30C7C0C5AEB09AEEB417E9C326A6323144F058EE9E9AC9
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="6VStmQYx-RPjWe7GkG_kzw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\JjVIORe.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.263929831164288
Encrypted:	false
SSDEEP:	24:GgsF+0RJSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+o+pAZewRDK4mW
MD5:	31B72F16232008CF183976B3D51A79F0
SHA1:	8ABD8160193F09DF206668949CFDB94288B1CB32
SHA-256:	B2FC1D33C80904F02283DCFEDAE94258797D78269DA61178967D59DA044DAC19
SHA-512:	9FCDA3B5921923A6FDE60C342F822B57682F0FDDEDE8706106F72F34638C0A9AD011FE3ED039EE7D6C43033E85EDD68A4E87DB96857A563C7AC29F1F43772A16
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="e68YELosJk26GA-XPwruZg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\KyMiSFh.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, ASCII text, with very long lines (1024), with no line terminators
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	5.243925710636739
Encrypted:	false
SSDEEP:	12:GtRcFsMxTe+0YdMDpdK+z6XZepP5CRfqMGDZGOjqkRZNc6V2nEARBGO1RR0VpqoX:GgsF+0fSU6pepPQfkZbc6cn1BZdAe1c
MD5:	9A56482CEFD606641D9A206CF5F131F0
SHA1:	C5367395548C3F35801694C4917BB6934D43DAAC
SHA-256:	75F6DF48127BC091C39BF05671865AF8B6D724B12D0E3440F7CA48CD051D2518
SHA-512:	6E2F584EE680F4F3BA0CCECEC6421FBDB3080783FBE931BD83737A1811AFE13F6561B72936DE1074530C8D18DF2852BC1E30B120691E7A767D3DBF3FF809639E
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="D9w7IYYiIuf-hOgbbcXIKA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\LOBqwrY.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.252409865966195
Encrypted:	false
SSDEEP:	24:GgsF+0eiSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+xi+pAZewRDK4mW
MD5:	F1BFEE6A8ACD672ACB4DD85526AA160E
SHA1:	10E04A7E18A1D199BDD8556B7BBBB3B3FF7C14B8
SHA-256:	E436B55B708E90DC1FE366103D14DF2D3319E1245C71EAB2B7164BD2E22AC8CF
SHA-512:	CE4BA4831E3B0427898509C3E231261DBA7B648DDF1708EF1A26630E4FD36DAE93922E583BF835135F5FABC47EAB2B764E6566F01BA5914A50256F8E851D49BE
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="q-S4_0buUw1eRox7cTZNKw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\OujRfg1.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.256070303785585
Encrypted:	false
SSDEEP:	24:GgsF+0DbDSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+ID+pAZewRDK4mW
MD5:	76D011E88D2CB5442FBD5ED8DD0331DE
SHA1:	848716B58131B968AC2A792F81D76BB7C4B07C2F
SHA-256:	C0C96BED5A1AA16C7A3B68F34088756A6E8C5C0AB8B4C3CDFE4EC09C99505F09
SHA-512:	27A767CE3C0C671F150EF133AC080BDF2A1DBBEEA85A36B6780A071664A81F9AB2642C70CD164D32BE8CC62BFC6583B326A99B90C50F5F7B56D816287CDEA3F5
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Vm4nay9aPu4AUDetIvb50Q">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\XOrdb9Z.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.267705350336606
Encrypted:	false
SSDEEP:	24:GgsF+0RHSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+aH+pAZewRDK4mW
MD5:	17F08EEC709300805E5F78E29ED36AD2
SHA1:	94EB4F508CC340B7500F429A834C0EA30E353109
SHA-256:	2687824DC1113A95F68155D13471ECB01AFF9C90C08F5D9BDEE042842EDE154A
SHA-512:	FD95AD644021B1EB2CDF3F97B88C0BFAF6D18031D0007AB5CA81C8D8BF97B1C910873B88042F13EA6A39F7473C131DA087850A489D7BE9A97C1671942CE3B8CF
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ZF5S2CH2P6mCdw_PGgS0Mw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\b1qhCxV.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.2627371664204645
Encrypted:	false
SSDEEP:	24:GgsF+0xSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+O+pAZewRDK4mW
MD5:	B3BB714959EBBCD496518D43C6E7BA5E
SHA1:	480D7E205D366612FC22FB1E602D2A38A23BD2AD
SHA-256:	1404A0E73A6C5B07E7C4BD37F91A26E606DA9C2630C51F2247E8903A174E41E2
SHA-512:	4A655A1B7CC7CD06E11E0AEF99C7669C0C664C976A05B7C8612FC804FD64C29A7A18F91FDAB4AD945429D7E6218F61C01EE4B25A4770E7EACEF93AB1DE273188
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="GUXTXtsJu39XtGKC0i9Yog">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102142938.log

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	ASCII text, with very long lines (321), with CRLF line terminators
Category:	dropped
Size (bytes):	13707
Entropy (8bit):	5.5213066512038
Encrypted:	false
SSDEEP:	192:q0QCn41g1O1d1Z1+1M1T1CMLbqLEp/PD8L2VXlnxjF434D:q0XNMLbq6YMXlxB
MD5:	7B0D6401DC72D081D9813E1CE72C15A4
SHA1:	D09F001D4CEAA346D840D4F5FA008EDE01DE0135
SHA-256:	306F2789E0210DA0B11D41E04E20D05F1BE11438344AB0FAA04C9B1CCCFAD3C0
SHA-512:	F8A0F6E46897E6AED29639FB4CBA4F516782FFF917CBEF0060A4E99B761B51C613566CD8039C0786DA2CCE35359ED730C7BBC088F6EBB1062FF49ACF10953F32
Malicious:	false
Preview:	[1F5C:1F60][2025-01-02T14:29:37]i001: Burn v3.10.4.4718, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe..[1F5C:1F60][2025-01-02T14:29:37]i009: Command Line: '-burn.clean.room=C:\Users\user\Desktop\._cache_file.exe -burn.filehandle.attached=524 -burn.filehandle.self=640'..[1F5C:1F60][2025-01-02T14:29:37]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\._cache_file.exe'..[1F5C:1F60][2025-01-02T14:29:37]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1F5C:1F60][2025-01-02T14:29:38]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102142938.log'..[1F5C:1F60][2025-01-02T14:29:38]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.25.28508'..[1F5C:1F60][2025-01-02T14:29:38]i000: Setting string variable 'Wix

C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102142938_000_vcRuntimeMinimum_x86.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
Category:	dropped
Size (bytes):	134666
Entropy (8bit):	3.823862957569456
Encrypted:	false
SSDEEP:	1536:wXIhD/ROm4uhPn22rjYpQyPDcpL4LFNFGllSrU0yUVjZGhhhhhhXXr9O0A3Ng2lu:w5jjZGhhhhhhXXr9O0A4
MD5:	EC3C8985E093C539D94AE2C62A3993AF
SHA1:	EC83FC0B13A9E21E3AA9F19EF6E6CF6F1AA2F3B0
SHA-256:	1A99E2007D0DF0C8C9737D2A5445B24523D969BF4CE4691B156001C36A392AC0
SHA-512:	C4B9E8BCAEAE9B951F55B0D3C6E711517655B97059646F0FC1F2F18BF6044CDA247715C0EE1362D114AE5538F12D18E20E6BADAA318131D77D024CF2F77470AB
Malicious:	false
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.2./.0.1./.2.0.2.5. . .1.4.:.3.0.:.0.3. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.B.0.8.E.6.D.C.2.-.7.6.D.4.-.4.5.8.D.-.A.6.E.2.-.7.E.8.2.4.A.E.2.4.0.D.4.}.\...b.e.\.V.C._.r.e.d.i.s.t...x.8.6...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.E.8.:.B.4.). .[.1.4.:.3.0.:.0.3.:.2.4.7.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.E.8.:.B.4.). .[.1.4.:.3.0.:.0.3.:.2.4.7.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.E.8.:.B.4.). .[.1.4.:.3.0.:.0.3.:.2.4.7.].:. ........ .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . ........ .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.2.B.C.3.B.D.4.D.-.F.A.B.A.-.4.3.9.4.-.9.3.C.7.-.9.A.C.8.2.A.2.6.3.F.E.2.}.v.1.4...2.5...2.8.5.0.8.\.p.a.c.k.a.g.e.s.\.v.c.R.u.n.t.i.m.e.

C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102142938_001_vcRuntimeAdditional_x86.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (411), with CRLF line terminators
Category:	dropped
Size (bytes):	146332
Entropy (8bit):	3.8237013927297014
Encrypted:	false
SSDEEP:	3072:zrqjHfMMMMMMMMMMMMM2eqPqczPSQLTLwMHrRn:Cjn
MD5:	B5D9EB2439896404D58D07B528A1D740
SHA1:	D047C3A16532DFE780E1D33AB94085E2780C0660
SHA-256:	8CEB62DC680CFCCD4C59B9E60F53C11AE9381B166815A955421956E321434BDA
SHA-512:	99F1A7B600FC9221CC0F510B85026F93FBDFF1F05C0B40A488C6E5F07A0ABCE57D9EE92495A8F6BCE6E82ED006F9D388B6643F2F3CD8D469E3253279E07B51BD
Malicious:	false
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.2./.0.1./.2.0.2.5. . .1.4.:.3.0.:.0.7. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.B.0.8.E.6.D.C.2.-.7.6.D.4.-.4.5.8.D.-.A.6.E.2.-.7.E.8.2.4.A.E.2.4.0.D.4.}.\...b.e.\.V.C._.r.e.d.i.s.t...x.8.6...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.E.8.:.2.4.). .[.1.4.:.3.0.:.0.7.:.7.1.6.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.E.8.:.2.4.). .[.1.4.:.3.0.:.0.7.:.7.1.6.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.E.8.:.2.4.). .[.1.4.:.3.0.:.0.7.:.7.1.6.].:. ........ .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . ........ .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.0.F.A.6.8.5.7.4.-.6.9.0.B.-.4.B.0.0.-.8.9.A.A.-.B.2.8.9.4.6.2.3.1.4.4.9.}.v.1.4...2.5...2.8.5.0.8.\.p.a.c.k.a.g.e.s.\.v.c.R.u.n.t.i.m.e.

C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102143013.log

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3879
Entropy (8bit):	5.413215013252675
Encrypted:	false
SSDEEP:	96:Jq/PddXTAD2MFA85nBk1+L1+x1+21+G1+V1+b1+Y1+/f/qG/w/ZG/N/0G/B/YG56:SH8ny1m10171r1I1W1F1V
MD5:	7248B100254CD589A68AA53A39624576
SHA1:	FC1745DAF8CB0B0BA39CB4E99264C73CDF264D36
SHA-256:	030ED9EABF56FCC4E7DE9F032DB8CAD8B9519769B596B54B153A1C5535893F50
SHA-512:	0B7C8ACF86DE794CA54DF85A916E2B1C1448A142C11214AFB20D83076310346CBBDA0B52D1AD61F6A726D678D44A699F3280044BA7A0C4C73E497EB0ED44C8EC
Malicious:	false
Preview:	[1190:0CDC][2025-01-02T14:30:12]i001: Burn v3.10.4.4718, Windows v10.0 (Build 19045: Service Pack 0), path: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe..[1190:0CDC][2025-01-02T14:30:12]i009: Command Line: '"-burn.clean.room=C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540'..[1190:0CDC][2025-01-02T14:30:13]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102143013.log'..[1190:0CDC][2025-01-02T14:30:13]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'..[1190:0DA4][2025-01-02T14:30:13]i000: Setting version variable 'WixBundleFileVersion' to value '14.25.28508.3'..[1190:0CDC][2025-01-02T14:30:13]i100: Detect begin, 10 packages..[1190:0CDC][2025-01-02T14:30:13]i000: Setting version variable 'windows_uCRT_DetectKey' to value '10.0.19041.789'..[1190:0CDC][2025-01-

C:\Users\user\AppData\Local\Temp\jI7y3HC.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.253983376985068
Encrypted:	false
SSDEEP:	24:GgsF+0dQSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+R+pAZewRDK4mW
MD5:	97497E76509BC7BCD4BACAFA76307224
SHA1:	D151239837CA064EF22E403BFCBFC33195A85EB0
SHA-256:	22A2954AA91B99C92CCD7E09950EB29E5B6E3C26AAC6D22352D1A8B6CFDA38D6
SHA-512:	A66735CB0082B876FEA2AE583C727036C9D7E800C169AE047E0644CA6E97FC34620167074FC8A8A03B255DAF0C66408B60EA38937726FB4C7688106C905D0958
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="LL5th1j_O3w2gch3keOXnA">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\lbdRpUp.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.256735920970008
Encrypted:	false
SSDEEP:	24:GgsF+0PSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+c+pAZewRDK4mW
MD5:	448E4107050EDBBBC0A58D73A02D1A58
SHA1:	42EF1DAA74DF76B598C7F9E32BA8A9039BF0B53F
SHA-256:	CFEE7E0A96A82A3E84C2EDFDD234E3526AB6662B0B4839A6700BA4B73DBEE007
SHA-512:	A7F8C85F2744E020292678C20CAA58F4A1D2E12763BF2B6ECEF4358F78F8278B0D1A3F2A3114D120ED335310C2BAA437045BDC3E6473BD08B5B4C2158B57CA83
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Eshvm2gIF2OEMvWuDe5Tow">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\mViR1M7.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.26241384844934
Encrypted:	false
SSDEEP:	24:GgsF+0XMSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+X+pAZewRDK4mW
MD5:	13A3E5AB9E848D8D2541DCD2FC5CDE56
SHA1:	02EC357DD04943E1694E5AC3B988C635B80DB54E
SHA-256:	213D90C69FC15623B120D7A656B22EBFB2F95DBC7A86907086B0345F7E8254DA
SHA-512:	2A8B63A9B1482CCA7EFB2F1A50B0AA891902FC589A0DF03239BAD0B62879D257AC7BA6FCA45248464262F6A3D0DC85B79F782BB03A161873180CBC0C4CF8D5B0
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="YtmymVjsV7bErEMk8XgdYQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\o8MxWXV6.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\AppData\Local\Temp\seCklmi.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.241737398697338
Encrypted:	false
SSDEEP:	24:GgsF+03ISU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+OI+pAZewRDK4mW
MD5:	ADEB54CBA9F58B11887DD2928A276A67
SHA1:	803CE841B88C1FFFC4FCF486AE9C24C224A1FEB1
SHA-256:	F5A23E61B59697E5ED9264C6D95FF10E6A9D9E11F6FE6CA807D4A7D97F1ADFF6
SHA-512:	AEB42AD1FF2ACF6819616353A4AC15AF302D02F8C6754D9115140808354B9721FF6C85557FA72BEB0921F996D5183288D1CC6694A4DBE2ED03C1D9523EF229EE
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="naYebugoksRm_I9s6yoeFw">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1028\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	18127
Entropy (8bit):	4.036737741619669
Encrypted:	false
SSDEEP:	192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
MD5:	B7F65A3A169484D21FA075CCA79083ED
SHA1:	5DBFA18928529A798FF84C14FD333CB08B3377C0
SHA-256:	32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
SHA-512:	EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset134 SimSun;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT \f1\'dc\'9b\'f3\'77\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'ca\'c7\'d9\'46\'d3\'c3\'91\'f4\'c5\'63\f0 Microsoft Corporation (\f1\'bb\'f2\'c6\'e4\'ea\'50\'82\'53\'c6\'f3\'98\'49\'a3\'ac\'d2\'95\'d9\'46\'d3\'c3\'91\'f4\'cb\'f9\'be\'d3\'d7\'a1\'b5\'c4\'b5\'d8\'fc\'63\'b6\'f8\'b6\'a8\f0 ) \f1\'d6\'ae\'e9\'67\'b3\'c9\'c1\'a2\'b5\'c4\'ba\'cf\'bc\'73\'a1\'a3\'cb\'fb\'82\'83\'df\'6d\'d3\'c3\'ec\'b6\'c9\'cf\'ca\'f6\'dc\'9b\'f3\'77\'a3\'ac\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'d2\'e0\'df\'6d\'d3\'c3\'ec\'b6\'c8\'ce\'ba\'ce\f0 Microsoft \f1\'b7\'fe\'84\'d5\'bb\'f2\'b1\'be\'dc\'9b\'f3\'77\'d6\'ae\'b8\'fc\'d0\'c2\'a3

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1028\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2980
Entropy (8bit):	6.163758160900388
Encrypted:	false
SSDEEP:	48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
MD5:	472ABBEDCBAD24DBA5B5F5E8D02C340F
SHA1:	974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
SHA-256:	8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
SHA-512:	676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ................. ......................../passive \| /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1029\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13053
Entropy (8bit):	5.125552901367032
Encrypted:	false
SSDEEP:	192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
MD5:	B408556A89FCE3B47CD61302ECA64AC9
SHA1:	AAC1CDAF085162EFF5EAABF562452C93B73370CB
SHA-256:	21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
SHA-512:	BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z\~jej\f0\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte) a\~v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI TYTO

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1029\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3333
Entropy (8bit):	5.370651462060085
Encrypted:	false
SSDEEP:	48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
MD5:	16343005D29EC431891B02F048C7F581
SHA1:	85A14C40C482D9351271F6119D272D19407C3CE9
SHA-256:	07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
SHA-512:	FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive \| /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1031\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11936
Entropy (8bit):	5.194264396634094
Encrypted:	false
SSDEEP:	192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
MD5:	C2CFA4CE43DFF1FCD200EDD2B1212F0A
SHA1:	E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
SHA-256:	F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
SHA-512:	6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1031\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3379
Entropy (8bit):	5.094097800535488
Encrypted:	false
SSDEEP:	48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
MD5:	561F3F32DB2453647D1992D4D932E872
SHA1:	109548642FB7C5CC0159BEDDBCF7752B12B264C0
SHA-256:	8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
SHA-512:	CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive \| /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1036\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11593
Entropy (8bit):	5.106817099949188
Encrypted:	false
SSDEEP:	192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
MD5:	F0FF747B85B1088A317399B0E11D2101
SHA1:	F13902A39CEAE703A4713AC883D55CFEE5F1876C
SHA-256:	4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
SHA-512:	AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1036\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3366
Entropy (8bit):	5.0912204406356905
Encrypted:	false
SSDEEP:	48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
MD5:	7B46AE8698459830A0F9116BC27DE7DF
SHA1:	D9BB14D483B88996A591392AE03E245CAE19C6C3
SHA-256:	704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
SHA-512:	FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive \| /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1040\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11281
Entropy (8bit):	5.046489958240229
Encrypted:	false
SSDEEP:	192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
MD5:	9D98044BAC59684489C4CF66C3B34C85
SHA1:	36AAE7F10A19D336C725CAFC8583B26D1F5E2325
SHA-256:	A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
SHA-512:	D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\p

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1040\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3319
Entropy (8bit):	5.019774955491369
Encrypted:	false
SSDEEP:	48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
MD5:	D90BC60FA15299925986A52861B8E5D5
SHA1:	FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
SHA-256:	0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
SHA-512:	11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive \| /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1041\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	28232
Entropy (8bit):	3.7669201853275722
Encrypted:	false
SSDEEP:	192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
MD5:	8C49936EC4CF0F64CA2398191C462698
SHA1:	CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
SHA-256:	7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
SHA-512:	4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset128 MS Gothic;}{\f1\fnil\fcharset0 MS Gothic;}{\f2\fnil\fcharset134 SimSun;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'83\'7d\'83\'43\'83\'4e\'83\'8d\'83\'5c\'83\'74\'83\'67 \'83\'5c\'83\'74\'83\'67\'83\'45\'83\'46\'83\'41 \'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\par..\f1 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\'82\'cd\f2\'a1\'a2\f1 Microsoft Corporation (\f0\'82\'dc\'82\'bd\'82\'cd\'82\'a8\'8b\'71\'97\'6c\'82\'cc\'8f\'8a\'8d\'dd\'92\'6e\'82\'c9\'89\'9e\'82\'b6\'82\'c4\'82\'cd\'82\'bb\'82\'cc\'8a\'d6\'98\'41\'89\'ef\'8e\'d0) \'82\'c6\'82\'a8\'8b\'71\'97\'6c\'82\'c6\'82\'cc\'8c\'5f\'96\'f1\'82\'f0\'8d\'5c\'90\'ac\'82\'b5\'82\'dc\'82\'b7\'81\'42\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1041\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3959
Entropy (8bit):	5.955167044943003
Encrypted:	false
SSDEEP:	96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
MD5:	DC81ED54FD28FC6DB6F139C8DA1BDED6
SHA1:	9C719C32844F78AAE523ADB8EE42A54D019C2B05
SHA-256:	6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
SHA-512:	FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ............ ......... .........................

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1042\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	27936
Entropy (8bit):	3.871317037004171
Encrypted:	false
SSDEEP:	384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
MD5:	184D94082717E684EAF081CEC3CBA4B1
SHA1:	960B9DA48F4CDDF29E78BBAE995B52204B26D51B
SHA-256:	A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
SHA-512:	E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset129 Malgun Gothic;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 Microsoft \f1\'bc\'d2\'c7\'c1\'c6\'ae\'bf\'fe\'be\'ee\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'bc\'ad\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'ba\'bb\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'c0\'ba\f0 Microsoft Corporation(\f1\'b6\'c7\'b4\'c2\f0 \f1\'b0\'c5\'c1\'d6\f0 \f1\'c1\'f6\'bf\'aa\'bf\'a1\f0 \f1\'b5\'fb\'b6\'f3\f0 \f1\'b0\'e8\'bf\'ad\'bb\'e7\f0 \f1\'c1\'df\f0 \f1\'c7\'cf\'b3\'aa\f0 )\f1\'b0\'fa\f0 \f1\'b1\'cd\'c7\'cf\f0 \f1\'b0\'a3\'bf\'a1\f0 \f1\'c3\'bc\'b0\'e1\'b5\'c7\'b4\'c2\f0 \f1\'b0\'e8\'be\'e0\'c0\'d4\'b4\'cf\'b4\'d9\f0 . \f1\'ba\'bb\f0 \f1\'c1\'b6\'b0\'c7\'c0\'ba\f0 \f1\'c0\'a7\'bf\'a1\f0 \f1\'b8\'ed\'bd\'c3\'b5\'c8\f0 \f1

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1042\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.985100495461761
Encrypted:	false
SSDEEP:	48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
MD5:	B3399648C2F30930487F20B50378CEC1
SHA1:	CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
SHA-256:	AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
SHA-512:	C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive \| /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1045\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13265
Entropy (8bit):	5.358483628484379
Encrypted:	false
SSDEEP:	192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
MD5:	5B9DF97FC98938BF2936437430E31ECA
SHA1:	AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
SHA-256:	8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
SHA-512:	4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z\~podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a\~Licencjobiorc\f1\'b9. Maj\'b9 one zastosowanie do wskazanego powy\'bfej oprogramowania. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym towarzysz\f1\'b9 inne postanowienia.\par..\b\

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1045\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3212
Entropy (8bit):	5.268378763359481
Encrypted:	false
SSDEEP:	48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
MD5:	15172EAF5C2C2E2B008DE04A250A62A1
SHA1:	ED60F870C473EE87DF39D1584880D964796E6888
SHA-256:	440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
SHA-512:	48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive \| /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1046\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10656
Entropy (8bit):	5.092962528947159
Encrypted:	false
SSDEEP:	192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
MD5:	360FC4A7FFCDB915A7CF440221AFAD36
SHA1:	009F36BBDAD5B9972E8069E53855FC656EA05800
SHA-256:	9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
SHA-512:	9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Estes termos de licen\'e7a formam um contrato firmado entre a Microsoft Corporation (ou com base no seu pa\'eds de resid\'eancia, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\t

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1046\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3095
Entropy (8bit):	5.150868216959352
Encrypted:	false
SSDEEP:	48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
MD5:	BE27B98E086D2B8068B16DBF43E18D50
SHA1:	6FAF34A36C8D9DE55650D0466563852552927603
SHA-256:	F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
SHA-512:	3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive \| /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1049\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	31915
Entropy (8bit):	3.6440775919653996
Encrypted:	false
SSDEEP:	384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
MD5:	A59C893E2C2B4063AE821E42519F9812
SHA1:	C00D0B11F6B25246357053F6620E57D990EFC698
SHA-256:	0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
SHA-512:	B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset204 Tahoma;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset204 Garamond;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang1049\'d3\'d1\'cb\'ce\'c2\'c8\'df \'cb\'c8\'d6\'c5\'cd\'c7\'c8\'c8 \'cd\'c0 \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'cd\'ce\'c5 \'ce\'c1\'c5\'d1\'cf\'c5\'d7\'c5\'cd\'c8\'c5 MICROSOFT\par..\f1\lang9 MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0\f0\lang1049\'cd\'e0\'f1\'f2\'ee\'ff\'f9\'e8\'e5 \'f3\'f1\'eb\'ee\'e2\'e8\'ff \'eb\'e8\'f6\'e5\'ed\'e7\'e8\'e8 \'ff\'e2\'eb\'ff\'fe\'f2\'f1\'ff \'f1\'ee\'e3\'eb\'e0\'f8\'e5\'ed\'e8\'e5\'ec \'ec\'e5\'e6\'e4\'f3 \'ea\'ee\'f0\'ef\'ee\'f0\'e0\'f6\'e8\'e5\'e9 Microsoft (\'e8\'eb\'e8, \'e2 \'e7\'e0\'e2\'e8\'f1\'e8\'ec\'ee\'f1\'f2\'e8 \'ee\'f2 \'ec\'e5\'f1\'f2\'e0 \'e2\'e0\'f8\'e5\'e3\'ee \'ef\'f0\'ee\'e6\'e8\'e2\'e0\'ed\'e8\'ff, \'ee\

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1049\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	4150
Entropy (8bit):	5.444436038992627
Encrypted:	false
SSDEEP:	48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
MD5:	17C652452E5EE930A7F1E5E312C17324
SHA1:	59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
SHA-256:	7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
SHA-512:	53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive \| /quiet - ........... ....

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1055\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13379
Entropy (8bit):	5.214715951393874
Encrypted:	false
SSDEEP:	192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
MD5:	BD2DC15DFEE66076BBA6D15A527089E7
SHA1:	8768518F2318F1B8A3F8908A056213042A377CC4
SHA-256:	62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
SHA-512:	9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\1055\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3221
Entropy (8bit):	5.280530692056262
Encrypted:	false
SSDEEP:	48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
MD5:	DEFBEA001DC4EB66553630AC7CE47CCA
SHA1:	90CED64EC7C861F03484B5D5616FDBCDA8F64788
SHA-256:	E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
SHA-512:	B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive \| /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\2052\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	17863
Entropy (8bit):	3.9617786349452775
Encrypted:	false
SSDEEP:	192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
MD5:	3CF16377C0D1B2E16FFD6E32BF139AC5
SHA1:	D1A8C3730231D51C7BB85A7A15B948794E99BDCE
SHA-256:	E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
SHA-512:	E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset134 SimSun;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'ce\'a2\'c8\'ed\'c8\'ed\'bc\'fe\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\f1\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'d5\'e2\'d0\'a9\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\'ca\'c7\f1 Microsoft Corporation\f0\'a3\'a8\'bb\'f2\'c4\'fa\'cb\'f9\'d4\'da\'b5\'d8\'b5\'c4\f1 Microsoft \f0\'b9\'d8\'c1\'aa\'b9\'ab\'cb\'be\'a3\'a9\'d3\'eb\'c4\'fa\'d6\'ae\'bc\'e4\'b4\'ef\'b3\'c9\'b5\'c4\'d0\'ad\'d2\'e9\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'ca\'ca\'d3\'c3\'d3\'da\'c9\'cf\'ca\'f6\'c8\'ed\'bc\'fe\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'d2\'b2\'ca\'ca\'d3\'c3\'d3\'da\'d5\'eb\'b6\'d4\'b8\'c3\'c8\'ed\'bc\'fe\'b5\'c4\'c8\'ce\'ba\'ce\'ce\'a2\'c8\'ed\'b7\'fe\'ce\'f1\'bb\'f2\'b8\'fc\'d0\'c2\'a3\'ac\'b5\'ab\'d3\'d0\'b2\'bb\'cd\

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\2052\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2978
Entropy (8bit):	6.135205733555905
Encrypted:	false
SSDEEP:	48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
MD5:	3D1E15DEEACE801322E222969A574F17
SHA1:	58074C83775E1A884FED6679ACF9AC78ABB8A169
SHA-256:	2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
SHA-512:	10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [..] - .......... ..................Install ........../passive \| /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\3082\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10714
Entropy (8bit):	5.122578090102117
Encrypted:	false
SSDEEP:	192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
MD5:	FBF293EE95AFEF818EAF07BB088A1596
SHA1:	BBA1991BA6459C9F19B235C43A9B781A24324606
SHA-256:	1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
SHA-512:	6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\3082\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3265
Entropy (8bit):	5.0491645049584655
Encrypted:	false
SSDEEP:	48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
MD5:	47F9F8D342C9C22D0C9636BC7362FA8F
SHA1:	3922D1589E284CE76AB39800E2B064F71123C1C5
SHA-256:	9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
SHA-512:	E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive \| /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (558), with CRLF line terminators
Category:	dropped
Size (bytes):	13122
Entropy (8bit):	3.729412080010859
Encrypted:	false
SSDEEP:	192:X0sg+QnH5zHqQHG0Hd8Hz7HE06HA0rH3FxF6OxLo3MzLa0LTnDBx7z8NkzzkvQwj:X0sBydLbmnoN10A1TpotVos
MD5:	B51EF22109AEEA9AE5190E9EF67D9476
SHA1:	FDF939DA26A1268CDF0510AA40FBCA614947C9FD
SHA-256:	1031C44505A4D8322C3BFF5BA92AE5E2C84D7041A01537D187726C9D4E862E5F
SHA-512:	27AA0612337B7473C75BA73EFAF606EE1DB13F7F633151ED5BFF7A9BB5A5AF5502EF3597AE0E95F714F5F0D19A2452413BD18E91516E696DED76C277D0BCA238
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T. .&.g.t.;.=. .v.6...0. .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .2.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...2. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).". .M.e.s.s.a.g.e.=.".[.W.i.x.B.u.n.d.l.e.N.a.m.e.]. .c.a.n. .o.n.l.y. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .W.i.n.d.o.w.s. .X.P. .S.P.2. .a.n.d. .n.e.w.e.r. .p.l.a.t.f.o.r.m.s...". ./.>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.4...2.5...2.8.5.0.8.". .L.o.g.P.

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	9046
Entropy (8bit):	5.157073875669985
Encrypted:	false
SSDEEP:	192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
MD5:	2EABBB391ACB89942396DF5C1CA2BAD8
SHA1:	182A6F93703549290BCDE92920D37BC1DEC712BB
SHA-256:	E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
SHA-512:	20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\logo.png

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	PNG image data, 64 x 64, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1861
Entropy (8bit):	6.868587546770907
Encrypted:	false
SSDEEP:	24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
MD5:	D6BD210F227442B3362493D046CEA233
SHA1:	FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
SHA-256:	335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
SHA-512:	464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
Malicious:	false
Preview:	.PNG........IHDR...@...@.............sRGB.........gAMA......a.....PLTE].q^.r_.r_.s`.s`.s`.ta.ta.ub.ub.vc.vd.vd.vd.we.we.xe.xg.yg yg zh zh"zi"{j#\|i${j$\|n~n.n,.o,.p..q0.r2.s3.t5.x;.x<.y>.z?.\|B.~C.}E..F..F..H..I..J..L..O..P..W..Y..^..a..c..g..i..q..r..}.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S......pHYs..%...%....^.....tEXtSoftware.Paint.NET v3.5.100.r.....IDATXG..iW.@...EJ.$M...`AEpG..7TpWT@\.."....(..(.._;...di:9.c>q..g....T...._...-....F..+..w.

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2952
Entropy (8bit):	5.052095286906672
Encrypted:	false
SSDEEP:	48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
MD5:	FBFCBC4DACC566A3C426F43CE10907B6
SHA1:	63C45F9A771161740E100FAF710F30EED017D723
SHA-256:	70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
SHA-512:	063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive \| /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\thm.xml

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	5.184632608060528
Encrypted:	false
SSDEEP:	96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
MD5:	F62729C6D2540015E072514226C121C7
SHA1:	C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
SHA-256:	F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
SHA-512:	CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig

C:\Users\user\AppData\Local\Temp\{E948C7D5-97D7-4DA4-8725-913C8C572E5D}\.ba\wixstdba.dll

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	195600
Entropy (8bit):	6.682530937585544
Encrypted:	false
SSDEEP:	3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
MD5:	EAB9CAF4277829ABDF6223EC1EFA0EDD
SHA1:	74862ECF349A9BEDD32699F2A7A4E00B4727543D
SHA-256:	A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
SHA-512:	45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3..R...R...R..h.N..R..h.L.R..h.M..R.......R.......R.......R...<..R...,..R...R...S..K....R..K....R..N.@..R...R(..R..K....R..Rich.R..................PE..L......Z...........!................d.....................................................@..............................................................D......,.......T...............................@...............X............................text............................... ..`.rdata.............................@..@.data...............................@....gfids..............................@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~$o8MxWXV6.xlsm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.3520167401771568
Encrypted:	false
SSDEEP:	3:xvXFz7f:9Xl
MD5:	4B86B2D21B2AC48AD3A1A46FBF1DE4D5
SHA1:	2D695349311A0DAF9B77392C04178F1BD99CCEF2
SHA-256:	22C126EA43AB2F7C80E19E857C50118A3E08A4A98BE31E2ADCFCA88C8E6C5A5D
SHA-512:	FE133E064DAF100FAD21CB4AE44AE573F66A0157A9418538FCE9744B8FB0500478EDE10B9A49E222AA21F14DCB32B384BA1B4D06402D6519EC4E645295F46B76
Malicious:	false
Preview:	.user ..b.r.o.k. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\~DF9BFAACEE61987A0E.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.746897789531007
Encrypted:	false
SSDEEP:	192:QuY+pHkfpPr76TWiu0FPZK3rcd5kM7f+ihdCF3EiRcx+NSt0ckBCecUSaFUH:ZZpEhSTWi/ekfzaVNg0c4gU
MD5:	7426F318A20A187D88A6EC88BBB53BAF
SHA1:	4F2C80834F4B5C9FCF6F4B1D4BF82C9F7CCB92CA
SHA-256:	9AF85C0291203D0F536AA3F4CB7D5FBD4554B331BF4254A6ECD99FE419217830
SHA-512:	EC7BAA93D8E3ACC738883BAA5AEDF22137C26330179164C8FCE7D7F578C552119F58573D941B7BEFC4E6848C0ADEEF358B929A733867923EE31CD2717BE20B80
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\._cache_file.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14412304
Entropy (8bit):	7.995531820003883
Encrypted:	true
SSDEEP:	393216:/d/FlptVYmfr7yBG/4JU4TRjtjUMy4i6kgsY7i:/1PpttD7yBG/QHTJtYMyke9
MD5:	DE34B1C517E0463602624BBC8294C08D
SHA1:	5CE7923FFEA712468C05E7AC376DD9C29EA9F6BE
SHA-256:	AC96016F1511AE3EB5EC9DE04551146FE351B7F97858DCD67163912E2302F5D6
SHA-512:	114BCA1ECD17E419AD617A1A4341E607250BCB02626CDC0670EB60BE734BBAD1F3C84E38F077AF9A32A6B1607B8CE6E4B3641C0FAEFAA779C0FEC0D3AC022DAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;...............B...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................

C:\Users\user\Documents\NVWZAPQSQL.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\Documents\~$NVWZAPQSQL.xlsx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.3520167401771568
Encrypted:	false
SSDEEP:	3:xvXFz7f:9Xl
MD5:	4B86B2D21B2AC48AD3A1A46FBF1DE4D5
SHA1:	2D695349311A0DAF9B77392C04178F1BD99CCEF2
SHA-256:	22C126EA43AB2F7C80E19E857C50118A3E08A4A98BE31E2ADCFCA88C8E6C5A5D
SHA-512:	FE133E064DAF100FAD21CB4AE44AE573F66A0157A9418538FCE9744B8FB0500478EDE10B9A49E222AA21F14DCB32B384BA1B4D06402D6519EC4E645295F46B76
Malicious:	false
Preview:	.user ..b.r.o.k. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Documents\~$cache1

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	771584
Entropy (8bit):	6.636362882247521
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IFr:ansJ39LyjbJkQFMhmC+6GD92
MD5:	B753207B14C635F29B2ABF64F603570A
SHA1:	8A40E828224F22361B09494A556A20DB82FC97B9
SHA-256:	7F16106F3354A65FC749737905B77DF7BBEFA28BF8BBC966DC1F8C53FA4660F2
SHA-512:	0DD32803B95D53BADD33C0C84DF1002451090FF5F74736680E3A53A0BFC0E723EEE7D795626BC10A1FB431DE7E6E276C5A66349EF385A8B92B48425B0BDD036F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Documents\~$cache1, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Documents\~$cache1, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	250144
Entropy (8bit):	6.698404457805156
Encrypted:	false
SSDEEP:	6144:emyq0GgZNA2UwM1vfEcgVAtP+9vIaIgVb5C/U0ZXQVSSIuVxND5S912z/VsDBZAu:eAIMogaIgyRZFuVxNkeztu
MD5:	92F00AD0D5283A6A763073E2F1E4EB58
SHA1:	70BCB3C04DDF9A07F4FA65E94FC6997E58606699
SHA-256:	17079A00DA2F4653B85C9B659088DD485BF84C0B3E5E7E80C7612CAF1EF2BEFC
SHA-512:	2A7BA56FF5B8BC7B8E7C2729C9E59E806F91188A594F306D8524B01C3752066709030F206AA1556507A90944A58D53E497F8774F90D8E8B5FBD31EEC6430FFB0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M.vH,.%H,.%H,.%..G%J,.%AT;%B,.%CC.$M,.%H,.%.,.%CC.$C,.%CC.$O,.%CC.$.,.%CC.$I,.%CCW%I,.%CC.$I,.%RichH,.%........................PE..L...<W.^.........."!.........x......0........0...........................................@A........................0....K..<r.......................... A.......+...;..8............................<..@............p..8............................text............................... ..`.data....4...0...2..................@....idata.......p.......N..............@..@.rsrc................`..............@..@.reloc...+.......,...d..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	453920
Entropy (8bit):	6.66950080753057
Encrypted:	false
SSDEEP:	12288:tjBcSw+X+OLM+PBrWHPd9pGDXywWz08oumlBVhUgiW6QR7t5s03Ooc8dHkC2esrG:tjBcSw+1M+PBrWF9IWwWz08ay03Ooc87
MD5:	697220335E5C4B4126AF45F6F8207896
SHA1:	8106F2DD4665AEC0D1C652E29378EF46EA4E5801
SHA-256:	D7446822C53CF6B9E31D5610D838EBF26ED08BF7497A3E022C47FF193CCDE0BE
SHA-512:	B820735E96600A1382D4097A7638F3286335D93032152B8C85E4EA8196439DFE687E1F8309A81F13A43705A323EDA12BD69EFAC50A09048E57498CEDE4924CF0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8"2.\|C\.\|C\.\|C\....~C\.u;.jC\.\|C]..C\.w,]..C\.w,X.wC\.w,_.tC\.w,Y..C\.w,\.}C\.w,..}C\.w,^.}C\.Rich\|C\.................PE..L...AW.^.........."!.....:.......... ........P............................................@A.........................y................................. A.......;...y..8...........................Hx..@...................Tv..@....................text...29.......:.................. ..`.data...t(...P.......>..............@....idata...............V..............@..@.didat..4............j..............@....rsrc................l..............@..@.reloc...;.......<...p..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29472
Entropy (8bit):	6.817865566900363
Encrypted:	false
SSDEEP:	384:YXi/n/o+H/UgljjdJu+9WcU5gWE5d6c+pBj0HRN7ToucyHRN7rP1x4l78Ka:YknwQJVdJu1qqWNL3nKa
MD5:	511F8CF3E1C960B5AA76FDA0B845D246
SHA1:	6BA029A7C545D64C044AAAD93A3DD00702BDF44E
SHA-256:	4874449EE85BCA44BE95DEA5FAD6AC4F0F5456788C928844702CC5ED4935DD83
SHA-512:	5D0F04AD49AC91202254981CB69EE6EEAEF2C89535B5F396D03EB8BC42B786AF6DB1C3763807597DBDD3E13736B70BFBDEF9149EC45190E7DB1E03E62F939EE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................'!......y....................................................Rich....................PE..L...GW.^.........."!.........................0...............................p...........@A...........................J....@..x....P...............2.. A...`......h...8...............................@............@...............................text............................... ..`.data...H....0......."..............@....idata.......@.......$..............@..@.rsrc........P.....................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	174064
Entropy (8bit):	6.871923327983383
Encrypted:	false
SSDEEP:	3072:l3ZqbqsS20jBQh6fLPbU7DuJMCIuW4vdzAY9Sx5+9:l3Zq2bQh6fL+CJMpuW4vdEY489
MD5:	57ED07CB2B239D7CF58EF98040A9B4BD
SHA1:	40BE57A54102EA5AF3D3173C8815BDF35761E5F5
SHA-256:	940FF0F7EA7149084533CF81156CAA42A05BB44656164D769DCB299ECF7A350C
SHA-512:	5459FB26218C13BFC8284E446403964D77CF27ABA51A5149FA7CD916C405811F80A93C93B1310044D586CB7C00489E3AFDDC97343CB40D945BAAEB4B80E971F3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................ORA.....=....................................Q.........Rich...........PE..L...GW.^.........."!........<...............@............................................@A.........................2..@....Q.......`...............f...A...p..P....\..8............................\..@............P...............................text....(......................... ..`.data... ....@......................@....idata..`....P.......6..............@..@.rsrc........`.......D..............@..@.reloc..P....p.......H..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26400
Entropy (8bit):	6.826117601279947
Encrypted:	false
SSDEEP:	384:hlFGXZfbOwqjmeIFWiWEWu9Pc+pBj0HRN7TsHEcyHRN7rwr2l4UP:UD/OtuWLUG
MD5:	4905D449E1C36735AF33A8CF4F08895D
SHA1:	D34E3F579507F23C6B3378DA44E666B85FFF6E3B
SHA-256:	54CF497485E1247F04EF705157CAD26F2FE9D0C353D5970A6FF8E5848504C4DE
SHA-512:	6FF95EB8B191D970E145C6A6DE98370A0B464BE215A5A2DC14E98BEF03DBB886444CEEA0906DFFEFE07960CC870AF377D64AC4EAF6D9FE7E7F5E0D4A92080559
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........qT............mO......................................................................Rich............PE..L...GW.^.........."!................@........0...............................p......u.....@A.........................!../...l@..P....P..0............&.. A...`..D...D...8...............................@............@..h............................text............................... ..`.data........0......................@....idata..t....@......................@..@.rsrc...0....P......................@..@.reloc..D....`.......$..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	274208
Entropy (8bit):	6.608613260235627
Encrypted:	false
SSDEEP:	3072:JLZNCBQSuHX5pXCcDWUE1GM6FXNQBkNo9uYKTsWycLfaMHjb3yiH:WuTDJZXiBEkuYKTVfa6
MD5:	74E8CB0C4E08C63E386F373D1D2C394D
SHA1:	4134B4A2E5BA4C72A0F8D1472D90E94D7EACBD0F
SHA-256:	75E6504A83B23A9B3D58885BFB3ED8A5C06FAB4C25139AAB83C2EC0522D2C095
SHA-512:	84BAB1D2977089AB3BAC41710FAB40AC39D2FE3B0F9FD7AA6D1E2CEDFDE004595F74A8320E21A4D313EECB407B99BAD39429C8AFA65F16698FE485C4C474CBD1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B....`@..`@..`@......`@...A..`@...E..`@...D..`@...C..`@.....`@..`A.u`@...I..`@...@..`@......`@...B..`@.Rich.`@.........................PE..L....V.^.........."!......................... ............................... ............@A........................0....=.............................. A.......W..lJ..8............................J..@............................................text...K........................... ..`.data... p... ...n..................@....idata..............................@..@.rsrc...............................@..@.reloc...W.......X..................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vcruntime140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83232
Entropy (8bit):	6.884071103046351
Encrypted:	false
SSDEEP:	1536:DbLqOxUSsdRwFUzVCNkU1jXCizVaYecbv4MUqQmFk:DaOxfsd6FUp3uhecbv4MU
MD5:	4C360F78DE1F5BAAA5F110E65FAC94B4
SHA1:	20A2E66FD577293B33BA1C9D01EF04582DEAF3A5
SHA-256:	AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
SHA-512:	C6BBA093D2E83B178A783D1DDFD1530C3ADCB623D299D56DB1B94ED34C0447E88930200BF45E5FB961F8FD7AD691310B586A7D754D7A6D7D27D58B74986A4DB8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T...............Q........q.........8...................................................Rich............................PE..L...;W.^.........."!.........................................................@......g.....@A......................................... .................. A...0..8....#..8............................#..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc........ ......................@..@.reloc..8....0......................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\4539ec.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.237627585353464
Encrypted:	false
SSDEEP:	3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
MD5:	6AA3A12A374E36C6A7BD75B7627A5A7C
SHA1:	56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
SHA-256:	AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
SHA-512:	B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\4539f0.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.237627585353464
Encrypted:	false
SSDEEP:	3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
MD5:	6AA3A12A374E36C6A7BD75B7627A5A7C
SHA1:	56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
SHA-256:	AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
SHA-512:	B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\4539f1.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.3376915344280516
Encrypted:	false
SSDEEP:	3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
MD5:	4B97853A7D10743D67665CCDD67E8566
SHA1:	AF5F7059C9A05A388B4773917E17A078FA58F5E9
SHA-256:	63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
SHA-512:	ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\4539f8.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.3376915344280516
Encrypted:	false
SSDEEP:	3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
MD5:	4B97853A7D10743D67665CCDD67E8566
SHA1:	AF5F7059C9A05A388B4773917E17A078FA58F5E9
SHA-256:	63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
SHA-512:	ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4064.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	7552
Entropy (8bit):	5.634080381147283
Encrypted:	false
SSDEEP:	96:5DDpeDVDpE8rorjkFEdogLNy5J5J5J5J5J5J5J5J5AO5KvbSYYHxRRI8tlDpN8kr:5sWzLrDSHXh0eXznGYWOf
MD5:	7CF72A6CC6324D23B501F03C09EF12A1
SHA1:	FAAC16F4ADF01BC38D030930719A8783EBEED514
SHA-256:	7CF21A11E9D168D3896C20D5CD1CB68D3F71EF5A8F55D06EC5586047E2737300
SHA-512:	098B57F86126A82AF38E6BD57BC53001ACB2963491996343D3CF201CA68A0EEE6FAC10F8DF70CED628042E7B2775D6A85B554426D067E3D6DBD11C51E53C7890
Malicious:	false
Preview:	...@IXOS.@.....@.s"Z.@.....@.....@.....@.....@.....@......&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2};.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508..vc_runtimeMinimum_x86.msi.@.....@\o...@.....@........&.{DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}@.02:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X86\Version.@.......@.....@.....@......&.{42F41217-AF8B-33D4-9CB3-FF5F696BECBB}...@.......@.....@.....@......&.{E8E39D3B-4F35-36D8-B892-4B28336FE041}$.C:\Windows\SysWOW64\vcruntime140.dll.@.......@.....@.....@......&.{A2AA960C-FD3C-3A6D-BD6F-14933011AFB3} .C:\Windows\SysWOW64\msvcp140.dll.@.......@.....@.....@......&.{A2E7203F-60C2-3D7E-8A46-DB3D

C:\Windows\Installer\MSI4C5C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	9668
Entropy (8bit):	5.640648258132515
Encrypted:	false
SSDEEP:	192:jivmH5xSSSLuyAV2YO8WeCUoBaOeXp33LsLNWsrJ5:jivmH5xSSguyA0YOn1mpnQZWsrJ5
MD5:	5772F69D6666ED6A0B9AEABBD92FEC96
SHA1:	B6B7B223C0DEEC9845DCE09BFFA564B77A4C3355
SHA-256:	C5FB2C94A1C197D2851AB884A055F3E98A8777E63A7DD705F19BB1B6E6C828C4
SHA-512:	17E783E46076820DF6DFEEE293428990D701274AFF95DE5D365D2F977C3A5231CB4A8BA79B0C4F04241DB5E454FEA0E548F9D7A9D03D7294363F41F157BA67F2
Malicious:	false
Preview:	...@IXOS.@.....@.s"Z.@.....@.....@.....@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508..vc_runtimeAdditional_x86.msi.@.....@\o...@.....@........&.{AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}@.02:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X86\Version.@.......@.....@.....@......&.{4FD4AB8C-C57F-3782-9230-9CCA22153AD3}..C:\Windows\SysWOW64\mfc140.dll.@.......@.....@.....@......&.{46A1EA6B-3D81-3399-8991-127F7F7AE76A}..C:\Windows\SysWOW64\mfc140u.dll.@.......@.....@.....@......&.{C94DDE19-CC70-3B9A-A6AF-5CA7340B9B9A}..C:\Windows\SysWOW64\mfcm140.dll.@.......@.....@.....@....

C:\Windows\Installer\SourceHash{0FA68574-690B-4B00-89AA-B28946231449}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.2081219491501645
Encrypted:	false
SSDEEP:	12:JSbX72FjFyXAlfLIlHuRpWBhG7777777777777777777777777ZDHFw7zpHQEQBM:JYUIwUieFHQjcF
MD5:	ADEACE6BEE919EBA4EC873791ABBA90E
SHA1:	4B5734DD92288DB8F93ECE70CC0B7D22B995459E
SHA-256:	9B6553C8318A5329C828C3BA8CEE08796F6E0414F5AF4659F91F64ACED7D534C
SHA-512:	8D8859C51493AA7EEA8B254B247E659F37339C1AC387760027F1872C48F2CE9C7E64D46A0A93418D6D80A164AA507FE43C65F19E86AB96107292957BA49C564E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.2068897069953097
Encrypted:	false
SSDEEP:	12:JSbX72FjVXAlfLIlHuRpZhG7777777777777777777777777ZDHFPZx2hs9X4KQr:J/UIwExP2hs9fcF
MD5:	7876B6FDA215A8BEFBE3D67184C8284F
SHA1:	3CCC41BB40D8CEA85A830481D930305DCB0A0E14
SHA-256:	16C99DA2D515686C2DAB75AA55A57FD9AB50566CC28BC0413E5BDC040A770233
SHA-512:	B81CB4D244D5A3AB128AC18EF02A0B91E9D60205E6FB0FC1888853B8CC09A10251E9B2476400E772E33878C0C2AA175AE68E173B209C0928BBC9BA8E8F436A7B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5222228411206007
Encrypted:	false
SSDEEP:	48:X8PhNuRc06WXi/FT5Tdj6RLBL7uSmRSWKSIVlZQc:WhN1RFTXjaLBL7uVRmJlZQc
MD5:	6FDD7AF8A63668DAFE92A76DD98C35F0
SHA1:	FC07FC5C17906FC2C4C717AAD4C9C2C9B8E493E3
SHA-256:	680EE74FCA46694680A2CBA0B2CA435FFED6B7882F522B165F15204CA6D3059E
SHA-512:	05C928DF30FB18D65026F9529F29D77729D6ED94652F5CCE985CD87DE66888F3C7016CC4B70775B7123FA6527165E5AA590B6C9240448A3A39ED7092F97196EC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	363829
Entropy (8bit):	5.365403408008309
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauH:zTtbmkExhMJCIpEm
MD5:	9A71133321B3A63C3C9CC8200FD386BA
SHA1:	44C943C9985385699374C2C6E15E34A7774E6EBE
SHA-256:	0B6F439C3A666D5CB1084BAAED85293B9B1FC9940EAE935F18C86CB72A4A6423
SHA-512:	95180D35C0C808B6CCBA90F48418D3B80F92DFFA061BD3E5275BF74BD3FAAD3A8F5FE62325759D791233467554B9BAE792DD0F07429A1167EC158EE5495981C7
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\mfc140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4782880
Entropy (8bit):	7.048362842065633
Encrypted:	false
SSDEEP:	98304:rcQO/zACc35FeIj0v8Tu8expRWrBu2gubZkFLOAkGkzdnEVomFHKnP7z:jqie9v8CVp4Bu2gubZkFLOyomFHKnP
MD5:	4B9941864214A7BB96D3704420C2D28C
SHA1:	05ACF3D57A349DCF29BC68A7A6F0DEC6D971B940
SHA-256:	1F9CCCA43EEF25CA44C69648124265944493FC220BCDECDB79AA28C33468B59B
SHA-512:	5CB4FFE656AB0C9973A02A7055689F8B945BCFB312B6B324432A717B2C95FF89B35BF70AE553F5176921A7DFF0E8F8F357288496EDC149CB377675130C7AD38B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........%.suv.suv.suv7.v.suv7.v.suv7.v.suv...v.suv..tw.suv..qw.suv..vw.suv..pw.suv7.v.suv.stv.wuv..\|w.ruv..uw.suv...v.suv..ww.suvRich.suv........................PE..L....V.^.........."!.........b......._*......................................0I.....r.I...@A.........................-....../......./...............H. A....E.x...l@..8...........................@4..@............./.....`.-......................text.............................. ..`.data...............................@....idata...T..../..V...6/.............@..@.didat......../......./.............@....rsrc........./......./.............@..@.reloc..x.....E......(E.............@..B................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140chs.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47592
Entropy (8bit):	6.147771533863041
Encrypted:	false
SSDEEP:	384:DA5dBlsNKvsXZWxdWvYbMktLiBr8uuPgldyevyBb7DVLN1Xzc+pBj0HRN7TPocyF:GdzvsXcb9tLkr8yTby97DVLBWUHui
MD5:	5EB37CFB087F972E0E9BF8CD9F216D0A
SHA1:	3FD426C91E122990E7746C415AEB3C9E6A459073
SHA-256:	9DBE835C0812D759A4461429D4FDE097BB9EC67A97F347F70C9796800DE92BA6
SHA-512:	865670D5EECF2EAB3BD17348FDCD31EC785F55F345E6048F83B346C16594535F59D68E6EE8F11453C2BD65D89440B50A54903D55E21F6DCB6C7DE79CDC2C06C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L...\|V.^.........."!.........v............................................................@.......................................... ..8s...........x...A..............8............................................................................text...............................@..@.rsrc...8s... ...t..................@..@....\|V.^........Y...8...8.......\|V.^........T...........RSDS..M.X=NK.....dH.....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHS.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1...a...rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140cht.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47392
Entropy (8bit):	6.180362861252495
Encrypted:	false
SSDEEP:	768:uDhffucVI4Sd7kYw4JUM3i/EhWrKpWin2vSd:YucVI4Sd4YJUM3XhWuoNKd
MD5:	40F626F56782D1C6AE773B202082CB92
SHA1:	65388EDEF5C7DC53A0040AD73D144D52FD02B7F8
SHA-256:	8056DF5651B576CFFAD288A322939049CF62C8A564CB53EEE187E2DCBDBD9BEF
SHA-512:	7F99BFB9C11E377BF5B1F526FA6015BF99E28683EEC5C52FB453F60F4C49561FE81B21A61A4783673C46A8F6D62E048609720674746057291A9F025F565822CD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!.........v......................................................R.....@.......................................... ..`s...........x.. A..............8............................................................................text...............................@..@.rsrc...`s... ...t..................@..@.....V.^........Y...8...8........V.^........T...........RSDS..9....N..'q........d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHT.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1...a...rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140deu.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	76272
Entropy (8bit):	4.788610818407564
Encrypted:	false
SSDEEP:	1536:SVPidQr0UZqnn0BDvmPS6VFaGCWKZ+e0petNSaBhp0vcsjsr8gWb8C1dCuf9xtP9:SVidQr0UZqnnSvmPS6VFaGCWKZX0Whpq
MD5:	20A38BD043C56FE2882F88944A3E6E6C
SHA1:	5E154DFD410A7F8F99D11C999DD68CD0C76842F9
SHA-256:	CD305576B63458ADF41BDB70FB6EBAED8A032294851336786A5A7169F4F57B05
SHA-512:	8C706656BA722EA7A9F313F5C1DEF41FA70D7E13D59BC5A3D8F85FE5CEDC2F014DDB76E16D15C231DD08FA6D639C8C457841FF0CCECC6B0FBAC379A460EC5C66
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!................................................................0[....@.......................................... ..X................A..............8............................................................................text...............................@..@.rsrc...X.... ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS2j.5,..J.#..#......d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140DEU.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140enu.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66336
Entropy (8bit):	4.921664492323363
Encrypted:	false
SSDEEP:	768:9VmijcBEhCgy6cAu1HLPLNqyf/nWHBNhdBU2fd5GWPoRh:9Vdzfy6cAuhPLNXf/nWHNfd/PoRh
MD5:	183B42F7ECEDB4AE4BE8E06C2981EDEF
SHA1:	906365FECC6B420C63BDB05574C79571ED4C6654
SHA-256:	5C4B666503DCABF9763610EC5AB3B19D4555A5F349DE7067D6D0F7A3E8146126
SHA-512:	B4C57C1270D2E219210AEA3145148D8DC68A95ED31A0CC026413179A73961E7215DDE9F355B20859BD19B3BDDA943B48F79F94B6F7CC7BB8F4B087CD6E7F73E4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... ................. A..............8............................................................................text...............................@..@.rsrc....... ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.W-.R.8@..(=.hYo....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..X....rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140esn.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	75040
Entropy (8bit):	4.751545699698718
Encrypted:	false
SSDEEP:	768:5K0KnBU6gW6qg/iKuCOCF3OKWRElMRZ/IvpIfWUz1v3nl:Vwq6gW6B/iKuFm3OKWxRZ/InW1f
MD5:	D50AB1B9666BD7C9E7C134ADE3C42D1C
SHA1:	CDC5C1987689F1A0E34075CD18C692EA88C17E3A
SHA-256:	8AD53B060AA193BE6517C8C63D1855B39B6523696C617C0764822DB131E78F22
SHA-512:	489D6E0346168381066F0D372E1AD3CBC66FFD3B1F07DC80B76441DCD231563803EF940A96F93270F2BCC82A35F4793EE4B6AD6F4A15A4DAB25ACA343CB693BE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... .................. A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS+..Ti.F.........d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ESN.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140fra.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	76272
Entropy (8bit):	4.7728351522639585
Encrypted:	false
SSDEEP:	768:W26iNYajZELOtYFmNRYxAaTafCp5eQYZmZUjyyyyyyyyyyyyyyyUGQFUbWTVNerP:WNuqLOt6A2SCHu0joPwsM
MD5:	D58A56D308276A6323EDF45A704C443B
SHA1:	445244F7D875A04B8612E04CA1CACDC7D5275B0F
SHA-256:	22FB670A0C08110F12D9268BBC5F015E5344CD0EA61CF414F2BE4A05B3396478
SHA-512:	AB26805F0FF25ABB934B12F668E0FB5B462D27450673653251BB2B55656DDC4BCBBFA4C12445FAB46AB110E4C28B5F0A156A27D9DAB6CCC1F67748237FDFF8C0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!.................................................................s....@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.....}.L...0...f....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140FRA.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..0....rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140ita.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	74224
Entropy (8bit):	4.770796960519436
Encrypted:	false
SSDEEP:	768:3QE6XaCyqbK15MsOwgDGxNIlW3jSCQQQjeqS1hDDg1UWTVfW5f+rWGg:3Qass5MsOwgSxNIlW3GoiTIF+yn
MD5:	B9C956ED374FFCDBA4C08C3720D1DB53
SHA1:	380CB5C40863E19D690177278C442EF2D10EFA01
SHA-256:	3C9809576B7811C9F2167AE45722C54C73926E133C5BC6B688A6C1846E9EB295
SHA-512:	4BF3FF88AC69131F6C6C23D2B492D7EEB5315259B9465F0316910B7E48FA94D16BC81D1395FE63E01C1B2E527EA8AB1B09561866FCF9EA40BE96E646F3E083A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDSk.8.#pJ..`\|........d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ITA.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140jpn.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55792
Entropy (8bit):	5.94964592117223
Encrypted:	false
SSDEEP:	768:VpxanVn/TsfJxsr10/eu9RHreFKpWzziDpI2:Vpcnp/TsguntoXyS2
MD5:	8CDEEEB4F6DC317140C9725D26EA4894
SHA1:	154C83C29AE78C37D24F181D30F0B677E5FA8CA4
SHA-256:	C85FAD3BE1ADB9007045FFB7226F340AA5E14FB35D44DD0177641BD410C9FEA8
SHA-512:	8B3F9CC4CF2C7118276CD8BF8605F6FA2F83A8D479873BABF98DF6C46E27C86A144B289D97D3026C1B2B2384C5938B6C05E78B33AFA1A485D5866AEA083ECB21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!................................................................9+....@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.y@b$..@.>.8Z.......d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140JPN.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140kor.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54768
Entropy (8bit):	6.1159324346768695
Encrypted:	false
SSDEEP:	768:fjVQO54LQTNdtUaHqNA3B2I7CvqXWfQNOWho:fjZ51TNdXqNAx2I7CvqmKOWho
MD5:	628CE133C7CDE15B08CC4C07646E7E2E
SHA1:	C6623E5E01DD83C89F96D540BD3D696C324533D2
SHA-256:	854EFA87200BDD5F2FB3B6E65CC43DFC8109A84887201093BAE5EA848271F639
SHA-512:	D79CFAA24A9556702794053CBBDD2B3E9468CB98D2991999ACB344E1ADAF19D7D1DCC204C83DC255E84B362DDCC31CE0B1617374BAC1C3CFB2911169DE802014
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!.................................................................~....@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.x).6JwK.>H..$.o....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140KOR.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..@~...rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140rus.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	72176
Entropy (8bit):	5.322279857085589
Encrypted:	false
SSDEEP:	768:rAv/gFXOv00iqNWTMHVhtZgFckD9uAWqMB:K6XOv0EhTW+q+
MD5:	76A39F21CC452E2A7040A78792318982
SHA1:	4EB98EAD87D9DAEB3E2D96127FFBE3727C3E2264
SHA-256:	696DDA39E8DF5BE1006E937BECE2DA07441E8C2BD79760C739922B557A7B9385
SHA-512:	9FA307E5B3FD510619298577E7FD3E036D632B11861A04FB739E4D1443F1EC530EE1E9C9018900A164162074873C50C676EB1477EFB31F3E215C779F48096B00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDSnS...^9@.4.TQ..X....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140RUS.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..H....rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140u.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5082912
Entropy (8bit):	6.8680590475042465
Encrypted:	false
SSDEEP:	98304:pwTgRb/8LXPwCVSf9qGeFgHt23653x0qfSbNa/S306FLOAkGkzdnEVomFHKnPZC:6cR87wFFqG236L0XNa/S306FLOyomFHT
MD5:	109E1488C848F17E370F3973EFDE2C38
SHA1:	7F2FEB94CF7FD1378DF4963316C7941067E7EDC0
SHA-256:	0CE7B07B16BA59AAE714495043D1CC8385691125F977B34227DBE826DA6D1EEF
SHA-512:	6C66CA88306106E07432D05AE60A0278D6619E57B1B1EAC5C1AD4B02F3DD13EA8F68FE986322877FA975077C879629E0248239C00654420353772E8287583E23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........;%.sUv.sUv.sUv..v.sUv..v.sUv..v.sUv...v.sUv..Tw.sUv..Qw.sUv..Vw.sUv..Pw.sUv..v.sUv.sTvVpUv..\w9rUv..Uw.sUv...v.sUv..Ww.sUvRich.sUv........................PE..L....V.^.........."!......2..h.......V......../...............................M.....m.N...@A............................L.....3......`4..............NM. A....J.(.....2.8............................a..@.............3.....@.2......................text...t.2.......2................. ..`.data...8.....3.......2.............@....idata..DS....3..T....3.............@..@.didat.......P4.......4.............@....rsrc........`4...... 4.............@..@.reloc..(.....J.......I.............@..B................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfcm140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	82720
Entropy (8bit):	6.481840055375367
Encrypted:	false
SSDEEP:	768:7xg82UCqlWXqCVz79dzv3sG2wlv13BVO5ncylfhcsZGolyQw3n/20c6dhVbuwSy1:J2Slq7vzvvTyphcsZGBpcGhQwSwUJ0
MD5:	F46353456429BF7768968B6285D7C2FB
SHA1:	5A6A6D4DB4BBD32CD141C3CD3D4F1996F1D27084
SHA-256:	D7FA4DFD8681B10EBF04CB5C72D0F3A20EAF9C4D287CC05C973561EC8DC6A019
SHA-512:	92C1F4C4AE572DBA8409FBC51F1ACC7FE5C347AFBD0A8B4EABDD339C4F4EF91698B7487E0F4708B89FAE8D2D436644026B89EC53F16F128DA9D773BB5AFE23C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.L............K.M......E......x.......x.......x.......o.....K.V.........X....x.......x.......xF......x......Rich............................PE..L....V.^.........."!.....@...........N.......P...............................0......@.....@.........................0................................... A... ..L...hU..8............................T..@............P..,............R..H............text...)?.......@.................. ..`.rdata..^....P.......D..............@..@.data...............................@....rsrc...............................@..@.reloc..L.... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfcm140u.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	82720
Entropy (8bit):	6.4817802924170635
Encrypted:	false
SSDEEP:	1536:V8alW6KV4ueuAUnPcsZGVxIb+OvE1R4Wod:K6KpQUnPcsKIbHv+i
MD5:	A67DD2E47CAC448F5E0995FD8634FD4B
SHA1:	879F96580C33618EB4D4349DE3215A87BA132A56
SHA-256:	F371D0868A9BAD5B012AC25BDC55FBF41D7F9535ECDE1A37CB23F2732F5ED303
SHA-512:	912238A4299D50481EF3C48A0E7DBD799B29880131A9667AACD252E3BACE8CDD38F0EAA2EB2C6EE7380B8146B105F94E54F43134AFA841F70176C5F4F318D909
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.L............K.M......E......x.......x.......x.......o.....K.V.........X....x.......x.......xF......x......Rich............................PE..L....V.^.........."!.....@...........N.......P...............................0............@.........................0................................... A... ..L...hU..8............................T..@............P..,............R..H............text...)?.......@.................. ..`.rdata..^....P.......D..............@..@.data...............................@....rsrc...............................@..@.reloc..L.... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\vcamp140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	362272
Entropy (8bit):	6.480079655173682
Encrypted:	false
SSDEEP:	6144:TNdn9nbqWFEijveDAHlreqc7Bd0o+Sb9mut1EFnceq0CR0y5M+:j9uAeMBMBio+Sb9mut1EF1qi+
MD5:	766A806CF675EBFC1BCD8766D446692A
SHA1:	71A60564596341323B8544C46A63164974570216
SHA-256:	F59EEFB0DAF0CDD646C5B522BC14B13BCEA57A1ECD567E7A0B930AA5EAA2EC2F
SHA-512:	86B06DED1DBF3399ABEAB86C36268AD061CC19AFEF4F694EFE7F5584959F7551E803361A456EEDC2596440617EF28A7BAA6E34CFA6ABB3EC94D8E54D59FD9F01
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./...AN..AN..AN...N..AN..@O..AN..DO..AN..EO..AN..BO..AN...N..AN..@N2.AN..HO..AN..AO..AN...N..AN...N..AN..CO..ANRich..AN........................PE..L....V.^.........."!................@3.......................................p......C.....@A........................@s..47......@.......8$...........F.. A...0...>...g..8....................h.......h..@...............\|............................text...t........................... ..`.data....*.......(..................@....idata..............................@..@.rsrc...8$.......&..................@..@.reloc...>...0...@..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\vcomp140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	141600
Entropy (8bit):	6.730918695182974
Encrypted:	false
SSDEEP:	3072:Dx2TmVYqVACERsarapgaqKSVoSkOuRoJm4t4/lAcXNt:FdbPFqjoPOuRou/lA2f
MD5:	072DA195F3C547B1584813E02E245CD8
SHA1:	EDA3A7CD19D4BB362BE37EC06290C1309962D4D4
SHA-256:	DBCB040304AC8A81E149840DEB816E1C4E5BC20487766541AA8C7C5C0629C804
SHA-512:	37BF63D59DF173D5152253CE2A4F5A2BB7DC2BF9F63BF7C379ED5BB3C9989BB782E6A836E8C6D7EBF2F927092E098FAA747F31AC4D6296194AEBCCC4EA8F68CE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uI...'..'..'..r$..'..r"...'..r#..'.{"..'.{#..'.{$..'......'..&...'.{...'.{'..'.{...'.{%..'.Rich..'.................PE..L...\|V.^.........."!.........>............................................... ............@................................`...<....................... A......d....b..8............................b..@...............\............................text............................... ..`.data...D...........................@....idata..,...........................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1028\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	18127
Entropy (8bit):	4.036737741619669
Encrypted:	false
SSDEEP:	192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
MD5:	B7F65A3A169484D21FA075CCA79083ED
SHA1:	5DBFA18928529A798FF84C14FD333CB08B3377C0
SHA-256:	32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
SHA-512:	EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset134 SimSun;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT \f1\'dc\'9b\'f3\'77\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'ca\'c7\'d9\'46\'d3\'c3\'91\'f4\'c5\'63\f0 Microsoft Corporation (\f1\'bb\'f2\'c6\'e4\'ea\'50\'82\'53\'c6\'f3\'98\'49\'a3\'ac\'d2\'95\'d9\'46\'d3\'c3\'91\'f4\'cb\'f9\'be\'d3\'d7\'a1\'b5\'c4\'b5\'d8\'fc\'63\'b6\'f8\'b6\'a8\f0 ) \f1\'d6\'ae\'e9\'67\'b3\'c9\'c1\'a2\'b5\'c4\'ba\'cf\'bc\'73\'a1\'a3\'cb\'fb\'82\'83\'df\'6d\'d3\'c3\'ec\'b6\'c9\'cf\'ca\'f6\'dc\'9b\'f3\'77\'a3\'ac\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'d2\'e0\'df\'6d\'d3\'c3\'ec\'b6\'c8\'ce\'ba\'ce\f0 Microsoft \f1\'b7\'fe\'84\'d5\'bb\'f2\'b1\'be\'dc\'9b\'f3\'77\'d6\'ae\'b8\'fc\'d0\'c2\'a3

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1028\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2980
Entropy (8bit):	6.163758160900388
Encrypted:	false
SSDEEP:	48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
MD5:	472ABBEDCBAD24DBA5B5F5E8D02C340F
SHA1:	974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
SHA-256:	8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
SHA-512:	676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ................. ......................../passive \| /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1029\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13053
Entropy (8bit):	5.125552901367032
Encrypted:	false
SSDEEP:	192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
MD5:	B408556A89FCE3B47CD61302ECA64AC9
SHA1:	AAC1CDAF085162EFF5EAABF562452C93B73370CB
SHA-256:	21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
SHA-512:	BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z\~jej\f0\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte) a\~v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI TYTO

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1029\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3333
Entropy (8bit):	5.370651462060085
Encrypted:	false
SSDEEP:	48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
MD5:	16343005D29EC431891B02F048C7F581
SHA1:	85A14C40C482D9351271F6119D272D19407C3CE9
SHA-256:	07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
SHA-512:	FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive \| /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1031\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11936
Entropy (8bit):	5.194264396634094
Encrypted:	false
SSDEEP:	192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
MD5:	C2CFA4CE43DFF1FCD200EDD2B1212F0A
SHA1:	E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
SHA-256:	F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
SHA-512:	6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1031\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3379
Entropy (8bit):	5.094097800535488
Encrypted:	false
SSDEEP:	48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
MD5:	561F3F32DB2453647D1992D4D932E872
SHA1:	109548642FB7C5CC0159BEDDBCF7752B12B264C0
SHA-256:	8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
SHA-512:	CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive \| /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1036\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11593
Entropy (8bit):	5.106817099949188
Encrypted:	false
SSDEEP:	192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
MD5:	F0FF747B85B1088A317399B0E11D2101
SHA1:	F13902A39CEAE703A4713AC883D55CFEE5F1876C
SHA-256:	4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
SHA-512:	AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1036\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3366
Entropy (8bit):	5.0912204406356905
Encrypted:	false
SSDEEP:	48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
MD5:	7B46AE8698459830A0F9116BC27DE7DF
SHA1:	D9BB14D483B88996A591392AE03E245CAE19C6C3
SHA-256:	704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
SHA-512:	FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive \| /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1040\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11281
Entropy (8bit):	5.046489958240229
Encrypted:	false
SSDEEP:	192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
MD5:	9D98044BAC59684489C4CF66C3B34C85
SHA1:	36AAE7F10A19D336C725CAFC8583B26D1F5E2325
SHA-256:	A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
SHA-512:	D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\p

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1040\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3319
Entropy (8bit):	5.019774955491369
Encrypted:	false
SSDEEP:	48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
MD5:	D90BC60FA15299925986A52861B8E5D5
SHA1:	FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
SHA-256:	0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
SHA-512:	11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive \| /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1041\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	28232
Entropy (8bit):	3.7669201853275722
Encrypted:	false
SSDEEP:	192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
MD5:	8C49936EC4CF0F64CA2398191C462698
SHA1:	CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
SHA-256:	7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
SHA-512:	4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset128 MS Gothic;}{\f1\fnil\fcharset0 MS Gothic;}{\f2\fnil\fcharset134 SimSun;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'83\'7d\'83\'43\'83\'4e\'83\'8d\'83\'5c\'83\'74\'83\'67 \'83\'5c\'83\'74\'83\'67\'83\'45\'83\'46\'83\'41 \'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\par..\f1 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\'82\'cd\f2\'a1\'a2\f1 Microsoft Corporation (\f0\'82\'dc\'82\'bd\'82\'cd\'82\'a8\'8b\'71\'97\'6c\'82\'cc\'8f\'8a\'8d\'dd\'92\'6e\'82\'c9\'89\'9e\'82\'b6\'82\'c4\'82\'cd\'82\'bb\'82\'cc\'8a\'d6\'98\'41\'89\'ef\'8e\'d0) \'82\'c6\'82\'a8\'8b\'71\'97\'6c\'82\'c6\'82\'cc\'8c\'5f\'96\'f1\'82\'f0\'8d\'5c\'90\'ac\'82\'b5\'82\'dc\'82\'b7\'81\'42\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1041\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3959
Entropy (8bit):	5.955167044943003
Encrypted:	false
SSDEEP:	96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
MD5:	DC81ED54FD28FC6DB6F139C8DA1BDED6
SHA1:	9C719C32844F78AAE523ADB8EE42A54D019C2B05
SHA-256:	6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
SHA-512:	FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ............ ......... .........................

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1042\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	27936
Entropy (8bit):	3.871317037004171
Encrypted:	false
SSDEEP:	384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
MD5:	184D94082717E684EAF081CEC3CBA4B1
SHA1:	960B9DA48F4CDDF29E78BBAE995B52204B26D51B
SHA-256:	A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
SHA-512:	E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset129 Malgun Gothic;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 Microsoft \f1\'bc\'d2\'c7\'c1\'c6\'ae\'bf\'fe\'be\'ee\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'bc\'ad\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'ba\'bb\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'c0\'ba\f0 Microsoft Corporation(\f1\'b6\'c7\'b4\'c2\f0 \f1\'b0\'c5\'c1\'d6\f0 \f1\'c1\'f6\'bf\'aa\'bf\'a1\f0 \f1\'b5\'fb\'b6\'f3\f0 \f1\'b0\'e8\'bf\'ad\'bb\'e7\f0 \f1\'c1\'df\f0 \f1\'c7\'cf\'b3\'aa\f0 )\f1\'b0\'fa\f0 \f1\'b1\'cd\'c7\'cf\f0 \f1\'b0\'a3\'bf\'a1\f0 \f1\'c3\'bc\'b0\'e1\'b5\'c7\'b4\'c2\f0 \f1\'b0\'e8\'be\'e0\'c0\'d4\'b4\'cf\'b4\'d9\f0 . \f1\'ba\'bb\f0 \f1\'c1\'b6\'b0\'c7\'c0\'ba\f0 \f1\'c0\'a7\'bf\'a1\f0 \f1\'b8\'ed\'bd\'c3\'b5\'c8\f0 \f1

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1042\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.985100495461761
Encrypted:	false
SSDEEP:	48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
MD5:	B3399648C2F30930487F20B50378CEC1
SHA1:	CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
SHA-256:	AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
SHA-512:	C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive \| /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1045\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13265
Entropy (8bit):	5.358483628484379
Encrypted:	false
SSDEEP:	192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
MD5:	5B9DF97FC98938BF2936437430E31ECA
SHA1:	AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
SHA-256:	8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
SHA-512:	4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z\~podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a\~Licencjobiorc\f1\'b9. Maj\'b9 one zastosowanie do wskazanego powy\'bfej oprogramowania. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym towarzysz\f1\'b9 inne postanowienia.\par..\b\

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1045\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3212
Entropy (8bit):	5.268378763359481
Encrypted:	false
SSDEEP:	48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
MD5:	15172EAF5C2C2E2B008DE04A250A62A1
SHA1:	ED60F870C473EE87DF39D1584880D964796E6888
SHA-256:	440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
SHA-512:	48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive \| /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1046\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10656
Entropy (8bit):	5.092962528947159
Encrypted:	false
SSDEEP:	192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
MD5:	360FC4A7FFCDB915A7CF440221AFAD36
SHA1:	009F36BBDAD5B9972E8069E53855FC656EA05800
SHA-256:	9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
SHA-512:	9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Estes termos de licen\'e7a formam um contrato firmado entre a Microsoft Corporation (ou com base no seu pa\'eds de resid\'eancia, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\t

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1046\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3095
Entropy (8bit):	5.150868216959352
Encrypted:	false
SSDEEP:	48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
MD5:	BE27B98E086D2B8068B16DBF43E18D50
SHA1:	6FAF34A36C8D9DE55650D0466563852552927603
SHA-256:	F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
SHA-512:	3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive \| /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1049\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	31915
Entropy (8bit):	3.6440775919653996
Encrypted:	false
SSDEEP:	384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
MD5:	A59C893E2C2B4063AE821E42519F9812
SHA1:	C00D0B11F6B25246357053F6620E57D990EFC698
SHA-256:	0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
SHA-512:	B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset204 Tahoma;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset204 Garamond;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang1049\'d3\'d1\'cb\'ce\'c2\'c8\'df \'cb\'c8\'d6\'c5\'cd\'c7\'c8\'c8 \'cd\'c0 \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'cd\'ce\'c5 \'ce\'c1\'c5\'d1\'cf\'c5\'d7\'c5\'cd\'c8\'c5 MICROSOFT\par..\f1\lang9 MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0\f0\lang1049\'cd\'e0\'f1\'f2\'ee\'ff\'f9\'e8\'e5 \'f3\'f1\'eb\'ee\'e2\'e8\'ff \'eb\'e8\'f6\'e5\'ed\'e7\'e8\'e8 \'ff\'e2\'eb\'ff\'fe\'f2\'f1\'ff \'f1\'ee\'e3\'eb\'e0\'f8\'e5\'ed\'e8\'e5\'ec \'ec\'e5\'e6\'e4\'f3 \'ea\'ee\'f0\'ef\'ee\'f0\'e0\'f6\'e8\'e5\'e9 Microsoft (\'e8\'eb\'e8, \'e2 \'e7\'e0\'e2\'e8\'f1\'e8\'ec\'ee\'f1\'f2\'e8 \'ee\'f2 \'ec\'e5\'f1\'f2\'e0 \'e2\'e0\'f8\'e5\'e3\'ee \'ef\'f0\'ee\'e6\'e8\'e2\'e0\'ed\'e8\'ff, \'ee\

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1049\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	4150
Entropy (8bit):	5.444436038992627
Encrypted:	false
SSDEEP:	48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
MD5:	17C652452E5EE930A7F1E5E312C17324
SHA1:	59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
SHA-256:	7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
SHA-512:	53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive \| /quiet - ........... ....

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1055\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13379
Entropy (8bit):	5.214715951393874
Encrypted:	false
SSDEEP:	192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
MD5:	BD2DC15DFEE66076BBA6D15A527089E7
SHA1:	8768518F2318F1B8A3F8908A056213042A377CC4
SHA-256:	62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
SHA-512:	9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\1055\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3221
Entropy (8bit):	5.280530692056262
Encrypted:	false
SSDEEP:	48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
MD5:	DEFBEA001DC4EB66553630AC7CE47CCA
SHA1:	90CED64EC7C861F03484B5D5616FDBCDA8F64788
SHA-256:	E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
SHA-512:	B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive \| /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\2052\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	17863
Entropy (8bit):	3.9617786349452775
Encrypted:	false
SSDEEP:	192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
MD5:	3CF16377C0D1B2E16FFD6E32BF139AC5
SHA1:	D1A8C3730231D51C7BB85A7A15B948794E99BDCE
SHA-256:	E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
SHA-512:	E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset134 SimSun;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'ce\'a2\'c8\'ed\'c8\'ed\'bc\'fe\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\f1\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'d5\'e2\'d0\'a9\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\'ca\'c7\f1 Microsoft Corporation\f0\'a3\'a8\'bb\'f2\'c4\'fa\'cb\'f9\'d4\'da\'b5\'d8\'b5\'c4\f1 Microsoft \f0\'b9\'d8\'c1\'aa\'b9\'ab\'cb\'be\'a3\'a9\'d3\'eb\'c4\'fa\'d6\'ae\'bc\'e4\'b4\'ef\'b3\'c9\'b5\'c4\'d0\'ad\'d2\'e9\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'ca\'ca\'d3\'c3\'d3\'da\'c9\'cf\'ca\'f6\'c8\'ed\'bc\'fe\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'d2\'b2\'ca\'ca\'d3\'c3\'d3\'da\'d5\'eb\'b6\'d4\'b8\'c3\'c8\'ed\'bc\'fe\'b5\'c4\'c8\'ce\'ba\'ce\'ce\'a2\'c8\'ed\'b7\'fe\'ce\'f1\'bb\'f2\'b8\'fc\'d0\'c2\'a3\'ac\'b5\'ab\'d3\'d0\'b2\'bb\'cd\

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\2052\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2978
Entropy (8bit):	6.135205733555905
Encrypted:	false
SSDEEP:	48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
MD5:	3D1E15DEEACE801322E222969A574F17
SHA1:	58074C83775E1A884FED6679ACF9AC78ABB8A169
SHA-256:	2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
SHA-512:	10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [..] - .......... ..................Install ........../passive \| /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\3082\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10714
Entropy (8bit):	5.122578090102117
Encrypted:	false
SSDEEP:	192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
MD5:	FBF293EE95AFEF818EAF07BB088A1596
SHA1:	BBA1991BA6459C9F19B235C43A9B781A24324606
SHA-256:	1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
SHA-512:	6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\3082\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3265
Entropy (8bit):	5.0491645049584655
Encrypted:	false
SSDEEP:	48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
MD5:	47F9F8D342C9C22D0C9636BC7362FA8F
SHA1:	3922D1589E284CE76AB39800E2B064F71123C1C5
SHA-256:	9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
SHA-512:	E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive \| /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (558), with CRLF line terminators
Category:	dropped
Size (bytes):	13122
Entropy (8bit):	3.729412080010859
Encrypted:	false
SSDEEP:	192:X0sg+QnH5zHqQHG0Hd8Hz7HE06HA0rH3FxF6OxLo3MzLa0LTnDBx7z8NkzzkvQwj:X0sBydLbmnoN10A1TpotVos
MD5:	B51EF22109AEEA9AE5190E9EF67D9476
SHA1:	FDF939DA26A1268CDF0510AA40FBCA614947C9FD
SHA-256:	1031C44505A4D8322C3BFF5BA92AE5E2C84D7041A01537D187726C9D4E862E5F
SHA-512:	27AA0612337B7473C75BA73EFAF606EE1DB13F7F633151ED5BFF7A9BB5A5AF5502EF3597AE0E95F714F5F0D19A2452413BD18E91516E696DED76C277D0BCA238
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T. .&.g.t.;.=. .v.6...0. .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .2.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...2. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).". .M.e.s.s.a.g.e.=.".[.W.i.x.B.u.n.d.l.e.N.a.m.e.]. .c.a.n. .o.n.l.y. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .W.i.n.d.o.w.s. .X.P. .S.P.2. .a.n.d. .n.e.w.e.r. .p.l.a.t.f.o.r.m.s...". ./.>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.4...2.5...2.8.5.0.8.". .L.o.g.P.

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\license.rtf

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	9046
Entropy (8bit):	5.157073875669985
Encrypted:	false
SSDEEP:	192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
MD5:	2EABBB391ACB89942396DF5C1CA2BAD8
SHA1:	182A6F93703549290BCDE92920D37BC1DEC712BB
SHA-256:	E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
SHA-512:	20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\logo.png

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	PNG image data, 64 x 64, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1861
Entropy (8bit):	6.868587546770907
Encrypted:	false
SSDEEP:	24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
MD5:	D6BD210F227442B3362493D046CEA233
SHA1:	FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
SHA-256:	335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
SHA-512:	464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
Malicious:	false
Preview:	.PNG........IHDR...@...@.............sRGB.........gAMA......a.....PLTE].q^.r_.r_.s`.s`.s`.ta.ta.ub.ub.vc.vd.vd.vd.we.we.xe.xg.yg yg zh zh"zi"{j#\|i${j$\|n~n.n,.o,.p..q0.r2.s3.t5.x;.x<.y>.z?.\|B.~C.}E..F..F..H..I..J..L..O..P..W..Y..^..a..c..g..i..q..r..}.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S......pHYs..%...%....^.....tEXtSoftware.Paint.NET v3.5.100.r.....IDATXG..iW.@...EJ.$M...`AEpG..7TpWT@\.."....(..(.._;...di:9.c>q..g....T...._...-....F..+..w.

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\thm.wxl

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2952
Entropy (8bit):	5.052095286906672
Encrypted:	false
SSDEEP:	48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
MD5:	FBFCBC4DACC566A3C426F43CE10907B6
SHA1:	63C45F9A771161740E100FAF710F30EED017D723
SHA-256:	70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
SHA-512:	063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive \| /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\thm.xml

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	5.184632608060528
Encrypted:	false
SSDEEP:	96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
MD5:	F62729C6D2540015E072514226C121C7
SHA1:	C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
SHA-256:	F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
SHA-512:	CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.ba\wixstdba.dll

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	195600
Entropy (8bit):	6.682530937585544
Encrypted:	false
SSDEEP:	3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
MD5:	EAB9CAF4277829ABDF6223EC1EFA0EDD
SHA1:	74862ECF349A9BEDD32699F2A7A4E00B4727543D
SHA-256:	A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
SHA-512:	45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3..R...R...R..h.N..R..h.L.R..h.M..R.......R.......R.......R...<..R...,..R...R...S..K....R..K....R..N.@..R...R(..R..K....R..Rich.R..................PE..L......Z...........!................d.....................................................@..............................................................D......,.......T...............................@...............X............................text............................... ..`.rdata.............................@..@.data...............................@....gfids..............................@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	647912
Entropy (8bit):	7.215948724836638
Encrypted:	false
SSDEEP:	12288:snMwHskY7gjcjhVIEhqgM7bWvcsi6aVhPIyP3WRCzJ9ztLz5/YTDd:6MysZgjS1hqgSC/izxf+czJZhz5Qnd
MD5:	2F9D2B6CE54F9095695B53D1AA217C7B
SHA1:	3F54934C240F1955301811D2C399728A3E6D1272
SHA-256:	0009D3F27837C3AF3F6FFF7973FAF07AFAA4B53119846F55B6F2A79F1759C757
SHA-512:	692857F960F26039C7B0AF6329E65A71E8588FF71EAAC6B956BD6E437994A8D5A470C7E75DD776E0772E473967B64D5EA0E1D8396546691316DAF4D6B8CCC237
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;...............$...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\cab54A5CABBE7274D8A22EB58060AAB7623

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Microsoft Cabinet archive data, many, 1350653 bytes, 50 files, at 0x44 +A "api_ms_win_core_console_l1_1_0.dll" +A "api_ms_win_core_datetime_l1_1_0.dll", flags 0x4, number 1, extra bytes 20 in head, 111 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	1367669
Entropy (8bit):	7.997832401624505
Encrypted:	true
SSDEEP:	24576:OawWVgz9615LBBl9NWA5852M/fzoapq0m9Oz03FOae6p4Cjd81kD0+0CCxco2iJs:OawWV+96vVBNWOMU0qhOz035e6ppNCst
MD5:	29C34C40D349C145E297B6977908E687
SHA1:	025B5CF7D6515CC6151628063752C159F41D99C7
SHA-256:	61AACFF6365DA15F2C9D0FF1C8FB2EC207D145CD9104AFA0CE663BF1542DB245
SHA-512:	BBD9F65C2619DE25F99A8BA21346D7EA46DB9EBA79FEB6039E0E86999D1EA2C9A4564FA727DDA442A69C169DBDC8A4913DF925C42B3AD7F4030A655AC01C0691
Malicious:	false
Preview:	MSCF............D...........2...................xB..........~...o....O........(P.. .api_ms_win_core_console_l1_1_0.dll..M...O....(P.. .api_ms_win_core_datetime_l1_1_0.dll..N........(P.. .api_ms_win_core_debug_l1_1_0.dll. M........(P.. .api_ms_win_core_errorhandling_l1_1_0.dll. [...9....(P.. .api_ms_win_core_file_l1_1_0.dll. M..0.....(P.. .api_ms_win_core_file_l1_2_0.dll. M..P.....(P.. .api_ms_win_core_file_l2_1_0.dll. M..p.....(P.. .api_ms_win_core_handle_l1_1_0.dll..O...{....(P.. .api_ms_win_core_heap_l1_1_0.dll..O........(P.. .api_ms_win_core_interlocked_l1_1_0.dll..O..p.....(P.. .api_ms_win_core_libraryloader_l1_1_0.dll..W..`k....(P.. .api_ms_win_core_localization_l1_2_0.dll..O..P.....(P.. .api_ms_win_core_memory_l1_1_0.dll. M..@.....(P.. .api_ms_win_core_namedpipe_l1_1_0.dll..Q..``....(P.. .api_ms_win_core_processenvironment_l1_1_0.dll..U..P.....(P.. .api_ms_win_core_processthreads_l1_1_0.dll..O..@.....(P.. .api_ms_win_core_processthreads_l1_1_1.dll..K..0X....(P.. .api_ms_win_core_

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\cabB3E1576D1FEFBB979E13B1A5379E0B16

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Microsoft Cabinet archive data, many, 5194062 bytes, 14 files, at 0x44 +A "mfc140.dll" +A "mfc140chs.dll", flags 0x4, number 1, extra bytes 20 in head, 326 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	5211054
Entropy (8bit):	7.998080908238165
Encrypted:	true
SSDEEP:	98304:dEpMtGvCYmfjBvRxMh7vhetajX6x0XSvrTBEbwwF0XVsvufq:dElCPLBvE8xuEebw6vuy
MD5:	4FEADE30692872EAB413C1123A5F3DE4
SHA1:	B08C319BD7E01176F02D0DC3B4AA8B7C5B9A82C6
SHA-256:	2805E5CC8E477AC1D6847B3CF083A85EC463F646037B59C93CB9E3096A78B81A
SHA-512:	145956C65E193AD5309CA3C0F0BC94DFB20C6BCF73494BDE2ABC48F6495061EE727C9FAA1B97739FE3028873A540A5F17FDFFEB08D8C3A35C2CD7B3DDB088E54
Malicious:	false
Preview:	MSCF....NAO.....D...........................NAO.`B..............F... .H.......(P.. .mfc140.dll.... .H...(P.. .mfc140chs.dll. .....I...(P.. .mfc140cht.dll..)..(nJ...(P.. .mfc140deu.dll. .....K...(P.. .mfc140enu.dll. %..8.L...(P.. .mfc140esn.dll..)..X.M...(P.. .mfc140fra.dll..!..H.N...(P.. .mfc140ita.dll.....8.P...(P.. .mfc140jpn.dll.....(.P...(P.. .mfc140kor.dll.......Q...(P.. .mfc140rus.dll. .M...R...(P.. .mfc140u.dll. C..(e....(P.. .mfcm140.dll. C..H.....(P.. .mfcm140u.dll..J.%.4..CK..w....0...Q6Q..}.......[.nl....;. ...L.....H%.K.w}.<.u..y.y.....g........M6....E..}.m.=...?....?.$Q4...O..;..<8....^{........].Ov....<$.u.d..${...........i..z......s,p.....?...8..F......].~=c.{.].~=m.C.?~..A..6....O....~.h...\..v...s.l..z..'..q..=\|..l...........h.I&...j.N..Y..;.I..-*'D.....;/.Eq.....(...../SG..u..t..eO\|o.p..F.../......{t....E..g/..$.s./..v.........l.Vt.y...L....xW.e&._.i.d..Q4.c......?.=.8$...9..]..N....X>a.]..%...._g.Ng...w.5..........V........v71.~2.

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\vcRuntimeAdditional_x86

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.3376915344280516
Encrypted:	false
SSDEEP:	3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
MD5:	4B97853A7D10743D67665CCDD67E8566
SHA1:	AF5F7059C9A05A388B4773917E17A078FA58F5E9
SHA-256:	63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
SHA-512:	ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\vcRuntimeMinimum_x86

Download File

Process:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.237627585353464
Encrypted:	false
SSDEEP:	3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
MD5:	6AA3A12A374E36C6A7BD75B7627A5A7C
SHA1:	56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
SHA-256:	AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
SHA-512:	B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe

Download File

Process:	C:\Users\user\Desktop\._cache_file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	647912
Entropy (8bit):	7.215948724836638
Encrypted:	false
SSDEEP:	12288:snMwHskY7gjcjhVIEhqgM7bWvcsi6aVhPIyP3WRCzJ9ztLz5/YTDd:6MysZgjS1hqgSC/izxf+czJZhz5Qnd
MD5:	2F9D2B6CE54F9095695B53D1AA217C7B
SHA1:	3F54934C240F1955301811D2C399728A3E6D1272
SHA-256:	0009D3F27837C3AF3F6FFF7973FAF07AFAA4B53119846F55B6F2A79F1759C757
SHA-512:	692857F960F26039C7B0AF6329E65A71E8588FF71EAAC6B956BD6E437994A8D5A470C7E75DD776E0772E473967B64D5EA0E1D8396546691316DAF4D6B8CCC237
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;...............$...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................

C:\Windows\Temp\~DF39A64ECAB61DE812.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5222228411206007
Encrypted:	false
SSDEEP:	48:X8PhNuRc06WXi/FT5Tdj6RLBL7uSmRSWKSIVlZQc:WhN1RFTXjaLBL7uVRmJlZQc
MD5:	6FDD7AF8A63668DAFE92A76DD98C35F0
SHA1:	FC07FC5C17906FC2C4C717AAD4C9C2C9B8E493E3
SHA-256:	680EE74FCA46694680A2CBA0B2CA435FFED6B7882F522B165F15204CA6D3059E
SHA-512:	05C928DF30FB18D65026F9529F29D77729D6ED94652F5CCE985CD87DE66888F3C7016CC4B70775B7123FA6527165E5AA590B6C9240448A3A39ED7092F97196EC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3E5148FECA94F2B1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.219871962020937
Encrypted:	false
SSDEEP:	48:pe1uLs4vFXiiT5zdj6RLBL7uSmRSWKSIVlZQc:c1O3TnjaLBL7uVRmJlZQc
MD5:	6B51069CEA815F3C35D0EDDC5587BB98
SHA1:	0F345CAE9294C24DA66354981AC69969FEF9FDD9
SHA-256:	C6734CF09985A65836AC09A422CF6E5332B9F6B77AACBBFEE1B5DB736C65A10C
SHA-512:	ACE1A9E71B18780D1452CC2C8E6E613CCF82D4B6B2D6F21DCE5E3BBBE70050EA6502E4FFA22C87907788ED73B7118F3C941C54F5BCF8394B95D537080EDDAE1F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF418E7859AAF80E4E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5166332236753435
Encrypted:	false
SSDEEP:	48:k8PhNuRc06WXikwFT5mVdmF6rkjSmRSWKSIgZQ:7hN1WwFTMmFQkjVRmMZQ
MD5:	408F0F1B4D2D9756B8459B92000C164E
SHA1:	5DDB49B928C93A6F9B8C526EA8E9A92F1758B1DF
SHA-256:	1C50F6CFC1EE6275868872176928A4636628AC6DA608232FF91CD1D9A0E6A371
SHA-512:	87B7D259F02DA00CA2906FCCC1B8432B48F35CA9F4B41F42EFDA1B7FE05DD848F21BEF2460D23932058D932C629C5A90BEED8F679AF06DB424C0B5F58C5988F6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF579FC77923438427.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF66B7CA452A1FAE9D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.219871962020937
Encrypted:	false
SSDEEP:	48:pe1uLs4vFXiiT5zdj6RLBL7uSmRSWKSIVlZQc:c1O3TnjaLBL7uVRmJlZQc
MD5:	6B51069CEA815F3C35D0EDDC5587BB98
SHA1:	0F345CAE9294C24DA66354981AC69969FEF9FDD9
SHA-256:	C6734CF09985A65836AC09A422CF6E5332B9F6B77AACBBFEE1B5DB736C65A10C
SHA-512:	ACE1A9E71B18780D1452CC2C8E6E613CCF82D4B6B2D6F21DCE5E3BBBE70050EA6502E4FFA22C87907788ED73B7118F3C941C54F5BCF8394B95D537080EDDAE1F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6BA362F1DBDE173C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2161670766784427
Encrypted:	false
SSDEEP:	48:qk1u1s4vFXiQZT5GVdmF6rkjSmRSWKSIgZQ:X1gtZTcmFQkjVRmMZQ
MD5:	055300ECA4504A563BC2F038D6BE6C69
SHA1:	8D93937B8D819D09BB9B0E552DCD5E95CFFD4ACF
SHA-256:	112B090488A3A1BFACC86A33CFB1BA48A8E47149A604F4D62C77938FCC06C695
SHA-512:	ED843915470465371797F8C1360C764137DB9514EEBAA161B3838D56A24CA130F28DFFCAB0A91500092BFC16232A3F6FB27293D7D3CE80D7E275A66C93507940
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6CF39A4C23F26334.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.10315420318511248
Encrypted:	false
SSDEEP:	6:xPLG7iVCnLG7iVrKOzPLHKOJSDBsJp8z8JEM9TEkuL1dQO6iGYcBlIVky6l80t/:50i8n0itFzDHFw7zpHQEQBp801
MD5:	60ACE1ED3D1052DD04B59CF080FFE8F9
SHA1:	130ECD05D54CA74F36D0B75F565E5A7B216CACBE
SHA-256:	084EF06277D865635F060799E85D33CEFAAE0B0465DDD17559853DA5481A10B5
SHA-512:	151457DECAED8CF0B1E07A67960D7E9E35A50A091BBB9D06E7350F2AE6C898FF2C8893ABB2643315E2098157FF7FB4A3CD53F992A7EC1B3EA544E756F426B21B
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6D3885B20DE53AEF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8F0511FA38CFBCAC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF983CB13E4425F4B8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.12339056272392972
Encrypted:	false
SSDEEP:	24:tlZYrYsjipVvipVsS0W1VPgNlGrJq+PdMCl4FMClmVjLmcj:tlZEdS9SmRSWaqgdmF6H
MD5:	1E620EC807BA0A4C61AA17E2A965086C
SHA1:	900C3F628D839FAD2923CF60EBBE36FFD6C711E7
SHA-256:	53467DAAB28D4CECAA4051EFF7879C862396B1A57769789A4174ACD69CC41D0D
SHA-512:	FCECE7C30DF036C02B06EF24E631454664961AD5B87B2A7D9B70CDACFEBCF2ED346A1AA7FBEEAF8B791A70AEC09A83B42A4D8C8D71E9022AC5AF64CB73E0D202
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB2486A805DEF12C9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.101966517312601
Encrypted:	false
SSDEEP:	6:xPLG7iVCnLG7iVrKOzPLHKOP1/x2I2M9R9X4IOxkQliVky6lJl0t/:50i8n0itFzDHFPZx2hs9X4KQDr01
MD5:	4C576594FA66D0DC4C7A6A7AE5F90728
SHA1:	501FA73B78162CE60B28F7010F01F19C7DAC0832
SHA-256:	A75EB9D68001602F6E03987E09472D3C25851AA318AE58DB08C085E4E81D5F2E
SHA-512:	D10BE1817CB6B1004614FB05DB54FDC2DFE732C7F15934E0D0E2242D313FC61254F60B34F587D9D731A7A52EDB3394635143C249082E9E68C7F38CBFFE35E0D6
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB29D42D16AFB8A24.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB2A17C5CD3C6530B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBC831C0669A0D9DE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5222228411206007
Encrypted:	false
SSDEEP:	48:X8PhNuRc06WXi/FT5Tdj6RLBL7uSmRSWKSIVlZQc:WhN1RFTXjaLBL7uVRmJlZQc
MD5:	6FDD7AF8A63668DAFE92A76DD98C35F0
SHA1:	FC07FC5C17906FC2C4C717AAD4C9C2C9B8E493E3
SHA-256:	680EE74FCA46694680A2CBA0B2CA435FFED6B7882F522B165F15204CA6D3059E
SHA-512:	05C928DF30FB18D65026F9529F29D77729D6ED94652F5CCE985CD87DE66888F3C7016CC4B70775B7123FA6527165E5AA590B6C9240448A3A39ED7092F97196EC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBD65D2F3CD2E1596.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2161670766784427
Encrypted:	false
SSDEEP:	48:qk1u1s4vFXiQZT5GVdmF6rkjSmRSWKSIgZQ:X1gtZTcmFQkjVRmMZQ
MD5:	055300ECA4504A563BC2F038D6BE6C69
SHA1:	8D93937B8D819D09BB9B0E552DCD5E95CFFD4ACF
SHA-256:	112B090488A3A1BFACC86A33CFB1BA48A8E47149A604F4D62C77938FCC06C695
SHA-512:	ED843915470465371797F8C1360C764137DB9514EEBAA161B3838D56A24CA130F28DFFCAB0A91500092BFC16232A3F6FB27293D7D3CE80D7E275A66C93507940
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC23F2058BF3AD677.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC36C176B2D572344.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2161670766784427
Encrypted:	false
SSDEEP:	48:qk1u1s4vFXiQZT5GVdmF6rkjSmRSWKSIgZQ:X1gtZTcmFQkjVRmMZQ
MD5:	055300ECA4504A563BC2F038D6BE6C69
SHA1:	8D93937B8D819D09BB9B0E552DCD5E95CFFD4ACF
SHA-256:	112B090488A3A1BFACC86A33CFB1BA48A8E47149A604F4D62C77938FCC06C695
SHA-512:	ED843915470465371797F8C1360C764137DB9514EEBAA161B3838D56A24CA130F28DFFCAB0A91500092BFC16232A3F6FB27293D7D3CE80D7E275A66C93507940
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC6C4F6BBAD2033AF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCDA7F126F2EEA6DB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.219871962020937
Encrypted:	false
SSDEEP:	48:pe1uLs4vFXiiT5zdj6RLBL7uSmRSWKSIVlZQc:c1O3TnjaLBL7uVRmJlZQc
MD5:	6B51069CEA815F3C35D0EDDC5587BB98
SHA1:	0F345CAE9294C24DA66354981AC69969FEF9FDD9
SHA-256:	C6734CF09985A65836AC09A422CF6E5332B9F6B77AACBBFEE1B5DB736C65A10C
SHA-512:	ACE1A9E71B18780D1452CC2C8E6E613CCF82D4B6B2D6F21DCE5E3BBBE70050EA6502E4FFA22C87907788ED73B7118F3C941C54F5BCF8394B95D537080EDDAE1F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE44EBC5720CEF996.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE797B20FA0E8E75E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.125711047043211
Encrypted:	false
SSDEEP:	24:2LLZQcpDYaazipVvipVsS0W1VPgNlGrX+GdMCltLbMClmVj1LFGm1LF:4ZQctVmS9SmRSW6Jdj6RLBL
MD5:	A3AD37DD83FFA3FA355480AC159E6590
SHA1:	0EF08DC7CE1E58DF07FD0FFA2292DA87082ECECE
SHA-256:	906F2CEF73D840B1E1A6ACE363328934AC99450C7FAFA272C4AB094DEA9C3EA1
SHA-512:	41ECBCDC54C7223FCD6392F3C894297D6F014695111FFC08C07B72D00F7BE4F39DA1B911FD95757041EDBE058FFF0E3B9F5D876923D68B2E539659B3CD6C2CAB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF5C313A4B3424BDA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5166332236753435
Encrypted:	false
SSDEEP:	48:k8PhNuRc06WXikwFT5mVdmF6rkjSmRSWKSIgZQ:7hN1WwFTMmFQkjVRmMZQ
MD5:	408F0F1B4D2D9756B8459B92000C164E
SHA1:	5DDB49B928C93A6F9B8C526EA8E9A92F1758B1DF
SHA-256:	1C50F6CFC1EE6275868872176928A4636628AC6DA608232FF91CD1D9A0E6A371
SHA-512:	87B7D259F02DA00CA2906FCCC1B8432B48F35CA9F4B41F42EFDA1B7FE05DD848F21BEF2460D23932058D932C629C5A90BEED8F679AF06DB424C0B5F58C5988F6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFB60B075AD801063.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFF06DEEC431B6047.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.2959964892155735
Encrypted:	false
SSDEEP:	6144:p41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+IpmBMZJh1VjH:+1/YCW2AoQ0NiWpwMHrVD
MD5:	AA281687EB2B5C259704B2F832EE5F03
SHA1:	65BAE116E136053AD9F34AD6E9743EF01E19305E
SHA-256:	6AD115509655AD3C4CAB2EE8D4B58D4D7D9AF431D551B4DEE44003B6A102EB48
SHA-512:	68474609B5205786A9999631FEA4CD47706D6964E450ACD323A04C6F2DB1B2490AE0080BBBF482933615D1C232BE95675C71470E918105D0C8DFE9EB1786678A
Malicious:	false
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm&..L]...............................................................................................................................................................................................................................................................................................................................................X..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9774907952358145
TrID:	Win32 Executable (generic) a (10002005/4) 92.57% Win32 Executable Borland Delphi 7 (665061/41) 6.16% Windows ActiveX control (116523/4) 1.08% Win32 Executable Delphi generic (14689/80) 0.14% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	file.exe
File size:	15'183'872 bytes
MD5:	7274b0b15c4e6d5bbe8db5aa93c65a12
SHA1:	643418b70ee7242fb4cf797e54ec78c910d32824
SHA256:	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435
SHA512:	241ca5eaa520a22a1c264f2fd3307c95d78fb56c2433602e42dcf9f2eb419ed2d43d40f6524a61a1d6e696375f7ea722fd502fa939d4453d88ca63ac068be224
SSDEEP:	393216:o0d/FlptVYmfr7yBG/4JU4TRjtjUMy4i6kgsY7A:H1PpttD7yBG/QHTJtYMyke3
TLSH:	2AE63333B2904037D6B309379D6AF2241D3DFB152F24595EB7E8AD4C5F392822AB6253
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x49ab80
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	332f7ce65ead0adfb3d35147033aabe9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0049A778h
call 00007F2E4072973Dh
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F2E4077D085h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, 0049ABE0h
call 00007F2E4077CC84h
mov ecx, dword ptr [0049DBDCh]
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, dword ptr [00496590h]
call 00007F2E4077D074h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F2E4077D0E8h
call 00007F2E4072721Bh
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0000	0x2a42	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0xdd0740	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa5000	0xa980	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0xa4018	0x21	.rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa4000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x99bec	0x99c00	33fbe30e8a64654287edd1bf05ae7c8c	False	0.5141641260162602	data	6.572957870355296	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9b000	0x2e54	0x3000	1f5e19e7d20c1d128443d738ac7bc610	False	0.453125	data	4.854620797809023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x9e000	0x11e5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa0000	0x2a42	0x2c00	21ff53180b390dc06e3a1adf0e57a073	False	0.3537819602272727	data	4.919333216027082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa3000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa4000	0x39	0x200	a92cf494c617731a527994013429ad97	False	0.119140625	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J"	0.7846201577093705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xa5000	0xa980	0xaa00	dcd1b1c3f3d28d444920211170d1e8e6	False	0.5899816176470588	data	6.674124985579511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0xdd0740	0xdd0800	9a0296585b2d399a9526197b6ec43713	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xb0dc8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0xb0efc	0x134	data			0.4642857142857143
RT_CURSOR	0xb1030	0x134	data			0.4805194805194805
RT_CURSOR	0xb1164	0x134	data			0.38311688311688313
RT_CURSOR	0xb1298	0x134	data			0.36038961038961037
RT_CURSOR	0xb13cc	0x134	data			0.4090909090909091
RT_CURSOR	0xb1500	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0xb1634	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1804	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0xb19e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1bb8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0xb1d88	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0xb1f58	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0xb2128	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0xb22f8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb24c8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0xb2698	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb2868	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_ICON	0xb2950	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.12453095684803002
RT_ICON	0xb39f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 8192	Turkish	Turkey	0.2101313320825516
RT_DIALOG	0xb4aa0	0x52	data			0.7682926829268293
RT_STRING	0xb4af4	0x358	data			0.3796728971962617
RT_STRING	0xb4e4c	0x428	data			0.37406015037593987
RT_STRING	0xb5274	0x3a4	data			0.40879828326180256
RT_STRING	0xb5618	0x3bc	data			0.33472803347280333
RT_STRING	0xb59d4	0x2d4	data			0.4654696132596685
RT_STRING	0xb5ca8	0x334	data			0.42804878048780487
RT_STRING	0xb5fdc	0x42c	data			0.42602996254681647
RT_STRING	0xb6408	0x1f0	data			0.4213709677419355
RT_STRING	0xb65f8	0x1c0	data			0.44419642857142855
RT_STRING	0xb67b8	0xdc	data			0.6
RT_STRING	0xb6894	0x320	data			0.45125
RT_STRING	0xb6bb4	0xd8	data			0.5879629629629629
RT_STRING	0xb6c8c	0x118	data			0.5678571428571428
RT_STRING	0xb6da4	0x268	data			0.4707792207792208
RT_STRING	0xb700c	0x3f8	data			0.37598425196850394
RT_STRING	0xb7404	0x378	data			0.41103603603603606
RT_STRING	0xb777c	0x380	data			0.35379464285714285
RT_STRING	0xb7afc	0x374	data			0.4061085972850679
RT_STRING	0xb7e70	0xe0	data			0.5535714285714286
RT_STRING	0xb7f50	0xbc	data			0.526595744680851
RT_STRING	0xb800c	0x368	data			0.40940366972477066
RT_STRING	0xb8374	0x3fc	data			0.34901960784313724
RT_STRING	0xb8770	0x2fc	data			0.36649214659685864
RT_STRING	0xb8a6c	0x354	data			0.31572769953051644
RT_RCDATA	0xb8dc0	0x44	data			0.8676470588235294
RT_RCDATA	0xb8e04	0x10	data			1.5
RT_RCDATA	0xb8e14	0xdbea10	PE32 executable (GUI) Intel 80386, for MS Windows			0.7639369964599609
RT_RCDATA	0xe77824	0x3	ASCII text, with no line terminators	Turkish	Turkey	3.6666666666666665
RT_RCDATA	0xe77828	0x3c00	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Turkish	Turkey	0.54296875
RT_RCDATA	0xe7b428	0x64c	data			0.5998759305210918
RT_RCDATA	0xe7ba74	0x153	Delphi compiled form 'TFormVir'			0.7522123893805309
RT_RCDATA	0xe7bbc8	0x47d3	Microsoft Excel 2007+	Turkish	Turkey	0.8675150921846957
RT_GROUP_CURSOR	0xe8039c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xe803b0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xe803c4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xe803d8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xe803ec	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xe80400	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xe80414	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0xe80428	0x14	data	Turkish	Turkey	1.1
RT_VERSION	0xe8043c	0x304	data	Turkish	Turkey	0.42875647668393785

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegNotifyChangeKeyValue, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll	lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReadFile, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, EndUpdateResourceA, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle, BeginUpdateResourceA
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAsciiEx, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyExA, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
ole32.dll	CLSIDFromString
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CLSIDFromProgID, CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll	ShellExecuteExA, ExtractIconExW
wininet.dll	InternetGetConnectedState, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder
advapi32.dll	OpenSCManagerA, CloseServiceHandle
wsock32.dll	WSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
netapi32.dll	Netbios

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T20:29:49.306824+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49766	172.217.18.14	443	TCP
2025-01-02T20:29:49.335267+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49767	172.217.18.14	443	TCP
2025-01-02T20:29:49.704664+0100	2832617	ETPRO MALWARE W32.Bloat-A Checkin	1	192.168.2.10	49776	69.42.215.252	80	TCP
2025-01-02T20:29:50.362124+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49781	172.217.18.14	443	TCP
2025-01-02T20:29:50.433921+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49778	172.217.18.14	443	TCP
2025-01-02T20:29:51.425915+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49789	172.217.18.14	443	TCP
2025-01-02T20:29:51.514259+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49793	172.217.18.14	443	TCP
2025-01-02T20:29:53.390542+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49801	172.217.18.14	443	TCP
2025-01-02T20:30:00.471957+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49831	172.217.18.14	443	TCP
2025-01-02T20:30:00.480979+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49829	172.217.18.14	443	TCP
2025-01-02T20:30:01.615907+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49845	172.217.18.14	443	TCP
2025-01-02T20:30:01.708048+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49844	172.217.18.14	443	TCP
2025-01-02T20:30:02.641788+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49853	172.217.18.14	443	TCP
2025-01-02T20:30:02.740833+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49856	172.217.18.14	443	TCP
2025-01-02T20:30:03.978908+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49865	172.217.18.14	443	TCP
2025-01-02T20:30:03.989273+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49863	172.217.18.14	443	TCP
2025-01-02T20:30:05.175798+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49884	172.217.18.14	443	TCP
2025-01-02T20:30:05.176404+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49883	172.217.18.14	443	TCP
2025-01-02T20:30:06.278855+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49890	172.217.18.14	443	TCP
2025-01-02T20:30:06.286346+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.10	49891	172.217.18.14	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:29:48.179733992 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:48.179769993 CET	443	49766	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:48.179950953 CET	49767	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:48.179992914 CET	443	49767	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:48.180015087 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:48.180039883 CET	49767	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:48.293273926 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:48.293294907 CET	443	49766	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:48.293335915 CET	49767	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:48.293359041 CET	443	49767	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:48.926248074 CET	443	49766	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:48.926331043 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:48.927043915 CET	443	49766	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:48.927143097 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:48.946912050 CET	443	49767	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:48.946990967 CET	49767	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:48.949771881 CET	443	49767	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:48.949846983 CET	49767	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.002142906 CET	49767	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.002159119 CET	443	49767	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.002403975 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.002420902 CET	443	49766	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.002420902 CET	443	49767	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.002473116 CET	49767	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.002687931 CET	443	49766	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.002820015 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.006042004 CET	49767	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.006099939 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.047331095 CET	443	49766	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.051322937 CET	443	49767	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.092327118 CET	49776	80	192.168.2.10	69.42.215.252
Jan 2, 2025 20:29:49.097071886 CET	80	49776	69.42.215.252	192.168.2.10
Jan 2, 2025 20:29:49.097199917 CET	49776	80	192.168.2.10	69.42.215.252
Jan 2, 2025 20:29:49.097685099 CET	49776	80	192.168.2.10	69.42.215.252
Jan 2, 2025 20:29:49.102499962 CET	80	49776	69.42.215.252	192.168.2.10
Jan 2, 2025 20:29:49.306830883 CET	443	49766	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.306945086 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.306971073 CET	443	49766	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.307252884 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.307415009 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.307459116 CET	443	49766	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.307595968 CET	49766	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.308403015 CET	49778	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.308424950 CET	443	49778	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.308660030 CET	49778	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.309349060 CET	49778	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.309359074 CET	443	49778	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.319334030 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:49.319375992 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:49.319500923 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:49.319998980 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:49.320014000 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:49.335299015 CET	443	49767	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.335378885 CET	443	49767	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.335397959 CET	49767	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.335529089 CET	49767	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.335599899 CET	49767	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.335616112 CET	443	49767	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.336239100 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:49.336285114 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:49.336436033 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.336467981 CET	443	49781	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.336493969 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:49.336512089 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.337081909 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:49.337096930 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:49.337320089 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.337333918 CET	443	49781	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.704570055 CET	80	49776	69.42.215.252	192.168.2.10
Jan 2, 2025 20:29:49.704663992 CET	49776	80	192.168.2.10	69.42.215.252
Jan 2, 2025 20:29:49.961985111 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:49.962069988 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:49.967294931 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:49.967317104 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:49.967605114 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:49.967653036 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:49.968410969 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:49.978149891 CET	443	49781	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.978233099 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.978902102 CET	443	49781	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.978970051 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.982922077 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.982933998 CET	443	49781	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.983155966 CET	443	49781	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:49.983218908 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.983701944 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:49.995891094 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:49.996473074 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.001873016 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.001880884 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.002213001 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.002269030 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.003163099 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.011326075 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.031342030 CET	443	49781	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.043328047 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.051268101 CET	443	49778	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.051362038 CET	49778	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.052047014 CET	443	49778	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.052092075 CET	49778	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.055913925 CET	49778	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.055921078 CET	443	49778	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.056158066 CET	443	49778	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.056214094 CET	49778	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.056714058 CET	49778	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.103328943 CET	443	49778	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.362138033 CET	443	49781	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.362211943 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.362231970 CET	443	49781	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.362277985 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.362737894 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.362778902 CET	443	49781	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.362881899 CET	49781	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.363799095 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.363845110 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.363910913 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.364270926 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.364281893 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.372685909 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.372733116 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.372750044 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.372771978 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.372783899 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.372821093 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.372827053 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.372836113 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.372855902 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.372873068 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.383166075 CET	49779	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.383183956 CET	443	49779	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.384011030 CET	49790	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.384049892 CET	443	49790	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.384165049 CET	49790	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.384465933 CET	49790	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.384483099 CET	443	49790	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.433909893 CET	443	49778	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.434040070 CET	49778	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.434293032 CET	49778	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.434334040 CET	443	49778	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.434395075 CET	49778	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.435458899 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.435498953 CET	443	49793	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.435564041 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.436397076 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:50.436410904 CET	443	49793	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:50.547099113 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.547161102 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.547262907 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.547283888 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.547326088 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.548484087 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.548532963 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.548535109 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.548579931 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.565412998 CET	49780	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.565443993 CET	443	49780	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.568223953 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.568262100 CET	443	49795	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:50.568439007 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.569190025 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:50.569202900 CET	443	49795	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.011753082 CET	443	49790	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.011859894 CET	49790	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.013216019 CET	49790	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.013226032 CET	443	49790	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.013700008 CET	49790	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.013705015 CET	443	49790	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.040381908 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.040482044 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.042649031 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.042695999 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.081752062 CET	443	49793	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.081856966 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.082511902 CET	443	49793	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.082564116 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.085410118 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.085438967 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.085798025 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.085855961 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.091316938 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.135332108 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.155843973 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.155858040 CET	443	49793	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.156167984 CET	443	49793	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.156375885 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.157195091 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.199338913 CET	443	49793	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.241063118 CET	443	49795	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.241131067 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.314937115 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.314956903 CET	443	49795	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.315241098 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.315247059 CET	443	49795	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.425945997 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.426073074 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.426088095 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.426175117 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.427381992 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.427439928 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.427520990 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.427668095 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.514245987 CET	443	49793	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.514355898 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.516999960 CET	443	49793	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.517040968 CET	443	49793	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.517060995 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.517081976 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.523101091 CET	443	49790	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.523138046 CET	443	49790	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.523175955 CET	49790	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.523210049 CET	443	49790	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.523225069 CET	49790	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.523252010 CET	49790	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.523255110 CET	443	49790	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.523298979 CET	49790	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.585709095 CET	49789	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:51.585741997 CET	443	49789	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:51.586685896 CET	49790	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.586719036 CET	443	49790	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.621644974 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.621680975 CET	443	49800	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.621752024 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.626679897 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.626693010 CET	443	49800	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.674988031 CET	443	49795	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.675040960 CET	443	49795	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.675048113 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.675065994 CET	443	49795	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.675085068 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.675127983 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.675136089 CET	443	49795	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.675147057 CET	443	49795	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:51.675168991 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:51.675199986 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:52.109863043 CET	49793	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:52.109895945 CET	443	49793	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:52.232970953 CET	49801	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:52.233007908 CET	443	49801	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:52.233233929 CET	49801	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:52.236407995 CET	49801	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:52.236419916 CET	443	49801	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:52.297719955 CET	49802	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:52.297744036 CET	443	49802	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:52.297806978 CET	49802	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:52.319976091 CET	443	49800	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:52.320050001 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:52.497596025 CET	49795	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:52.497628927 CET	443	49795	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:52.498356104 CET	49804	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:52.498383999 CET	443	49804	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:52.499180079 CET	49804	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:52.500163078 CET	49804	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:52.500176907 CET	443	49804	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:52.539084911 CET	49802	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:52.539114952 CET	443	49802	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:52.550014019 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:52.550029993 CET	443	49800	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:52.550211906 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:52.550216913 CET	443	49800	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:52.882590055 CET	443	49801	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:52.882663965 CET	49801	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:53.035002947 CET	443	49800	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:53.035063982 CET	443	49800	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:53.035075903 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:53.035085917 CET	443	49800	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:53.035098076 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:53.035157919 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:53.035162926 CET	443	49800	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:53.035331011 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:53.035717010 CET	443	49800	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:53.035757065 CET	443	49800	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:53.035804987 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:53.096359968 CET	49801	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:53.096370935 CET	443	49801	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:53.098789930 CET	49801	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:53.098795891 CET	443	49801	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:53.110129118 CET	49804	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:53.110137939 CET	49802	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:53.110165119 CET	49800	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:53.390549898 CET	443	49801	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:53.390609026 CET	49801	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:53.390630960 CET	443	49801	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:53.390685081 CET	49801	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:53.391731024 CET	443	49801	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:53.391783953 CET	49801	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:53.391798019 CET	443	49801	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:53.391839981 CET	49801	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:59.389297962 CET	49829	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:59.389343977 CET	443	49829	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:59.389457941 CET	49801	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:59.389481068 CET	443	49801	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:59.389489889 CET	49829	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:59.391047955 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:59.391083956 CET	443	49830	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:59.391192913 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:59.391410112 CET	49831	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:59.391418934 CET	443	49831	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:59.391478062 CET	49831	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:59.391828060 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:29:59.391839027 CET	443	49830	216.58.206.65	192.168.2.10
Jan 2, 2025 20:29:59.392293930 CET	49829	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:59.392328978 CET	443	49829	172.217.18.14	192.168.2.10
Jan 2, 2025 20:29:59.392479897 CET	49831	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:29:59.392498016 CET	443	49831	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.089822054 CET	443	49831	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.089888096 CET	49831	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.090585947 CET	443	49831	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.090631008 CET	49831	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.091411114 CET	443	49830	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.091551065 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.100341082 CET	443	49829	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.100429058 CET	49829	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.101094961 CET	443	49829	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.101154089 CET	49829	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.144630909 CET	49831	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.144706011 CET	443	49831	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.145004034 CET	443	49831	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.145426035 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.145453930 CET	443	49830	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.145467997 CET	49831	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.145857096 CET	443	49830	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.148174047 CET	49831	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.148214102 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.148303986 CET	49829	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.148332119 CET	443	49829	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.148572922 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.148680925 CET	443	49829	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.148742914 CET	49829	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.149235010 CET	49829	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.191337109 CET	443	49830	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.191339016 CET	443	49829	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.191354036 CET	443	49831	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.471970081 CET	443	49831	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.472639084 CET	443	49831	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.472747087 CET	49831	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.473603010 CET	49831	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.473634005 CET	443	49831	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.474397898 CET	49843	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.474436045 CET	443	49843	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.474507093 CET	49843	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.474644899 CET	49844	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.474689960 CET	443	49844	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.474760056 CET	49844	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.474967957 CET	49843	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.474984884 CET	443	49843	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.475225925 CET	49844	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.475240946 CET	443	49844	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.480992079 CET	443	49829	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.482192039 CET	443	49829	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.482302904 CET	49829	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.482450008 CET	49829	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.482465029 CET	443	49829	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.482959986 CET	49845	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.483000994 CET	443	49845	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.483202934 CET	49845	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.483411074 CET	49845	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:00.483427048 CET	443	49845	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:00.516567945 CET	443	49830	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.516629934 CET	443	49830	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.516638041 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.516670942 CET	443	49830	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.516690969 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.516726971 CET	443	49830	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.516736031 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.516865969 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.526622057 CET	49830	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.526649952 CET	443	49830	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.527405024 CET	49847	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.527468920 CET	443	49847	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:00.527831078 CET	49847	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.528043032 CET	49847	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:00.528072119 CET	443	49847	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.128923893 CET	443	49843	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.128995895 CET	49843	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.137784958 CET	443	49845	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.137892962 CET	49845	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.147569895 CET	49843	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.147583961 CET	443	49843	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.147949934 CET	49843	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.147960901 CET	443	49843	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.148474932 CET	49845	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.148483038 CET	443	49845	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.149267912 CET	49845	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.149274111 CET	443	49845	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.167030096 CET	443	49847	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.167124033 CET	49847	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.181972027 CET	49847	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.182010889 CET	443	49847	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.182327986 CET	49847	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.182347059 CET	443	49847	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.217823982 CET	443	49844	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.221401930 CET	49844	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.232790947 CET	49844	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.232808113 CET	443	49844	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.233122110 CET	49844	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.233129978 CET	443	49844	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.569885969 CET	443	49843	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.569936037 CET	443	49843	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.569960117 CET	49843	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.569983959 CET	443	49843	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.569998026 CET	49843	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.570028067 CET	49843	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.570033073 CET	443	49843	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.570043087 CET	443	49843	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.570084095 CET	49843	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.571979046 CET	49843	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.572002888 CET	443	49843	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.615923882 CET	443	49845	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.616015911 CET	49845	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.617299080 CET	443	49845	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.617341995 CET	443	49845	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.617397070 CET	49845	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.617494106 CET	49845	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.617506027 CET	443	49845	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.617517948 CET	49845	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.617592096 CET	49845	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.618350983 CET	49853	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.618398905 CET	443	49853	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.618506908 CET	49853	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.618880987 CET	49853	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.618894100 CET	443	49853	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.635315895 CET	49854	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.635334969 CET	443	49854	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.635488033 CET	49854	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.640477896 CET	49854	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.640495062 CET	443	49854	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.708055019 CET	443	49844	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.710423946 CET	443	49844	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.710556984 CET	49844	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.711065054 CET	49844	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.711080074 CET	443	49844	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.711105108 CET	49844	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.711184978 CET	49844	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.712080956 CET	49856	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.712140083 CET	443	49856	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.712233067 CET	49856	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.712492943 CET	49856	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:01.712507963 CET	443	49856	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:01.720721006 CET	443	49847	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.720769882 CET	443	49847	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.720865965 CET	443	49847	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.720896006 CET	49847	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.720957041 CET	49847	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.721894026 CET	49847	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.721956968 CET	443	49847	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.722426891 CET	49857	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.722457886 CET	443	49857	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:01.722515106 CET	49857	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.722732067 CET	49857	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:01.722744942 CET	443	49857	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.257194042 CET	443	49853	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.257287979 CET	49853	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.268817902 CET	443	49854	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.268881083 CET	49854	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.278424978 CET	49853	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.278430939 CET	443	49853	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.282447100 CET	49853	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.282453060 CET	443	49853	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.301424980 CET	49854	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.301436901 CET	443	49854	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.303270102 CET	49854	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.303278923 CET	443	49854	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.349500895 CET	443	49856	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.349575996 CET	49856	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.355756044 CET	443	49857	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.355820894 CET	49857	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.408030033 CET	49856	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.408045053 CET	443	49856	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.408416033 CET	49856	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.408421993 CET	443	49856	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.408890009 CET	49857	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.408906937 CET	443	49857	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.409027100 CET	49857	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.409034014 CET	443	49857	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.641803026 CET	443	49853	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.642628908 CET	443	49853	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.642729044 CET	49853	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.685538054 CET	443	49854	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.685580015 CET	443	49854	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.685671091 CET	443	49854	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.685714006 CET	49854	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.685760975 CET	49854	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.740847111 CET	443	49856	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.741751909 CET	443	49856	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.741909027 CET	49856	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.826781988 CET	443	49857	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.826823950 CET	443	49857	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.826921940 CET	443	49857	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.826967001 CET	49857	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.827029943 CET	49857	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.934220076 CET	49853	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.934258938 CET	443	49853	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.934990883 CET	49863	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.935046911 CET	443	49863	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.935146093 CET	49863	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.935924053 CET	49863	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.935940981 CET	443	49863	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.938169956 CET	49854	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.938200951 CET	443	49854	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.938838959 CET	49864	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.938890934 CET	443	49864	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.939192057 CET	49864	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.939444065 CET	49864	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.939455986 CET	443	49864	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.940026999 CET	49856	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.940042973 CET	443	49856	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.940843105 CET	49865	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.940884113 CET	443	49865	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.941122055 CET	49865	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.941333055 CET	49865	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:02.941344023 CET	443	49865	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:02.955442905 CET	49857	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.955468893 CET	443	49857	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.985456944 CET	49868	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.985513926 CET	443	49868	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:02.985572100 CET	49868	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.990556955 CET	49868	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:02.990585089 CET	443	49868	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:03.598798037 CET	443	49865	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.599324942 CET	49865	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.600131989 CET	49865	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.600143909 CET	443	49865	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.600534916 CET	49865	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.600541115 CET	443	49865	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.602720976 CET	443	49863	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.602813005 CET	49863	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.603140116 CET	49863	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.603147030 CET	443	49863	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.603282928 CET	49863	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.603287935 CET	443	49863	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.603807926 CET	443	49864	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:03.603873968 CET	49864	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:03.605493069 CET	49864	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:03.605505943 CET	443	49864	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:03.605658054 CET	49864	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:03.605667114 CET	443	49864	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:03.641026974 CET	443	49868	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:03.641344070 CET	49868	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:03.661484003 CET	49868	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:03.661500931 CET	443	49868	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:03.661678076 CET	49868	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:03.661684036 CET	443	49868	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:03.978900909 CET	443	49865	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.979026079 CET	49865	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.979048014 CET	443	49865	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.979124069 CET	49865	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.979949951 CET	443	49865	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.979993105 CET	443	49865	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.980015039 CET	49865	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.980035067 CET	49865	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.989264011 CET	443	49863	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.989609957 CET	49863	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.989633083 CET	443	49863	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.989679098 CET	49863	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.990499973 CET	443	49863	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.990540981 CET	443	49863	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:03.990542889 CET	49863	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:03.990592957 CET	49863	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.024621010 CET	49865	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.024655104 CET	443	49865	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.024835110 CET	49879	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.024866104 CET	443	49879	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.024926901 CET	49879	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.025177956 CET	49879	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.025186062 CET	443	49879	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.045834064 CET	443	49864	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.045887947 CET	443	49864	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.045911074 CET	49864	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.045929909 CET	443	49864	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.045953035 CET	49864	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.045974016 CET	49864	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.045978069 CET	443	49864	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.045990944 CET	443	49864	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.046027899 CET	49864	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.050798893 CET	49863	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.050825119 CET	443	49863	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.051758051 CET	49880	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.051784992 CET	443	49880	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.052073956 CET	49880	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.052331924 CET	49880	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.052341938 CET	443	49880	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.055989981 CET	49864	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.056000948 CET	443	49864	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.057389975 CET	49881	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.057423115 CET	443	49881	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.057559967 CET	49881	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.058350086 CET	49881	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.058360100 CET	443	49881	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.069328070 CET	443	49868	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.069367886 CET	443	49868	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.069439888 CET	49868	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.069458008 CET	443	49868	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.069559097 CET	49868	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.069695950 CET	443	49868	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.069737911 CET	443	49868	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.069768906 CET	49868	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.069782972 CET	49868	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.071615934 CET	49868	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.071623087 CET	443	49868	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.072457075 CET	49882	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.072495937 CET	443	49882	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.072668076 CET	49882	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.072860003 CET	49882	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.072881937 CET	443	49882	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.146449089 CET	49879	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.146475077 CET	49880	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.147021055 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.147042990 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.147094965 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.148535013 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.148549080 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.149032116 CET	49884	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.149054050 CET	443	49884	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.149108887 CET	49884	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.150187016 CET	49884	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.150198936 CET	443	49884	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.705382109 CET	443	49882	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.705684900 CET	49882	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.707061052 CET	49882	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.707113028 CET	443	49882	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.708755970 CET	443	49881	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.708812952 CET	49881	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.710691929 CET	49882	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.710705996 CET	443	49882	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.711585999 CET	49881	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.711597919 CET	443	49881	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.711833000 CET	49881	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:04.711838961 CET	443	49881	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:04.784512043 CET	443	49884	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.784583092 CET	49884	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.785109997 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.785171986 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.785276890 CET	443	49884	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.785489082 CET	49884	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.785900116 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.785948038 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.791198969 CET	49884	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.791208982 CET	443	49884	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.791488886 CET	443	49884	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.791549921 CET	49884	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.792248011 CET	49884	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.795619011 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.795646906 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.796303034 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.796370983 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.797427893 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:04.835329056 CET	443	49884	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:04.839342117 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.135080099 CET	443	49882	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.135112047 CET	443	49882	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.135195017 CET	49882	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.135205984 CET	443	49882	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.135649920 CET	49882	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.151185989 CET	49882	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.151216030 CET	443	49882	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.175791979 CET	443	49884	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.176237106 CET	49884	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.176244020 CET	443	49884	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.176290989 CET	49884	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.176418066 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.176469088 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.176496983 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.176536083 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.176954031 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.176994085 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.176995993 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.177031040 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.235997915 CET	49884	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.236032963 CET	443	49884	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.236916065 CET	49889	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.236958027 CET	443	49889	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.237071037 CET	49889	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.237448931 CET	49890	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.237476110 CET	443	49890	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.237565041 CET	49890	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.238205910 CET	49890	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.238214970 CET	443	49890	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.238270044 CET	49883	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.238296986 CET	443	49883	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.238972902 CET	49891	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.239007950 CET	443	49891	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.239145041 CET	49891	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.241723061 CET	49891	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.241738081 CET	443	49891	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.269915104 CET	49889	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.269943953 CET	443	49889	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.291512966 CET	443	49881	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.291569948 CET	443	49881	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.291604996 CET	49881	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.291625977 CET	443	49881	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.291642904 CET	49881	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.291670084 CET	49881	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.291673899 CET	443	49881	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.291699886 CET	443	49881	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.291753054 CET	49881	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.293837070 CET	49881	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.293850899 CET	443	49881	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.294495106 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.294549942 CET	443	49893	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.294605970 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.297919989 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.297946930 CET	443	49893	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.865715981 CET	443	49890	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.865890026 CET	49890	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.878297091 CET	443	49891	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.878377914 CET	49891	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.914201975 CET	49890	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.914217949 CET	443	49890	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.914458036 CET	49890	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.914463997 CET	443	49890	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.915721893 CET	443	49889	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.915908098 CET	49889	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.916371107 CET	49889	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.916374922 CET	443	49889	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.916527987 CET	49891	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.916544914 CET	443	49891	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.916546106 CET	49889	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.916549921 CET	443	49889	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.916807890 CET	49891	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:05.916815042 CET	443	49891	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:05.935695887 CET	443	49893	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.935781956 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.937659979 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.937674999 CET	443	49893	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:05.937850952 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:05.937855959 CET	443	49893	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:06.278820038 CET	443	49890	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:06.278938055 CET	49890	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:06.278951883 CET	443	49890	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:06.279026031 CET	49890	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:06.279138088 CET	443	49890	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:06.279177904 CET	443	49890	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:06.279189110 CET	49890	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:06.279217005 CET	49890	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:06.286341906 CET	443	49891	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:06.286535978 CET	49891	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:06.287046909 CET	443	49891	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:06.287084103 CET	443	49891	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:06.287183046 CET	49891	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:06.358541012 CET	443	49889	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:06.358592033 CET	443	49889	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:06.358666897 CET	49889	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:06.358699083 CET	443	49889	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:06.358711958 CET	443	49889	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:06.358772039 CET	49889	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:06.517419100 CET	443	49893	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:06.517467022 CET	443	49893	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:06.517483950 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:06.517520905 CET	443	49893	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:06.517539978 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:06.517555952 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:06.517563105 CET	443	49893	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:06.517584085 CET	443	49893	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:06.517597914 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:06.517625093 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:18.224664927 CET	49891	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.224664927 CET	49891	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.224694967 CET	443	49891	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:18.224967003 CET	49891	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.225625038 CET	49890	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.225651026 CET	443	49890	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:18.227406025 CET	49977	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.227438927 CET	443	49977	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:18.227564096 CET	49978	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.227595091 CET	443	49978	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:18.227776051 CET	49978	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.227777004 CET	49977	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.228580952 CET	49893	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:18.228602886 CET	443	49893	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:18.229473114 CET	49889	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:18.229542971 CET	443	49889	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:18.230674028 CET	49977	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.230695963 CET	443	49977	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:18.231333017 CET	49978	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.231347084 CET	443	49978	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:18.231939077 CET	49980	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:18.231957912 CET	443	49980	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:18.232096910 CET	49980	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:18.232348919 CET	49980	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:18.232353926 CET	443	49980	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:18.871851921 CET	443	49978	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:18.871983051 CET	49978	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.877798080 CET	443	49977	172.217.18.14	192.168.2.10
Jan 2, 2025 20:30:18.878115892 CET	49977	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:18.878876925 CET	443	49980	216.58.206.65	192.168.2.10
Jan 2, 2025 20:30:18.881325006 CET	49980	443	192.168.2.10	216.58.206.65
Jan 2, 2025 20:30:19.705744982 CET	80	49776	69.42.215.252	192.168.2.10
Jan 2, 2025 20:30:19.707233906 CET	49776	80	192.168.2.10	69.42.215.252
Jan 2, 2025 20:30:21.324316025 CET	49977	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:21.325848103 CET	49776	80	192.168.2.10	69.42.215.252
Jan 2, 2025 20:30:21.326787949 CET	49978	443	192.168.2.10	172.217.18.14
Jan 2, 2025 20:30:21.332752943 CET	49980	443	192.168.2.10	216.58.206.65

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:29:48.167270899 CET	55179	53	192.168.2.10	1.1.1.1
Jan 2, 2025 20:29:48.173806906 CET	53	55179	1.1.1.1	192.168.2.10
Jan 2, 2025 20:29:49.056503057 CET	60098	53	192.168.2.10	1.1.1.1
Jan 2, 2025 20:29:49.066581964 CET	53	60098	1.1.1.1	192.168.2.10
Jan 2, 2025 20:29:49.084305048 CET	55779	53	192.168.2.10	1.1.1.1
Jan 2, 2025 20:29:49.091583967 CET	53	55779	1.1.1.1	192.168.2.10
Jan 2, 2025 20:29:49.311330080 CET	53022	53	192.168.2.10	1.1.1.1
Jan 2, 2025 20:29:49.318073034 CET	53	53022	1.1.1.1	192.168.2.10
Jan 2, 2025 20:29:59.401935101 CET	52039	53	192.168.2.10	1.1.1.1
Jan 2, 2025 20:29:59.410660982 CET	53	52039	1.1.1.1	192.168.2.10
Jan 2, 2025 20:30:05.241297007 CET	50577	53	192.168.2.10	1.1.1.1
Jan 2, 2025 20:30:05.249196053 CET	53	50577	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 20:29:48.167270899 CET	192.168.2.10	1.1.1.1	0x8bdc	Standard query (0)	docs.google.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:29:49.056503057 CET	192.168.2.10	1.1.1.1	0x6cc6	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:29:49.084305048 CET	192.168.2.10	1.1.1.1	0x5f00	Standard query (0)	freedns.afraid.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:29:49.311330080 CET	192.168.2.10	1.1.1.1	0x351d	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:29:59.401935101 CET	192.168.2.10	1.1.1.1	0xb2cc	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:30:05.241297007 CET	192.168.2.10	1.1.1.1	0xc478	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 20:29:37.462280989 CET	1.1.1.1	192.168.2.10	0xe13b	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 20:29:37.462280989 CET	1.1.1.1	192.168.2.10	0xe13b	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:29:48.173806906 CET	1.1.1.1	192.168.2.10	0x8bdc	No error (0)	docs.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:29:49.066581964 CET	1.1.1.1	192.168.2.10	0x6cc6	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:29:49.091583967 CET	1.1.1.1	192.168.2.10	0x5f00	No error (0)	freedns.afraid.org		69.42.215.252	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:29:49.318073034 CET	1.1.1.1	192.168.2.10	0x351d	No error (0)	drive.usercontent.google.com		216.58.206.65	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:29:59.410660982 CET	1.1.1.1	192.168.2.10	0xb2cc	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:30:05.249196053 CET	1.1.1.1	192.168.2.10	0xc478	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:30:51.380831957 CET	1.1.1.1	192.168.2.10	0xbd9e	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 20:30:51.380831957 CET	1.1.1.1	192.168.2.10	0xbd9e	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

docs.google.com

drive.usercontent.google.com

freedns.afraid.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49776	69.42.215.252	80	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:29:49.097685099 CET	154	OUT	GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1 User-Agent: MyApp Host: freedns.afraid.org Cache-Control: no-cache
Jan 2, 2025 20:29:49.704570055 CET	243	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 02 Jan 2025 19:29:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding X-Cache: MISS Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fERROR: Could not authenticate.0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49767	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:49 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:29:49 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:49 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-aFZU_b2fAVWxhqLfX0x5dw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49766	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:49 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:29:49 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:49 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-SUbzP0-SxPXAuWbTrrj1qQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49779	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:49 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-02 19:29:50 UTC	1602	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5z3MzBh5CWJSMLaAc9xokVJiTAw5H0WY3EddfanXTXr5sNKfEKh2WaXAhLjfdU2ATOpN8goxM Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:50 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-Q3o1z4Lx_YgEHGtF541ccA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=FEdR7hJeWEf_mlWh8-hQ3QoGW_gT6l5dMMGxuI93At7n_hF_OWmLE3DjR5Bq5_qHo4Detsrdh6bt_pxK2LWTHgc9AvG3q0mQt068lhR2R5tIQ37SuRR0gpYynU27Wh5DFQOniutESzZ46wjeAGY24QGk5Wj2-ANbh0505g9eTQGxado5H9MM7s7R; expires=Fri, 04-Jul-2025 19:29:50 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:29:50 UTC	1602	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6e 61 59 65 62 75 67 6f 6b 73 52 6d 5f 49 39 73 36 79 6f 65 46 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="naYebugoksRm_I9s6yoeFw">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-01-02 19:29:50 UTC	50	IN	Data Raw: 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: is server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49781	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:49 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:29:50 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:50 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-HxbAYhtDACGXoCVMS6oSIQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49780	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:49 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-02 19:29:50 UTC	1593	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC62-1eB0PLgNeRGX-JqtIyl8KWAjKwYiys_29SnVwbyKHKD5PXhyuHwZBjlRKpSyczA Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:50 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-t1O_kD5fhuvNTTuEH-Kd2A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=W0NoFjodce_TP5kLdFP2TorZ_xPldMvGtI6v-4Xj1uULVyvhjW1o9Rgya6510DA_moY1CTOLJsYcmDZZjlmiyagMreVED0ScauI8Pm8-tFuLvQDYNOPgiY42l2zgWoAfSjWIOAq4ttuOKG-aAiVHqlk6REnnB8ITx_6bqWd7hzSbPWN26HfSlA; expires=Fri, 04-Jul-2025 19:29:50 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:29:50 UTC	1593	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 36 56 53 74 6d 51 59 78 2d 52 50 6a 57 65 37 47 6b 47 5f 6b 7a 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="6VStmQYx-RPjWe7GkG_kzw">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-01-02 19:29:50 UTC	59	IN	Data Raw: 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: und on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49778	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:50 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:29:50 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:50 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-WVBsUury_8-oHgMdXu8Www' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49790	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:51 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-02 19:29:51 UTC	1601	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7i3HEV__66WFH2TXjQeTECZAAUPyTn_6YCyDtJ6O9zlTXYPQJV9zG-fD2mEz00sxlTD3I4AQA Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:51 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-KhcuNQeLkVMs_LJqYVXvxg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE; expires=Fri, 04-Jul-2025 19:29:51 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:29:51 UTC	1601	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 5a 46 35 53 32 43 48 32 50 36 6d 43 64 77 5f 50 47 67 53 30 4d 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ZF5S2CH2P6mCdw_PGgS0Mw">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-01-02 19:29:51 UTC	51	IN	Data Raw: 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: his server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49789	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:51 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:29:51 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:51 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-BWb2nOjStVLhE51nyqegjw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49793	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:51 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:29:51 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:51 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-qhm5Rt-9jlJoUSsVo97SQw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49795	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:51 UTC	388	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=FEdR7hJeWEf_mlWh8-hQ3QoGW_gT6l5dMMGxuI93At7n_hF_OWmLE3DjR5Bq5_qHo4Detsrdh6bt_pxK2LWTHgc9AvG3q0mQt068lhR2R5tIQ37SuRR0gpYynU27Wh5DFQOniutESzZ46wjeAGY24QGk5Wj2-ANbh0505g9eTQGxado5H9MM7s7R
2025-01-02 19:29:51 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5WRDgvVAeysjwUl8o153bg0cCeEQhbXb7BSOGCqTTMdsCbyfnHbt7yB47BJUNPcKLf Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:51 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-3urO1pCo_O9CaBn5wVQfpg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:29:51 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2025-01-02 19:29:51 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 65 36 38 59 45 4c 6f 73 4a 6b 32 36 47 41 2d 58 50 77 72 75 5a 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="e68YELosJk26GA-XPwruZg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2025-01-02 19:29:51 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49800	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:52 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:29:53 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6_N0ucWUFF4uVsMo2Vbd-K6yZU_-HJQnZWNGrHg2tqfETSXegJa_ue_IZdEGGHRo72 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:52 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-mIujOZZrnIfMSkH2dTPB5A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:29:53 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2025-01-02 19:29:53 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6c 42 69 69 58 48 4a 49 68 6a 59 51 4e 57 61 44 47 31 66 4c 6e 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="lBiiXHJIhjYQNWaDG1fLnA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2025-01-02 19:29:53 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49801	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:29:53 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:29:53 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:29:53 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-6otxtXgROIxbyDArGb-Rkg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49831	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:00 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:00 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:00 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-leLo31EYI64QIs5hwXG2Nw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49830	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:00 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:30:00 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7k3ISV26NGOMzZfaO5XLArsuRHx7JUYDfNDJK4v3o_ZFUoEurK9kD46QaiKTgBx_v7thTN-tM Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:00 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-a9LHHoENweacfcHh6YrALQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:30:00 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2025-01-02 19:30:00 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4f 4a 67 6c 33 32 70 5f 48 66 73 6a 70 49 58 4f 50 56 79 52 38 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="OJgl32p_HfsjpIXOPVyR8Q">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2025-01-02 19:30:00 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	49829	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:00 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:00 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:00 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-pELVZEk3T8ntf9nKamQBCw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	49843	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:01 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:30:01 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC73zjhDeWwPA4ajUnY8rysrCC45TOjO9kc22zPJdTPrtAVQo5atuEhqQYMUxv9t4aTDMBG2m0Q Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:01 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-pG6KhWSSlz4b0SVEf6YzXw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:30:01 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2025-01-02 19:30:01 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 47 55 58 54 58 74 73 4a 75 33 39 58 74 47 4b 43 30 69 39 59 6f 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="GUXTXtsJu39XtGKC0i9Yog">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2025-01-02 19:30:01 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	49845	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:01 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:01 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:01 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-ZLPv-gTXC1MS-a4OL0R7pQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.10	49847	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:01 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:30:01 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5LiTzd0r65wWfWlA26kA7Qy7sO70Pq4Ix1priYdYaYTdxAgy7CRuqy9QjB8oEpq6zqjond02c Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:01 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-LymfkKsPGnDmELP8D17P9A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:30:01 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2025-01-02 19:30:01 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 45 73 68 76 6d 32 67 49 46 32 4f 45 4d 76 57 75 44 65 35 54 6f 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="Eshvm2gIF2OEMvWuDe5Tow">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2025-01-02 19:30:01 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.10	49844	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:01 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:01 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:01 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-4rw8xfdsz6LNgRAv5YHOAw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.10	49853	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:02 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:02 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:02 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-LeUhjilHDH-u9hfU98p1FA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.10	49854	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:02 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:30:02 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7C8Sd_cEBrqaNfAnUR-gYOakNUcpxUi1WxPyphulCQ53EgRIbZL4wVUtQNKuw8b35J Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:02 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-k5PoTSE2JCOYuTJECo7jOw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:30:02 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2025-01-02 19:30:02 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 71 2d 53 34 5f 30 62 75 55 77 31 65 52 6f 78 37 63 54 5a 4e 4b 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="q-S4_0buUw1eRox7cTZNKw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2025-01-02 19:30:02 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.10	49856	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:02 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:02 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:02 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce--lVkmGXiIcVdf0GrxVck_Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.10	49857	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:02 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:30:02 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5YgYg4w6BhFSsEd4emI5A65sPvT5kUaWtS_ieW38qxB13EmrQMSnxgBTlwaiifqJxH Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:02 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-2Tn4WwwHQS0RNMykTQCv7g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:30:02 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2025-01-02 19:30:02 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 42 51 6c 42 67 6d 6b 34 4a 2d 6b 50 6b 32 37 71 4c 4e 38 6a 4d 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="BQlBgmk4J-kPk27qLN8jMg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2025-01-02 19:30:02 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.10	49865	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:03 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:03 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:03 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-sE-hi4ePmtDbltrLcOmkhg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.10	49863	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:03 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:03 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:03 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-Z3KuJyglFGp01DWYYCYlUg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.10	49864	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:03 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:30:04 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7T5bTv7cCwltxlfqkOEcynkp_KOhiAlINZCv6Nz9UJ09pPx5jlI7UsegoXa1OkdEEZx_ewvKc Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:03 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-GZ2oOZ7Y-xuntvOOZroKQw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:30:04 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2025-01-02 19:30:04 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 56 6d 34 6e 61 79 39 61 50 75 34 41 55 44 65 74 49 76 62 35 30 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="Vm4nay9aPu4AUDetIvb50Q">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2025-01-02 19:30:04 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.10	49868	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:03 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:30:04 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC69RmWrtoKef6vbsINxgHQqBy48wC9KM2xJJttsrKA401qtYpUDL5UdPfuuE6nAt8jA Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:03 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-y-wEnPMHmN02qdZAqBja9Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:30:04 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2025-01-02 19:30:04 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 59 74 6d 79 6d 56 6a 73 56 37 62 45 72 45 4d 6b 38 58 67 64 59 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="YtmymVjsV7bErEMk8XgdYQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2025-01-02 19:30:04 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.10	49882	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:04 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:30:05 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5R1A6ZX40XkrpOLCSSt1tSsC3gHmh1vGXZy7T3hMgEo9Qhf88kX8PZGVLZMzMoEq9mlb_mjp8 Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:04 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-UgtSo80X_hr2UziUyzKRcw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:30:05 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2025-01-02 19:30:05 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 5a 43 34 4c 50 33 5f 4c 79 61 5a 49 6b 77 4b 6f 4d 6f 39 6c 63 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="ZC4LP3_LyaZIkwKoMo9lcA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2025-01-02 19:30:05 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.10	49881	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:04 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:30:05 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6yD2hULohi2_7AS9PS3FmbPpUfhD92lEOdfLGE9Cv-FBJhr7uoH3AIvUtX9AFSjLJC4ppzh6A Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:05 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-oWJAM_Rj5IWL-AJu3FIeTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:30:05 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2025-01-02 19:30:05 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 50 64 48 42 57 59 74 4f 5a 46 74 4f 4d 38 62 4b 54 2d 68 45 58 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="PdHBWYtOZFtOM8bKT-hEXA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2025-01-02 19:30:05 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.10	49884	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:04 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:05 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:05 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-1Kn44Zi7hI44Axy-c2cqeQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.10	49883	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:04 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:05 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:05 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-0qwkCsYHXpceFyn1pFW3Ng' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.10	49890	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:05 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:06 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:06 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-YycjgNE9JLLib9Hqk7XBVQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.10	49889	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:05 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:30:06 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC618Y811ZSL2hfCywhXQJLPA20a0uXv0kCEYfCBLy0tsnnqGakhzosH0__dAkZ2U-RncQNv-RY Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:06 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-KNXB0pZQu8YjhkLyqEhVhw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:30:06 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2025-01-02 19:30:06 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 44 39 77 37 49 59 59 69 49 75 66 2d 68 4f 67 62 62 63 58 49 4b 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="D9w7IYYiIuf-hOgbbcXIKA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2025-01-02 19:30:06 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.10	49891	172.217.18.14	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:05 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:30:06 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:06 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-CJC2jkoTAg3wndNFlAsMyQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.10	49893	216.58.206.65	443	8096	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:30:05 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=nglP2aBnAPfAMq5rpp4Q0RGzIQc4pxC626CwsB9hkrCMDDMD55WiFgHGf_WcSO9BPcnOQuCGaru7EleXXouWyXAhi4RcEuZhGnM6c1BEt0vKu6KUxZHCq2tns3L7zfeXPWnDzqDAPwJrKQubQ2Xp8Xfxpf2zihuxrsjnKtJszQpcloRKTdQGVTE
2025-01-02 19:30:06 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7V6-137Ol39RqklA_2Yzr3csLh4Un-qYpS7UIaSg0nxrLb_7O7BFuSt630X08AWPQS Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:30:06 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-aySToUy_UmdaFCTU0YuiCg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:30:06 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2025-01-02 19:30:06 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4c 4c 35 74 68 31 6a 5f 4f 33 77 32 67 63 68 33 6b 65 4f 58 6e 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="LL5th1j_O3w2gch3keOXnA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2025-01-02 19:30:06 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Target ID:	4
Start time:	14:29:35
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	15'183'872 bytes
MD5 hash:	7274B0B15C4E6D5BBE8DB5AA93C65A12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000004.00000000.1279132261.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.1279132261.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:29:36
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\._cache_file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\._cache_file.exe"
Imagebase:	0xfe0000
File size:	14'412'304 bytes
MD5 hash:	DE34B1C517E0463602624BBC8294C08D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	14:29:37
Start date:	02/01/2025
Path:	C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{F52E087A-53A6-4D4D-BEAE-A40DD36C6E5E}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=524 -burn.filehandle.self=640
Imagebase:	0x180000
File size:	647'912 bytes
MD5 hash:	2F9D2B6CE54F9095695B53D1AA217C7B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:29:39
Start date:	02/01/2025
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	B753207B14C635F29B2ABF64F603570A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000008.00000003.1391518292.000000000072F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:29:40
Start date:	02/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0x780000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	14:29:44
Start date:	02/01/2025
Path:	C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{B08E6DC2-76D4-458D-A6E2-7E824AE240D4}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4ECB3904-0384-4F60-9326-256C504267D7} {993172C8-4368-4578-BD0A-D6EA507F91CB} 8028
Imagebase:	0x7c0000
File size:	647'912 bytes
MD5 hash:	2F9D2B6CE54F9095695B53D1AA217C7B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	14:29:53
Start date:	02/01/2025
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe"
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	B753207B14C635F29B2ABF64F603570A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:30:02
Start date:	02/01/2025
Path:	C:\Windows\System32\SrTasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Imagebase:	0x7ff774fa0000
File size:	59'392 bytes
MD5 hash:	2694D2D28C368B921686FE567BD319EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:30:02
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:30:03
Start date:	02/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff74fb60000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	14:30:05
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 4648
Imagebase:	0x780000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	14:30:12
Start date:	02/01/2025
Path:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce
Imagebase:	0x9d0000
File size:	647'912 bytes
MD5 hash:	2F9D2B6CE54F9095695B53D1AA217C7B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	14:30:12
Start date:	02/01/2025
Path:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe"
Imagebase:	0x9d0000
File size:	647'912 bytes
MD5 hash:	2F9D2B6CE54F9095695B53D1AA217C7B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	14:30:12
Start date:	02/01/2025
Path:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
Imagebase:	0x9d0000
File size:	647'912 bytes
MD5 hash:	2F9D2B6CE54F9095695B53D1AA217C7B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00FE508D Relevance: 44.1, APIs: 5, Strings: 20, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00FE510F

Part of subcall function 010203F0: InitializeCriticalSection.KERNEL32(0104B60C,?,00FE511B,00000000,?,?,?,?,?,?), ref: 01020407

Part of subcall function 00FE1209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00FE5137,00000000,?), ref: 00FE1247
Part of subcall function 00FE1209: GetLastError.KERNEL32(?,?,?,00FE5137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00FE1251

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00FE517D

Part of subcall function 01020CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 01020CF2

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00FE520F
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00FE5219
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FE549B

Strings

Setup, xrefs: 00FE53FC
Failed to initialize Regutil., xrefs: 00FE51C1
Failed to run per-machine mode., xrefs: 00FE5364
Failed to initialize COM., xrefs: 00FE5189
Failed to get OS info., xrefs: 00FE5247
Failed to run untrusted mode., xrefs: 00FE53AE
Failed to run embedded mode., xrefs: 00FE533C
Invalid run mode., xrefs: 00FE52F1
Failed to run RunOnce mode., xrefs: 00FE5314
Failed to run per-user mode., xrefs: 00FE538C
Failed to parse command line., xrefs: 00FE513D
Failed to initialize engine state., xrefs: 00FE5164
Failed to initialize Cryputil., xrefs: 00FE519E
Failed to initialize XML util., xrefs: 00FE51F1
engine.cpp, xrefs: 00FE523D
Failed to initialize core., xrefs: 00FE52BB
3.10.4.4718, xrefs: 00FE527C
_Failed, xrefs: 00FE53F7
Failed to initialize Wiutil., xrefs: 00FE51D9
txt, xrefs: 00FE53F2

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.10.4.4718$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt
API String ID: 3262001429-867073019
Opcode ID: d4de36eacdc72d99e839b8bd4a126a8fee2d49843ec44c25d49ab1fc34e679b5
Instruction ID: befa91e47698fd3f44c46e52547f128dd20dfb5aa32f1a5f608e181e28833dfb
Opcode Fuzzy Hash: d4de36eacdc72d99e839b8bd4a126a8fee2d49843ec44c25d49ab1fc34e679b5
Instruction Fuzzy Hash: B0B1E572D40B799BDB32AF66CC45BEE73B5AF04B15F0400D9F948B6240DA749E80AF91

Function 01022F23 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,010234DF,00000000,?,00000000), ref: 01022F3D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0100BDED,?,00FE52FD,?,00000000,?), ref: 01022F49
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 01022F89
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 01022F95
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 01022FA0
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 01022FAA
CoCreateInstance.OLE32(0104B6C8,00000000,00000001,0102B808,?,?,?,?,?,?,?,?,?,?,?,0100BDED), ref: 01022FE5
ExitProcess.KERNEL32 ref: 01023094

Strings

IsWow64Process, xrefs: 01022F83
Wow64EnableWow64FsRedirection, xrefs: 01022F97
Wow64RevertWow64FsRedirection, xrefs: 01022FA2
kernel32.dll, xrefs: 01022F2D
xmlutil.cpp, xrefs: 01022F6D
Wow64DisableWow64FsRedirection, xrefs: 01022F8F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: c49bafc1662f476e16e36ce6dec857a5600796c177163db81f044db93bc279d9
Instruction ID: dc1233251499f2a32f45e884e5e65c3242242ed31104c4d901fed3a5f642ab83
Opcode Fuzzy Hash: c49bafc1662f476e16e36ce6dec857a5600796c177163db81f044db93bc279d9
Instruction Fuzzy Hash: 6D41C871A00325ABDB71DFA9C894F6E7BE5FF48710F1140A9F985EB241D77AD9008BA0

Function 00FE1070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE33D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00FE10DD,?,00000000), ref: 00FE33F8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00FE10F6

Part of subcall function 00FE1174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00FE111A,cabinet.dll,00000009,?,?,00000000), ref: 00FE1185
Part of subcall function 00FE1174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,00FE111A,cabinet.dll,00000009,?,?,00000000), ref: 00FE1190
Part of subcall function 00FE1174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00FE119E
Part of subcall function 00FE1174: GetLastError.KERNEL32(?,?,?,?,00FE111A,cabinet.dll,00000009,?,?,00000000), ref: 00FE11B9
Part of subcall function 00FE1174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00FE11C1
Part of subcall function 00FE1174: GetLastError.KERNEL32(?,?,?,?,00FE111A,cabinet.dll,00000009,?,?,00000000), ref: 00FE11D6

CloseHandle.KERNEL32(?,?,?,?,0102B4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 00FE1131

Strings

feclient.dll, xrefs: 00FE10D1
msi.dll, xrefs: 00FE10A0
crypt32.dll, xrefs: 00FE10CA
msasn1.dll, xrefs: 00FE10C3
version.dll, xrefs: 00FE10A7
clbcatq.dll, xrefs: 00FE10BC
comres.dll, xrefs: 00FE10B5
cabinet.dll, xrefs: 00FE1099
wininet.dll, xrefs: 00FE10AE

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 18a3b9c7bf5d2950572bdf9e5bfa61061e4fee73e5e26e448c16a3b83ea0dfe1
Instruction ID: ea3050c27eb0c24608e194ebea9cdd53ad9c518cdc0d60f54c4fc1cd5edb44f2
Opcode Fuzzy Hash: 18a3b9c7bf5d2950572bdf9e5bfa61061e4fee73e5e26e448c16a3b83ea0dfe1
Instruction Fuzzy Hash: EA215671900259ABDB109FA6DC45BEEBBB8FF45724F504115FA50B7280DB345904DBA4

Function 00FF9EB7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to copy working folder., xrefs: 00FF9F12
Failed create working folder., xrefs: 00FF9EEA
Failed to calculate working folder to ensure it exists., xrefs: 00FF9ED4

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: 19d40724714a83bad003b09c236ad93adc22da92ed9fd83fb2c6b343c9731969
Instruction ID: f9ab4322689b81dab72a28c8569ec19c544cd0f9aabe37f3fb00e79d356cb362
Opcode Fuzzy Hash: 19d40724714a83bad003b09c236ad93adc22da92ed9fd83fb2c6b343c9731969
Instruction Fuzzy Hash: 2E018832D0822DBB8B325A56CC05DBF7B78DF90720B104156FA44A6265DBB69F40B6D0

Function 00FE38D4 Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 84591521af01089b44a926f5aa3c0c3812f58343c6ce956033e62d9c3d76c8f3
Instruction ID: dd5a3fe3d80ad2d95a42aa318d8a61c75397ecb18f722d31e5340991f3709ce3
Opcode Fuzzy Hash: 84591521af01089b44a926f5aa3c0c3812f58343c6ce956033e62d9c3d76c8f3
Instruction Fuzzy Hash: 4AC08C331A020CABCF206FF8EC0FC9A3BACEB687027A48400F945C3104CA3EE0148B60

Function 00FEF86E Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 445
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

button, xrefs: 00FEFB9F
Failed to get @Register., xrefs: 00FEF9FA
Classification, xrefs: 00FEFD6C
Failed to get @HelpTelephone., xrefs: 00FEFAB3
Comments, xrefs: 00FEFB33
Failed to get @HelpLink., xrefs: 00FEFA8E
Failed to get @Department., xrefs: 00FEFD18
DisableModify, xrefs: 00FEFB80
Failed to get @Tag., xrefs: 00FEF8F4
Failed to get @Name., xrefs: 00FEFD5E
AboutUrl, xrefs: 00FEFAC1
Manufacturer, xrefs: 00FEFCDD
UpdateUrl, xrefs: 00FEFAE6
Failed to parse @Version: %ls, xrefs: 00FEF94F
Failed to get @Contact., xrefs: 00FEFB72
Failed to get @Version., xrefs: 00FEF92E
Failed to select Update node., xrefs: 00FEFCC6
Failed to select ARP node., xrefs: 00FEF9D9
Failed to get @ProductFamily., xrefs: 00FEFD3D
Failed to set registration paths., xrefs: 00FEFD92
Department, xrefs: 00FEFD01
Failed to get @ExecutableName., xrefs: 00FEF991
Failed to get @PerMachine., xrefs: 00FEF9AF
DisplayVersion, xrefs: 00FEFA2D
yes, xrefs: 00FEFBC0
Contact, xrefs: 00FEFB5B
HelpTelephone, xrefs: 00FEFA9C
DisableRemove, xrefs: 00FEFC53
Update, xrefs: 00FEFCA8
Version, xrefs: 00FEF91B
Failed to get @ParentDisplayName., xrefs: 00FEFB22
Register, xrefs: 00FEF9E7
Name, xrefs: 00FEFD4B
Publisher, xrefs: 00FEFA52
Failed to get @Manufacturer., xrefs: 00FEFCF0
Failed to parse related bundles, xrefs: 00FEF90D
Failed to get @Comments., xrefs: 00FEFB4A
Failed to get @AboutUrl., xrefs: 00FEFAD8
Registration, xrefs: 00FEF888
Arp, xrefs: 00FEF9BD
HelpLink, xrefs: 00FEFA77
ProviderKey, xrefs: 00FEF95D
Failed to get @Publisher., xrefs: 00FEFA69
Failed to parse software tag., xrefs: 00FEFC9A
registration.cpp, xrefs: 00FEFC11
PerMachine, xrefs: 00FEF99C
Failed to get @UpdateUrl., xrefs: 00FEFAFD
Failed to get @ProviderKey., xrefs: 00FEF970
Invalid modify disabled type: %ls, xrefs: 00FEFC1E
ExecutableName, xrefs: 00FEF97E
ParentDisplayName, xrefs: 00FEFB0B
Failed to get @Classification., xrefs: 00FEFD7F
Failed to get @DisplayVersion., xrefs: 00FEFA44
Failed to get @DisableModify., xrefs: 00FEFC42
Failed to get @DisplayName., xrefs: 00FEFA1F
Tag, xrefs: 00FEF8E1
Failed to select registration node., xrefs: 00FEF8A6
DisplayName, xrefs: 00FEFA08
ProductFamily, xrefs: 00FEFD26
Failed to get @Id., xrefs: 00FEF8D3
Failed to get @DisableRemove., xrefs: 00FEFC6A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 0-2956246334
Opcode ID: 0496b126a083f2fd86d4aed17528053982d40cfa8f299b62fe34f683ef02c519
Instruction ID: 20e9f5b682fd60ad1fd3159e3047fb3a31f3ab7e7084a70117bb24a9da2e791a
Opcode Fuzzy Hash: 0496b126a083f2fd86d4aed17528053982d40cfa8f299b62fe34f683ef02c519
Instruction Fuzzy Hash: 53E1C933E807B6BBCB219A62CC41EED7E68AB58720F614679FC90BE150D7B15D14B780

Function 00FEB389 Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 565
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 00FEB3FF
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 00FEB44C
GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 00FEB452
ReadFile.KERNELBASE(00000000,00FE435C,00000040,?,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 00FEB49A
GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 00FEB4A0
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 00FEB4FD
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 00FEB503
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 00FEB54C
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 00FEB552
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 00FEB5C3
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 00FEB5C9

Strings

PE, xrefs: 00FEB594
Failed to read section info., xrefs: 00FEB895
(, xrefs: 00FEB719
Failed to allocate buffer for section info., xrefs: 00FEB7E0
Failed to read complete section info., xrefs: 00FEB8C1
Failed to read image section header, index: %u, xrefs: 00FEBAA8
PE Header from file didn't match PE Header in memory., xrefs: 00FEBA0D
Failed to read section info, unsupported version: %08x, xrefs: 00FEB8F1
Failed to read signature size., xrefs: 00FEB692
Failed to seek past optional headers., xrefs: 00FEB6E7
Failed to allocate memory for container sizes., xrefs: 00FEB9CF
Failed to find valid DOS image header in buffer., xrefs: 00FEBAE7
Failed to read signature offset., xrefs: 00FEB643
Failed to seek to NT header., xrefs: 00FEB52E
Failed to read NT header., xrefs: 00FEB57D
Failed to read section info, data to short: %u, xrefs: 00FEB7A6
4, xrefs: 00FEB780
section.cpp, xrefs: 00FEB420, 00FEB473, 00FEB4C1, 00FEB524, 00FEB573, 00FEB5EA, 00FEB639, 00FEB688, 00FEB6DD, 00FEB794, 00FEB7D4, 00FEB826, 00FEB88B, 00FEB8B5, 00FEB8DC, 00FEB9C3, 00FEBA03, 00FEBA22, 00FEBA5F, 00FEBA9D, 00FEBAC0, 00FEBADB
Failed to read complete image section header, index: %u, xrefs: 00FEBA71
.wix, xrefs: 00FEB72C
Failed to seek to start of file., xrefs: 00FEB47D
Failed to find valid NT image header in buffer., xrefs: 00FEBACC
burn, xrefs: 00FEB734
Failed to read DOS header., xrefs: 00FEB4CB
Failed to find Burn section., xrefs: 00FEBA2E
Failed to get total size of bundle., xrefs: 00FEB91F
Failed to open handle to engine process path., xrefs: 00FEB42A
Failed to seek to section info., xrefs: 00FEB5F4, 00FEB830

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$Pointer$Read
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 2600052162-695169583
Opcode ID: 419de13472549df854d60cbbd3610933bdeb9ba3c0ae476db23375a3fbed4c79
Instruction ID: 0ff41418bee504967da0c8b2f9569c110efe85a7ce922ec64f3cd2e15d97a10d
Opcode Fuzzy Hash: 419de13472549df854d60cbbd3610933bdeb9ba3c0ae476db23375a3fbed4c79
Instruction Fuzzy Hash: 9E12D572E40375ABEB309A26CC85FAB76A8EF05710F104169FD49FB240D7759D40DBA1

Function 00FECCB6 Relevance: 73.9, APIs: 3, Strings: 39, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,00FE5355,00000000,0102CA64,00FE533D,00000000), ref: 00FECDEC

Strings

Failed to get @FileSize., xrefs: 00FED0A4
Failed to get @DownloadUrl., xrefs: 00FED0E3
payload.cpp, xrefs: 00FECD38
Failed to get @Packaging., xrefs: 00FED10C
Failed to to find container: %ls, xrefs: 00FED07F
Failed to allocate memory for payload structs., xrefs: 00FECD42
Failed to select payload nodes., xrefs: 00FECCE4
DownloadUrl, xrefs: 00FECED2
Payload, xrefs: 00FECCD1
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 00FED0AB
Invalid value for @Packaging: %ls, xrefs: 00FED0F9
Failed to get @LayoutOnly., xrefs: 00FED090
CertificateRootPublicKeyIdentifier, xrefs: 00FECF36
Failed to get @Catalog., xrefs: 00FED0CE
Failed to get @CertificateRootThumbprint., xrefs: 00FED0C0
CertificateRootThumbprint, xrefs: 00FECF73
Hash, xrefs: 00FECFB0
Failed to get @FilePath., xrefs: 00FED113
Failed to get next node., xrefs: 00FED121
Failed to parse @FileSize., xrefs: 00FED09A
external, xrefs: 00FECE1A
FileSize, xrefs: 00FECEFB
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 00FED0B2
Failed to get payload node count., xrefs: 00FECD09
Failed to get @Container., xrefs: 00FED086
SourcePath, xrefs: 00FECEA9
Failed to find catalog., xrefs: 00FED0C7
Container, xrefs: 00FECE44
LayoutOnly, xrefs: 00FECE86
Failed to get @SourcePath., xrefs: 00FED0EA
Failed to hex decode @CertificateRootThumbprint., xrefs: 00FED0B9
Failed to get @Id., xrefs: 00FED11A
embedded, xrefs: 00FECDFE
Failed to get @Hash., xrefs: 00FED0DC
Failed to hex decode the Payload/@Hash., xrefs: 00FED0D5
Catalog, xrefs: 00FECFE5
Packaging, xrefs: 00FECDBF
FilePath, xrefs: 00FECDA4
download, xrefs: 00FECDDE

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateCompareProcessString
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$download$embedded$external$payload.cpp
API String ID: 1171520630-3127305756
Opcode ID: 392ce2e0f7977b0d67a7d00e16cf0cbeb74ae2939cbcef655e54afe4627cbad0
Instruction ID: 30a32c03220a98bd7ee9735c7a779126669566657aba3cf75ecd9efe8ab7dce1
Opcode Fuzzy Hash: 392ce2e0f7977b0d67a7d00e16cf0cbeb74ae2939cbcef655e54afe4627cbad0
Instruction Fuzzy Hash: E5C1F732D412B6BFDB219A52CD01EAEB674AF04BA0F240269F940BF590C7799D01F791

Function 01000A77 Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 288
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,00000000,00000000,?,01000621,?,?), ref: 01000A85
GetLastError.KERNEL32(?,?,?,00000000,00000000,?,01000621,?,?), ref: 01000A92
WaitForSingleObject.KERNEL32(?,?,?,?,?,00000000,00000000,?,01000621,?,?), ref: 01000ACE
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,01000621,?,?), ref: 01000AD8

Strings

Failed to wait for begin operation event., xrefs: 01000B06
Invalid operation for this state., xrefs: 01000B79
cabextract.cpp, xrefs: 01000AB6, 01000AFC, 01000B41, 01000B6D, 01000CBE, 01000D2B, 01000D7D, 01000DC2, 01000E16
Failed to create file: %ls, xrefs: 01000D38
Failed to set file pointer to beginning of file., xrefs: 01000E20
Failed to allocate buffer for stream., xrefs: 01000CC8
Failed to set operation complete event., xrefs: 01000AC0
Failed to reset begin operation event., xrefs: 01000B4B
Failed to set end of file., xrefs: 01000DCC
Failed to copy stream name: %ls, xrefs: 01000BB7
Failed to set file pointer to end of file., xrefs: 01000D87

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3600396749-2104912459
Opcode ID: c524a5249e1fe79b6950759244c3d9884212a658b5a337fae6813d963276a0c1
Instruction ID: 39125ab61894cfef2fdc440d67f7416b1924337fb427634a6d571dd1a6fb663b
Opcode Fuzzy Hash: c524a5249e1fe79b6950759244c3d9884212a658b5a337fae6813d963276a0c1
Instruction Fuzzy Hash: 3E91F472B40721BBF7326A7A8D49B663AD8FF04790F014225FD86FB594D769DC0086E4

Function 00FE4C33 Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FE33D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00FE10DD,?,00000000), ref: 00FE33F8

CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00FE4E3A
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00FE4E49
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00FE4E58
CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00FE4E63

Strings

Failed to append %ls, xrefs: 00FE4D16
Failed to get path for current process., xrefs: 00FE4C7D
%ls %ls, xrefs: 00FE4D4F
burn.clean.room, xrefs: 00FE4CD8
-%ls="%ls", xrefs: 00FE4CE0
Failed to append original command line., xrefs: 00FE4D63
Failed to allocate full command-line., xrefs: 00FE4D88
Failed to launch clean room process: %ls, xrefs: 00FE4DF1
Failed to cache to clean room., xrefs: 00FE4CBC
engine.cpp, xrefs: 00FE4DE4
"%ls" %ls, xrefs: 00FE4D74
burn.filehandle.self, xrefs: 00FE4D3F
Failed to allocate parameters for unelevated process., xrefs: 00FE4CF4
D, xrefs: 00FE4DA3
burn.filehandle.attached, xrefs: 00FE4D11
Failed to wait for clean room process: %ls, xrefs: 00FE4E1D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3884789274-2391192076
Opcode ID: ec9596e220e0669ffe4f125f74236399101d6d38903c0966e9f156ea5c0bebca
Instruction ID: 0ba881703c56a250466a29a245e1a8500b13607b8cc04a96fcbf19bd0b54a665
Opcode Fuzzy Hash: ec9596e220e0669ffe4f125f74236399101d6d38903c0966e9f156ea5c0bebca
Instruction Fuzzy Hash: 37716432D0127AABDF219BA6CC41EEFBB78EF04720F114259F954B7250D7746A01ABE1

Function 00FF7337 Relevance: 35.3, APIs: 1, Strings: 19, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get unique temporary folder for bootstrapper application., xrefs: 00FF75BC
WixBundleSourceProcessPath, xrefs: 00FF74E6
Failed to open manifest stream., xrefs: 00FF73B8
Failed to get manifest stream from container., xrefs: 00FF73D9
Failed to overwrite the %ls built-in variable., xrefs: 00FF74C9
WixBundleElevated, xrefs: 00FF74B3, 00FF74C4
Failed to set source process folder variable., xrefs: 00FF7533
WixBundleOriginalSource, xrefs: 00FF7547
Failed to set source process path variable., xrefs: 00FF74F7
Failed to load catalog files., xrefs: 00FF75FD
Failed to parse command line., xrefs: 00FF7474
WixBundleSourceProcessFolder, xrefs: 00FF7522
Failed to set original source variable., xrefs: 00FF7558
Failed to initialize variables., xrefs: 00FF737E
Failed to load manifest., xrefs: 00FF73F5
Failed to get source process folder from path., xrefs: 00FF7513
Failed to open attached UX container., xrefs: 00FF739B
Failed to initialize internal cache functionality., xrefs: 00FF758D
Failed to extract bootstrapper application payloads., xrefs: 00FF75DD

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath
API String ID: 32694325-252221001
Opcode ID: 85e1ad4d182c32cb5f7f82cc887ec68f07abf21acf21f3cfbd47568f1283782f
Instruction ID: 4b74bc0ca3d336773a19c4ee9bbbffb923c037228f9b1c06315bfdffedac3d7a
Opcode Fuzzy Hash: 85e1ad4d182c32cb5f7f82cc887ec68f07abf21acf21f3cfbd47568f1283782f
Instruction Fuzzy Hash: AB916472E44B1EBADB12AAA5CC41EFEF76CBF04714F040226F605E7150D774AA44A7D0

Function 00FF84C4 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 205
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00FE4CB6,?,?,00000000,00FE4CB6,00000000), ref: 00FF8507
GetLastError.KERNEL32 ref: 00FF8514
CloseHandle.KERNELBASE(00000000,?,00000000,0102B4F0,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FF86F6

Strings

Failed to create engine file at path: %ls, xrefs: 00FF8545
Failed to seek to checksum in exe header., xrefs: 00FF85F9
msi.dll, xrefs: 00FF8608
Failed to copy engine from: %ls to: %ls, xrefs: 00FF859C
cache.cpp, xrefs: 00FF8538, 00FF85EF, 00FF8656, 00FF86C5
Failed to seek to signature table in exe header., xrefs: 00FF8660
Failed to zero out original data offset., xrefs: 00FF86E8
Failed to update signature offset., xrefs: 00FF8615
Failed to seek to beginning of engine file: %ls, xrefs: 00FF856D
Failed to seek to original data in exe burn section header., xrefs: 00FF86CF
cabinet.dll, xrefs: 00FF866F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 2528220319-1976062716
Opcode ID: 3b5d3889495ca1e8423dcb03674a78440cae6e4edae6c33becdfd502995a337f
Instruction ID: ea9caadc58fd8bc28140259ca88b33387ab262032db7daa00d364f3195489d08
Opcode Fuzzy Hash: 3b5d3889495ca1e8423dcb03674a78440cae6e4edae6c33becdfd502995a337f
Instruction Fuzzy Hash: F351F6B2E403397BE7216A698C49FBB369CEF44B50F110129FE41EB194EB65CC01A7E5

Function 00FF80AE Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00FE5381), ref: 00FF8104

Part of subcall function 0102076C: OpenProcessToken.ADVAPI32(?,00000008,?,00FE52B5,00000000,?,?,?,?,?,?,?,00FF74AB,00000000), ref: 0102078A
Part of subcall function 0102076C: GetLastError.KERNEL32(?,?,?,?,?,?,?,00FF74AB,00000000), ref: 01020794
Part of subcall function 0102076C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00FF74AB,00000000), ref: 0102081D

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00FF812A
GetLastError.KERNEL32 ref: 00FF8134
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00FF81B1
GetLastError.KERNEL32 ref: 00FF81BB

Strings

Failed to get temp path for working folder., xrefs: 00FF81E9
Failed to create working folder guid., xrefs: 00FF8207
%ls%ls\, xrefs: 00FF824C
Failed to copy working folder path., xrefs: 00FF827F
Failed to convert working folder guid into string., xrefs: 00FF823A
Failed to ensure windows path for working folder ended in backslash., xrefs: 00FF817F
cache.cpp, xrefs: 00FF8158, 00FF81DF, 00FF8230
Failed to append bundle id on to temp path for working folder., xrefs: 00FF8264
Failed to concat Temp directory on windows path for working folder., xrefs: 00FF81A1
4Mw, xrefs: 00FF81B1
Failed to get windows path for working folder., xrefs: 00FF8162
Temp\, xrefs: 00FF8189

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$Process$CloseCurrentDirectoryHandleOpenPathTempTokenWindows
String ID: 4Mw$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 348923985-1835725942
Opcode ID: 9c38ad1f68f3a0a94aeba0bf85a1ca0d4cf63f6619607103af01bfe27b782b17
Instruction ID: 27b272c8904712ce89842e405d949c8f4369aa8113b2b1f269b1a05ae8b4dd09
Opcode Fuzzy Hash: 9c38ad1f68f3a0a94aeba0bf85a1ca0d4cf63f6619607103af01bfe27b782b17
Instruction Fuzzy Hash: 96410972E40728B7EB30AAA58C4DFBB73ACAF40750F100155FE45EB140EB3A9E4556A5

Function 00FE7503 Relevance: 33.4, APIs: 1, Strings: 21, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00FF7378,00FE52B5,00000000,00FE533D), ref: 00FE7523

Strings

0, xrefs: 00FE753D
WixBundleSourceProcessPath, xrefs: 00FE7D6D
WixBundleInstalled, xrefs: 00FE7D12
$, xrefs: 00FE7C54
WixBundleElevated, xrefs: 00FE7D2E
Date, xrefs: 00FE7642
WixBundleExecutePackageAction, xrefs: 00FE7CCE
WixBundleProviderKey, xrefs: 00FE7D5A
WixBundleTag, xrefs: 00FE7D99
WixBundleAction, xrefs: 00FE7C90
', xrefs: 00FE77E2
InstallerName, xrefs: 00FE76F8
WixBundleActiveParent, xrefs: 00FE7D47
WixBundleForcedRestartPackage, xrefs: 00FE7CF0
LogonUser, xrefs: 00FE77B2
WixBundleSourceProcessFolder, xrefs: 00FE7D86
WixBundleVersion, xrefs: 00FE7DAC
InstallerVersion, xrefs: 00FE771E
Failed to add built-in variable: %ls., xrefs: 00FE7DF0
#, xrefs: 00FE759C
WixBundleExecutePackageCacheFolder, xrefs: 00FE7CAC

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleVersion
API String ID: 32694325-826827252
Opcode ID: 7997151564c9db9b0321fbfeb4355cb2358e73be366996910257c0b473f51800
Instruction ID: 8217d1e7344244254d6313d6ab26370ee988a553ae45864fb74a6b0638967e4d
Opcode Fuzzy Hash: 7997151564c9db9b0321fbfeb4355cb2358e73be366996910257c0b473f51800
Instruction Fuzzy Hash: 2D3218B0D257798BDB65CF5AC9887CDBAB8BB49B04F5081DAE14CA6211D7B00B84DF84

Function 01000E43 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 01000E65
CoUninitialize.COMBASE ref: 010010D9

Strings

Failed to wait for begin operation event., xrefs: 01001054
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 01000FC0
<the>.cab, xrefs: 01000F05
Invalid operation for this state., xrefs: 010010BD
Failed to initialize COM., xrefs: 01000E71
Failed to initialize cabinet.dll., xrefs: 01000EE7
cabextract.cpp, xrefs: 01000EDB, 01000FFF, 0100104A, 01001087, 010010B3
Failed to set operation complete event., xrefs: 01001009
Failed to reset begin operation event., xrefs: 01001091

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: fd1b9398e5e189eb9845c927488f621e3b7f5c31826b50aa284bf73cace1fe58
Instruction ID: 353c4824246c4c7b2972e19b4e7c37aeb061e0cf0fe3df3821cb2f30365dfffa
Opcode Fuzzy Hash: fd1b9398e5e189eb9845c927488f621e3b7f5c31826b50aa284bf73cace1fe58
Instruction Fuzzy Hash: FD513736B80762E7F32356668C45B7B76949B40760F12026DFCC2BF6C8D7AA8D0096D1

Function 00FE41D2 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00FE515E,?,?,00000000,?,?), ref: 00FE41FE
InitializeCriticalSection.KERNEL32(000000D0,?,?,00FE515E,?,?,00000000,?,?), ref: 00FE4207
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00FE515E,?,?,00000000,?,?), ref: 00FE424D
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00FE515E,?,?,00000000,?,?), ref: 00FE4257
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00FE515E,?,?,00000000,?,?), ref: 00FE426B
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00FE515E,?,?,00000000,?,?), ref: 00FE427B
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00FE515E,?,?,00000000,?,?), ref: 00FE42CB
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00FE515E,?,?,00000000,?,?), ref: 00FE42D5
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00FE515E,?,?,00000000,?,?), ref: 00FE42E9
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00FE515E,?,?,00000000,?,?), ref: 00FE42F9

Strings

engine.cpp, xrefs: 00FE4390, 00FE43BC
Missing required parameter for switch: %ls, xrefs: 00FE439F
burn.filehandle.self, xrefs: 00FE42C6, 00FE42CE, 00FE42D3, 00FE42D4, 00FE42F4, 00FE43C6
Failed to initialize engine section., xrefs: 00FE4362
Failed to parse file handle: '%ls', xrefs: 00FE437D
burn.filehandle.attached, xrefs: 00FE4248, 00FE4250, 00FE4255, 00FE4256, 00FE4276, 00FE439A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: 6927ff3ba1e16813118f122ed4ebfada2bbd549f51c5fced2f7db1bcd51f184f
Instruction ID: 2904e62d6d15f5927a8bf3cec25c2b418e5c5f50cc5b9b068a7c7224d84d4621
Opcode Fuzzy Hash: 6927ff3ba1e16813118f122ed4ebfada2bbd549f51c5fced2f7db1bcd51f184f
Instruction Fuzzy Hash: 9051D571A00266BFC7249F6ADC86FAA7768FF04720F10011AF658DB250DBB4B950E7A4

Function 00FEC129 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 128
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00FEC319,00FE52FD,?,?,00FE533D), ref: 00FEC170
GetLastError.KERNEL32(?,00FEC319,00FE52FD,?,?,00FE533D,00FE533D,00000000,?,00000000), ref: 00FEC181
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00FEC319,00FE52FD,?,?,00FE533D,00FE533D,00000000,?), ref: 00FEC1D0
GetCurrentProcess.KERNEL32(000000FF,00000000,?,00FEC319,00FE52FD,?,?,00FE533D,00FE533D,00000000,?,00000000), ref: 00FEC1D6
DuplicateHandle.KERNELBASE(00000000,?,00FEC319,00FE52FD,?,?,00FE533D,00FE533D,00000000,?,00000000), ref: 00FEC1D9
GetLastError.KERNEL32(?,00FEC319,00FE52FD,?,?,00FE533D,00FE533D,00000000,?,00000000), ref: 00FEC1E3
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00FEC319,00FE52FD,?,?,00FE533D,00FE533D,00000000,?,00000000), ref: 00FEC235
GetLastError.KERNEL32(?,00FEC319,00FE52FD,?,?,00FE533D,00FE533D,00000000,?,00000000), ref: 00FEC23F

Strings

feclient.dll, xrefs: 00FEC232
crypt32.dll, xrefs: 00FEC231
Failed to open file: %ls, xrefs: 00FEC1B2
Failed to open container., xrefs: 00FEC28B
container.cpp, xrefs: 00FEC1A5, 00FEC207, 00FEC263
Failed to duplicate handle to container: %ls, xrefs: 00FEC214
Failed to move file pointer to container offset., xrefs: 00FEC26D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 9b0021217d4423471e4b93b5cc2041aa04809ec5661787aeb62eaa199f6cc289
Instruction ID: 2497226cba187c2eaa559f56b83033a3b10eae33a129b6e7d1cc89a3a63a0e9a
Opcode Fuzzy Hash: 9b0021217d4423471e4b93b5cc2041aa04809ec5661787aeb62eaa199f6cc289
Instruction Fuzzy Hash: 0641E632240351ABEB209E6BDC88F577BF9EBC5760F214119FD48DB251DA75D802DBA0

Function 010229B3 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 86
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FE37EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00FE3829
Part of subcall function 00FE37EA: GetLastError.KERNEL32 ref: 00FE3833

Part of subcall function 01024932: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0102495A

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 010229FD
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 01022A20
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 01022A43
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 01022A66
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 01022A89
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 01022AAC
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 01022ACF

Strings

Msi.dll, xrefs: 010229C5
MsiDetermineApplicablePatchesW, xrefs: 01022A07
MsiGetPatchInfoExW, xrefs: 01022A4D
MsiSetExternalUIRecord, xrefs: 01022A93
MsiSourceListAddSourceExW, xrefs: 01022AB6
MsiGetProductInfoExW, xrefs: 01022A70
MsiDeterminePatchSequenceW, xrefs: 010229F2
MsiEnumProductsExW, xrefs: 01022A2A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: b9f7c9ed3dafb90da14b3989b2044e32ec6ebcdf63a9a7dc511c300cbfdbbd94
Instruction ID: 36d2d590ae240468db28a8b5a181da2d545e3287400cc1ec3d79c9686f1c90df
Opcode Fuzzy Hash: b9f7c9ed3dafb90da14b3989b2044e32ec6ebcdf63a9a7dc511c300cbfdbbd94
Instruction Fuzzy Hash: F9311EF8642218AFDB28DF29EAD2A293BB5F74D600740442EE489D6248E77FD800DF40

Function 01001484 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 103COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00FEC285,?,00000000,?,00FEC319), ref: 010014BB
GetLastError.KERNEL32(?,00FEC285,?,00000000,?,00FEC319,00FE52FD,?,?,00FE533D,00FE533D,00000000,?,00000000), ref: 010014C4

Strings

Failed to create begin operation event., xrefs: 010014F2
Failed to create operation complete event., xrefs: 01001538
Failed to copy file name., xrefs: 010014A6
cabextract.cpp, xrefs: 010014E8, 0100152E, 0100157A
Failed to create extraction thread., xrefs: 01001584
Failed to wait for operation complete., xrefs: 01001597
wininet.dll, xrefs: 0100149A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 9448a642fe9bb5cae79efca4d05fcc9723264b752ee1f964ad7438148d1568d4
Instruction ID: b9c9d2c2430e9d1e79daac87cb87eb72411535bfe2bf980f9c6e39dca0d58bc7
Opcode Fuzzy Hash: 9448a642fe9bb5cae79efca4d05fcc9723264b752ee1f964ad7438148d1568d4
Instruction Fuzzy Hash: FD21E3B2B40726FAF323267A5C85F6775DCEB447A0F010226FCC6EB180E669DD0086E5

Function 0101FBAD Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 0101FBD5
GetProcAddress.KERNEL32(SystemFunction041), ref: 0101FBE7
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 0101FC2A
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0101FC3E
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 0101FC76
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0101FC8A

Strings

cryputil.cpp, xrefs: 0101FC5F
AdvApi32.dll, xrefs: 0101FBB4
SystemFunction041, xrefs: 0101FBD7
CryptProtectMemory, xrefs: 0101FC1F
SystemFunction040, xrefs: 0101FBCA
Crypt32.dll, xrefs: 0101FC0B
CryptUnprotectMemory, xrefs: 0101FC6B

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: 820dd135c26d871ff534bf2ab55dd9996116ae04a186dc6e4919c1dc8ef535d3
Instruction ID: 32d01a4eac8eaf0b01dca4dff09ddeb873fc0398ea11eb5c86d0f1b0c7ed25eb
Opcode Fuzzy Hash: 820dd135c26d871ff534bf2ab55dd9996116ae04a186dc6e4919c1dc8ef535d3
Instruction Fuzzy Hash: DB2171F9A403279BD7316B2B9F85B26B9D0AB01750F060135ECC0EB119E76FD8049BD0

Function 01000627 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 01000657
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0100066F
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 01000674
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 01000677
GetLastError.KERNEL32(?,?), ref: 01000681
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 010006F0
GetLastError.KERNEL32(?,?), ref: 010006FD

Strings

Failed to add virtual file pointer for cab container., xrefs: 010006D6
<the>.cab, xrefs: 01000650
Failed to duplicate handle to cab container., xrefs: 010006AF
cabextract.cpp, xrefs: 010006A5, 01000721
Failed to open cabinet file: %hs, xrefs: 0100072E

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 9805b1fffb3380ce663526738b6a188db66dec95c2edcd881c611496b8acccd4
Instruction ID: 8298a02203e488089a1352d7a1218db6635e1823b08f4d188c6f85d6492297c7
Opcode Fuzzy Hash: 9805b1fffb3380ce663526738b6a188db66dec95c2edcd881c611496b8acccd4
Instruction Fuzzy Hash: A331F572A01335FBEB325A6A8C48F9B7BADFF086A0F210115FC89E7140C7259D0087E4

Function 00FF6859 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00FE4D0B,?,?), ref: 00FF6879
GetCurrentProcess.KERNEL32(?,00000000,?,?,00FE4D0B,?,?), ref: 00FF687F
DuplicateHandle.KERNELBASE(00000000,?,?,00FE4D0B,?,?), ref: 00FF6882
GetLastError.KERNEL32(?,?,00FE4D0B,?,?), ref: 00FF688C
CloseHandle.KERNEL32(000000FF,?,00FE4D0B,?,?), ref: 00FF6905

Strings

Failed to duplicate file handle for attached container., xrefs: 00FF68BA
core.cpp, xrefs: 00FF68B0
%ls -%ls=%u, xrefs: 00FF68D9
Failed to append the file handle to the command line., xrefs: 00FF68ED
burn.filehandle.attached, xrefs: 00FF68D2

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
API String ID: 4224961946-4196573879
Opcode ID: 0c1290f03ea8fb32ac39752db90429f6ec4f98cb1aa783ab91eb85995fed04e8
Instruction ID: d0df7f8c005114bc6dc55337a090a2e3526466bb5337f4e3474da100f7859572
Opcode Fuzzy Hash: 0c1290f03ea8fb32ac39752db90429f6ec4f98cb1aa783ab91eb85995fed04e8
Instruction Fuzzy Hash: 18119631A40329FBDB20ABB99D09A9A7BACEF05B70F200359F951EB1E0D7759D019790

Function 0102992E Relevance: 15.1, APIs: 10, Instructions: 124libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE ref: 0102992E
GetLastError.KERNEL32 ref: 0102993A
DloadReleaseSectionWriteAccess.DELAYIMP ref: 01029969
RaiseException.KERNEL32(C06D007E,?,00000001,?), ref: 0102997A
FreeLibrary.KERNEL32(00000000), ref: 01029994
GetProcAddress.KERNEL32(00000000,?), ref: 010299FC
GetLastError.KERNEL32 ref: 01029A08
DloadReleaseSectionWriteAccess.DELAYIMP ref: 01029A37
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 01029A48
DloadReleaseSectionWriteAccess.DELAYIMP ref: 01029A7F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AccessDloadReleaseSectionWrite$ErrorExceptionLastLibraryRaise$AddressFreeLoadProc
String ID:
API String ID: 202095176-0
Opcode ID: 034d5ce494344d95b91ff3ead5ca568a4a6a0ee78b526667b46d55eef084b5c5
Instruction ID: 504e4479b7b89c13454e70c141c51ad05ab445932c68e2356fcd910d82932995
Opcode Fuzzy Hash: 034d5ce494344d95b91ff3ead5ca568a4a6a0ee78b526667b46d55eef084b5c5
Instruction Fuzzy Hash: 3E416A75A0023AAFDB32DFA9D884AADB7B4FF44724F5140A9E981A7301DB759940CB90

Function 00FF6915 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 00FF694B
CloseHandle.KERNEL32(00000000), ref: 00FF69BB

Strings

Failed to append the file handle to the obfuscated command line., xrefs: 00FF69A9
burn.filehandle.self, xrefs: 00FF695C, 00FF698E
%ls -%ls=%u, xrefs: 00FF6963, 00FF6995
Failed to append the file handle to the command line., xrefs: 00FF6977

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
API String ID: 3498533004-3263533295
Opcode ID: 9e78b695f4fce40f2d32b1c4ea4ee3ba42a01c01c2e7efd5cbd7ff8ce13914d0
Instruction ID: 9d5cbe29278b99ba03cae31a447463f1ce4083b62bc5d98a44eefd0f1ee38129
Opcode Fuzzy Hash: 9e78b695f4fce40f2d32b1c4ea4ee3ba42a01c01c2e7efd5cbd7ff8ce13914d0
Instruction Fuzzy Hash: D2110B326006187BC7305A699C45F6B77ACDF49B30F110354FE64FB2F1DAB499119691

Function 0102076C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,00FE52B5,00000000,?,?,?,?,?,?,?,00FF74AB,00000000), ref: 0102078A
GetLastError.KERNEL32(?,?,?,?,?,?,?,00FF74AB,00000000), ref: 01020794
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00FF74AB,00000000), ref: 010207C6
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00FF74AB,00000000), ref: 0102081D

Strings

procutil.cpp, xrefs: 0102080B

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Token$CloseErrorHandleInformationLastOpenProcess
String ID: procutil.cpp
API String ID: 3370771294-1178289305
Opcode ID: c72c5cecbcabce9ce663553b601d1953f442ec0f3983f0bb9ef9e01cced749b0
Instruction ID: 4e5c660df30574ad6a09453ea3de9a97567774604ca34db90f6c76d45dab97b3
Opcode Fuzzy Hash: c72c5cecbcabce9ce663553b601d1953f442ec0f3983f0bb9ef9e01cced749b0
Instruction Fuzzy Hash: 9B21C372E00328EBDB219E998848A9EFBE8EF44710F118166FD85E7154E2758E00DBD0

Function 0102343B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0102344A
InterlockedIncrement.KERNEL32(0104B6D8), ref: 01023467
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,0104B6C8,?,?,?,?,?,?), ref: 01023482
CLSIDFromProgID.OLE32(MSXML.DOMDocument,0104B6C8,?,?,?,?,?,?), ref: 0102348E

Strings

Msxml2.DOMDocument, xrefs: 0102347D
MSXML.DOMDocument, xrefs: 01023489

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 42e7101498e62cd21cf0d5d645cd715d667965b396227547ecb47880d50f0278
Instruction ID: fe9f2124db788cb40899dcf54522a9b3cfbc29abfd4ac97dffd907cf5eeb5d92
Opcode Fuzzy Hash: 42e7101498e62cd21cf0d5d645cd715d667965b396227547ecb47880d50f0278
Instruction Fuzzy Hash: 96F0A7B874023557D7324AA6AC4DF173EA4BB89B64F1004A9EDC4D9148D75EE4418BA0

Function 01024932 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0102495A
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 01024989
GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 010249B3
GetLastError.KERNEL32(00000000,0102B790,?,?,?,00000000,00000000,00000000), ref: 010249F4
GlobalFree.KERNEL32(00000000), ref: 01024A28

Strings

fileutil.cpp, xrefs: 01024978, 010249D1

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: df40a6f259d87b62b64bfd59978004f35e3ca5994a4ea61187ab5d3b8ffdae15
Instruction ID: b122770d620e2213071ef57f20774ae63daf68c0e5d7e81c488e3f76af2be96a
Opcode Fuzzy Hash: df40a6f259d87b62b64bfd59978004f35e3ca5994a4ea61187ab5d3b8ffdae15
Instruction Fuzzy Hash: F021B975A00739ABD722ABA98C44EEFBBA8EF85360F114156FD85E7201E735DD00C6E0

Function 010007E4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 0100088A
GetLastError.KERNEL32(?,?,?), ref: 01000894

Strings

cabextract.cpp, xrefs: 010008B8
Failed to move file pointer 0x%x bytes., xrefs: 010008C5
Invalid seek type., xrefs: 01000820

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 2fbea21eb0434f99ebfd32739b26fdac64ec5712ad29fd450b7243ee003f65c8
Instruction ID: 298380efc433675ffd5c1e7a4ac0bcbe6a1dddf486fbe179c267d4fbb6bef9b0
Opcode Fuzzy Hash: 2fbea21eb0434f99ebfd32739b26fdac64ec5712ad29fd450b7243ee003f65c8
Instruction Fuzzy Hash: 2C31B471A0061AFFEB15DE69CC84EA9B7A9FF04650F00822AFD95D7690D731EA108BD0

Function 00FE4013 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00FE533D,00FE53B5,00000000,00000000,?,00FF9EE4,00000000,00000000,00FE533D,00000000,00FE52B5,00000000,?,?,00FED4AC,00FE533D), ref: 00FE4021
GetLastError.KERNEL32(?,00FF9EE4,00000000,00000000,00FE533D,00000000,00FE52B5,00000000,?,?,00FED4AC,00FE533D,00000000,00000000), ref: 00FE402F
CreateDirectoryW.KERNEL32(00FE533D,00FE53B5,00FE5381,?,00FF9EE4,00000000,00000000,00FE533D,00000000,00FE52B5,00000000,?,?,00FED4AC,00FE533D,00000000), ref: 00FE4097
GetLastError.KERNEL32(?,00FF9EE4,00000000,00000000,00FE533D,00000000,00FE52B5,00000000,?,?,00FED4AC,00FE533D,00000000,00000000), ref: 00FE40A1

Strings

dirutil.cpp, xrefs: 00FE40CF

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: f7474d9a3d7749eede0ea09cba4d06d64372c6a552f4a222c2fc4f971ed6d184
Instruction ID: 9b791b7278010394bf06a50f0e1bda8ec33f15ecf38c7be5c74b02c17bb9a1b6
Opcode Fuzzy Hash: f7474d9a3d7749eede0ea09cba4d06d64372c6a552f4a222c2fc4f971ed6d184
Instruction Fuzzy Hash: DD11B436A002B1ABEB311AA35C44B7BB694EF54B70F61413DFF46EB140D669AC11B2E1

Function 00FE55B6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,00FE648B,00FE648B,?,00FE554A,?,?,00000000), ref: 00FE55F2
GetLastError.KERNEL32(?,00FE554A,?,?,00000000,?,00000000,00FE648B,?,00FE7DDC,?,?,?,?,?), ref: 00FE5621

Strings

variable.cpp, xrefs: 00FE5645
Failed to compare strings., xrefs: 00FE564F
version.dll, xrefs: 00FE55E4

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$variable.cpp$version.dll
API String ID: 1733990998-4228644734
Opcode ID: 6eaea98ba8359314a73ced1c1ba62adaae98dc5d8611f0a2d7db1754c7ba9305
Instruction ID: c781f9dfbc9d1c48d00efab78ef811a1d920ebc0e625dca78313cedfd77ac7f8
Opcode Fuzzy Hash: 6eaea98ba8359314a73ced1c1ba62adaae98dc5d8611f0a2d7db1754c7ba9305
Instruction Fuzzy Hash: 8C210833A04625AFC7148FADCD44A6AB7A4EF49B74F710319FC15EB290DA71EE019790

Function 0100074E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0100114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,0100077D,?,?,?), ref: 01001177
Part of subcall function 0100114F: GetLastError.KERNEL32(?,0100077D,?,?,?), ref: 01001181

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 0100078B
GetLastError.KERNEL32 ref: 01000795

Strings

Failed to read during cabinet extraction., xrefs: 010007C3
cabextract.cpp, xrefs: 010007B9

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 12e33822879c233d6f8fabb48d99371c484bb3687d5b73138aa59a6381f7cd99
Instruction ID: e525078261fc63430766d290a873a8338f49415d8097f1e6da99a3b791fb8279
Opcode Fuzzy Hash: 12e33822879c233d6f8fabb48d99371c484bb3687d5b73138aa59a6381f7cd99
Instruction Fuzzy Hash: 96010072A00224FBEB219FA9DC04E9A7BACFF08760F110219FD49E7640C735DA108BE0

Function 0100114F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,0100077D,?,?,?), ref: 01001177
GetLastError.KERNEL32(?,0100077D,?,?,?), ref: 01001181

Strings

Failed to move to virtual file pointer., xrefs: 010011AF
cabextract.cpp, xrefs: 010011A5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 5daa9a43d91fbc4780d67afdda3eea7ff2f0549b3b0905494cc25c55018fd994
Instruction ID: e6c0c673e79f996109f4808b48172b89ed3bb8a7e7ba0f7c0f7ce536a28cf2e9
Opcode Fuzzy Hash: 5daa9a43d91fbc4780d67afdda3eea7ff2f0549b3b0905494cc25c55018fd994
Instruction Fuzzy Hash: E801A236640736BBE7221A6A9C08EC7BF99EF416B0B118229FD4896590D735D820CBD4

Function 01023DB5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 01023E5E
GetLastError.KERNEL32 ref: 01023EC1

Strings

fileutil.cpp, xrefs: 01023EE5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: fileutil.cpp
API String ID: 1948546556-2967768451
Opcode ID: eb5b4978637582d2ffe24323838d1b55ccbd4ba585dc6739eb2f4d6327f97e16
Instruction ID: f45c4c462c4684efb21e42fdaac7ccad98b6026909e258c3a71638a9375d979c
Opcode Fuzzy Hash: eb5b4978637582d2ffe24323838d1b55ccbd4ba585dc6739eb2f4d6327f97e16
Instruction Fuzzy Hash: 7F415471E002799BDF21CE58C8407EAB7E5FF48751F0041D6E989EB280D7B99DC88B91

Function 01024CEE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,01023E85,?,?,?), ref: 01024D12
GetLastError.KERNEL32(?,?,01023E85,?,?,?), ref: 01024D1C

Strings

fileutil.cpp, xrefs: 01024D44

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: fileutil.cpp
API String ID: 442123175-2967768451
Opcode ID: 0db37ca97a5837bfd6d8c574050af2a933930d4446bd0e13b57183910f67a9f7
Instruction ID: a93a18e80a7e1bcfad152abc85d419d58e79bdec94214c726e4e92094b42297d
Opcode Fuzzy Hash: 0db37ca97a5837bfd6d8c574050af2a933930d4446bd0e13b57183910f67a9f7
Instruction Fuzzy Hash: A6F0A472A01239BBD721DEAACC48EDFBBADFB44661F510156FD45D7000E631ED0086E1

Function 010247D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00FF8564,00000000,00000000,00000000,00000000,00000000), ref: 010247EB
GetLastError.KERNEL32(?,?,?,00FF8564,00000000,00000000,00000000,00000000,00000000), ref: 010247F5

Strings

fileutil.cpp, xrefs: 01024819

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: c71ecfd9fcdb9d8be8857ab0620ed1817f4eae5fecb609ce158bac0d6b42baa7
Instruction ID: 823b004ca24b69fa8c121d8119293b8ead4f91d1c59c97a5fe1d3bcdddc5722b
Opcode Fuzzy Hash: c71ecfd9fcdb9d8be8857ab0620ed1817f4eae5fecb609ce158bac0d6b42baa7
Instruction Fuzzy Hash: D4F08171A00269AFAB219F99CC08DAB7FE8EF04650B014159FD05D7210E671DC10D7E0

Function 00FE37EA Relevance: 4.6, APIs: 3, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00FE3829
GetLastError.KERNEL32 ref: 00FE3833
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 00FE389B

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 37cfc664c01ea4ec47c1c1d9f359b9e95fe75693c198ae1cbb55de36d2880874
Instruction ID: 33b5af28812725b92b4473fcad31a7b413565bbd3f29c2c4e7cf69916df0fcef
Opcode Fuzzy Hash: 37cfc664c01ea4ec47c1c1d9f359b9e95fe75693c198ae1cbb55de36d2880874
Instruction Fuzzy Hash: F92186B7D0136967EB209FA59C4DF9A77ACAF04720F1501A5FD04E7241E634DF449BA0

Function 00FE3999 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00FE3B34,00000000,?,00FE1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,00FE13B7), ref: 00FE39A3
RtlFreeHeap.NTDLL(00000000,?,00FE3B34,00000000,?,00FE1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,00FE13B7,000001C7,00000100), ref: 00FE39AA
GetLastError.KERNEL32(?,00FE3B34,00000000,?,00FE1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,00FE13B7,000001C7,00000100,?), ref: 00FE39B4

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 5a3ee31ac6eda8b1df74bddfedb01e7a633f8baa0bcebddbfb6b5a5aa0964e0a
Instruction ID: a8cd934e2ea3e11ba67fa0306fbb465126e617a66ffd317e67c05fa2498e0910
Opcode Fuzzy Hash: 5a3ee31ac6eda8b1df74bddfedb01e7a633f8baa0bcebddbfb6b5a5aa0964e0a
Instruction Fuzzy Hash: 4CD01232A002346787302EFA580C697BF9CEF456A17514021FD45D2104D62E881097F5

Function 01020E3F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

Strings

regutil.cpp, xrefs: 01020E8A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: 4d70a324341f804186ee812f5d5bf45678a142809e7a0b3e17615b1b6d2fbb3c
Instruction ID: a403e1b31227b9bbf33265c03f0b240eae9fd928ea252d32b70dd283e60d006d
Opcode Fuzzy Hash: 4d70a324341f804186ee812f5d5bf45678a142809e7a0b3e17615b1b6d2fbb3c
Instruction Fuzzy Hash: D6F0ECB27013396BEF2549564C04BAB7DC5DF456B0F018228FD89DA251E236CC10D3D0

Function 00FE3A72 Relevance: 3.0, APIs: 2, Instructions: 14memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,?,00FE227D,?,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000), ref: 00FE3A86
RtlReAllocateHeap.NTDLL(00000000,?,00FE227D,?,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE3A8D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: a6b0a4ea5e36c1b6d2a699a48a9c5c0df53119a95828045639a1bc53b9cb8d8c
Instruction ID: ff88af2bdcd0ea76139060427f70e4bfed101ae436e3bdb3923f72a07eccab20
Opcode Fuzzy Hash: a6b0a4ea5e36c1b6d2a699a48a9c5c0df53119a95828045639a1bc53b9cb8d8c
Instruction Fuzzy Hash: 1AD0123215024DEBCF205FE8DC0EDAE3BACEB587127648405F955C2104C63EE4609B60

Function 01023499 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 010234CE

Part of subcall function 01022F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,010234DF,00000000,?,00000000), ref: 01022F3D
Part of subcall function 01022F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0100BDED,?,00FE52FD,?,00000000,?), ref: 01022F49

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: bce31f23b21906bfbd365ebd47300a446826afd7ef608d5b1882727d52843157
Instruction ID: 6beaa2994318abfdffa862a15b35ee6c51e4d2e8b24e922c940f5bfb41f03879
Opcode Fuzzy Hash: bce31f23b21906bfbd365ebd47300a446826afd7ef608d5b1882727d52843157
Instruction Fuzzy Hash: 50310A76E006299BCB11DFA8C884ADEFBF8EF08750F01456AED15EB310D675AD058BA0

Function 01025728 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,0104AAA0,00000000,80070490,010B9CF0,?,00FF890E,WiX\Burn,PackageCache,00000000,0104AAA0,00000000,00000000,80070490), ref: 01025782

Part of subcall function 01020F6E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 01020FE4
Part of subcall function 01020F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0102101F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: 242b9078aa6665137a5d091844026eb54ceb27a37a1bfbfd5e9a60381e9dcacf
Instruction ID: b1ae7a0cc69c6c27b31077b420485884738ba36637720a50310cf8c483df81fa
Opcode Fuzzy Hash: 242b9078aa6665137a5d091844026eb54ceb27a37a1bfbfd5e9a60381e9dcacf
Instruction Fuzzy Hash: 4011CA7684013AEBDF326E98EC849EDFBA9FB14220B150279EE8127110C3354D50D6D4

Function 00FE34C5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00FF89CA,0000001C,80070490,00000000,00000000,80070490), ref: 00FE34E5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 70ba1bdcbc41c509a031dc3ad38ae9870590b6224f155ce8aa6912977d7d079b
Instruction ID: f831528db6cf61402808f8b9025e42059d1eef1cfe9c12c464eb221fc18fca26
Opcode Fuzzy Hash: 70ba1bdcbc41c509a031dc3ad38ae9870590b6224f155ce8aa6912977d7d079b
Instruction Fuzzy Hash: 04E012722012657BA6026E735C0DDEB7B9CEF057507008061FE40D7040E675E950A7B0

Non-executed Functions

Function 00FEA7EF Relevance: 170.4, APIs: 29, Strings: 68, Instructions: 688COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00FEB01A

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

CompareStringW.KERNEL32(0000007F,00000000,0102CA64,000000FF,DirectorySearch,000000FF,0102CA64,Condition,feclient.dll,0102CA64,Variable,?,0102CA64,0102CA64,?,?), ref: 00FEA927
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 00FEA97C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 00FEA998
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 00FEA9BC
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 00FEAA0F
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00FEAA29
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 00FEAA51
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 00FEAA8F
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 00FEAAAE
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 00FEAACD
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 00FEAB8B
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 00FEABA5

Part of subcall function 010231C7: VariantInit.OLEAUT32(?), ref: 010231DD
Part of subcall function 010231C7: SysAllocString.OLEAUT32(?), ref: 010231F9
Part of subcall function 010231C7: VariantClear.OLEAUT32(?), ref: 01023280
Part of subcall function 010231C7: SysFreeString.OLEAUT32(00000000), ref: 0102328B

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 00FEAC04
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 00FEAC26
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00FEAC46
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 00FEAD1E
SysFreeString.OLEAUT32(?), ref: 00FEAEFC

Strings

directory, xrefs: 00FEAD11
assignment, xrefs: 00FEAE2B
Win64, xrefs: 00FEAB5B
value, xrefs: 00FEAB98
version, xrefs: 00FEAA1C, 00FEAC39, 00FEADD9
DirectorySearch, xrefs: 00FEA918
Failed to get @ComponentId., xrefs: 00FEAF84
numeric, xrefs: 00FEABF5
Failed to get search node count., xrefs: 00FEA843
ProductCode, xrefs: 00FEAC82, 00FEAD5A, 00FEAE74
Condition, xrefs: 00FEA8F7
language, xrefs: 00FEADF5
clbcatq.dll, xrefs: 00FEA938, 00FEA9CB, 00FEAC81, 00FEAE73
Type, xrefs: 00FEA954, 00FEA9E7, 00FEAB40, 00FEACC0, 00FEADC0, 00FEAEAA
comres.dll, xrefs: 00FEACA4, 00FEAD59, 00FEAD89, 00FEAE8E
Failed to get @ProductCode., xrefs: 00FEAFBC
Failed to get Value attribute., xrefs: 00FEAF3A
cabinet.dll, xrefs: 00FEABB8
Failed to get @VariableType., xrefs: 00FEAF62
Failed to get @ExpandEnvironment., xrefs: 00FEAF4E
Failed to get next node., xrefs: 00FEAFE9
Unexpected element name: %ls, xrefs: 00FEAFCB
Failed to select search nodes., xrefs: 00FEA81E
Path, xrefs: 00FEA939, 00FEA9CC
HKCU, xrefs: 00FEAAA1
Key, xrefs: 00FEAB02
Variable, xrefs: 00FEA8DC
Invalid value for @Type: %ls, xrefs: 00FEAF9F
FileSearch, xrefs: 00FEA9AF
Failed to get Key attribute., xrefs: 00FEAF6C
exists, xrefs: 00FEA96D, 00FEAA00, 00FEAB7C
Invalid value for @VariableType: %ls, xrefs: 00FEAF5B
ComponentId, xrefs: 00FEACA5
Failed to get @Condition., xrefs: 00FEAF26
search.cpp, xrefs: 00FEA871
HKCR, xrefs: 00FEAA80
Value, xrefs: 00FEAB1D
HKLM, xrefs: 00FEAAC0
wininet.dll, xrefs: 00FEAB01
msi.dll, xrefs: 00FEAB5A
Failed to get @Root., xrefs: 00FEAF7D
MsiComponentSearch, xrefs: 00FEAC5F
Failed to allocate memory for search structs., xrefs: 00FEA87B
MsiFeatureSearch, xrefs: 00FEAE51
RegistrySearch, xrefs: 00FEAA44
version.dll, xrefs: 00FEAB1C
Failed to get Win64 attribute., xrefs: 00FEAF44
Failed to get @Path., xrefs: 00FEAF30
MsiProductSearch, xrefs: 00FEAD37
Failed to get @UpgradeCode., xrefs: 00FEAF8B
Failed to get @Type., xrefs: 00FEAFAE
Failed to get @ProductCode or @UpgradeCode., xrefs: 00FEAF92
feclient.dll, xrefs: 00FEA8F6
DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch, xrefs: 00FEA80B
keyPath, xrefs: 00FEACD9
FeatureId, xrefs: 00FEAE8F
ExpandEnvironment, xrefs: 00FEABB9
Root, xrefs: 00FEAA67
HKU, xrefs: 00FEAADF
Failed to get @Variable., xrefs: 00FEAFDB
Failed to get @Id., xrefs: 00FEAFE2
Failed to get @FeatureId., xrefs: 00FEAFB5
string, xrefs: 00FEAC19
VariableType, xrefs: 00FEABDC
state, xrefs: 00FEACF5, 00FEAE11, 00FEAEC3
Invalid value for @Root: %ls, xrefs: 00FEAF76
path, xrefs: 00FEA98B, 00FEAA38
UpgradeCode, xrefs: 00FEAD8A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
API String ID: 2748437055-1695159631
Opcode ID: c28c08b13abe2413df9bd46e8e4c25f1df31cf5324bd8f7263329d3405c6dbe1
Instruction ID: e7a64c92ed9ba12d446c0d32aeb13f7f2f92c7e05a1d06b858621d2b835cdcd8
Opcode Fuzzy Hash: c28c08b13abe2413df9bd46e8e4c25f1df31cf5324bd8f7263329d3405c6dbe1
Instruction Fuzzy Hash: C8220871D882B6BEDB218B56CC45EAEBE65AF05730F304325F470BA1D0D770AE40E692

Function 00FE3BC3 Relevance: 47.6, APIs: 23, Strings: 4, Instructions: 311fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00FE3C3F
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00FE3C52
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00FE3C9D
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00FE3CA7
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00FE3CF5
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00FE3CFF
FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00FE3D52
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00FE3D63
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00FE3E3D
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00FE3E51
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00FE3E78
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00FE3E9B
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00FE3EB4
FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00FE3EC4
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00FE3ED9
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00FE3F08
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00FE3F2A
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00FE3F4C
RemoveDirectoryW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00FE3F63
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00FE3F6D
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00FE3F93
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00FE3FAE
FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 00FE3FE4

Strings

dirutil.cpp, xrefs: 00FE3C75, 00FE3EF9
DEL, xrefs: 00FE3E6C
4Mw, xrefs: 00FE3CF5
*.*, xrefs: 00FE3D2B

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: 4Mw$*.*$DEL$dirutil.cpp
API String ID: 1544372074-3821523967
Opcode ID: 4d26356aec32cf688d3223ee7ded5928978b2f8432bdd3fabb8141a238260f22
Instruction ID: ae309c8a830ef884d5ba4f88c29c013a9e22def6e2237deceafdabc070247811
Opcode Fuzzy Hash: 4d26356aec32cf688d3223ee7ded5928978b2f8432bdd3fabb8141a238260f22
Instruction Fuzzy Hash: 0DB1F072E01275AAEB315A768C4CBE6B7F5EF44720F1102A5ED08F7190D7768E80EB90

Function 010215CB Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0102166B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 01021675
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 010216C2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 010216C8
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 01021702
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 01021708
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 01021748
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0102174E
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 0102178E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 01021794
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 010217D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 010217DA
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 010218BD
LocalFree.KERNEL32(?), ref: 010219DC

Strings

srputil.cpp, xrefs: 01021696

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CreateKnownWell$DescriptorEntriesFreeInitializeLocalSecurity
String ID: srputil.cpp
API String ID: 3627156773-4105181634
Opcode ID: 2e3a844f60e34f1b5523af6fced55d87bb34d223b70280fee51f7adbc7e332d9
Instruction ID: 50d9ee6cae6157610be386fe63ac54238d4995cf712701a40247b01460c2ee6c
Opcode Fuzzy Hash: 2e3a844f60e34f1b5523af6fced55d87bb34d223b70280fee51f7adbc7e332d9
Instruction Fuzzy Hash: 41B14571D40329ABEB319EA58D84BEAB7FCEB08740F0141A6FD49F7140E6759D848BA4

Function 0100C0FA Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 364COMMON

Download Yara Rule

Strings

Failed to allocate space for burn payload inside of related bundle struct, xrefs: 0100C186
Failed to copy local source path for pseudo bundle., xrefs: 0100C203
pseudobundle.cpp, xrefs: 0100C141, 0100C17A, 0100C269, 0100C475
Failed to copy filename for pseudo bundle., xrefs: 0100C1DF
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 0100C40C
Failed to copy version for pseudo bundle., xrefs: 0100C4D0
Failed to copy install arguments for related bundle package, xrefs: 0100C34C
Failed to copy uninstall arguments for related bundle package, xrefs: 0100C3EB
Failed to append relation type to repair arguments for related bundle package, xrefs: 0100C3B9
Failed to copy key for pseudo bundle., xrefs: 0100C30A
Failed to copy cache id for pseudo bundle., xrefs: 0100C327
Failed to allocate memory for pseudo bundle payload hash., xrefs: 0100C275
Failed to copy display name for pseudo bundle., xrefs: 0100C4F2
Failed to append relation type to install arguments for related bundle package, xrefs: 0100C371
Failed to copy download source for pseudo bundle., xrefs: 0100C231
Failed to copy repair arguments for related bundle package, xrefs: 0100C398
Failed to copy key for pseudo bundle payload., xrefs: 0100C1BB
Failed to allocate memory for dependency providers., xrefs: 0100C481
-%ls, xrefs: 0100C114
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 0100C14D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
API String ID: 1357844191-2832335422
Opcode ID: 03cdd240c65f7f8fcf3b0801036808bf062bae2e8691d347172607d468365d5f
Instruction ID: 73be14885eea52c1469331e5ed939e294e97296db9b528b7f72a48bd42b0e924
Opcode Fuzzy Hash: 03cdd240c65f7f8fcf3b0801036808bf062bae2e8691d347172607d468365d5f
Instruction Fuzzy Hash: 75C106B1A00646BBFB578E69CE41E6A77D8BF48710F0143A9FD85EB241DB34ED009791

Function 00FF69CC Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 358synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00FED39D: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00FF6E4B,000000B8,00000000,?,00000000,7707B390), ref: 00FED3AC
Part of subcall function 00FED39D: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 00FED3BB
Part of subcall function 00FED39D: LeaveCriticalSection.KERNEL32(000000D0,?,00FF6E4B,000000B8,00000000,?,00000000,7707B390), ref: 00FED3D0

ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 00FF6D9A
CloseHandle.KERNEL32(00000000), ref: 00FF6DA3
CloseHandle.KERNEL32(00FE4740,?,00000000,?,00000000,00000001,00000000), ref: 00FF6DC0

Strings

Failed to register bundle., xrefs: 00FF6C00
crypt32.dll, xrefs: 00FF6CD2
Failed to cache engine to working directory., xrefs: 00FF6B7F
core.cpp, xrefs: 00FF6A9C, 00FF6C76
Another per-machine setup is already executing., xrefs: 00FF6BD9
Failed while caching, aborting execution., xrefs: 00FF6CA8
Engine cannot start apply because it is busy with another action., xrefs: 00FF6A2F
Failed to elevate., xrefs: 00FF6BA5
UX aborted apply begin., xrefs: 00FF6AA6
Another per-user setup is already executing., xrefs: 00FF6AF1
Failed to create cache thread., xrefs: 00FF6C80
Failed to set initial apply variables., xrefs: 00FF6B18

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCriticalHandleSection$CompareEnterExchangeInterlockedLeaveMutexRelease
String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
API String ID: 322611130-4292671789
Opcode ID: 479aeefdc2f678afcc8378dd80536e8174f687d1badc3cc429e1100311f8e45a
Instruction ID: ceea6a4f4e638850fc774f906623a55ce44f12e3e08c07b2037c183f14a2741f
Opcode Fuzzy Hash: 479aeefdc2f678afcc8378dd80536e8174f687d1badc3cc429e1100311f8e45a
Instruction Fuzzy Hash: 46C1AE72E0161EBFDB199BA0CC45BFEB7A8FF04315F00422AF615E6160DF34A954AB90

Function 00FE44E9 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 137COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00FE4512
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00FE4519
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00FE4523
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00FE4573
GetLastError.KERNEL32 ref: 00FE457D
CloseHandle.KERNEL32(?), ref: 00FE4677

Strings

Failed to schedule restart., xrefs: 00FE4662
engine.cpp, xrefs: 00FE4547, 00FE45A1, 00FE45EF, 00FE4658
Failed to adjust token to add shutdown privileges., xrefs: 00FE45F9
Failed to get shutdown privilege LUID., xrefs: 00FE45AB
Failed to get process token., xrefs: 00FE4551
SeShutdownPrivilege, xrefs: 00FE4566

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
API String ID: 4232854991-1583736410
Opcode ID: e87ab66e51e502042d01ee479540f8e0b4a20579cc5aee5a63f7581b766c05bd
Instruction ID: fc558f2aac88ce5c68c112e78699edd7285bfd3ac61277f6621aaebfa32ba3a9
Opcode Fuzzy Hash: e87ab66e51e502042d01ee479540f8e0b4a20579cc5aee5a63f7581b766c05bd
Instruction Fuzzy Hash: A341E672B40325ABFB306EB69C89BBBB698EB01750F11012DFE46F7140D6299D0097E5

Function 00FF4CE8 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 161pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00FF4D16
GetLastError.KERNEL32(?,00000000,?,?,00FE442A,?), ref: 00FF4D1F
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,00FE442A,?), ref: 00FF4DC0
GetLastError.KERNEL32(?,00FE442A,?), ref: 00FF4DCD
CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,00FE442A,?), ref: 00FF4E93
LocalFree.KERNEL32(00000000,?,00FE442A,?), ref: 00FF4EC1

Strings

D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00FF4D11
pipe.cpp, xrefs: 00FF4D43, 00FF4DF1, 00FF4E77
\\.\pipe\%ls, xrefs: 00FF4D77
\\.\pipe\%ls.Cache, xrefs: 00FF4E14
Failed to allocate full name of pipe: %ls, xrefs: 00FF4D8D
Failed to create pipe: %ls, xrefs: 00FF4DFE, 00FF4E84
Failed to allocate full name of cache pipe: %ls, xrefs: 00FF4E2A
Failed to create the security descriptor for the connection event and pipe., xrefs: 00FF4D4D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: DescriptorErrorLastSecurity$CloseConvertCreateFreeHandleLocalNamedPipeString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 3065245045-3253666091
Opcode ID: ac24555f9bd2071cfa7a2c647710e48f26c3af43c5f78eaa3312620b383c837f
Instruction ID: ed2225674b11d35a11ecc741d4f788f3ee5186a44b5c3e6e5379780484b9ac47
Opcode Fuzzy Hash: ac24555f9bd2071cfa7a2c647710e48f26c3af43c5f78eaa3312620b383c837f
Instruction Fuzzy Hash: D6519571E40319BFEB219EA5DC85BAFB7A8EF04710F104129FE50FA190D3795E409A90

Function 0101F961 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 167encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,00FF9CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 0101F9C6
GetLastError.KERNEL32 ref: 0101F9D0
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 0101FA0D
GetLastError.KERNEL32 ref: 0101FA17
CryptDestroyHash.ADVAPI32(00000000), ref: 0101FAC9
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0101FAE0
GetLastError.KERNEL32 ref: 0101FAFB
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 0101FB33
GetLastError.KERNEL32 ref: 0101FB3D
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 0101FB76
GetLastError.KERNEL32 ref: 0101FB84

Strings

cryputil.cpp, xrefs: 0101FAB0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CryptErrorLast$Hash$Context$AcquireCreateDestroyFileParamPointerRelease
String ID: cryputil.cpp
API String ID: 1716956426-2185294990
Opcode ID: 9b32fcfc132d801dc48f9e5cb8c34530182d746fbc1fd9154d07eb58df4b8be9
Instruction ID: ab231a95a699da2be145a0fdf03bcc2a465e215b78ce2a4cfe15078f19b1c8d9
Opcode Fuzzy Hash: 9b32fcfc132d801dc48f9e5cb8c34530182d746fbc1fd9154d07eb58df4b8be9
Instruction Fuzzy Hash: 1151D772E40325ABFB329E658C44BEA77E8FB08741F1141A5FE89E6144D37D8D848BE4

Function 00FF9C99 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 181COMMON

Download Yara Rule

Strings

Failed to transfer working path to unverified path for payload: %ls., xrefs: 00FF9D9F
Failed to concat complete cached path., xrefs: 00FF9CEF
Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 00FF9DC6
Failed to get cached path for package with cache id: %ls, xrefs: 00FF9CC3
copying, xrefs: 00FF9E27
Failed to create unverified path., xrefs: 00FF9D69
Failed to reset permissions on unverified cached payload: %ls, xrefs: 00FF9DEC
moving, xrefs: 00FF9E2C, 00FF9E34
Failed to move verified file to complete payload path: %ls, xrefs: 00FF9E68

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
API String ID: 0-1289240508
Opcode ID: 734d6431608d2eaaa85112eb52319a7f1190d24da612c23835a1a85e870e1301
Instruction ID: 5480972f02aa61e948ea8fe4e7a8c1638b835525d029a700358e7685c13cc437
Opcode Fuzzy Hash: 734d6431608d2eaaa85112eb52319a7f1190d24da612c23835a1a85e870e1301
Instruction Fuzzy Hash: 2C519E32D4422EBBDF226B90CC42FEEBA76AF14710F204195FA4075170E7B64A61BB95

Function 00FE6184 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 00FE61D2
GetLastError.KERNEL32 ref: 00FE61DC

Strings

variable.cpp, xrefs: 00FE6200
Failed to get OS info., xrefs: 00FE620A
Failed to set variant value., xrefs: 00FE6314

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastVersion
String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
API String ID: 305913169-1971907631
Opcode ID: 01c12dec438ff21718c4931287531b3791d3480cc3d99f12b8f57218243b0706
Instruction ID: 940d86d3754ba7606052bda5f3635ef241c83487b8cc204217d23cb59cb3007f
Opcode Fuzzy Hash: 01c12dec438ff21718c4931287531b3791d3480cc3d99f12b8f57218243b0706
Instruction Fuzzy Hash: E2418472E0426CABDB30DAAACC45FEE7BB8EB99750F10019AF545E7140D6349E81DB90

Function 0101FDC2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0104B60C,00000000,?,?,?,?,01001014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0101FDF0
GetCurrentProcessId.KERNEL32(00000000,?,01001014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0101FE00
GetCurrentThreadId.KERNEL32 ref: 0101FE09
GetLocalTime.KERNEL32(8007139F,?,01001014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 0101FE1F
LeaveCriticalSection.KERNEL32(0104B60C,?,00000000,00000000,0000FDE9), ref: 0101FF12

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 0101FEB9

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: d0666d513a9230163daa80f03bede487de6c3935312134872bee11e4b245bcc4
Instruction ID: bebcff1cdfbd418c93dff1a4314bfddb1ce7f5b5b739bf3b023b7b208821e87a
Opcode Fuzzy Hash: d0666d513a9230163daa80f03bede487de6c3935312134872bee11e4b245bcc4
Instruction Fuzzy Hash: A64184B5D0021AABDB209FA8DC44ABEB7F5AB08B11F104069FA81E2154D73D8D44CBA1

Function 00FF993E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,*.*,?,?,?,00000000,.unverified,?), ref: 00FF99ED
lstrlenW.KERNEL32(?), ref: 00FF9A14
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF9A74
FindClose.KERNEL32(00000000), ref: 00FF9A7F

Part of subcall function 00FE3BC3: GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00FE3C3F
Part of subcall function 00FE3BC3: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00FE3C52

Strings

.unverified, xrefs: 00FF9981
*.*, xrefs: 00FF99C7

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: 23911091fc5d0e32ecdfe48051ae5772a051832130a790d605f7111578dc6d30
Instruction ID: b414455c877bd3591569dff9ea18d12a4c44a36472fbb732a36bbc34d55b57a4
Opcode Fuzzy Hash: 23911091fc5d0e32ecdfe48051ae5772a051832130a790d605f7111578dc6d30
Instruction Fuzzy Hash: ED419231D0456DAEDB31AB60DC48BFAB7B8AF44711F5001E5E608E10A0EBB98EC4EF14

Function 01028733 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 01028788
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 0102879A

Strings

feclient.dll, xrefs: 01028762
crypt32.dll, xrefs: 01028758
%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 01028771
%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 010287E3

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
API String ID: 1772835396-1985132828
Opcode ID: 73ac7b7ab26d2ed1758b7fe46419e1ac6d24e61600849f0487b781bad4b5c4ee
Instruction ID: 8110c0f45ce659592d82e09da68319439fcd2b198044cb6b71d0780e8c153df3
Opcode Fuzzy Hash: 73ac7b7ab26d2ed1758b7fe46419e1ac6d24e61600849f0487b781bad4b5c4ee
Instruction Fuzzy Hash: 2721FCA6900128BAD7249B969C45FBBB3FCEB48B11F10445AF985D6080E638AE84D770

Function 0101A85E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0101A9A4

Strings

1#IND, xrefs: 0101BB9C
1#SNAN, xrefs: 0101BBA3
1#INF, xrefs: 0101BBB1
1#QNAN, xrefs: 0101BBAA

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2620ad76a27757fa33800b71cee87a7fd245a868a3a576f33daeb2691306640c
Instruction ID: 4cd4c6603e5fe1098e1e708d4f07687b1260a9986b3be3bcd3057d0d88411904
Opcode Fuzzy Hash: 2620ad76a27757fa33800b71cee87a7fd245a868a3a576f33daeb2691306640c
Instruction Fuzzy Hash: 53C24971E056288FDB65CE28DD807EAB7F5EB44305F1441EAD88DE7249E778AE818F40

Function 00FE60BA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00FE60EA
GetLastError.KERNEL32 ref: 00FE60F4

Strings

variable.cpp, xrefs: 00FE6112
Failed to get the user name., xrefs: 00FE611C
Failed to set variant value., xrefs: 00FE6138

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: 3c5af8add1590b76e1d61f43f4dc2371ba221d68146f64209aed11ed551cbfc8
Instruction ID: 50de7673f1c7412fd244ff3720373aac71b1e6469fbe9fa2b5ee6080ef4e4c99
Opcode Fuzzy Hash: 3c5af8add1590b76e1d61f43f4dc2371ba221d68146f64209aed11ed551cbfc8
Instruction Fuzzy Hash: 09014932A003396BD722EAA6DC08BEF77A8DB20760F10016AFC44E7141EA389E0457D0

Function 0101FD20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,00000000,00000000,00000000,00000000,?,00000000,?,?,010203EC,?,00000000,?,?,00000001), ref: 0101FD3F
GetLastError.KERNEL32(?,010203EC,?,00000000,?,?,00000001,?,00FE5523,?,?,00000000,?,?,00FE528D,00000002), ref: 0101FD4B
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,010203EC,?,00000000,?,?,00000001,?,00FE5523,?,?), ref: 0101FDB3

Strings

logutil.cpp, xrefs: 0101FD69

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: 6b28af7cf2f94a09c10e2e263b6d8c7084b1a15ba343053e6676cff64de3b80e
Instruction ID: 441239ac6376f716cd0836e1df5f8f14fa421ff53c11a359c92b4499c5a0d624
Opcode Fuzzy Hash: 6b28af7cf2f94a09c10e2e263b6d8c7084b1a15ba343053e6676cff64de3b80e
Instruction Fuzzy Hash: 6311013160021AFBDB22AF94CC05EFE3B6AFF44710F814059FD5196028D7798A20D7A0

Function 01006945 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,010068EF,00000000,00000003), ref: 0100695C
GetLastError.KERNEL32(?,010068EF,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,01006CE1,?), ref: 01006966

Strings

msuengine.cpp, xrefs: 0100698A
Failed to set service start type., xrefs: 01006994

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$msuengine.cpp
API String ID: 1456623077-1628545019
Opcode ID: 09ef17ccf426caf9c37f9fd0d8080b4649c588d23cbff496fef7248f448bc76d
Instruction ID: 17e9cdf1655c100c3fce0db19fa9ca1bed7598c0fecedcc639171064614f8b36
Opcode Fuzzy Hash: 09ef17ccf426caf9c37f9fd0d8080b4649c588d23cbff496fef7248f448bc76d
Instruction Fuzzy Hash: BFF0303264833576AA2129AA5C09A877AC8DB016B0F214325FD68E61D4DA1A991093E5

Function 01013BB0 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 01013CA8
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 01013CB2
UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 01013CBF

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6f1bb72632aeca9e7ee67db1df44a0749bd2585865a3530a9ab3e7f9b26749fa
Instruction ID: a008d98ed8f24c8c17cd333bdd8031954c2f9aef62755dc9e04ba0cc81775d13
Opcode Fuzzy Hash: 6f1bb72632aeca9e7ee67db1df44a0749bd2585865a3530a9ab3e7f9b26749fa
Instruction Fuzzy Hash: BD31E57490121DABDB21DF68D9887CCBBB8BF08310F5045EAE84CA7290E7349B858F44

Function 01014812 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,010147E8,00000000,01047CF8,0000000C,0101493F,00000000,00000002,00000000), ref: 01014833
TerminateProcess.KERNEL32(00000000,?,010147E8,00000000,01047CF8,0000000C,0101493F,00000000,00000002,00000000), ref: 0101483A
ExitProcess.KERNEL32 ref: 0101484C

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cf5525c67dd41c7cd4e4b49f25ea9111828a320ae3cc19a5d12ca12390a89bd1
Instruction ID: 3b4514ca1adfe43823e6de0fa15620e639d76eb5673259c06374af501e935082
Opcode Fuzzy Hash: cf5525c67dd41c7cd4e4b49f25ea9111828a320ae3cc19a5d12ca12390a89bd1
Instruction Fuzzy Hash: 6DE08C31000289AFCF216F14D808AAE3F69FF41341F680064FC848B139CB3EE942CB80

Function 01017A87 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 01017B51

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: ca299b1bbf4f3bcdd09195f37cc0e145eb68030d0f7935a0710b453cd0b74d0f
Instruction ID: e36e7e8f88c391d361b555c8ea591758a3b1ca1f5883a9d97f61eacc330a2d61
Opcode Fuzzy Hash: ca299b1bbf4f3bcdd09195f37cc0e145eb68030d0f7935a0710b453cd0b74d0f
Instruction Fuzzy Hash: 764147725002196BDB249FBCDC88EBB7BB8FBC4314F5042A8FA45C7184E6359E81CB60

Function 0101A3B0 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5ef6380223df80c09fbffff4406c54564286920eb9de1bd108dda9bf4439f2
Instruction ID: d31c9a52debb6b145a3bc6b8ca30c160569cee085387ec394a9421e20595cbc6
Opcode Fuzzy Hash: eb5ef6380223df80c09fbffff4406c54564286920eb9de1bd108dda9bf4439f2
Instruction Fuzzy Hash: 2F023B71E01219DFDF15CFA9C8806ADBBF1FF88324F1581AAD959E7285D734AA41CB80

Function 0102393B Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01023AC9: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,0102396A,?), ref: 01023B3A

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0102398E
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0102399F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: 4b2d20354dceb765c3c8e27869bf947ac4e9391883b2c5cbc929a18eec3f9ccf
Instruction ID: 82965a3f028285dab167e78547f285eb69e7030d35b954dce771a186a0df6272
Opcode Fuzzy Hash: 4b2d20354dceb765c3c8e27869bf947ac4e9391883b2c5cbc929a18eec3f9ccf
Instruction Fuzzy Hash: 45113071A0021AABDB20DFA5DC84AAEBBF8FF08304F50046DE585AA180D7789A44CB55

Function 01024315 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(01008FFA,?,000002C0,00000000,00000000), ref: 01024350
FindClose.KERNEL32(00000000), ref: 0102435C

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6d7fc57db53cd601a00093e165f665952ec6e64e14307ef6597622f9e8d69213
Instruction ID: e404de3541977cf14eb6bc6f0452f04cb868fe157b718781cc74e0e9cfc74caa
Opcode Fuzzy Hash: 6d7fc57db53cd601a00093e165f665952ec6e64e14307ef6597622f9e8d69213
Instruction Fuzzy Hash: 8D01F972A00218ABDB30EEB9DD8DDAAF7ACEBC5315F400195E988C3280D7345E4DC760

Function 01012B21 Relevance: 2.7, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 01012C91
comres.dll, xrefs: 01012CC8, 01012CE1, 01012D09, 01012D34

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID: 0$comres.dll
API String ID: 0-3030269839
Opcode ID: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction ID: 8d50f67a2ca65129c09637cb684a168c594e6f2096a4376d60b93497a948f212
Opcode Fuzzy Hash: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction Fuzzy Hash: 76517A606007495BEB795EAC88D5BFE3BC5FB52340F380589D7C2DB28ED21DD5418356

Function 0101ED4C Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0101ED47,?,?,00000008,?,?,0101E9E7,00000000), ref: 0101EF79

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6e4602ddc62bb780bcde77e57dd64fc1f2edafb9f4b05828936fbe1991f7c6bd
Instruction ID: 63ae71bdc9886ecd0ea26bb54a6f638a068ae60d871db8e0ad0bf00043f51697
Opcode Fuzzy Hash: 6e4602ddc62bb780bcde77e57dd64fc1f2edafb9f4b05828936fbe1991f7c6bd
Instruction Fuzzy Hash: 6CB108321106099FE756CF2CC48AB697BE0FF45364F258698E9D9CF2A5C339E991CB40

Function 0100E773 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002E77F,0100DEF8), ref: 0100E778

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f947830583641a40a142afd4690ab6825e6aa181a5a7a7c4b47988a6bd293776
Instruction ID: 284212d36f415b1623fd78e46ed1d933ef40cc2e02465271a77cfc0d6f762f76
Opcode Fuzzy Hash: f947830583641a40a142afd4690ab6825e6aa181a5a7a7c4b47988a6bd293776
Instruction Fuzzy Hash:

Function 01010662 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 65ec8d68d5510dbf9aac820720ceba2b74184f6fd0312d85bf6f63508bca7b75
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 78C1843220916309EBAE467D943417EBEE16F926B131A579DF4F3CB1CDEE28C1A4D610

Function 01010A97 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: d6e3dbca16fc857eb1abd554cfaa0151cca004c9544468d868e7d770bfe0faf1
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 4AC196322051A309EBAE4A7DD47417EBEE16B926B130A579DF4F3CB1CDEE28D1A4C510

Function 0101022D Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 1199f88809d945b530a72fce18760d628b5692441e13d99d8c6c38be89c5a918
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: EEC196322051630AEFAD467D947417FBEE16B916B131A57ADF4F3CB0CDEE28C1A49610

Function 0100FE15 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c20266c0579e298b4430cd975c6cf248544309960922f9d66c93b2bbc0d0b417
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: D1C174322050A30AEFAE467D943417EBEE16F926B131A579DF4F3CB1CDEE28D1A49510

Function 01012D50 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a546bd8df8a44261f9962746ce7e356d0a74b64ffcfd53c8550aebf465f470c6
Instruction ID: 3e3b4f9bfd0c85cca99cd53ad31df7e278a5748839aeed606cafeb35d4f4c474
Opcode Fuzzy Hash: a546bd8df8a44261f9962746ce7e356d0a74b64ffcfd53c8550aebf465f470c6
Instruction Fuzzy Hash: 1D617C712007095BEEB8696C88A4BFE37D5EB51300F7409ADEAC3DF2CDDA1D99828355

Function 00FE15E4 Relevance: .2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a171f11b9a6d05646ec5af85c1ae303124031ce04bcd527b034c517c0aead239
Instruction ID: 265e7866626b8127fc6c5eebcacd8d5ce7ebd6b5c222c1bc27820cd073d68773
Opcode Fuzzy Hash: a171f11b9a6d05646ec5af85c1ae303124031ce04bcd527b034c517c0aead239
Instruction Fuzzy Hash: C751AD76901299ABDF21CE57C884EEE7769BB44730F19821AFC159B280D734ED50EBA0

Function 00FEFE26 Relevance: 81.0, APIs: 1, Strings: 45, Instructions: 476registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000,?,?,?), ref: 00FF0409

Strings

UninstallString, xrefs: 00FF02F2, 00FF0308
Publisher, xrefs: 00FF009C, 00FF00AF
/modify, xrefs: 00FF02E1, 00FF02E9
BundleTag, xrefs: 00FEFFCA, 00FEFFCF
%s,0, xrefs: 00FF000F
SystemComponent, xrefs: 00FF0290, 00FF02A3
BundlePatchCode, xrefs: 00FEFF43, 00FEFF4B
Comments, xrefs: 00FF01A2, 00FF01B5
BundleCachePath, xrefs: 00FEFECE, 00FEFED3
DisplayIcon, xrefs: 00FF000A, 00FF0014
ModifyPath, xrefs: 00FF021D, 00FF0233
URLInfoAbout, xrefs: 00FF010E, 00FF0121
EstimatedSize, xrefs: 00FF0385, 00FF038A, 00FF0399
"%ls" %ls, xrefs: 00FF02ED
3.10.4.4718, xrefs: 00FEFFE2
HelpLink, xrefs: 00FF00C2, 00FF00D5
QuietUninstallString, xrefs: 00FF02B5, 00FF02CB
/uninstall, xrefs: 00FF02DC
BundleDetectCode, xrefs: 00FEFF25, 00FEFF2D
"%ls" /modify, xrefs: 00FF0218
NoModify, xrefs: 00FF01F3, 00FF0206
NoRemove, xrefs: 00FF026B, 00FF027E
Failed to register the bundle dependency key., xrefs: 00FF03BC
Failed to cache bundle from path: %ls, xrefs: 00FEFE81
%hu.%hu.%hu.%hu, xrefs: 00FEFF85
Failed to update resume mode., xrefs: 00FF03D6
Failed to write %ls value., xrefs: 00FF039A
ParentDisplayName, xrefs: 00FF015A, 00FF016D
ParentKeyName, xrefs: 00FF017A, 00FF018D
BundleUpgradeCode, xrefs: 00FEFEE9, 00FEFEF1
EngineVersion, xrefs: 00FEFFEC, 00FEFFF1
NoElevateOnModify, xrefs: 00FF023F, 00FF0252
Failed to write software tags., xrefs: 00FF032E
Failed to create registration key., xrefs: 00FEFEAE
"%ls" /uninstall /quiet, xrefs: 00FF02B0
BundleProviderKey, xrefs: 00FEFFA9, 00FEFFAE
%hs, xrefs: 00FEFFE7
DisplayVersion, xrefs: 00FF0069, 00FF007C
DisplayName, xrefs: 00FF0043, 00FF0056
URLUpdateInfo, xrefs: 00FF0134, 00FF0147
Contact, xrefs: 00FF01CA, 00FF01DD
Failed to write update registration., xrefs: 00FF034E
HelpTelephone, xrefs: 00FF00E8, 00FF00FB
BundleVersion, xrefs: 00FEFF61, 00FEFF8A
BundleAddonCode, xrefs: 00FEFF07, 00FEFF0F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.10.4.4718$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString
API String ID: 3535843008-3978993339
Opcode ID: 7f2aeec05fbe40508860f821a518ec6ec03f81fee5ad004d659ba680defe8209
Instruction ID: 65ecb99edb6154bb0635323a56ee0df3774b2fcd99f1a15d603112773dfde5d5
Opcode Fuzzy Hash: 7f2aeec05fbe40508860f821a518ec6ec03f81fee5ad004d659ba680defe8209
Instruction Fuzzy Hash: 68F1E532A41A3AFBCB125A55CC01FBDB6A9BF50710F154254FE80BA672DB71AD20B7D0

Function 00FE834D Relevance: 59.8, APIs: 5, Strings: 29, Instructions: 331COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00FE533D,?,00000000,80070490,?,?,?,?,?,?,?,?,0100BF87,?,00FE533D,?), ref: 00FE837E
LeaveCriticalSection.KERNEL32(00FE533D,?,?,?,?,?,?,?,?,0100BF87,?,00FE533D,?,00FE533D,00FE533D,Chain), ref: 00FE86DB

Strings

Failed to change variant type., xrefs: 00FE86B1
Failed to get @Hidden., xrefs: 00FE86BF
Initializing hidden variable '%ls', xrefs: 00FE8548
version, xrefs: 00FE8503
Failed to get @Persisted., xrefs: 00FE86B8
Attempt to set built-in variable value: %ls, xrefs: 00FE869F
Failed to insert variable '%ls'., xrefs: 00FE859D
numeric, xrefs: 00FE8493
Failed to set variant value., xrefs: 00FE8666
Type, xrefs: 00FE847A
Persisted, xrefs: 00FE8421
Failed to get @Type., xrefs: 00FE865F
Failed to get next node., xrefs: 00FE86CD
Hidden, xrefs: 00FE8406
Initializing string variable '%ls' to value '%ls', xrefs: 00FE84F1
Failed to find variable value '%ls'., xrefs: 00FE86A9
Variable, xrefs: 00FE8388
Initializing numeric variable '%ls' to value '%ls', xrefs: 00FE84B9
Failed to set variant encryption, xrefs: 00FE8674
Invalid value for @Type: %ls, xrefs: 00FE864F
Failed to set value of variable: %ls, xrefs: 00FE867E
Failed to select variable nodes., xrefs: 00FE839B
Failed to get @Value., xrefs: 00FE866D
Initializing version variable '%ls' to value '%ls', xrefs: 00FE852A
variable.cpp, xrefs: 00FE8690
Failed to get @Id., xrefs: 00FE86C6
string, xrefs: 00FE84CE
Value, xrefs: 00FE843C
Failed to get variable node count., xrefs: 00FE83B8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-1614826165
Opcode ID: d04ca21b61d71f998c08caf9d9f6bc61d045cc5f7fe31a4678e9dd1024f5b8d2
Instruction ID: 72a150264e958ae9a7f6acd5e6a48b38b5d17dde962fa194d2f229e507bb0c64
Opcode Fuzzy Hash: d04ca21b61d71f998c08caf9d9f6bc61d045cc5f7fe31a4678e9dd1024f5b8d2
Instruction Fuzzy Hash: 30B1F972D40269BBDF11FB96CD05EEEBB75AF14760F200255F8497B290CB719E01AB90

Function 01006A85 Relevance: 58.1, APIs: 7, Strings: 26, Instructions: 377COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00FFBBCA,00000007,?,?,?), ref: 01006AD9

Part of subcall function 010209BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00FE5D8F,00000000), ref: 010209CF
Part of subcall function 010209BB: GetProcAddress.KERNEL32(00000000), ref: 010209D6
Part of subcall function 010209BB: GetLastError.KERNEL32(?,?,?,00FE5D8F,00000000), ref: 010209ED

CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 01006EC9
CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 01006EDD

Strings

Failed to get cached path for package: %ls, xrefs: 01006BB5
"%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 01006C2E
Failed to append log path to MSU command-line., xrefs: 01006C8D
Failed to append log switch to MSU command-line., xrefs: 01006C6F
Failed to allocate WUSA.exe path., xrefs: 01006B6C
Failed to wait for executable to complete: %ls, xrefs: 01006E58
Failed to get action arguments for MSU package., xrefs: 01006B8F
Failed to build MSU path., xrefs: 01006BEE
Failed to get process exit code., xrefs: 01006DE5
Failed to find System32 directory., xrefs: 01006B4E
D, xrefs: 01006CF4
Failed to format MSU uninstall command., xrefs: 01006C42
WixBundleExecutePackageCacheFolder, xrefs: 01006BC4, 01006EF5
2, xrefs: 01006D6C
SysNative\, xrefs: 01006B23
/log:, xrefs: 01006C5B
wusa.exe, xrefs: 01006B59
Bootstrapper application aborted during MSU progress., xrefs: 01006E0D
Failed to find Windows directory., xrefs: 01006B18
msuengine.cpp, xrefs: 01006D46, 01006DDB, 01006E03
Failed to append SysNative directory., xrefs: 01006B36
Failed to ensure WU service was enabled to install MSU package., xrefs: 01006CE7
Failed to format MSU install command., xrefs: 01006C15
"%ls" "%ls" /quiet /norestart, xrefs: 01006C01
Failed to CreateProcess on path: %ls, xrefs: 01006D53
Failed to determine WOW64 status., xrefs: 01006AEB

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuengine.cpp$wusa.exe
API String ID: 1400713077-4261965642
Opcode ID: 64a3a45cb720c87722ee7878a954cc9ebbaa40c43823c29d2424736a031a6182
Instruction ID: 06a7d571fee170139317fc394ac69aefd2553551680762a02b514de9ff91ab64
Opcode Fuzzy Hash: 64a3a45cb720c87722ee7878a954cc9ebbaa40c43823c29d2424736a031a6182
Instruction Fuzzy Hash: 23D1B770A0030AAFFF12AFE9CC85EEE7BB9AF04704F404079F685A6191D7B69D509B51

Function 010272F4 Relevance: 45.8, APIs: 13, Strings: 13, Instructions: 340COMMON

Download Yara Rule

APIs

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 01027407
SysFreeString.OLEAUT32(00000000), ref: 010275D0
SysFreeString.OLEAUT32(00000000), ref: 0102766D

Strings

(, xrefs: 010275AB
link, xrefs: 0102739C, 0102757E
@, xrefs: 01027576
updated, xrefs: 010274AE
author, xrefs: 01027345, 010274D6
generator, xrefs: 010273FA
icon, xrefs: 0102741E
subtitle, xrefs: 01027476
atomutil.cpp, xrefs: 01027321, 01027657
logo, xrefs: 0102745A
entry, xrefs: 0102737F, 01027548
category, xrefs: 01027362, 0102750F
title, xrefs: 01027492

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$FreeHeap$AllocateCompareProcess
String ID: ($@$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
API String ID: 1555028553-2592408802
Opcode ID: 1894585f3196d5341c8c0f67cf0cba0c302f42a0fcd67e8e35ec794e6226411e
Instruction ID: 23ba3080ce5e7b55f97bc41795cc9432db5a87c23247bcab4e4da25c3d14d839
Opcode Fuzzy Hash: 1894585f3196d5341c8c0f67cf0cba0c302f42a0fcd67e8e35ec794e6226411e
Instruction Fuzzy Hash: 31B1C971944236FBDB219B58CC85FAEBAB8AF15720F600355F5A0AB2D1DB71EE40C790

Function 01026FB7 Relevance: 45.8, APIs: 11, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,01043C78,000000FF,?,?,?), ref: 0102707E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 010270A3
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 010270C3
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 010270DF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 01027107
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 01027123
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 0102715C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 01027195

Part of subcall function 01026BF6: SysFreeString.OLEAUT32(00000000), ref: 01026D2F
Part of subcall function 01026BF6: SysFreeString.OLEAUT32(00000000), ref: 01026D71

SysFreeString.OLEAUT32(00000000), ref: 01027219
SysFreeString.OLEAUT32(00000000), ref: 010272C9

Strings

feclient.dll, xrefs: 010270B0
msi.dll, xrefs: 01026FE1
link, xrefs: 0102701C, 010271C7
updated, xrefs: 010270F9
author, xrefs: 01026FE2, 01027115
(, xrefs: 010271F4
version.dll, xrefs: 01026FDD
published, xrefs: 010270D1
clbcatq.dll, xrefs: 010270EC
cabinet.dll, xrefs: 01026FFA
atomutil.cpp, xrefs: 010272B6
content, xrefs: 01027187
category, xrefs: 01026FFF, 0102714E
summary, xrefs: 01027095
title, xrefs: 010270B5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-4294603148
Opcode ID: a4221672c37e9ed282e1272fd23caf791ac2204a386db20f44daf6f1a8d61733
Instruction ID: 570c0ac05b7c8a4507dc7d1273fa64a62aa31f9c0687df2af1e55bfda3e6df71
Opcode Fuzzy Hash: a4221672c37e9ed282e1272fd23caf791ac2204a386db20f44daf6f1a8d61733
Instruction Fuzzy Hash: 3AA1E575904236FBDB219B98CC41FAD7778AF26720F200399F9A0AB1D1D771EA14CB90

Function 00FF52E3 Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 222filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,0102B4F0,?,00000000,?,00FE442A,?,0102B4F0), ref: 00FF5304
GetCurrentProcessId.KERNEL32(?,00FE442A,?,0102B4F0), ref: 00FF530F
SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,00FE442A,?,0102B4F0), ref: 00FF5346
ConnectNamedPipe.KERNEL32(?,00000000,?,00FE442A,?,0102B4F0), ref: 00FF535B
GetLastError.KERNEL32(?,00FE442A,?,0102B4F0), ref: 00FF5365
Sleep.KERNEL32(00000064,?,00FE442A,?,0102B4F0), ref: 00FF5396
SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,00FE442A,?,0102B4F0), ref: 00FF53B9
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,00FE442A,?,0102B4F0), ref: 00FF53D4
WriteFile.KERNEL32(?,00FE442A,0102B4F0,00000000,00000000,?,00FE442A,?,0102B4F0), ref: 00FF53EF
WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,00FE442A,?,0102B4F0), ref: 00FF540A
ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,00FE442A,?,0102B4F0), ref: 00FF5425
GetLastError.KERNEL32(?,00FE442A,?,0102B4F0), ref: 00FF547D
GetLastError.KERNEL32(?,00FE442A,?,0102B4F0), ref: 00FF54B1
GetLastError.KERNEL32(?,00FE442A,?,0102B4F0), ref: 00FF54E5
GetLastError.KERNEL32(?,00FE442A,?,0102B4F0), ref: 00FF557B

Strings

Failed to wait for child to connect to pipe., xrefs: 00FF5473
Failed to reset pipe to blocking., xrefs: 00FF5574
pipe.cpp, xrefs: 00FF5469, 00FF549D, 00FF54D1, 00FF5505, 00FF5539, 00FF556A, 00FF559B
crypt32.dll, xrefs: 00FF53D2
Failed to write secret length to pipe., xrefs: 00FF5543
Failed to set pipe to non-blocking., xrefs: 00FF55A5
Failed to write our process id to pipe., xrefs: 00FF54DB
Failed to write secret to pipe., xrefs: 00FF550F
Failed to read ACK from pipe., xrefs: 00FF54A7

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$crypt32.dll$pipe.cpp
API String ID: 2944378912-2047837012
Opcode ID: 49cd52f619a8a95585853fad4e4753e347a69de5585c7ef563f2b026cad980bd
Instruction ID: cc81b80ce4603d4b823c8e58c9e8ce6209d766816d116b9cb78a5c364a2ad2b7
Opcode Fuzzy Hash: 49cd52f619a8a95585853fad4e4753e347a69de5585c7ef563f2b026cad980bd
Instruction Fuzzy Hash: 1061FC72E40729ABE720DAB9CC45BBAB6ECEF04B50F214125FF45EB150D6798D0097E1

Function 00FEA311 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00FEA356
_MREFOpen@16.MSPDB140-MSVCRT ref: 00FEA37C
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 00FEA666

Strings

Failed to clear variable., xrefs: 00FEA3D4
Failed to format key string., xrefs: 00FEA361
Registry key not found. Key = '%ls', xrefs: 00FEA3B0
Unsupported registry key value type. Type = '%u', xrefs: 00FEA506
Failed to read registry value., xrefs: 00FEA5F4
Failed to query registry key value., xrefs: 00FEA4D8
Failed to query registry key value size., xrefs: 00FEA454
Failed to format value string., xrefs: 00FEA387
Failed to allocate string buffer., xrefs: 00FEA565
Failed to set variable., xrefs: 00FEA629
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00FEA418
Failed to open registry key., xrefs: 00FEA3E9
search.cpp, xrefs: 00FEA44A, 00FEA47D, 00FEA4CE, 00FEA5D1
Failed to allocate memory registry value., xrefs: 00FEA487
Failed to get expand environment string., xrefs: 00FEA5DB
Failed to change value type., xrefs: 00FEA60D
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00FEA63E

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: 1f6526af99b356b732331bd7c1a830c4e9f739021eff00ad2c9820b983a2d0fb
Instruction ID: 52980c4df42bbf7c9e7add0589aeddb66e5dc7c4dd634b28ab636a4a7b7c0d9d
Opcode Fuzzy Hash: 1f6526af99b356b732331bd7c1a830c4e9f739021eff00ad2c9820b983a2d0fb
Instruction Fuzzy Hash: 65A1EA72D80769FBDF229AA6CC45FEE7AA9AF04310F144125FD04BA150D775EE00A7A2

Function 0100D22C Relevance: 44.0, APIs: 10, Strings: 15, Instructions: 276processCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 0100D2A7
StringFromGUID2.OLE32(?,?,00000027), ref: 0100D2D0
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 0100D3BC
GetLastError.KERNEL32(?,?,?,?), ref: 0100D3C6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 0100D45B
GetExitCodeProcess.KERNEL32(?,?), ref: 0100D485
GetLastError.KERNEL32(?,?,?,?), ref: 0100D493
GetLastError.KERNEL32(?,?,?,?), ref: 0100D4CB

Part of subcall function 0100D12C: WaitForSingleObject.KERNEL32(?,000000FF,774D30B0,00000000,?,?,?,?,0100D439,?), ref: 0100D145
Part of subcall function 0100D12C: ReleaseMutex.KERNEL32(?,?,?,?,0100D439,?), ref: 0100D161
Part of subcall function 0100D12C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0100D1A4
Part of subcall function 0100D12C: ReleaseMutex.KERNEL32(?), ref: 0100D1BB
Part of subcall function 0100D12C: SetEvent.KERNEL32(?), ref: 0100D1C4

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 0100D580
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 0100D598

Strings

Failed to process netfx chainer message., xrefs: 0100D43F
Failed to wait for netfx chainer process to complete, xrefs: 0100D4F9
NetFxChainer.cpp, xrefs: 0100D2E5, 0100D3EA, 0100D4B7, 0100D4EF
Failed to convert netfx chainer guid into string., xrefs: 0100D2EF
D, xrefs: 0100D3A1
%ls /pipe %ls, xrefs: 0100D373
Failed to allocate event name., xrefs: 0100D333
Failed to allocate section name., xrefs: 0100D311
NetFxSection.%ls, xrefs: 0100D2FD
Failed to create netfx chainer., xrefs: 0100D352
Failed to get netfx return code., xrefs: 0100D4C1
NetFxEvent.%ls, xrefs: 0100D31F
Failed to create netfx chainer guid., xrefs: 0100D2B4
Failed to CreateProcess on path: %ls, xrefs: 0100D3F5
Failed to allocate netfx chainer arguments., xrefs: 0100D387

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastWait$CloseCreateHandleMutexObjectProcessReleaseSingle$CodeEventExitFromMultipleObjectsStringUuid
String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
API String ID: 2531618940-1825855094
Opcode ID: 54055684853496aa0937f8c9a882eec404de4746625b72196a8c8a02b63283fa
Instruction ID: 2ef43195af01b98ed5a0326c954a5ec54505d940a23e32ac01767894757fb213
Opcode Fuzzy Hash: 54055684853496aa0937f8c9a882eec404de4746625b72196a8c8a02b63283fa
Instruction Fuzzy Hash: 60A1B271E00328AFEB229AE5CD45BEEB7B8AF04310F104169FE49F7181D7759A448FA1

Function 00FE567D Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 476stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,00FE99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 00FE56A2
lstrlenW.KERNEL32(00000000,?,00FE99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 00FE56AC
_wcschr.LIBVCRUNTIME ref: 00FE58B4
LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,00FE99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 00FE5B56

Strings

Failed to allocate buffer for format string., xrefs: 00FE56CA
Failed to get variable name., xrefs: 00FE5998
Failed to determine variable visibility: '%ls'., xrefs: 00FE5946
Failed to get formatted length., xrefs: 00FE5A6D
Failed to allocate variable array., xrefs: 00FE5991
Failed to allocate string., xrefs: 00FE5AD1
Failed to allocate record., xrefs: 00FE5917
Failed to format record., xrefs: 00FE5B1A
Failed to format placeholder string., xrefs: 00FE5963
Failed to set record format string., xrefs: 00FE59DD
*****, xrefs: 00FE5820
variable.cpp, xrefs: 00FE590A, 00FE592B, 00FE5984, 00FE59D0, 00FE5A60, 00FE5A95, 00FE5B0D
Failed to append placeholder., xrefs: 00FE5959
Failed to append string., xrefs: 00FE5728
Failed to set variable value., xrefs: 00FE596D
[%d], xrefs: 00FE586F
Failed to copy string., xrefs: 00FE5B3A
Failed to set record string., xrefs: 00FE5AA2
Failed to reallocate variable array., xrefs: 00FE5938

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: f203534ec768d59872b6051b51d518d04b7de0198209b47a8563e05e2136c934
Instruction ID: 9db1c02c4dee0a816db5fe39c2de1d205a94abaae74854cc77598138597fcffa
Opcode Fuzzy Hash: f203534ec768d59872b6051b51d518d04b7de0198209b47a8563e05e2136c934
Instruction Fuzzy Hash: CDF1D6B2D00769EFDB119FA6CC41AAF77A5EF44B64F11412AFD05AB240D7349E01EBA0

Function 0100CC24 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 235synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,0100D34C,?,?,?), ref: 0100CC6A
GetLastError.KERNEL32(?,?,0100D34C,?,?,?), ref: 0100CC77
ReleaseMutex.KERNEL32(?), ref: 0100CEDF

Strings

%ls_mutex, xrefs: 0100CD18
NetFxChainer.cpp, xrefs: 0100CC46, 0100CC98, 0100CCFD, 0100CD6C, 0100CDBE, 0100CE06
Failed to create mutex: %ls, xrefs: 0100CD79
Failed to create event: %ls, xrefs: 0100CD0A
Failed to MapViewOfFile for %ls., xrefs: 0100CE13
%ls_send, xrefs: 0100CCA9
failed to allocate memory for mutex name, xrefs: 0100CD2C
Failed to memory map cabinet file: %ls, xrefs: 0100CDCB
Failed to allocate memory for NetFxChainer struct., xrefs: 0100CC50
failed to allocate memory for event name, xrefs: 0100CCBD
failed to copy event name to shared memory structure., xrefs: 0100CE3D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2991465304
Opcode ID: 6606925a783c8a6a0899f9393a0a085bda3c50d98b2295f0dd80486f1f7aa4e0
Instruction ID: 3c2c06ba5d68862c3bc297ae888eba21918e24591771ce8a0e266563ed90e127
Opcode Fuzzy Hash: 6606925a783c8a6a0899f9393a0a085bda3c50d98b2295f0dd80486f1f7aa4e0
Instruction Fuzzy Hash: EA71E5B2A40751BFF3229B6A8D48F9B7AE8FF05350F114265FD44AB281D7359D00C6E4

Function 00FEE936 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 231COMMON

Download Yara Rule

APIs

Part of subcall function 010231C7: VariantInit.OLEAUT32(?), ref: 010231DD
Part of subcall function 010231C7: SysAllocString.OLEAUT32(?), ref: 010231F9
Part of subcall function 010231C7: VariantClear.OLEAUT32(?), ref: 01023280
Part of subcall function 010231C7: SysFreeString.OLEAUT32(00000000), ref: 0102328B

CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,0102CA64,?,?,Action,?,?,?,00000000,00FE533D), ref: 00FEEA07
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 00FEEA51

Strings

Failed to get RelatedBundle nodes, xrefs: 00FEE966
RelatedBundle, xrefs: 00FEE944
Invalid value for @Action: %ls, xrefs: 00FEEB46
Failed to get RelatedBundle element count., xrefs: 00FEE98B
Upgrade, xrefs: 00FEEA44
Failed to resize Upgrade code array in registration, xrefs: 00FEEB29
Patch, xrefs: 00FEEAD1
Failed to resize Detect code array in registration, xrefs: 00FEEB22
version.dll, xrefs: 00FEEA64
comres.dll, xrefs: 00FEEA1A
cabinet.dll, xrefs: 00FEEAAE
Failed to resize Addon code array in registration, xrefs: 00FEEB30
Action, xrefs: 00FEE9C4
Failed to resize Patch code array in registration, xrefs: 00FEEB37
Failed to get @Id., xrefs: 00FEEB56
Failed to get next RelatedBundle element., xrefs: 00FEEB64
Failed to get @Action., xrefs: 00FEEB5D
Addon, xrefs: 00FEEA8E
Detect, xrefs: 00FEE9F8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$CompareVariant$AllocClearFreeInit
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
API String ID: 702752599-259800149
Opcode ID: 77e79a39a00c3e3aa851ad2aefecacf6a6353cf3a7b5ae801f46267391f87ff9
Instruction ID: 517ac8fdad2e371d5a77ddf7cba931f4235c206387fbb2a2973f6eb8a6dfc589
Opcode Fuzzy Hash: 77e79a39a00c3e3aa851ad2aefecacf6a6353cf3a7b5ae801f46267391f87ff9
Instruction Fuzzy Hash: E571D231E04266BBCB10DE52DC41EAEB7B8FF49724F204358E852AB680D730EE10DB90

Function 00FE8E48 Relevance: 37.2, APIs: 8, Strings: 13, Instructions: 433COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,560102DB,00000001,?,00FE9801,?,00000000,00000000), ref: 00FE8E8D

Strings

-, xrefs: 00FE8FF1
Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 00FE910C
NOT, xrefs: 00FE91A7
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00FE8F6F
condition.cpp, xrefs: 00FE8F5C, 00FE9027, 00FE909C, 00FE90F9, 00FE923A, 00FE927A, 00FE92B5
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 00FE928D
@, xrefs: 00FE8E93
Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 00FE92C8
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 00FE90AF
Failed to set symbol value., xrefs: 00FE8F35
AND, xrefs: 00FE9187
Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 00FE924D
Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 00FE903A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: StringType
String ID: -$@$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
API String ID: 4177115715-3640792234
Opcode ID: 2b51ad61bf7c0908af8473c4f71f7d45ef4806ceff7473a7fca22c699325ee76
Instruction ID: 987fb9f0b0d261125801bb2ad8f5f4eb4356d2ebfad9a081afccba21668b5fe4
Opcode Fuzzy Hash: 2b51ad61bf7c0908af8473c4f71f7d45ef4806ceff7473a7fca22c699325ee76
Instruction Fuzzy Hash: CAE14572908291EFDB219F56C888BBA7B69EB05720F244085F9459F185C7F5CEC1E7A0

Function 00FF44E7 Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 181fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,00FF49FE,0102B4D8,?,feclient.dll,00000000,?,?), ref: 00FF44FE
ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,00FF49FE,0102B4D8,?,feclient.dll,00000000,?,?), ref: 00FF451F
GetLastError.KERNEL32(?,00FF49FE,0102B4D8,?,feclient.dll,00000000,?,?), ref: 00FF4525
WriteFile.KERNEL32(feclient.dll,?,00000004,00FF49FE,00000000,?,00FF49FE,0102B4D8,?,feclient.dll,00000000,?,?), ref: 00FF468E
GetLastError.KERNEL32(?,00FF49FE,0102B4D8,?,feclient.dll,00000000,?,?), ref: 00FF4698

Strings

feclient.dll, xrefs: 00FF44ED, 00FF451D, 00FF451E, 00FF45B2, 00FF4637, 00FF468D
pipe.cpp, xrefs: 00FF4549, 00FF4574, 00FF45DD, 00FF4615, 00FF4662, 00FF46BC, 00FF46FC
Failed to allocate buffer for verification secret., xrefs: 00FF459C
Verification secret from parent is too big., xrefs: 00FF4580
Verification secret from parent does not match., xrefs: 00FF4621
Failed to read verification process id from parent pipe., xrefs: 00FF466C
Failed to read size of verification secret from parent pipe., xrefs: 00FF4553
Failed to read verification secret from parent pipe., xrefs: 00FF45E7
msasn1.dll, xrefs: 00FF4636
Verification process id from parent does not match., xrefs: 00FF4708
Failed to inform parent process that child is running., xrefs: 00FF46C6

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$CurrentProcessReadWrite
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
API String ID: 3008747291-452622383
Opcode ID: 93f60d3f339f537a3b7f7acc4acab33cdc2f138c6efc2437a88359aae8a7fa52
Instruction ID: af1ad844dc726aee363252af1a62370c265cabd1c489c939242634f5103e9f8b
Opcode Fuzzy Hash: 93f60d3f339f537a3b7f7acc4acab33cdc2f138c6efc2437a88359aae8a7fa52
Instruction Fuzzy Hash: 4651EA72E40329BBE7219A968C85FBFB6ACAF45710F210119FF41FB150D7789E00A6E5

Function 010025AF Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145COMMON

Download Yara Rule

Strings

netfx4, xrefs: 010026C8
DetectCondition, xrefs: 010025C7
Failed to get @UninstallArguments., xrefs: 0100261C
RepairArguments, xrefs: 0100262D
Failed to get @RepairArguments., xrefs: 0100263E
Failed to get @InstallArguments., xrefs: 010025FA
UninstallArguments, xrefs: 0100260B
Failed to parse exit codes., xrefs: 010026BF
none, xrefs: 010026E9
burn, xrefs: 01002693
Invalid protocol type: %ls, xrefs: 0100270F
Repairable, xrefs: 0100264F
InstallArguments, xrefs: 010025E9
Failed to get @Protocol., xrefs: 01002727
Failed to parse command lines., xrefs: 0100273B
Failed to get @Repairable., xrefs: 01002668
Protocol, xrefs: 01002676
Failed to get @DetectCondition., xrefs: 010025D8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: 0b3b1683ec7851962cd360cf5d18c8855e832718f63fb2617aa4e56f51693416
Instruction ID: 4a8b2bfec0cef3932a7510deeedb7e181421aa9ee8b29134407fdf05f66e33b6
Opcode Fuzzy Hash: 0b3b1683ec7851962cd360cf5d18c8855e832718f63fb2617aa4e56f51693416
Instruction Fuzzy Hash: 9141D432B84636F6EA2761658C49FAAA55C7B64B30F200315FED5FF2D1CB65A90082A1

Function 01001970 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 01001A77
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 01001A95

Strings

Failed to get @Code., xrefs: 01001B57
exeengine.cpp, xrefs: 010019F8
error, xrefs: 01001A88
Type, xrefs: 01001A4F
forceReboot, xrefs: 01001AC2
ExitCode, xrefs: 0100197E
Failed to get @Type., xrefs: 01001B76
Failed to get exit code node count., xrefs: 010019C2
scheduleReboot, xrefs: 01001AA4
Failed to get next node., xrefs: 01001B7D
Code, xrefs: 01001AE4
Failed to allocate memory for exit code structs., xrefs: 01001A02
Invalid exit code type: %ls, xrefs: 01001B66
Failed to select exit code nodes., xrefs: 0100199D
Failed to parse @Code value: %ls, xrefs: 01001B50
success, xrefs: 01001A68

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeengine.cpp$forceReboot$scheduleReboot$success
API String ID: 2664528157-1714101571
Opcode ID: d4d815abd14a194f35167e44b2964a78c2ab297018a094b47a15f664de552354
Instruction ID: 8bde861694caa85f6395782e12dbf2650f2336a2ab34c0a7e70743d16fb8704e
Opcode Fuzzy Hash: d4d815abd14a194f35167e44b2964a78c2ab297018a094b47a15f664de552354
Instruction Fuzzy Hash: B6610931E04626BBEB12DB55CC41EAEBBB8EF44720F204259F994AF2D1DB71DA40C790

Function 00FEF09D Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 180registryCOMMON

Download Yara Rule

APIs

Part of subcall function 010239CD: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 01023A1A

RegCloseKey.ADVAPI32(00000000,?,00020006,00020006,00000000,?,?,00000002,00000000,?,00000000,00000001,00000002), ref: 00FEF2CB

Part of subcall function 01021344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,00FEF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 01021359

Strings

Failed to write Installed value., xrefs: 00FEF143
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00FEF0FA
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00FEF0AE
Resume, xrefs: 00FEF10F
Failed to write run key value., xrefs: 00FEF1C8
Failed to format resume command line for RunOnce., xrefs: 00FEF186
Failed to write resume command line value., xrefs: 00FEF1EA
BundleResumeCommandLine, xrefs: 00FEF1D5, 00FEF267
burn.runonce, xrefs: 00FEF167
Failed to create run key., xrefs: 00FEF1AA
Failed to delete run key value., xrefs: 00FEF25A
Installed, xrefs: 00FEF132
Failed to delete resume command line value., xrefs: 00FEF2A7
"%ls" /%ls, xrefs: 00FEF172
registration.cpp, xrefs: 00FEF250, 00FEF29D
Failed to write Resume value., xrefs: 00FEF120

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseValueVersion
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.runonce$registration.cpp
API String ID: 2348918689-3140388177
Opcode ID: 076448dfa88dd8c845e8ec70f075181ddcc036b2503f3684dbc35579d2ece5be
Instruction ID: 74313ae26393ff040ea8a32f364eb5d0b9d19187c956a6f823840649cdbda3c7
Opcode Fuzzy Hash: 076448dfa88dd8c845e8ec70f075181ddcc036b2503f3684dbc35579d2ece5be
Instruction Fuzzy Hash: 7051E436E407AAFBDF216EA6CC41BAE76A9AF04750F014139FE40FA150D779DD14A6C0

Function 01027FEC Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 309COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,000002C0), ref: 01028019
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 01028034
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 010280D7
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,00000018,0102B508,00000000), ref: 01028116
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 01028169
CompareStringW.KERNEL32(0000007F,00000000,0102B508,000000FF,true,000000FF), ref: 01028187
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 010281BF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 01028303

Strings

enclosure, xrefs: 010282F1
upgrade, xrefs: 010280C9
version, xrefs: 01028108, 010281B1
application, xrefs: 01028026
apuputil.cpp, xrefs: 01028226
true, xrefs: 01028179
type, xrefs: 0102805F
exclusive, xrefs: 0102815B
http://appsyndication.org/2006/appsyn, xrefs: 0102800C

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3037633208
Opcode ID: 146c9e94dfebdcaaed8332c712fbf7bda66af69015af6cac3bd296b89604df81
Instruction ID: d97af0eb4b64250cef01267ae0a20e2a69cda79eae5e988df3d202da42b653fb
Opcode Fuzzy Hash: 146c9e94dfebdcaaed8332c712fbf7bda66af69015af6cac3bd296b89604df81
Instruction Fuzzy Hash: 50B1D075904322ABDB618F58CC81F5A77F5AB04730F24865AFAA8DB2D2DB75E840CB00

Function 010276A1 Relevance: 31.7, APIs: 8, Strings: 10, Instructions: 210COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 01027703
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 01027727
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 01027746
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 0102777D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 01027798
SysFreeString.OLEAUT32(00000000), ref: 010277C3
SysFreeString.OLEAUT32(00000000), ref: 01027842
SysFreeString.OLEAUT32(00000000), ref: 0102788E

Strings

feclient.dll, xrefs: 01027734
msi.dll, xrefs: 0102782A
href, xrefs: 0102771A
length, xrefs: 01027739
msasn1.dll, xrefs: 0102787C
type, xrefs: 0102778B
version.dll, xrefs: 010277A7
comres.dll, xrefs: 01027750
title, xrefs: 01027770
rel, xrefs: 010276F4

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$Compare$Free
String ID: comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
API String ID: 318886736-3944986760
Opcode ID: f277bc98ef8f0fae17a5cb52078847d8c9b0c5ebdb56172f1f916e63ad2c04c6
Instruction ID: 70ea76b6f90ece843011eb9b8a2ed71ae021ef7c3158cbb6cd91e0e2be529c19
Opcode Fuzzy Hash: f277bc98ef8f0fae17a5cb52078847d8c9b0c5ebdb56172f1f916e63ad2c04c6
Instruction Fuzzy Hash: 23716235900129FBDF25DB94CC84EEEBBB8FF14720F2042A5E965A7190D7319A00DB90

Function 01009BB3 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 230threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,0100BA53,00000001), ref: 01009C18
GetLastError.KERNEL32(?,0100BA53,00000001), ref: 01009D88
GetExitCodeThread.KERNEL32(00000001,00000000,?,0100BA53,00000001), ref: 01009DC8
GetLastError.KERNEL32(?,0100BA53,00000001), ref: 01009DD2

Strings

Failed to execute dependency action., xrefs: 01009D08
Failed to execute EXE package., xrefs: 01009C4F
Failed to wait for cache check-point., xrefs: 01009DB9
Failed to execute MSI package., xrefs: 01009C78
Failed to get cache thread exit code., xrefs: 01009E03
Failed to execute MSP package., xrefs: 01009C9D
Failed to load compatible package on per-machine package., xrefs: 01009D2E
Cache thread exited unexpectedly., xrefs: 01009E14
Failed to execute compatible package action., xrefs: 01009D45
Failed to execute package provider registration action., xrefs: 01009CE9
Failed to execute MSU package., xrefs: 01009CCD
Invalid execute action., xrefs: 01009E23
apply.cpp, xrefs: 01009DAC, 01009DF6

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: f6a61298a91b831ecac7d51e007a66e60f3be22a438b8c200ca564fca56f038b
Instruction ID: 5bff3de8a159249c7623f6dd13befeef6474eedac9224fbaf837dd360b40a615
Opcode Fuzzy Hash: f6a61298a91b831ecac7d51e007a66e60f3be22a438b8c200ca564fca56f038b
Instruction Fuzzy Hash: DA719F70E4035AEFEB16DF65C944EBEB7F8EB44714F11416AF889A7281D370AE008B90

Function 0100CA34 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 173processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(774C8FB0,00000002,00000000), ref: 0100CA40

Part of subcall function 00FF4B96: UuidCreate.RPCRT4(?), ref: 00FF4BC9

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,010021A5,?,?,00000000,?,?,?), ref: 0100CB1E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 0100CB28
GetProcessId.KERNEL32(010021A5,?,?,00000000,?,?,?,?), ref: 0100CB60

Part of subcall function 00FF52E3: lstrlenW.KERNEL32(?,?,00000000,?,0102B4F0,?,00000000,?,00FE442A,?,0102B4F0), ref: 00FF5304
Part of subcall function 00FF52E3: GetCurrentProcessId.KERNEL32(?,00FE442A,?,0102B4F0), ref: 00FF530F
Part of subcall function 00FF52E3: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,00FE442A,?,0102B4F0), ref: 00FF5346
Part of subcall function 00FF52E3: ConnectNamedPipe.KERNEL32(?,00000000,?,00FE442A,?,0102B4F0), ref: 00FF535B
Part of subcall function 00FF52E3: GetLastError.KERNEL32(?,00FE442A,?,0102B4F0), ref: 00FF5365
Part of subcall function 00FF52E3: Sleep.KERNEL32(00000064,?,00FE442A,?,0102B4F0), ref: 00FF5396
Part of subcall function 00FF52E3: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,00FE442A,?,0102B4F0), ref: 00FF53B9
Part of subcall function 00FF52E3: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,00FE442A,?,0102B4F0), ref: 00FF53D4
Part of subcall function 00FF52E3: WriteFile.KERNEL32(?,00FE442A,0102B4F0,00000000,00000000,?,00FE442A,?,0102B4F0), ref: 00FF53EF
Part of subcall function 00FF52E3: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,00FE442A,?,0102B4F0), ref: 00FF540A

Part of subcall function 01020917: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00FE4E16,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 01020927
Part of subcall function 01020917: GetLastError.KERNEL32(?,?,00FE4E16,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 01020935

CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,0100C992,?,?,?,?,?,00000000,?,?,?,?), ref: 0100CBE4
CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,0100C992,?,?,?,?,?,00000000,?,?,?,?), ref: 0100CBF3
CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,0100C992,?,?,?,?,?,00000000,?,?,?), ref: 0100CC0A

Strings

Failed to wait for embedded executable: %ls, xrefs: 0100CBC7
Failed to create embedded pipe., xrefs: 0100CACA
%ls -%ls %ls %ls %u, xrefs: 0100CAE3
Failed to wait for embedded process to connect to pipe., xrefs: 0100CB82
Failed to create embedded process at path: %ls, xrefs: 0100CB56
Failed to process messages from embedded message., xrefs: 0100CBA7
burn.embedded, xrefs: 0100CADB
Failed to allocate embedded command., xrefs: 0100CAF7
Failed to create embedded pipe name and client token., xrefs: 0100CAA3
embedded.cpp, xrefs: 0100CB49

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
API String ID: 875070380-3803182736
Opcode ID: 8b009dd62763b73ffe1d7c080c5d8211b00e95a51ab4bb891278596cfe3a893d
Instruction ID: 2eed538422fa47a29858698a56cf6710046896e04e1ea8f47a20742a66625039
Opcode Fuzzy Hash: 8b009dd62763b73ffe1d7c080c5d8211b00e95a51ab4bb891278596cfe3a893d
Instruction Fuzzy Hash: 89518F72D4021DBBEF22EBA4CD41FEEBBB8AF04710F100265FA40B6191D7759A419BD1

Function 01027E36 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,?,01028320,00000001,?), ref: 01027E56
CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,01028320,00000001,?), ref: 01027E71
CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,01028320,00000001,?), ref: 01027E8C
CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,01028320,00000001,?), ref: 01027EF8
CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,01028320,00000001,?), ref: 01027F1C
CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,01028320,00000001,?), ref: 01027F40
CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,01028320,00000001,?), ref: 01027F60
lstrlenW.KERNEL32(006C0064,?,01028320,00000001,?), ref: 01027F7B

Strings

algorithm, xrefs: 01027EEF
msi.dll, xrefs: 01027E50
sha1, xrefs: 01027F37
sha256, xrefs: 01027F57
apuputil.cpp, xrefs: 01027F93
name, xrefs: 01027E83
md5, xrefs: 01027F13
digest, xrefs: 01027E68
http://appsyndication.org/2006/appsyn, xrefs: 01027E49

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
API String ID: 1657112622-2492263259
Opcode ID: 35cf53f42812c37da495186034c173eb2a791e15da7a067a313aa00ec38ed07a
Instruction ID: 3a242ca2733e7edd569c0d9c7616ae5d057bc2aefd8794fa31232f6bffbcf8e3
Opcode Fuzzy Hash: 35cf53f42812c37da495186034c173eb2a791e15da7a067a313aa00ec38ed07a
Instruction Fuzzy Hash: DA51D271648222BBEF714F05CC86F26BB65AB15730F304354FAB4AE6D5C766EC8087A0

Function 00FE9F2B Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 216COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00FE9FA3

Strings

Failed to get product info., xrefs: 00FEA0D5
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 00FEA035
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00FEA141
Language, xrefs: 00FE9F8C
Failed to enumerate related products for upgrade code., xrefs: 00FE9FDE
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 00FEA062
AssignmentType, xrefs: 00FE9F7E
Unsupported product search type: %u, xrefs: 00FE9F6B
Failed to format GUID string., xrefs: 00FE9FAE
Failed to set variable., xrefs: 00FEA12E
Failed to copy upgrade code., xrefs: 00FEA003
Product or related product not found: %ls, xrefs: 00FEA08E
VersionString, xrefs: 00FE9F93, 00FEA01E, 00FEA034, 00FEA048, 00FEA061, 00FEA075
State, xrefs: 00FE9F85
Failed to change value type., xrefs: 00FEA10F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: 650dc4835e69806e2b06ec24d5e317b29b1e45b68f8a2f8d0791ba61de70c728
Instruction ID: 5eb66b9e486c262da31d39b10667dbdecfe74f937618d026edbf9b75b2f7a4f6
Opcode Fuzzy Hash: 650dc4835e69806e2b06ec24d5e317b29b1e45b68f8a2f8d0791ba61de70c728
Instruction Fuzzy Hash: F9612B33D442A9BBCB119EEACD45EDE7B79EB44710F200165F604BB250D272EE40B792

Function 0100DC0D Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 204stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,01009751,75C08550,?,?,00000000,?,?,?,00000001,00000000,?), ref: 0100DC28

Strings

Failed to set callback interface for BITS job., xrefs: 0100DD60
Falied to start BITS job., xrefs: 0100DDE0
Failed to create BITS job., xrefs: 0100DCB7
Failed to copy download URL., xrefs: 0100DC6F
Failed to initialize BITS job callback., xrefs: 0100DD49
Failed to set credentials for BITS job., xrefs: 0100DCD6
Failed to create BITS job callback., xrefs: 0100DD3B
Failed to complete BITS job., xrefs: 0100DDD2
Failed while waiting for BITS download., xrefs: 0100DDD9
Failed to add file to BITS job., xrefs: 0100DCF5
bitsengine.cpp, xrefs: 0100DC3E, 0100DD31
Invalid BITS engine URL: %ls, xrefs: 0100DC4A
Failed to download BITS job., xrefs: 0100DDBF

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
API String ID: 1659193697-2382896028
Opcode ID: b7f7447d155c1e1bb44a4c4e73c4af4be9a53e7b9c370a08fee549cb958e54f2
Instruction ID: d0199c119d94f51f311dda832023263f415b3252a4b0c3115bbdb9bd03099072
Opcode Fuzzy Hash: b7f7447d155c1e1bb44a4c4e73c4af4be9a53e7b9c370a08fee549cb958e54f2
Instruction Fuzzy Hash: 2E61C475A00215EBEB13BFD4D885EAE7BB4AF04B10F11415AFD84AF295D771DD008BA1

Function 00FEEBB2 Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 173COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00FEED40

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

SysFreeString.OLEAUT32(?), ref: 00FEECF8

Strings

Failed to get @Regid., xrefs: 00FEED93
SoftwareTag, xrefs: 00FEEBC1
Failed to select software tag nodes., xrefs: 00FEEBE2
Failed to convert SoftwareTag text to UTF-8, xrefs: 00FEED75
Failed to allocate memory for software tag structs., xrefs: 00FEEC3F
Regid, xrefs: 00FEEC8E
Failed to get @Path., xrefs: 00FEED89
Filename, xrefs: 00FEEC73
Failed to get next node., xrefs: 00FEEDA7
Failed to get software tag count., xrefs: 00FEEC07
Path, xrefs: 00FEECA6
Failed to get @Filename., xrefs: 00FEED9D
Failed to get SoftwareTag text., xrefs: 00FEED7F
registration.cpp, xrefs: 00FEEC35

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$registration.cpp
API String ID: 336948655-1068704183
Opcode ID: 0be332b448946fb67371cc6013d0974734732d2bae25e42b44dbbad32561b9dc
Instruction ID: 7305d8e5998e44e7dee6fe591eddda7e9448a2bdc94bf49ddf8ec002e3bc8aee
Opcode Fuzzy Hash: 0be332b448946fb67371cc6013d0974734732d2bae25e42b44dbbad32561b9dc
Instruction Fuzzy Hash: 39519135E0136AABDB219F56DC85EAEBBB8BF48710F104569F846AF250D770DE00A790

Function 00FF4933 Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 155sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 00FF498D
GetLastError.KERNEL32 ref: 00FF499B
Sleep.KERNEL32(00000064), ref: 00FF49BF

Strings

feclient.dll, xrefs: 00FF49F2, 00FF4A8D, 00FF4AA1, 00FF4AE5
Failed to allocate name of parent pipe., xrefs: 00FF4959
Failed to open parent pipe: %ls, xrefs: 00FF49E5
Failed to verify parent pipe: %ls, xrefs: 00FF4A07
pipe.cpp, xrefs: 00FF49D8, 00FF4ADB
\\.\pipe\%ls, xrefs: 00FF4945
Failed to open companion process with PID: %u, xrefs: 00FF4AE7
\\.\pipe\%ls.Cache, xrefs: 00FF4A20
Failed to allocate name of parent cache pipe., xrefs: 00FF4A34

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
API String ID: 408151869-3212458075
Opcode ID: 9dfe15806f37fef5c7f796198adc99fb4740aa9ea3e650d049af2a97ce6d1844
Instruction ID: 2945e1a18aa2ef8f26838ec1c631c8cd869855fcbe329874bcb65f6bea2b2e0b
Opcode Fuzzy Hash: 9dfe15806f37fef5c7f796198adc99fb4740aa9ea3e650d049af2a97ce6d1844
Instruction Fuzzy Hash: 7D41EA32E80735BBDB315AA59C45B6B7668EF00720F210225FE51FA1E0D77DAD10A6D8

Function 00FEF410 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 152registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00FF0348,InstallerVersion,InstallerVersion,00000000,00FF0348,InstallerName,InstallerName,00000000,00FF0348,Date,InstalledDate,00000000,00FF0348,LogonUser), ref: 00FEF5BE

Part of subcall function 01021392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00FEF1C2,00000000,?,00020006), ref: 010213C5

Strings

Publisher, xrefs: 00FEF4CA, 00FEF4DD
ThisVersionInstalled, xrefs: 00FEF46A, 00FEF47D
PackageName, xrefs: 00FEF48A, 00FEF49D
PublishingGroup, xrefs: 00FEF4F2, 00FEF505
Failed to write %ls value., xrefs: 00FEF5A7
Date, xrefs: 00FEF554
ReleaseType, xrefs: 00FEF515, 00FEF51A, 00FEF529
InstallerName, xrefs: 00FEF56F, 00FEF574, 00FEF575, 00FEF585
InstalledBy, xrefs: 00FEF52F, 00FEF548
Failed to get the formatted key path for update registration., xrefs: 00FEF432
Failed to create the key for update registration., xrefs: 00FEF45E
LogonUser, xrefs: 00FEF534
PackageVersion, xrefs: 00FEF4AA, 00FEF4BD
InstallerVersion, xrefs: 00FEF58C, 00FEF591, 00FEF592, 00FEF5A2
InstalledDate, xrefs: 00FEF54F, 00FEF568

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
API String ID: 3132538880-2703781546
Opcode ID: 38d0c642df36ac51b57c98e6e6c7418570551d4867fbe61b2ef562f338cb3aad
Instruction ID: c61475e2a92ee12df2846dbe2e20f09822df999a186ac31712ba4884972d5a4b
Opcode Fuzzy Hash: 38d0c642df36ac51b57c98e6e6c7418570551d4867fbe61b2ef562f338cb3aad
Instruction Fuzzy Hash: E041CE32E417B5BBDB235A53CD02EBE7A6AAF60B10F154168F8807F251D7709E18F680

Function 00FFE563 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 135registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 00FFE5AE
RegisterClassW.USER32(?), ref: 00FFE5DA
GetLastError.KERNEL32 ref: 00FFE5E5
CreateWindowExW.USER32(00000080,01039CC4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00FFE64C
GetLastError.KERNEL32 ref: 00FFE656
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00FFE6F4

Strings

WixBurnMessageWindow, xrefs: 00FFE5D3, 00FFE6EF
uithread.cpp, xrefs: 00FFE609, 00FFE67A
Failed to create window., xrefs: 00FFE684
Failed to register window., xrefs: 00FFE613
Unexpected return value from message pump., xrefs: 00FFE6DF

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 3b6788a3abf53f29e363ec785ff750bf373d46f4b12125a5e082e160a831cc21
Instruction ID: 66b55f964c6443e121ce5c2eb856e130b4e683b820afcd1726138982ae4a51a8
Opcode Fuzzy Hash: 3b6788a3abf53f29e363ec785ff750bf373d46f4b12125a5e082e160a831cc21
Instruction Fuzzy Hash: B9418872A00218ABDB309FA5DC44BEABFE8FF18760F204125FE45EA160D7759D00DBA5

Function 0100C517 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 272COMMON

Download Yara Rule

Strings

Failed to allocate space for burn payload inside of related bundle struct, xrefs: 0100C78A
Failed to copy key for passthrough pseudo bundle payload., xrefs: 0100C768
pseudobundle.cpp, xrefs: 0100C54B, 0100C744, 0100C77E
Failed to recreate command-line arguments., xrefs: 0100C7E6
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 0100C84F
Failed to copy related arguments for passthrough bundle package, xrefs: 0100C825
Failed to copy download source for passthrough pseudo bundle., xrefs: 0100C732
Failed to copy key for passthrough pseudo bundle., xrefs: 0100C72B
Failed to copy local source path for passthrough pseudo bundle., xrefs: 0100C75A
Failed to copy filename for passthrough pseudo bundle., xrefs: 0100C761
Failed to copy cache id for passthrough pseudo bundle., xrefs: 0100C7A8
Failed to allocate memory for pseudo bundle payload hash., xrefs: 0100C750
Failed to copy install arguments for passthrough bundle package, xrefs: 0100C805
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 0100C557

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
API String ID: 1357844191-115096447
Opcode ID: 71ce4eb9269395bba0ea00721bc9571582b395557f569785a5b5fb1a1e163f43
Instruction ID: 459a78b64fbe73a6dfa0ae448f4a57dda05aeb05e6c9fc8800c205c05f1e75b3
Opcode Fuzzy Hash: 71ce4eb9269395bba0ea00721bc9571582b395557f569785a5b5fb1a1e163f43
Instruction Fuzzy Hash: E4B16A75A00606EFEB52DF29C980F59BBA5BF48710F004299FD58AF362D735E910DB90

Function 0100678F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 150serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,01006CE1,?), ref: 010067C8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,01006CE1,?,?,?), ref: 010067D5
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,01006CE1,?,?,?), ref: 0100681D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,01006CE1,?,?,?), ref: 01006829
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,01006CE1,?,?,?), ref: 01006863
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,01006CE1,?,?,?), ref: 0100686D
CloseServiceHandle.ADVAPI32(00000000), ref: 01006924
CloseServiceHandle.ADVAPI32(?), ref: 0100692E

Strings

msuengine.cpp, xrefs: 010067F9, 0100684D, 01006891
wuauserv, xrefs: 01006817
Failed to open WU service., xrefs: 01006857
Failed to open service control manager., xrefs: 01006803
Failed to query status of WU service., xrefs: 0100689B
Failed to read configuration for WU service., xrefs: 010068D4
Failed to mark WU service to start on demand., xrefs: 010068F5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
API String ID: 971853308-301359130
Opcode ID: e4c9cd1123c3d32246386a6c3927c7e7102fcb71f07a2d43f1513bcad5f74fd9
Instruction ID: c37a457a198dda8fa2eece2c0912fc6c45909568a11f645f9011bb7e12fc189b
Opcode Fuzzy Hash: e4c9cd1123c3d32246386a6c3927c7e7102fcb71f07a2d43f1513bcad5f74fd9
Instruction Fuzzy Hash: F341A771B00315ABFB229AB98C84AEE77E9EB44750F514529FD45FB280DA36DD1087A0

Function 00FEB106 Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 136COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,00FEB9F7,00000008,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 00FEB10E
GetLastError.KERNEL32(?,00FEB9F7,00000008,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 00FEB11A
_memcmp.LIBVCRUNTIME ref: 00FEB1C2

Strings

burn, xrefs: 00FEB1E9
Failed to find valid DOS image header in buffer., xrefs: 00FEB17B
Failed to find Burn section., xrefs: 00FEB230
Failed to read section info, data to short: %u, xrefs: 00FEB212
section.cpp, xrefs: 00FEB13E, 00FEB16F, 00FEB19A, 00FEB203, 00FEB224, 00FEB24D, 00FEB28D
Failed to get module handle to process., xrefs: 00FEB148
Bundle guid didn't match the guid in the PE Header in memory., xrefs: 00FEB299
Failed to find valid NT image header in buffer., xrefs: 00FEB1A6
Failed to read section info, unsupported version: %08x, xrefs: 00FEB25C
.wixburn, xrefs: 00FEB1BC
.wix, xrefs: 00FEB1E1

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorHandleLastModule_memcmp
String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
API String ID: 3888311042-926796631
Opcode ID: 5cb14a6216367f6a7f4605e48b0ad61e8530ad7d9af1228afbb316d545b960b1
Instruction ID: 96f7f8adeeaef3a980892882462b35a109e60406ce88f10edab956689c3e2490
Opcode Fuzzy Hash: 5cb14a6216367f6a7f4605e48b0ad61e8530ad7d9af1228afbb316d545b960b1
Instruction Fuzzy Hash: A1412332684371A7D7222A57DC86F6B3261AF41B70F25402EFE466F540D778D901A3A6

Function 00FF39FD Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 128COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 00FF3A51
GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 00FF3A5B
GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 00FF3AC4
ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 00FF3ACB

Strings

crypt32.dll, xrefs: 00FF3A10
%u\, xrefs: 00FF3AE5
Failed to copy temp folder., xrefs: 00FF3B7A
logging.cpp, xrefs: 00FF3A7F
Failed to format session id as a string., xrefs: 00FF3AF9
Failed to get length of session id string., xrefs: 00FF3B1D
Failed to get length of temp folder., xrefs: 00FF3AB5
4Mw, xrefs: 00FF3A51
Failed to get temp folder., xrefs: 00FF3A89

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Process$CurrentErrorLastPathSessionTemp
String ID: 4Mw$%u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
API String ID: 1726527325-2352143114
Opcode ID: 6f5b1d1be81ee1da8965d3e6d27b2de2fbd62d44ba8a604223c780cf32895e43
Instruction ID: 3f850df2451138c8824a6b07a6df5ec70579555ed1cfca4730542181e3db3327
Opcode Fuzzy Hash: 6f5b1d1be81ee1da8965d3e6d27b2de2fbd62d44ba8a604223c780cf32895e43
Instruction Fuzzy Hash: 5741D472D8023DABDB30AA658C89FEAB7BCEF54710F100195FE08A7150D6749F809BE0

Function 00FF2DDC Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 303COMMON

Download Yara Rule

Strings

feclient.dll, xrefs: 00FF30BB
crypt32.dll, xrefs: 00FF2E0E
Failed to add the package provider key "%ls" to the planned list., xrefs: 00FF3107
%ls;%ls, xrefs: 00FF2EDE
plan.cpp, xrefs: 00FF311D
Failed to create string array from ancestors., xrefs: 00FF2E1A
Failed to copy ancestors and self to related bundle ancestors., xrefs: 00FF2EF6
UX aborted plan related bundle., xrefs: 00FF3127
Failed to lookup the bundle ID in the ancestors dictionary., xrefs: 00FF30F0
Failed to create dictionary from ancestors array., xrefs: 00FF2E46
Failed to copy self to related bundle ancestors., xrefs: 00FF312E
Unexpected relation type encountered during plan: %d, xrefs: 00FF30FE

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID: %ls;%ls$Failed to add the package provider key "%ls" to the planned list.$Failed to copy ancestors and self to related bundle ancestors.$Failed to copy self to related bundle ancestors.$Failed to create dictionary from ancestors array.$Failed to create string array from ancestors.$Failed to lookup the bundle ID in the ancestors dictionary.$UX aborted plan related bundle.$Unexpected relation type encountered during plan: %d$crypt32.dll$feclient.dll$plan.cpp
API String ID: 0-794096528
Opcode ID: 00f22785764a13183a15b435682d7cd4e9f3595ecebb03984f0a680572041c86
Instruction ID: e4b93c6d8260b17a24d2aa9ac4d22ba531d8035e9563ed2a3b1bd2ca804aea3e
Opcode Fuzzy Hash: 00f22785764a13183a15b435682d7cd4e9f3595ecebb03984f0a680572041c86
Instruction Fuzzy Hash: 83B1E571D0061AEFCB15DF65CC41EBABBB5FF45310F10416AEA04AB260DB31AA90EB90

Function 00FEA17D Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00FEA1A8
_MREFOpen@16.MSPDB140-MSVCRT ref: 00FEA204
RegQueryValueExW.ADVAPI32(000002C0,00000000,00000000,000002C0,00000000,00000000,000002C0,?,00000000,00000000,?,00000000,00000101,000002C0,000002C0,?), ref: 00FEA226
RegCloseKey.ADVAPI32(00000000,00000000,00000000,000002C0,00000100,00000000,000002C0), ref: 00FEA300

Strings

Failed to set variable., xrefs: 00FEA2B8
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00FEA275
Failed to format key string., xrefs: 00FEA1B3
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 00FEA2D8
Registry key not found. Key = '%ls', xrefs: 00FEA291
search.cpp, xrefs: 00FEA25B
Failed to query registry key value., xrefs: 00FEA265
Failed to open registry key. Key = '%ls', xrefs: 00FEA2C2
Failed to format value string., xrefs: 00FEA20F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: c1aaadbb324bacbdf6c8902710bb7e750b6381f95899a96e014aaab1a220f0c7
Instruction ID: c6adef6728277e90d1d8cbb05d788fdfaafb612ab7502057a9a781ea709f715f
Opcode Fuzzy Hash: c1aaadbb324bacbdf6c8902710bb7e750b6381f95899a96e014aaab1a220f0c7
Instruction Fuzzy Hash: 50411B32E80264BBDF216E96CC06FED7B65EF04710F204169FD48B9291D7769D00A792

Function 00FE67E5 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 00FE6835
GetLastError.KERNEL32 ref: 00FE683F
GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 00FE6882
GetLastError.KERNEL32 ref: 00FE688C
FreeLibrary.KERNEL32(00000000,00000000,?), ref: 00FE699D

Strings

RtlGetVersion, xrefs: 00FE6877
Failed to locate RtlGetVersion., xrefs: 00FE68BA
variable.cpp, xrefs: 00FE6863, 00FE68B0
ntdll, xrefs: 00FE682F
Failed to locate NTDLL., xrefs: 00FE686D
Failed to get OS info., xrefs: 00FE68DD
Failed to set variant value., xrefs: 00FE6981

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
API String ID: 3057421322-109962352
Opcode ID: 8e118c45bce8778a255184346b827a4616cc21864e59002ea8231f7ae2731451
Instruction ID: d61606ee048bebc10c70e898c0944aa809224c6438b422d48bb3489792681876
Opcode Fuzzy Hash: 8e118c45bce8778a255184346b827a4616cc21864e59002ea8231f7ae2731451
Instruction Fuzzy Hash: D741B272E0027C9BEB319B668D497EEB7E4EB18750F100199F888F6181D7398E54DB90

Function 00FE47E9 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 128memorysynchronizationCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,00FE535E,?,?,?,?), ref: 00FE481A
GetLastError.KERNEL32(?,?,?,00FE535E,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FE482B
ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FE4968
CloseHandle.KERNEL32(?,?,?,?,00FE535E,?,?,?,?,?,?,?,?,?,?,?), ref: 00FE4971

Strings

Failed to connect to unelevated process., xrefs: 00FE4810
engine.cpp, xrefs: 00FE484F, 00FE4898
Failed to pump messages from parent process., xrefs: 00FE493C
Failed to set elevated pipe into thread local storage for logging., xrefs: 00FE48A2
Failed to create the message window., xrefs: 00FE48C6
Failed to allocate thread local storage for logging., xrefs: 00FE4859
comres.dll, xrefs: 00FE48D7

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AllocCloseErrorHandleLastMutexRelease
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$engine.cpp
API String ID: 687263955-1790235126
Opcode ID: 639c6f1a56dc8b95e9c3fcc483e9e8f6adf34ba3f1f1acf6f948512ad6461d4d
Instruction ID: 99e83550a4202ac05d16f0a6899fcf921ae4190ac24d08d3d7e73378d0210df1
Opcode Fuzzy Hash: 639c6f1a56dc8b95e9c3fcc483e9e8f6adf34ba3f1f1acf6f948512ad6461d4d
Instruction Fuzzy Hash: 8241B973A00665BBDB219AA6CC85FEBB7ACFF04710F10022AFA45E7110DB74B95097E1

Function 00FE7E7C Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 214COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000), ref: 00FE7E99
LeaveCriticalSection.KERNEL32(?,?,?), ref: 00FE80C1

Strings

feclient.dll, xrefs: 00FE7F74, 00FE7FCA, 00FE800B
Failed to get numeric., xrefs: 00FE8093
Failed to write variable name., xrefs: 00FE80A8
Failed to write variable value as number., xrefs: 00FE806B
Failed to get string., xrefs: 00FE808C
Unsupported variable type., xrefs: 00FE807E
Failed to write variable value type., xrefs: 00FE80A1
Failed to write variable value as string., xrefs: 00FE8085
Failed to write literal flag., xrefs: 00FE809A
Failed to write variable count., xrefs: 00FE7EB4
Failed to write included flag., xrefs: 00FE80AF
Failed to get version., xrefs: 00FE8072

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
API String ID: 3168844106-2118673349
Opcode ID: fe5310224d2b106c5d36688ad45bd2471fd4a6f51426025a39cefa6e27cb5a84
Instruction ID: 14142c940ff365d4b332a12041c02912f987b1e65a987f505a2ac4e1262d6a82
Opcode Fuzzy Hash: fe5310224d2b106c5d36688ad45bd2471fd4a6f51426025a39cefa6e27cb5a84
Instruction Fuzzy Hash: 0961F632C006AAEFCB22FEA6CD40BAE7B64FF043A4F104155FA4567150CB35DD5AAB91

Function 00FF95AC Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,00FFA63D,?,00000000,?,?,0100B049), ref: 00FF95C7
GetLastError.KERNEL32(?,00FFA63D,?,00000000,?,?,0100B049,?,00000000,?,00000000,?,?,0100B049,?), ref: 00FF95D7
CloseHandle.KERNEL32(?,0100B049,00000001,00000003,000007D0,?,?,0100B049,?), ref: 00FF96E4

Strings

Copying, xrefs: 00FF9679
Failed to move %ls to %ls, xrefs: 00FF96BC
Failed to verify payload hash: %ls, xrefs: 00FF966F
%ls payload from working path '%ls' to path '%ls', xrefs: 00FF968F
Failed to open payload in working path: %ls, xrefs: 00FF9606
cache.cpp, xrefs: 00FF95FB
Failed to copy %ls to %ls, xrefs: 00FF96D2
Failed to verify payload signature: %ls, xrefs: 00FF9632
Moving, xrefs: 00FF9686, 00FF968E

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
API String ID: 2528220319-1604654059
Opcode ID: 9f52c55c2ef81213b3121078687480ccfeffc899d1b1903874528537dd32f577
Instruction ID: c1abd0ff5075453aabec5a08bfc59cd327789f89bdd4e3676b89f34a245dd2c4
Opcode Fuzzy Hash: 9f52c55c2ef81213b3121078687480ccfeffc899d1b1903874528537dd32f577
Instruction Fuzzy Hash: 1231C7B2E443397BDB322A268C49F7B395CDF91F60F010119FE45EA2A0D6E59D00A6E5

Function 00FF3E47 Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF3955: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00FF3E61,feclient.dll,?,00000000,?,?,?,00FE4A0C), ref: 00FF39F1

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00FE4A0C,?,?,0102B478,?,00000001,00000000,00000000), ref: 00FF3EF8

Strings

feclient.dll, xrefs: 00FF3E5B, 00FF3F08
Setup, xrefs: 00FF3EA5
crypt32.dll, xrefs: 00FF3E9E, 00FF3F03, 00FF3F0B, 00FF3F72, 00FF3FAC, 00FF3FED, 00FF400C, 00FF404A, 00FF4074
Failed to get non-session specific TEMP folder., xrefs: 00FF3FA2
log, xrefs: 00FF3E9F
Failed to get current directory., xrefs: 00FF3EDA
Failed to copy full log path to prefix., xrefs: 00FF405B
Failed to copy log extension to extension., xrefs: 00FF403D
msasn1.dll, xrefs: 00FF400E, 00FF404F
Failed to copy log path to prefix., xrefs: 00FF401A
Failed to open log: %ls, xrefs: 00FF3F74
clbcatq.dll, xrefs: 00FF4031

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: e143294f9cccce990dccf18d8d1cec437d672656a9f7336531012f8fb87cf1c4
Instruction ID: ff39056fca326791489d4dfee468d84ffdc61c75db2d19895af3912493932cc7
Opcode Fuzzy Hash: e143294f9cccce990dccf18d8d1cec437d672656a9f7336531012f8fb87cf1c4
Instruction Fuzzy Hash: 7B61C471E0022ABBDB259F34CC45B7B77B8EF10350B144169FA05DB1A0EB75EE90A791

Function 00FE6C5D Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 167COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,00FE533D,00000000,00000001), ref: 00FE6C6E

Part of subcall function 00FE55B6: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,00FE648B,00FE648B,?,00FE554A,?,?,00000000), ref: 00FE55F2
Part of subcall function 00FE55B6: GetLastError.KERNEL32(?,00FE554A,?,?,00000000,?,00000000,00FE648B,?,00FE7DDC,?,?,?,?,?), ref: 00FE5621

LeaveCriticalSection.KERNEL32(00000001,?,00000001), ref: 00FE6E02

Strings

Failed to find variable value '%ls'., xrefs: 00FE6C89
Setting string variable '%ls' to value '%ls', xrefs: 00FE6D96
Setting numeric variable '%ls' to value %lld, xrefs: 00FE6DA3
variable.cpp, xrefs: 00FE6CF1
Failed to set value of variable: %ls, xrefs: 00FE6DEA
Attempt to set built-in variable value: %ls, xrefs: 00FE6CFC
Unsetting variable '%ls', xrefs: 00FE6DBE
Failed to insert variable '%ls'., xrefs: 00FE6CB3
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00FE6E14
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00FE6D79
Setting hidden variable '%ls', xrefs: 00FE6D2C

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 3d144fc60be52eca3b648b8081a1c98d2d5ce3fec95142ef0a5ffd9ff6b2f933
Instruction ID: fde535e965e06da855fd9fe1399824239e83cf781a771574cab34eda5efd20f9
Opcode Fuzzy Hash: 3d144fc60be52eca3b648b8081a1c98d2d5ce3fec95142ef0a5ffd9ff6b2f933
Instruction Fuzzy Hash: E1512571A002ADA7CB309E16CD4DF6B7769EBB5754F60011DF884EA281C271DD41EBE1

Function 00FF2A60 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00FF2ACD

Strings

Failed to check for remaining dependents during planning., xrefs: 00FF2C73
crypt32.dll, xrefs: 00FF2B18, 00FF2C16, 00FF2D0B, 00FF2D80
Failed to create the string dictionary., xrefs: 00FF2B06
Failed to add self-dependent to ignore dependents., xrefs: 00FF2B51
Failed to allocate registration action., xrefs: 00FF2B36
Failed to add registration action for self dependent., xrefs: 00FF2D9E
Failed to add registration action for dependent related bundle., xrefs: 00FF2DD5
Failed to add dependents ignored from command-line., xrefs: 00FF2B82
Failed to add dependent bundle provider key to ignore dependents., xrefs: 00FF2C37
wininet.dll, xrefs: 00FF2D1E

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: 85258e09efd6162da32366b1d719973d6157ab6c56b9d6a15e1bbbadef282092
Instruction ID: a1ae9938b049086f498b9c335f7e78ba3800973a271248160a3c0a3724039f31
Opcode Fuzzy Hash: 85258e09efd6162da32366b1d719973d6157ab6c56b9d6a15e1bbbadef282092
Instruction Fuzzy Hash: 45B19E31A0062AEFCBA5DF54C841BBE7BA5FF54720F008169EA04AB261D774D951EFD0

Function 00FE49DF Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00FE4B5E
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FE4B6F

Strings

Failed to check global conditions, xrefs: 00FE4A43
Failed while running , xrefs: 00FE4B24
Failed to set registration variables., xrefs: 00FE4AD8
Failed to set action variables., xrefs: 00FE4ABE
Failed to open log., xrefs: 00FE4A12
WixBundleLayoutDirectory, xrefs: 00FE4AEF
Failed to create the message window., xrefs: 00FE4A92
Failed to set layout directory variable to value provided from command-line., xrefs: 00FE4B00
Failed to query registration., xrefs: 00FE4AA8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 03ae23f6b466c26df46bbd64687108c3fd44aeb9b898f2a796c1dc15b2fd02b7
Instruction ID: 24d86878b204fc9a08de3e5259f23d14490869e46969fcdc621b1c4808c50b9c
Opcode Fuzzy Hash: 03ae23f6b466c26df46bbd64687108c3fd44aeb9b898f2a796c1dc15b2fd02b7
Instruction Fuzzy Hash: 6F41E572A406AABACB266E22CC45FBBB75CFF44760F00022DF904A6160E764FD10B7D1

Function 00FFEDFE Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 00FFEE1B
LeaveCriticalSection.KERNEL32(?), ref: 00FFEF48

Strings

Failed to copy the arguments., xrefs: 00FFEEDA
Failed to copy the id., xrefs: 00FFEEAD
Engine is active, cannot change engine state., xrefs: 00FFEE36
EngineForApplication.cpp, xrefs: 00FFEF29
Failed to post launch approved exe message., xrefs: 00FFEF33
UX requested unknown approved exe with id: %ls, xrefs: 00FFEE7B

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: 76cf7c534f3f25e9155bdbdc166cae7cfad173a9ffc957b1a425cc7811ab606c
Instruction ID: 546154b922d21e601bf8e6129a7ba13e891c3eb77837d1e5aad49d69082c8598
Opcode Fuzzy Hash: 76cf7c534f3f25e9155bdbdc166cae7cfad173a9ffc957b1a425cc7811ab606c
Instruction Fuzzy Hash: 8D31F532A40329AFDB219F65DC45E6B77A8EF44720B158025FE44EB2B0D775DD00A790

Function 00FF9496 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,00FFA5CE,?,00000000,?,?,0100B041), ref: 00FF94B1
GetLastError.KERNEL32(?,00FFA5CE,?,00000000,?,?,0100B041,?,00000000,?,00000000,?,?,0100B041,?), ref: 00FF94BF
CloseHandle.KERNEL32(?,0100B041,00000001,00000003,000007D0,?,?,0100B041,?), ref: 00FF959E

Strings

Copying, xrefs: 00FF9533
Failed to move %ls to %ls, xrefs: 00FF9576
cache.cpp, xrefs: 00FF94E3
Failed to copy %ls to %ls, xrefs: 00FF958C
%ls container from working path '%ls' to path '%ls', xrefs: 00FF9549
Failed to open container in working path: %ls, xrefs: 00FF94EE
Failed to verify container hash: %ls, xrefs: 00FF9520
Moving, xrefs: 00FF9540, 00FF9548

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
API String ID: 2528220319-1187406825
Opcode ID: 0d521663ed2bd89ef0cfc43a797cf71d508773491017956618357135abb14076
Instruction ID: b370bbefd3e596ff8f660d1a47ae6496ca72b6821d0e7e6bd85df91491ee7b08
Opcode Fuzzy Hash: 0d521663ed2bd89ef0cfc43a797cf71d508773491017956618357135abb14076
Instruction Fuzzy Hash: 1A2126B2A803397BE732192A8C45F7B369DDF95B60F180118FE45BE2D0D3E19D00A6E5

Function 00FE6E5A Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00FE6E89
LeaveCriticalSection.KERNEL32(?), ref: 00FE7095

Strings

Failed to read variable included flag., xrefs: 00FE7085
Failed to read variable literal flag., xrefs: 00FE7070
Failed to set variable., xrefs: 00FE7069
Failed to read variable name., xrefs: 00FE707E
Failed to read variable value as string., xrefs: 00FE7062
Unsupported variable type., xrefs: 00FE705B
Failed to set variable value., xrefs: 00FE7048
Failed to read variable value as number., xrefs: 00FE704F
Failed to read variable count., xrefs: 00FE6EA9
Failed to read variable value type., xrefs: 00FE7077

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-528957463
Opcode ID: da9b532b50025ff4809f49bb4cf87c8112ebf0d9bef259abf4731999f814aaf9
Instruction ID: d3b8e489cba071a3ae1cafac2d6d75f89edbdc91136085d84b6123163204c28f
Opcode Fuzzy Hash: da9b532b50025ff4809f49bb4cf87c8112ebf0d9bef259abf4731999f814aaf9
Instruction Fuzzy Hash: 80719572C052AEBBDF21EEA6CC44FEEBB79EB14750F104125FA10A6190D735DE05AB90

Function 010243A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 247fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 01024425
GetLastError.KERNEL32 ref: 0102443B
GetFileSizeEx.KERNEL32(00000000,?), ref: 01024486
GetLastError.KERNEL32 ref: 01024490
CloseHandle.KERNEL32(?), ref: 01024650

Strings

fileutil.cpp, xrefs: 010243C6, 0102446F, 010244B0, 01024633

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: fileutil.cpp
API String ID: 3555958901-2967768451
Opcode ID: 70c1dfccd9884cb5e6ff53c645575cebc6cc83cd87580c1f29e85f55533b59bb
Instruction ID: 5bff8b501bebb9465bea606340b57b2a685e516fdc8d49286904b6f366ac8f47
Opcode Fuzzy Hash: 70c1dfccd9884cb5e6ff53c645575cebc6cc83cd87580c1f29e85f55533b59bb
Instruction Fuzzy Hash: 1A710671A00235EBEB329E6D8C48B6F76E8EF44750F114269FDD5EB280E679CD008B91

Function 00FE2DE0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001,00000000,00000000), ref: 00FE2E7A
GetLastError.KERNEL32 ref: 00FE2E84
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00FE2F1F
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00FE2FAD
GetLastError.KERNEL32 ref: 00FE2FBA
Sleep.KERNEL32(00000064), ref: 00FE2FCC
CloseHandle.KERNEL32(?), ref: 00FE302C

Strings

pathutil.cpp, xrefs: 00FE2EA8
4Mw, xrefs: 00FE2E7A
%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00FE2F7D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4Mw$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-721117420
Opcode ID: d8b5ed7a00c1b95d24bacc2777b6fa59d66a06ff2cad9f26b191927cd5d80a45
Instruction ID: 0db4604e4062d1ff8c378779b4ab8ea5bed2822187803ed0c665f8e72a60a1fc
Opcode Fuzzy Hash: d8b5ed7a00c1b95d24bacc2777b6fa59d66a06ff2cad9f26b191927cd5d80a45
Instruction Fuzzy Hash: 6B716372E41279ABDB719FA5DC4CBEAB7B8AB08710F110195FE05E7190E7349E809B60

Function 00FF4B96 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 00FF4BC9
StringFromGUID2.OLE32(?,?,00000027), ref: 00FF4BF8
UuidCreate.RPCRT4(?), ref: 00FF4C43
StringFromGUID2.OLE32(?,?,00000027), ref: 00FF4C6F

Strings

BurnPipe.%s, xrefs: 00FF4C24
pipe.cpp, xrefs: 00FF4C09, 00FF4C56
Failed to convert pipe guid into string., xrefs: 00FF4C15
Failed to allocate pipe secret., xrefs: 00FF4C98
Failed to allocate pipe name., xrefs: 00FF4C38
Failed to create pipe guid., xrefs: 00FF4BD6

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
API String ID: 4041566446-2510341293
Opcode ID: d38870f5309a6488497b70102c064ae405b6eead45aab77ba7774f28af8838bd
Instruction ID: 9827bdb298dffd0badbc94b12c54e9058c2814e18f80523f1b5164c891a0cb4b
Opcode Fuzzy Hash: d38870f5309a6488497b70102c064ae405b6eead45aab77ba7774f28af8838bd
Instruction Fuzzy Hash: 9A416272E0531CABDB20DAE5D945AEFB7B8AF54710F204129EA05EF250E674A904DB90

Function 00FE5F14 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 105timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00FE5F3F
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00FE5F53
GetLastError.KERNEL32 ref: 00FE5F65
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 00FE5FB8
GetLastError.KERNEL32 ref: 00FE5FC2

Strings

Failed to get the Date., xrefs: 00FE5FE6
variable.cpp, xrefs: 00FE5F7F, 00FE5FDC
Failed to get the required buffer length for the Date., xrefs: 00FE5F89
Failed to set variant value., xrefs: 00FE5FFF
Failed to allocate the buffer for the Date., xrefs: 00FE5FA0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: 08e000069c5e244c0804e68c949f87a5320edfb825e87b1a6819c6abfb75a79b
Instruction ID: 5f21e038596cc2f3f942bc0b4bcb4c58a43873d2717b42a5b11ad80d42638de8
Opcode Fuzzy Hash: 08e000069c5e244c0804e68c949f87a5320edfb825e87b1a6819c6abfb75a79b
Instruction Fuzzy Hash: 9631C972E4077ABBDB21AAE6CC45FAFB7A9AB04764F100129FA41F7140D9749D0097A1

Function 00FFE82A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 99threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00FE5386,?,?), ref: 00FFE84A
GetLastError.KERNEL32(?,00FE5386,?,?), ref: 00FFE857
CreateThread.KERNEL32(00000000,00000000,00FFE563,?,00000000,00000000), ref: 00FFE8B0
GetLastError.KERNEL32(?,00FE5386,?,?), ref: 00FFE8BD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00FE5386,?,?), ref: 00FFE8F8
CloseHandle.KERNEL32(00000000,?,00FE5386,?,?), ref: 00FFE917
CloseHandle.KERNEL32(?,?,00FE5386,?,?), ref: 00FFE924

Strings

uithread.cpp, xrefs: 00FFE878, 00FFE8DE
Failed to create initialization event., xrefs: 00FFE882
Failed to create the UI thread., xrefs: 00FFE8E8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 635acc94ddd4bb6dbeab419dad6deea11f37622ab2d2b59d60a167d98e052f8f
Instruction ID: 22a1b26cb22591579a47d225ea8d95acd6b78640f0af39d5e10bf02682830602
Opcode Fuzzy Hash: 635acc94ddd4bb6dbeab419dad6deea11f37622ab2d2b59d60a167d98e052f8f
Instruction Fuzzy Hash: A4315471E40319BFEB219EA99D84AAFB7ECEF08350F11412AFD05E7150D6759E009BA1

Function 00FFE3F4 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 95threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00FE5386,?,?), ref: 00FFE415
GetLastError.KERNEL32(?,?,00FE5386,?,?), ref: 00FFE422
CreateThread.KERNEL32(00000000,00000000,00FFE177,00000000,00000000,00000000), ref: 00FFE481
GetLastError.KERNEL32(?,?,00FE5386,?,?), ref: 00FFE48E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00FE5386,?,?), ref: 00FFE4C9
CloseHandle.KERNEL32(?,?,?,00FE5386,?,?), ref: 00FFE4DD
CloseHandle.KERNEL32(?,?,?,00FE5386,?,?), ref: 00FFE4EA

Strings

splashscreen.cpp, xrefs: 00FFE443, 00FFE4AF
Failed to create UI thread., xrefs: 00FFE4B9
Failed to create modal event., xrefs: 00FFE44D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 2351989216-1977201954
Opcode ID: 81a36a2faac125eb7a9befcaa0cb662c37e3e67588d771e33f1b27f8dd8b3ec9
Instruction ID: c5fc7fc47230f94484555a66aaff7de4ae183434d677c169eafab890bcee88d1
Opcode Fuzzy Hash: 81a36a2faac125eb7a9befcaa0cb662c37e3e67588d771e33f1b27f8dd8b3ec9
Instruction Fuzzy Hash: CF318175D00319BBEB21DFAA8C45AAFBBF8EF85710F10412AFD14E3150D6744A009BA1

Function 01001224 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,774D2F60,?,?,00FE52FD,00FE52B5,00000000,00FE533D), ref: 01001249
GetLastError.KERNEL32 ref: 0100125C
GetExitCodeThread.KERNEL32(0102B478,?), ref: 0100129E
GetLastError.KERNEL32 ref: 010012AC
ResetEvent.KERNEL32(0102B450), ref: 010012E7
GetLastError.KERNEL32 ref: 010012F1

Strings

Failed to get extraction thread exit code., xrefs: 010012DD
Failed to reset operation complete event., xrefs: 01001322
Failed to wait for operation complete event., xrefs: 0100128D
cabextract.cpp, xrefs: 01001280, 010012D0, 01001315

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: b13494afb9a5fcd13dab105e31f23d79ffe372b6e7823d6e2f25e219b16d0642
Instruction ID: 7d40629c579c89ab998e47f44f60e8c0207bda421a340b8c68231be7b80ccb51
Opcode Fuzzy Hash: b13494afb9a5fcd13dab105e31f23d79ffe372b6e7823d6e2f25e219b16d0642
Instruction Fuzzy Hash: 6021C1B1700304EFFB259A3A8D4AABE77E8EB45710F10412EF9C7E6190E639DA009B14

Function 01001341 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(685479F6,00FE533D,00000000,?,00FEC06D,00FE533D,00FE52B5,00000000,?,00FF763B,?,00FE5565,00FE5371,00FE5371,00000000,?), ref: 0100135E
GetLastError.KERNEL32(?,00FEC06D,00FE533D,00FE52B5,00000000,?,00FF763B,?,00FE5565,00FE5371,00FE5371,00000000,?,00FE5381,FFF9E89D,00FE5381), ref: 01001368
WaitForSingleObject.KERNEL32(85F08BFF,000000FF,?,00FEC06D,00FE533D,00FE52B5,00000000,?,00FF763B,?,00FE5565,00FE5371,00FE5371,00000000,?,00FE5381), ref: 010013A2
GetLastError.KERNEL32(?,00FEC06D,00FE533D,00FE52B5,00000000,?,00FF763B,?,00FE5565,00FE5371,00FE5371,00000000,?,00FE5381,FFF9E89D,00FE5381), ref: 010013AC
CloseHandle.KERNEL32(85F08BFF,00FE5381,00FE533D,00000000,?,00FEC06D,00FE533D,00FE52B5,00000000,?,00FF763B,?,00FE5565,00FE5371,00FE5371,00000000), ref: 010013F7
CloseHandle.KERNEL32(685479F6,00FE5381,00FE533D,00000000,?,00FEC06D,00FE533D,00FE52B5,00000000,?,00FF763B,?,00FE5565,00FE5371,00FE5371,00000000), ref: 01001406
CloseHandle.KERNEL32(0102BA60,00FE5381,00FE533D,00000000,?,00FEC06D,00FE533D,00FE52B5,00000000,?,00FF763B,?,00FE5565,00FE5371,00FE5371,00000000), ref: 01001415

Strings

Failed to wait for thread to terminate., xrefs: 010013DA
cabextract.cpp, xrefs: 0100138C, 010013D0
Failed to set begin operation event., xrefs: 01001396

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
API String ID: 1206859064-226982402
Opcode ID: 0392fa9698c98923190c7d1f4321994a22fbe50fbce3199c9a0f47186601cde7
Instruction ID: 0c3c2364e7d76e7c3d8848660e74d3eb6bd39129bbe4f72b9a30c90168d69637
Opcode Fuzzy Hash: 0392fa9698c98923190c7d1f4321994a22fbe50fbce3199c9a0f47186601cde7
Instruction Fuzzy Hash: 7C219132200700DBF7325A2ADC89B6777F5FB84712F11462DE5CA929A0DB79E441DA24

Function 00FED5C0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?,00FE46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00FE5386,?,?), ref: 00FED5CD
GetLastError.KERNEL32(?,00FE46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00FE5386,?,?), ref: 00FED5DA
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00FED612
GetLastError.KERNEL32(?,00FE46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00FE5386,?,?), ref: 00FED61E

Strings

Failed to load UX DLL., xrefs: 00FED605
userexperience.cpp, xrefs: 00FED5FB, 00FED63F
BootstrapperApplicationCreate, xrefs: 00FED60C
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00FED649
Failed to create UX., xrefs: 00FED662
wininet.dll, xrefs: 00FED5F8, 00FED63C, 00FED667

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
API String ID: 1866314245-1140179540
Opcode ID: a5237b1318a81c27109e0cefbadabf92d2c7c780e368b8fe66accc474cd79d40
Instruction ID: 39d6d55c145040a697fe325867107155ae04d31a7f1f2758a1b5d37f7159812d
Opcode Fuzzy Hash: a5237b1318a81c27109e0cefbadabf92d2c7c780e368b8fe66accc474cd79d40
Instruction Fuzzy Hash: 9F11E932A40772ABEB315A6A9C04F5737E4DF057A0F11412EFD89EB540D625DC009BD4

Function 00FF91F7 Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 223COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 00FF9297
GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 00FF92BB

Strings

Failed to allocate memory, xrefs: 00FF9268
Failed to get file hash., xrefs: 00FF92E5
Could not verify file %ls., xrefs: 00FF9400
Could not close verify handle., xrefs: 00FF944E
Failed to encode file hash., xrefs: 00FF934A
cache.cpp, xrefs: 00FF92DB, 00FF93F3, 00FF9444
0, xrefs: 00FF9357
Failed to allocate string., xrefs: 00FF932D
$, xrefs: 00FF9396

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
API String ID: 1452528299-4263581490
Opcode ID: a6af0981f067257600dc54f9834d7966bb70ec6d0dccf32c5b28650ca5e42ee9
Instruction ID: 729d6c753ca2b0f578859a8185693a4f8bc3c3014280ef67ee0e893f25609591
Opcode Fuzzy Hash: a6af0981f067257600dc54f9834d7966bb70ec6d0dccf32c5b28650ca5e42ee9
Instruction Fuzzy Hash: 65718472D0422DABDB11DBA5CC41BEEB7F8AF08710F11422AEE05F7290E7749D019BA0

Function 00FFE31B Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00FFE326
DefWindowProcW.USER32(?,00000082,?,?), ref: 00FFE364
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00FFE371
SetWindowLongW.USER32(?,000000EB,?), ref: 00FFE380
DefWindowProcW.USER32(?,?,?,?), ref: 00FFE38E
CreateCompatibleDC.GDI32(?), ref: 00FFE39A
SelectObject.GDI32(00000000,00000000), ref: 00FFE3AB
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00FFE3CD
SelectObject.GDI32(00000000,00000000), ref: 00FFE3D5
DeleteDC.GDI32(00000000), ref: 00FFE3D8
PostQuitMessage.USER32(00000000), ref: 00FFE3E6

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: 000f42f705d89def6ccb4118d46b5645eab9867d08411fa07b04638befebfbce
Instruction ID: c2a474d827ccb543ba8d66a79c4a6b7a38b7e14e62b16538cafdc7a1f173e049
Opcode Fuzzy Hash: 000f42f705d89def6ccb4118d46b5645eab9867d08411fa07b04638befebfbce
Instruction Fuzzy Hash: B021AF32104118BFCB355F68DC4CE7B3FA9EF49321B258618FB56971B0D6768810EB61

Function 00FF9F36 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 220COMMON

Download Yara Rule

Strings

Failed to combine layout source with source., xrefs: 00FFA0A0
WixBundleLastUsedSource, xrefs: 00FF9F9D
Failed to get bundle layout directory property., xrefs: 00FFA083
Failed to combine last source with source., xrefs: 00FFA00C
WixBundleOriginalSource, xrefs: 00FF9FB3
Failed to copy source path., xrefs: 00FFA113
WixBundleLayoutDirectory, xrefs: 00FFA068
Failed to get current process directory., xrefs: 00FF9FEF

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
API String ID: 2767606509-3003062821
Opcode ID: cd2f70da6ab1b8674843992ee149a08d6c2cbfe29d8065e221f2d806aae7a648
Instruction ID: 925df34efac5f2159c8df1c2e912aec9a90b01e3961ea9004382464bb11abfc4
Opcode Fuzzy Hash: cd2f70da6ab1b8674843992ee149a08d6c2cbfe29d8065e221f2d806aae7a648
Instruction Fuzzy Hash: E97151B1D0422DAEDB12DFA5DC41AFEB7B9AF08310F110129EA05B7260DB759D40AB61

Function 00FE3083 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000040,00000000,00000000), ref: 00FE30C7
GetLastError.KERNEL32 ref: 00FE30D1
ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FE3129
GetLastError.KERNEL32 ref: 00FE3133
GetFullPathNameW.KERNEL32(00000000,00000040,00000000,00000000,00000000,00000040,00000000,00000000), ref: 00FE31EC
GetLastError.KERNEL32 ref: 00FE31F6
GetFullPathNameW.KERNEL32(00000000,00000007,00000000,00000000,00000000,00000007), ref: 00FE324D
GetLastError.KERNEL32 ref: 00FE3257

Strings

pathutil.cpp, xrefs: 00FE30F5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: pathutil.cpp
API String ID: 1547313835-741606033
Opcode ID: 21f10ec9f32d839b731fb10f489c9daa26e30db1b5d5846832acd9e2a252a436
Instruction ID: b553185f81971e4258cb2aeaa500968065da5f60e92f4ba252c4f17e728a9570
Opcode Fuzzy Hash: 21f10ec9f32d839b731fb10f489c9daa26e30db1b5d5846832acd9e2a252a436
Instruction Fuzzy Hash: 16618132E00269ABDB319AA68C4DBAE7BE8EF44750F114165FE45E7150E739DF00AB90

Function 01026BF6 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,774CDFD0,?,01027172,?,?), ref: 01026C4C
SysFreeString.OLEAUT32(00000000), ref: 01026CB7
SysFreeString.OLEAUT32(00000000), ref: 01026D2F
SysFreeString.OLEAUT32(00000000), ref: 01026D71

Strings

scheme, xrefs: 01026C5F
label, xrefs: 01026C3E
term, xrefs: 01026C7F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$Free$Compare
String ID: label$scheme$term
API String ID: 1324494773-4117840027
Opcode ID: d5330354029ab89da02c53bc8944913817ca9d74afbd4d863d4a2bb366254a55
Instruction ID: 8b964a011166b4521b8abcd52b04823e5fa83d379e4664a0a06eb63c2acd722e
Opcode Fuzzy Hash: d5330354029ab89da02c53bc8944913817ca9d74afbd4d863d4a2bb366254a55
Instruction Fuzzy Hash: 27513D75D0122DFBDB21DF94C844FAEBBB8EF04721F2042A9E951AB190D732AE40DB50

Function 00FECABE Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,?,000000FF,00FE5381,?,00FE52B5,00000000,00FE5381,FFF9E89D,00FE5381,00FE53B5,00FE533D,?), ref: 00FECB15

Strings

Failed to get directory portion of local file path, xrefs: 00FECBEE
payload.cpp, xrefs: 00FECC16
Payload was not found in container: %ls, xrefs: 00FECC22
Failed to ensure directory exists, xrefs: 00FECBE7
Failed to concat file paths., xrefs: 00FECBF5
Failed to extract file., xrefs: 00FECBE0
Failed to get next stream., xrefs: 00FECBFC
Failed to find embedded payload: %ls, xrefs: 00FECB41

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: 6422362d4ec5706b40e7e0dea596352be492d70b012ec3c5d8fd48fefd10ddb9
Instruction ID: 1265de074a1992f2f54c6074e3c6b31bd8bd2acfed015fc0c83a241d46a52b51
Opcode Fuzzy Hash: 6422362d4ec5706b40e7e0dea596352be492d70b012ec3c5d8fd48fefd10ddb9
Instruction Fuzzy Hash: AB41D432D002A9EFCF25DE4ACC82AAEB775BF40720F204169F915AB250C3749D42EBD0

Function 00FE4690 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00FE46B5
GetCurrentThreadId.KERNEL32 ref: 00FE46BB

Part of subcall function 00FFFC51: new.LIBCMT ref: 00FFFC58

GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FE4749

Strings

Failed to load UX., xrefs: 00FE46FE
Failed to start bootstrapper application., xrefs: 00FE4717
engine.cpp, xrefs: 00FE4795
Failed to create engine for UX., xrefs: 00FE46D5
Unexpected return value from message pump., xrefs: 00FE479F
wininet.dll, xrefs: 00FE46E8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 5374a50f58f42167aff63610c7ad027db0c3a7bb8026f768dce6c98c8a37f705
Instruction ID: 0375460a3c69263209839ee7c1e8e7ce759a96bd8a54eb1a976a64cb64815f6c
Opcode Fuzzy Hash: 5374a50f58f42167aff63610c7ad027db0c3a7bb8026f768dce6c98c8a37f705
Instruction Fuzzy Hash: 2D41A372A00269BFE714DAA6CC85EBAB7ACEF09714F100129F905EB140DB35FD04A7A1

Function 00FF8CB5 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 00FF8E01

Strings

Failed to create ACL to secure cache path: %ls, xrefs: 00FF8DB7
Failed to secure cache path: %ls, xrefs: 00FF8DE4
cache.cpp, xrefs: 00FF8DAC
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00FF8D29
Failed to allocate access for Administrators group to path: %ls, xrefs: 00FF8D08
Failed to allocate access for Everyone group to path: %ls, xrefs: 00FF8D4A
Failed to allocate access for Users group to path: %ls, xrefs: 00FF8D6B

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
API String ID: 2826327444-4113288589
Opcode ID: a40d4cb5033ffd78239a5f8b033783e8df3b78fbbc7f8cbf0718e3809fd9ba80
Instruction ID: 574f294dc695a3a77f383613700394d65ab66dbb87f21f89a77f9648e5aedcef
Opcode Fuzzy Hash: a40d4cb5033ffd78239a5f8b033783e8df3b78fbbc7f8cbf0718e3809fd9ba80
Instruction Fuzzy Hash: 5E412672A4022DB6EB3196618C49FFF7AACEF50B90F004065FB44BB1D0DE619E45E7A0

Function 01009A57 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 125COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,0100ADE5,?,00000001,00000000), ref: 01009AE1
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,0100ADE5,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 01009AEB
CopyFileExW.KERNEL32(00000000,00000000,0100993C,00000000,00000020,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 01009B39
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,0100ADE5,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 01009B68

Strings

copy, xrefs: 01009AAF
Failed to clear readonly bit on payload destination path: %ls, xrefs: 01009B1A
BA aborted copy of payload from: '%ls' to: %ls., xrefs: 01009B61
Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 01009B9A
apply.cpp, xrefs: 01009B0F, 01009B53, 01009B8C

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
API String ID: 1969131206-836986073
Opcode ID: 4312d455e0bf038aeaff79128b65e45db062699322fcb99ae22ece9a6ea3cd07
Instruction ID: 87597d28a7ebd743f7dd4e57e842f566cba984aa153ce27122841fa883ff40a8
Opcode Fuzzy Hash: 4312d455e0bf038aeaff79128b65e45db062699322fcb99ae22ece9a6ea3cd07
Instruction Fuzzy Hash: 3A312671B40616BBFB219A6ACC85E7BB79DEF41654F108219FC89DB182D724DD0087E1

Function 00FFE05E Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 00FFE094
GetLastError.KERNEL32 ref: 00FFE0A0
GetObjectW.GDI32(00000000,00000018,?), ref: 00FFE0E7
GetCursorPos.USER32(?), ref: 00FFE108
MonitorFromPoint.USER32(?,?,00000002), ref: 00FFE11A
GetMonitorInfoW.USER32(00000000,?), ref: 00FFE130

Strings

splashscreen.cpp, xrefs: 00FFE0C4
(, xrefs: 00FFE127
Failed to load splash screen bitmap., xrefs: 00FFE0CE

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
API String ID: 2342928100-598475503
Opcode ID: c6140f0a7d1c50efc7fa7cb7cd31e5635b6ed716fd7860af96330f577fe0809a
Instruction ID: 110d5fa5aaa88652d349fcb726127d1b1606c3ae9af4e5f3cf7be81a1a3936ac
Opcode Fuzzy Hash: c6140f0a7d1c50efc7fa7cb7cd31e5635b6ed716fd7860af96330f577fe0809a
Instruction Fuzzy Hash: F0313071A00219AFDB10DFB9D989A9EBBF5EF08710F548119FD04EB254DB75D901CB60

Function 00FE64B6 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 00FE64F7
GetLastError.KERNEL32 ref: 00FE6505
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00FE6546
GetLastError.KERNEL32 ref: 00FE6550

Strings

variable.cpp, xrefs: 00FE6535, 00FE6574
Failed to get 64-bit system folder., xrefs: 00FE657E
Failed to get 32-bit system folder., xrefs: 00FE653F
Failed to set system folder variant value., xrefs: 00FE65BE
Failed to backslash terminate system folder., xrefs: 00FE65A2

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastSystem$Wow64
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
API String ID: 2634638900-1590374846
Opcode ID: 636a4b22b4d15ae22be3a6ef1df575722dac6dd3957ca97a5333084ba914c913
Instruction ID: 5efa139a85ebef471695aa85f23e317cd660758ea2e565e3a754d614681df314
Opcode Fuzzy Hash: 636a4b22b4d15ae22be3a6ef1df575722dac6dd3957ca97a5333084ba914c913
Instruction Fuzzy Hash: FB210F72F4037967EB30A6B79C49BAB33D89F10790F210169FC49E7184D664DD0496E1

Function 00FF4ED2 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,0102B4F0), ref: 00FF4EDB
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00FF4F79
CloseHandle.KERNEL32(00000000), ref: 00FF4F92

Strings

Failed to launch elevated child process: %ls, xrefs: 00FF4F66
burn.elevated, xrefs: 00FF4EFB
Failed to allocate parameters for elevated process., xrefs: 00FF4F14
open, xrefs: 00FF4F43, 00FF4F51
-q -%ls %ls %ls %u, xrefs: 00FF4F00
runas, xrefs: 00FF4F39

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: 37b6308a6d5839253685778386f6400e2757a615cdc3424231181c011f14e524
Instruction ID: 8c33bad20be0fd8c916d8b3794824dda271b1c1756a7730eb3417965093a378b
Opcode Fuzzy Hash: 37b6308a6d5839253685778386f6400e2757a615cdc3424231181c011f14e524
Instruction Fuzzy Hash: 42213B75D0421DBFCF119F95DC808EEBBB8FF08351B50816AFA49AB250D775AE10AB90

Function 00FE671C Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 00FE6746
GetProcAddress.KERNEL32(00000000), ref: 00FE674D
GetLastError.KERNEL32 ref: 00FE6757

Strings

DllGetVersion, xrefs: 00FE6738
msi, xrefs: 00FE673D
variable.cpp, xrefs: 00FE677B
Failed to find DllGetVersion entry point in msi.dll., xrefs: 00FE6785
Failed to set variant value., xrefs: 00FE67C3
Failed to get msi.dll version info., xrefs: 00FE679F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
API String ID: 4275029093-842451892
Opcode ID: 3c7e87af8659fd26af036984b0cf37332e5e139389a1dfc0ea209179cb9a22ad
Instruction ID: 727fab810e23be7017894835b7d8fc8e6c1a1f147c4243d7fbbbdadc1e748c7d
Opcode Fuzzy Hash: 3c7e87af8659fd26af036984b0cf37332e5e139389a1dfc0ea209179cb9a22ad
Instruction Fuzzy Hash: 62110672A00739AAE721AABADC45ABFB7D8EB18750F110529FD41F7140EA399C0493E1

Function 00FE1174 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00FE111A,cabinet.dll,00000009,?,?,00000000), ref: 00FE1185
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,00FE111A,cabinet.dll,00000009,?,?,00000000), ref: 00FE1190
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00FE119E
GetLastError.KERNEL32(?,?,?,?,00FE111A,cabinet.dll,00000009,?,?,00000000), ref: 00FE11B9
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00FE11C1
GetLastError.KERNEL32(?,?,?,?,00FE111A,cabinet.dll,00000009,?,?,00000000), ref: 00FE11D6

Strings

kernel32, xrefs: 00FE118B
SetDefaultDllDirectories, xrefs: 00FE1198
SetDllDirectoryW, xrefs: 00FE11BB

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: a13f44dcc0f9ca8d6757a1fbf846a40cc30e231611e2c8bcdb1e5e419d7a69ec
Instruction ID: 36a07a08242ebedd2833fa0cc6598423d9afb5726602a7e8c99703e19802dafa
Opcode Fuzzy Hash: a13f44dcc0f9ca8d6757a1fbf846a40cc30e231611e2c8bcdb1e5e419d7a69ec
Instruction Fuzzy Hash: 2E01D471A00269BB87316FA79C49E6F7B6CFF447A1B108025FE9596100DA7DDA00DBB1

Function 00FFF3E6 Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00FFF3FB
LeaveCriticalSection.KERNEL32(?), ref: 00FFF576

Strings

Failed to set download user., xrefs: 00FFF4FE
Failed to set download URL., xrefs: 00FFF4D5
UX did not provide container or payload id., xrefs: 00FFF565
Failed to set download password., xrefs: 00FFF524
Engine is active, cannot change engine state., xrefs: 00FFF415
UX denied while trying to set download URL on embedded payload: %ls, xrefs: 00FFF466
UX requested unknown container with id: %ls, xrefs: 00FFF4A0
UX requested unknown payload with id: %ls, xrefs: 00FFF450

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: 038f3f9df9ac44ca2e0761565e101e8c72a1e5cd5cbe25f9b1010947fe271d75
Instruction ID: 829bad30029079388057405b84940168874c558794414b16f3367b30832dd67e
Opcode Fuzzy Hash: 038f3f9df9ac44ca2e0761565e101e8c72a1e5cd5cbe25f9b1010947fe271d75
Instruction Fuzzy Hash: 0C41D872A0021AEBD721DE65CC05B76B368EF50720F1D8175FA44EB260EB74DD44E790

Function 01025916 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 194filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000000,000000FF,?,00000000,00000000), ref: 01025955
GetLastError.KERNEL32 ref: 01025963
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 010259A4
GetLastError.KERNEL32 ref: 010259B1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 01025B26
CloseHandle.KERNEL32(?), ref: 01025B35

Strings

dlutil.cpp, xrefs: 01025987
GET, xrefs: 01025A58

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
String ID: GET$dlutil.cpp
API String ID: 2028584396-3303425918
Opcode ID: afa396cd18ed3a278bc1e3de8b87e0481bce997fe5e98b03e91d0b587b7a6463
Instruction ID: f9a8beb5242b32c261866826a611208c734a0c982b591c3b97051722d3721ae5
Opcode Fuzzy Hash: afa396cd18ed3a278bc1e3de8b87e0481bce997fe5e98b03e91d0b587b7a6463
Instruction Fuzzy Hash: C0616D75A0032AABDB21DFA8CC85BEE7BB9FF08250F114259FE45F7240E77598408B94

Function 00FF0AAE Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00FF0E7E: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,00FF0ACD,?,00000000,?,00000000,00000000), ref: 00FF0EAD

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 00FF0C51
GetLastError.KERNEL32 ref: 00FF0C5E

Strings

Failed to create syncpoint event., xrefs: 00FF0C8C
plan.cpp, xrefs: 00FF0C82
Failed to append package start action., xrefs: 00FF0AF3
Failed to append cache action., xrefs: 00FF0BA8
Failed to append rollback cache action., xrefs: 00FF0B2D
Failed to append payload cache action., xrefs: 00FF0C08

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
API String ID: 801187047-2489563283
Opcode ID: 2c55d262e16acf91036c81f387299f96207e51d8c22659c31419c0c0e4622b86
Instruction ID: 644ae211fc9959770e29c979ff1a99c5f82a19080566e9507367983ac1212c04
Opcode Fuzzy Hash: 2c55d262e16acf91036c81f387299f96207e51d8c22659c31419c0c0e4622b86
Instruction Fuzzy Hash: 60618175900708EFDB11DF68C980A6AB7F9FF84310F218459EA55DB222DB35EE41EB50

Function 00FE9DB4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00FE9DDA
_MREFOpen@16.MSPDB140-MSVCRT ref: 00FE9DFF

Strings

Failed to set variable., xrefs: 00FE9EE3
Failed to format product code string., xrefs: 00FE9E0A
Failed to get component path: %d, xrefs: 00FE9E63
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00FE9EF3
Failed to format component id string., xrefs: 00FE9DE5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: a8697bb727622c269763e6339c21c193e30aa1554e3cd861550a6e376ff27cfa
Instruction ID: 09e36e598f725be0ae0e521649ca12e07d48821d2e5e38ae95a6da90bc529e5d
Opcode Fuzzy Hash: a8697bb727622c269763e6339c21c193e30aa1554e3cd861550a6e376ff27cfa
Instruction Fuzzy Hash: 5B410E73D08295BACB25DA6ACC45BBEB768EF04320F244A16F705E5190D7B09D50F772

Function 01026ACD Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,774CDFD0,000000FF,name,000000FF,774CDFD0,?,774CDFD0,?,774CDFD0), ref: 01026B2B
CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,email,000000FF), ref: 01026B48
SysFreeString.OLEAUT32(00000000), ref: 01026B86
SysFreeString.OLEAUT32(00000000), ref: 01026BCD

Strings

uri, xrefs: 01026B56
email, xrefs: 01026B3A
name, xrefs: 01026B1D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$CompareFree
String ID: email$name$uri
API String ID: 3589242889-1168628755
Opcode ID: f7713826103ddf12778749cb0dfc21c58e5cb1d50c26fb1c1c915cf7b50b40ef
Instruction ID: 31bd2e36967dfbc33d0af1b726d8487d068cfe1cb584f0892dcad3dfa3ca4dec
Opcode Fuzzy Hash: f7713826103ddf12778749cb0dfc21c58e5cb1d50c26fb1c1c915cf7b50b40ef
Instruction Fuzzy Hash: E5416435D05229BBDF62DB98CC44F9EBBB5EF04720F2042A5ED51AB2D0D7329A44DB50

Function 00FF473A Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 115fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00000008,00FE4740,00000000,?,00000000,00000000,?,00000000,00FE4740,?,?,00000000,?,00000000), ref: 00FF4765
GetLastError.KERNEL32 ref: 00FF4772
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 00FF481B
GetLastError.KERNEL32 ref: 00FF4825

Strings

pipe.cpp, xrefs: 00FF47CF, 00FF47E6, 00FF4849
Failed to allocate data for message., xrefs: 00FF47D9
Failed to read data for message., xrefs: 00FF4853
Failed to read message from pipe., xrefs: 00FF47F0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
API String ID: 1948546556-3912962418
Opcode ID: eef6d4596997ac0cd9ca96ddb22548518f680cf3e643683329df84f0144fd1d3
Instruction ID: 952dba91addedfb1e3f7c4e45a421c7779cfb0855f7a12046147703db3130dc2
Opcode Fuzzy Hash: eef6d4596997ac0cd9ca96ddb22548518f680cf3e643683329df84f0144fd1d3
Instruction Fuzzy Hash: DD31E772E40269BBE7209E65DC45BBBF768FF05761F208129F940EA150D774EE00A7D1

Function 00FEF2DC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00FEF315

Part of subcall function 00FE4013: CreateDirectoryW.KERNELBASE(00FE533D,00FE53B5,00000000,00000000,?,00FF9EE4,00000000,00000000,00FE533D,00000000,00FE52B5,00000000,?,?,00FED4AC,00FE533D), ref: 00FE4021
Part of subcall function 00FE4013: GetLastError.KERNEL32(?,00FF9EE4,00000000,00000000,00FE533D,00000000,00FE52B5,00000000,?,?,00FED4AC,00FE533D,00000000,00000000), ref: 00FE402F

lstrlenA.KERNEL32(0102B4F0,00000000,00000094,00000000,00000094,?,?,00FF0328,swidtag,00000094,?,0102B508,00FF0328,00000000,?,00000000), ref: 00FEF368

Part of subcall function 01024C67: CreateFileW.KERNEL32(0102B4F0,40000000,00000001,00000000,00000002,00000080,00000000,00FF0328,00000000,?,00FEF37F,?,00000080,0102B4F0,00000000), ref: 01024C7F
Part of subcall function 01024C67: GetLastError.KERNEL32(?,00FEF37F,?,00000080,0102B4F0,00000000,?,00FF0328,?,00000094,?,?,?,?,?,00000000), ref: 01024C8C

Strings

Failed to format tag folder path., xrefs: 00FEF3CE
Failed to write tag xml to file: %ls, xrefs: 00FEF3A6
Failed to allocate regid folder path., xrefs: 00FEF3C7
Failed to create regid folder: %ls, xrefs: 00FEF3B0
Failed to allocate regid file path., xrefs: 00FEF3C0
swidtag, xrefs: 00FEF328

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
API String ID: 904508749-1201533908
Opcode ID: 5be24b6c17fba9b9d123bec05bf729297b4ac7343b728c3c35e256e93fc19d6c
Instruction ID: cc320873c72dc3526676cc598207abf74ea8cd3d7daea7e32fe1f3bf78e76fa4
Opcode Fuzzy Hash: 5be24b6c17fba9b9d123bec05bf729297b4ac7343b728c3c35e256e93fc19d6c
Instruction Fuzzy Hash: 3B31CF32D00269BFCB11AE96CC01BDDBBB9AF04710F20817AE900AA250E7759E54AB90

Function 00FF51E9 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 90synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,00FE5386,00000000,00000000,?,00000000), ref: 00FF5292
GetLastError.KERNEL32(?,?,?,00FE4B5B,?,?,00000000,?,?,?,?,?,?,0102B490,?,?), ref: 00FF529D

Strings

Failed to wait for child process exit., xrefs: 00FF52CB
pipe.cpp, xrefs: 00FF52C1
Failed to post terminate message to child process cache thread., xrefs: 00FF5261
Failed to post terminate message to child process., xrefs: 00FF527D
Failed to write restart to message buffer., xrefs: 00FF5235
Failed to write exit code to message buffer., xrefs: 00FF520D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
API String ID: 1211598281-2161881128
Opcode ID: 228751a84f3d5be603e9c071733309a9ad6d267b2e456851f3b8acaed8dba25a
Instruction ID: 35cbb373c7a5020e3214d55fdda5182e4512dfba587d5fb0ec4900b547a79900
Opcode Fuzzy Hash: 228751a84f3d5be603e9c071733309a9ad6d267b2e456851f3b8acaed8dba25a
Instruction Fuzzy Hash: 1121B633941B2DBBDB125A959C05AAF7BACEF11B21F210315FB00FA1A0D735AD50A7E4

Function 00FF8E92 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 88fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,00FF9CFF,00000003,000007D0,00000003,?,000007D0), ref: 00FF8EAC
GetLastError.KERNEL32(?,00FF9CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000000,-00000004), ref: 00FF8EB9
CloseHandle.KERNEL32(00000000,?,00FF9CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000000), ref: 00FF8F80

Strings

Failed to verify catalog signature of payload: %ls, xrefs: 00FF8F47
Failed to verify hash of payload: %ls, xrefs: 00FF8F6B
cache.cpp, xrefs: 00FF8EEF
Failed to verify signature of payload: %ls, xrefs: 00FF8F28
Failed to open payload at path: %ls, xrefs: 00FF8EFC

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: cc6a7c94e3b2b706b8961cfe00db30eaf11de735e978f7f55b829f888ddbec4d
Instruction ID: 7f415687b0a05b8fb26663e11d26068165e31d5086ed8e968d59a83c0ae09032
Opcode Fuzzy Hash: cc6a7c94e3b2b706b8961cfe00db30eaf11de735e978f7f55b829f888ddbec4d
Instruction Fuzzy Hash: 2921E736A406297ED73219648C49BBE7B1ABF047B0F144215FE01661F0DB399C51FAD5

Function 00FE69B8 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00FE6A03
GetLastError.KERNEL32 ref: 00FE6A0D
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00FE6A51
GetLastError.KERNEL32 ref: 00FE6A5B

Strings

Failed to get windows directory., xrefs: 00FE6A3B
variable.cpp, xrefs: 00FE6A31, 00FE6A7F
Failed to get volume path name., xrefs: 00FE6A89
Failed to set variant value., xrefs: 00FE6AA5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
API String ID: 124030351-4026719079
Opcode ID: fcfc54dd31619ba07617c9390ca74570c85dfaf944f08b4906eb0912f1a0b492
Instruction ID: fb6d8ccbd7b857dc508cf76b18d56c08701ce50ae6595b31deea55662224409c
Opcode Fuzzy Hash: fcfc54dd31619ba07617c9390ca74570c85dfaf944f08b4906eb0912f1a0b492
Instruction Fuzzy Hash: AD214772F003396BE730AAA68C49FDB73EC9B10B10F10417AFD45F7180E6389D4086A5

Function 00FE9B3F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 86COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00FE9B5A
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 00FE9B72
GetLastError.KERNEL32 ref: 00FE9B81

Strings

Failed to set variable., xrefs: 00FE9C07
Failed to format variable string., xrefs: 00FE9B65
Failed get to file attributes. '%ls', xrefs: 00FE9BC0
search.cpp, xrefs: 00FE9BB3
File search: %ls, did not find path: %ls, xrefs: 00FE9BD5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
API String ID: 1811509786-2053429945
Opcode ID: 27209c7b34f9efb8c6d04be6af7b9e78efd34d11aff28d610d1afd4570105490
Instruction ID: c6282fdc344f6add51b2ec5a9e215b66b35e937e1377d9321045614ef77b0cec
Opcode Fuzzy Hash: 27209c7b34f9efb8c6d04be6af7b9e78efd34d11aff28d610d1afd4570105490
Instruction Fuzzy Hash: E1213B32E443657BDB116AA6DD06BADB769EF54320F304326FC00A5150E7B19E40E7F1

Function 00FFAB3C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 00FFAB53
GetLastError.KERNEL32 ref: 00FFAB5D
CoInitializeEx.OLE32(00000000,00000000), ref: 00FFAB9C
CoUninitialize.OLE32(?,00FFC4F4,?,?), ref: 00FFABD9

Strings

Failed to set elevated cache pipe into thread local storage for logging., xrefs: 00FFAB8B
elevation.cpp, xrefs: 00FFAB81
Failed to pump messages in child process., xrefs: 00FFABC7
Failed to initialize COM., xrefs: 00FFABA8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
API String ID: 876858697-113251691
Opcode ID: 7d15e5254502f2ff91f38b639a87adcda70e76db65768707576fe1accb3734e1
Instruction ID: e296225c123e6d94f591b4c6b5fe4ec1b0e2e9123567d9bcf38140e8d4761d1c
Opcode Fuzzy Hash: 7d15e5254502f2ff91f38b639a87adcda70e76db65768707576fe1accb3734e1
Instruction Fuzzy Hash: 191159B3A00639BF97211B668C05DABBB9CEF45720B21425BFE08F7110EB759C00A7E1

Function 00FE5BF0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 54registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01020E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00FE5C77

Strings

Failed to read folder path for '%ls'., xrefs: 00FE5C43
Failed to ensure path was backslash terminated., xrefs: 00FE5C61
Failed to open Windows folder key., xrefs: 00FE5C29
ProgramFilesDir, xrefs: 00FE5BF8
+, xrefs: 00FE5BFD
CommonFilesDir, xrefs: 00FE5C03, 00FE5C33, 00FE5C42
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00FE5C14

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 47109696-3209209246
Opcode ID: f1e12dc49722f7fb870d4d3ac5974d3838f483e4e62848a020cebf964ddafdd6
Instruction ID: f98975e1be56bdd11e764bcd140c22c6593bb963cd201aa2dee801b02c735c7d
Opcode Fuzzy Hash: f1e12dc49722f7fb870d4d3ac5974d3838f483e4e62848a020cebf964ddafdd6
Instruction Fuzzy Hash: 5E01B533A40778BBCB236AAADD22E9EB768DB50F64F304159FC44BA104D7759E10A3D0

Function 0100A024 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 172COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,00000001,00000000,?), ref: 0100A0F1
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0100A0FB

Strings

Failed to clear readonly bit on payload destination path: %ls, xrefs: 0100A12A
:, xrefs: 0100A174
Failed attempt to download URL: '%ls' to: '%ls', xrefs: 0100A1D8
download, xrefs: 0100A0BB
apply.cpp, xrefs: 0100A11F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
API String ID: 1799206407-1905830404
Opcode ID: fa6c60536a369d75382a2cd2cd3ca9c628238d6fb6aa8f3c8b93bc1901f06a8e
Instruction ID: 9b9d993352df0e612db90df24ede3935744fab8a702dbb2d542a0b14d7e72639
Opcode Fuzzy Hash: fa6c60536a369d75382a2cd2cd3ca9c628238d6fb6aa8f3c8b93bc1901f06a8e
Instruction Fuzzy Hash: 69518171A00319EFEB12DFA9C840AEFBBF5EF04750F108159E985AB291E335DA40CB91

Function 01026DA8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,774CDFD0,000000FF,type,000000FF,?,774CDFD0,774CDFD0,774CDFD0), ref: 01026DFE
SysFreeString.OLEAUT32(00000000), ref: 01026E49
SysFreeString.OLEAUT32(00000000), ref: 01026EC5
SysFreeString.OLEAUT32(00000000), ref: 01026F11

Strings

url, xrefs: 01026E11
type, xrefs: 01026DF0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$Free$Compare
String ID: type$url
API String ID: 1324494773-1247773906
Opcode ID: 6cda61452cab0c1edd7a7336ead5ff0632ffd179795ee69e38714ca72b8ac7c8
Instruction ID: c0f2a194a2804c40e9f6783752ff7466aa506e359920cc80bc40ad75600e8d05
Opcode Fuzzy Hash: 6cda61452cab0c1edd7a7336ead5ff0632ffd179795ee69e38714ca72b8ac7c8
Instruction Fuzzy Hash: BE516C71901229EBDF65DFA4C844EEEBBB8AF04711F1042A9E951EB2A4D7329E00CB50

Function 0102837F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000000,?,?,01008E1F,000002C0,00000100), ref: 010283AD
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,01008E1F,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 010283C8

Strings

application, xrefs: 010283BA
apuputil.cpp, xrefs: 01028463
type, xrefs: 010283EF
http://appsyndication.org/2006/appsyn, xrefs: 010283A0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 2664528157-4206478990
Opcode ID: 9661aab35ca960589da07761c0b5e846e64d74f17764fd07d4efb0b1f6882dd3
Instruction ID: 5a4f5e7dc17c113a25dcd9a30f5d11dd93723f75cb4d3d76d7b7988ab68fed8d
Opcode Fuzzy Hash: 9661aab35ca960589da07761c0b5e846e64d74f17764fd07d4efb0b1f6882dd3
Instruction Fuzzy Hash: 9E510275A00721ABEB618F19CC85F1A7BE5EF04720F20C259FAA99B2D5DB75E940CB10

Function 0102635A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 010263B7
DeleteFileW.KERNEL32(00000000,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 010264AE
CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 010264BD

Strings

DownloadTimeout, xrefs: 010263F0
dlutil.cpp, xrefs: 010263DB
WiX\Burn, xrefs: 010263F5
Burn, xrefs: 010263A6

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseDeleteErrorFileHandleLast
String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
API String ID: 3522763407-1704223933
Opcode ID: 0b85915721d1aa1f5c44365d7d11f4fc3d7eaec8a37e2abee491388986bd1e50
Instruction ID: 431ecc0bcb563e5fd018f6bcfdc5543620cd5619c172216fc8777f8a4602d22e
Opcode Fuzzy Hash: 0b85915721d1aa1f5c44365d7d11f4fc3d7eaec8a37e2abee491388986bd1e50
Instruction Fuzzy Hash: CD514F76D00229BBDF12DFA4CD44EEEBBB9EF08610F104155FE44E6150EB368A50DBA0

Function 00FF9080 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FF910E

Part of subcall function 01025587: GetLastError.KERNEL32(?,?,00FF9133,?,00000003,00000000,?), ref: 010255A6

_memcmp.LIBVCRUNTIME ref: 00FF9148
GetLastError.KERNEL32 ref: 00FF91C2

Strings

Failed to get certificate public key identifier., xrefs: 00FF91F0
cache.cpp, xrefs: 00FF91E6
Failed to find expected public key in certificate chain., xrefs: 00FF9183
Failed to read certificate thumbprint., xrefs: 00FF91B6

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast_memcmp
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
API String ID: 3428363238-3408201827
Opcode ID: dac215ebef15b6027264e4b2d62c16ecf967d32985c174fe4aab5507c52b2e44
Instruction ID: a1c362f78e909c894fe4ff3158c3495d6e68158717277eb22006ede0ccacdb9d
Opcode Fuzzy Hash: dac215ebef15b6027264e4b2d62c16ecf967d32985c174fe4aab5507c52b2e44
Instruction Fuzzy Hash: E9416371E0421AAFDB10DEA9C844BAEB7F9BF08710F004129FA45E7261D775ED04DBA4

Function 00FF0419 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 00FF054A
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 00FF0559

Part of subcall function 01020AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00FF0491,?,00000000,00020006), ref: 01020AFA

Strings

%ls.RebootRequired, xrefs: 00FF0467
Failed to open registration key., xrefs: 00FF0591
Failed to write volatile reboot required registry key., xrefs: 00FF0495
Failed to update resume mode., xrefs: 00FF052E
Failed to delete registration key: %ls, xrefs: 00FF04F8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
API String ID: 359002179-2517785395
Opcode ID: 4169c53c2493350438f219108321af5aef47a52a6352bfde72eecea7bf66816a
Instruction ID: 5d3c7ce15ae67fcfc3d6de572418acf18e3e1f2fdc6ad23dfa7dc06e59e09dae
Opcode Fuzzy Hash: 4169c53c2493350438f219108321af5aef47a52a6352bfde72eecea7bf66816a
Instruction Fuzzy Hash: 3441A232900319FBDF22AFA1DC01EBF77BAAF90310F184469FA8561062DB759A50EB51

Function 00FEF69D Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00FEF7CD
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00FEF7DA

Strings

%ls.RebootRequired, xrefs: 00FEF6BA
Failed to open registration key., xrefs: 00FEF736
Failed to format pending restart registry key to read., xrefs: 00FEF6D1
Resume, xrefs: 00FEF741
Failed to read Resume value., xrefs: 00FEF763

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 05798b42454ff9a4b570a9ea97674156a91d8837e8bda1cfc19e3eb8c54499de
Instruction ID: 1cd2764df6334d1a814089caca25bf16d55a4ab49b2931bdd11b71acea519159
Opcode Fuzzy Hash: 05798b42454ff9a4b570a9ea97674156a91d8837e8bda1cfc19e3eb8c54499de
Instruction Fuzzy Hash: B2414336D00259EFCB11AF9ACC80AEDBBB5FF05310F65417AE814AB210D3769E44EB90

Function 00FFA7FA Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

WixBundleLastUsedSource, xrefs: 00FFA899, 00FFA89F, 00FFA8DB
Failed to determine length of source path., xrefs: 00FFA82A
Failed to determine length of relative path., xrefs: 00FFA847
Failed to trim source folder., xrefs: 00FFA88F
Failed to set last source., xrefs: 00FFA8EA

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 0-660234312
Opcode ID: f8a57f03a770cdea37cdb4259881b4d87548d8fbce122b29246fe18f93713fb2
Instruction ID: 27c2abba1a93a4eef29537e701cb035b3eae84e01700bc18e85ff88ae561d802
Opcode Fuzzy Hash: f8a57f03a770cdea37cdb4259881b4d87548d8fbce122b29246fe18f93713fb2
Instruction Fuzzy Hash: A331E772D0022DBBCB219B94CC45FBEBB79AF40770F200265FA24A61E0EA718E41E751

Function 0100D677 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(01040A84,00000000,00000017,01040A94,?,?,00000000,00000000,?,?,?,?,?,0100DCAE,00000000,00000000), ref: 0100D6AF

Strings

Failed to create IBackgroundCopyManager., xrefs: 0100D6BB
Failed to create BITS job., xrefs: 0100D6E9
WixBurn, xrefs: 0100D6DA
Failed to set notification flags for BITS job., xrefs: 0100D701
Failed to set progress timeout., xrefs: 0100D719
Failed to set BITS job to foreground., xrefs: 0100D730

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-468763447
Opcode ID: acc6dc9676ea9b1c4c740bee2f5b87a341b6499f14ccda3844b7327309f871a6
Instruction ID: 9c89f489f9d322523924c184c552be68d6c960bec494a039c49be17b000ddbd7
Opcode Fuzzy Hash: acc6dc9676ea9b1c4c740bee2f5b87a341b6499f14ccda3844b7327309f871a6
Instruction Fuzzy Hash: 88316571A40615AFA716CFE5C895EBFBBB4AF48710F00016DF945EB250D671AC0187A1

Function 01025C68 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 01025CB2
GetLastError.KERNEL32 ref: 01025CBF
ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 01025D06
CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 01025D6E

Strings

%ls.R, xrefs: 01025C86
dlutil.cpp, xrefs: 01025CE3, 01025D5E

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastRead
String ID: %ls.R$dlutil.cpp
API String ID: 2136311172-657863730
Opcode ID: 67e4f2d1f79b2d55b298ff5e2d46047b6c39da89d9218e36f433230e649ea722
Instruction ID: a1f9b9a534c100bdc87d4fb86185fad230f1de6c1c9a9181b86b60e9b2b91e90
Opcode Fuzzy Hash: 67e4f2d1f79b2d55b298ff5e2d46047b6c39da89d9218e36f433230e649ea722
Instruction Fuzzy Hash: D6312672A00224BFFB319E69CC88BAA7BE8EF05720F114259FE45EB1C0D7759D0187A5

Function 00FEC7DF Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 97fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FECC57: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,00FEE336,000000FF,00000000,00000000,00FEE336,?,?,00FEDADD,?,?,?,?), ref: 00FECC82

CreateFileW.KERNEL32(E90102BA,80000000,00000005,00000000,00000003,08000000,00000000,00FE52BD,0102B450,00000000,00FE53B5,04680A79,?,00FE52B5,00000000,00FE5381), ref: 00FEC84F
GetLastError.KERNEL32(?,?,?,00FF75F7,00FE5565,00FE5371,00FE5371,00000000,?,00FE5381,FFF9E89D,00FE5381,00FE53B5,00FE533D,?,00FE533D), ref: 00FEC894

Strings

Failed to open catalog in working path: %ls, xrefs: 00FEC8C2
Failed to get catalog local file path, xrefs: 00FEC8D2
Failed to verify catalog signature: %ls, xrefs: 00FEC88D
Failed to find payload for catalog file., xrefs: 00FEC8D9
catalog.cpp, xrefs: 00FEC8B5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareCreateErrorFileLastString
String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
API String ID: 1774366664-48089280
Opcode ID: a245edf4fd8ca902e0dd2324d41f8a896b4a7078038bba0b22dd7eed5b23580d
Instruction ID: 48bc3858ffbadc6002d72dd2ce1993d77c57ae2145db356829fe6476bed1cf4b
Opcode Fuzzy Hash: a245edf4fd8ca902e0dd2324d41f8a896b4a7078038bba0b22dd7eed5b23580d
Instruction Fuzzy Hash: 6F310872E00625BFD7219F66CD41F59BBA4EF04750F218229FD08EB290E770AE51A7D0

Function 0100D12C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,774D30B0,00000000,?,?,?,?,0100D439,?), ref: 0100D145
ReleaseMutex.KERNEL32(?,?,?,?,0100D439,?), ref: 0100D161
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0100D1A4
ReleaseMutex.KERNEL32(?), ref: 0100D1BB
SetEvent.KERNEL32(?), ref: 0100D1C4

Strings

Failed to send files in use message from netfx chainer., xrefs: 0100D20A
Failed to get message from netfx chainer., xrefs: 0100D1E5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: 17d417f7af8b34e71dd231870313db16d2cd4da0cce125849a52a25b5abbef50
Instruction ID: cb31b3c02c87147a082078312622c335d49040c61749bb68c258c2b3930565e5
Opcode Fuzzy Hash: 17d417f7af8b34e71dd231870313db16d2cd4da0cce125849a52a25b5abbef50
Instruction Fuzzy Hash: 1231D771900709BFDB229FD8CC48EEEBBF5EF54320F108665F995A61A1C735D9048B90

Function 0102082D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 0102089A
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 010208A4
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 010208ED
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 010208FA

Strings

D, xrefs: 01020882
"%ls" %ls, xrefs: 01020863
procutil.cpp, xrefs: 010208C8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$D$procutil.cpp
API String ID: 161867955-2732225242
Opcode ID: a1b74df3c105e0f048851ddac8409824a88f4c72cfd240836cc503d28b497f5a
Instruction ID: f4ddc8ebb9daae4de98de14cd1642f97d47344cb484a0a6e85e52bc1de42c219
Opcode Fuzzy Hash: a1b74df3c105e0f048851ddac8409824a88f4c72cfd240836cc503d28b497f5a
Instruction Fuzzy Hash: A4213C71D0022EAFEB11EFE9CD409EFBBB9EF04214F10412AFA45B6155D7755E009BA1

Function 00FE9A6D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00FE9A86
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,00FEA7A9,00000100,000002C0,000002C0,00000100), ref: 00FE9AA6
GetLastError.KERNEL32(?,00FEA7A9,00000100,000002C0,000002C0,00000100), ref: 00FE9AB1

Strings

Failed to format variable string., xrefs: 00FE9A91
Failed while searching directory search: %ls, for path: %ls, xrefs: 00FE9B06
Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00FE9B1C
Failed to set directory search path variable., xrefs: 00FE9AE1

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: 2ab61db74bbad32f8702bf57da7f9c2bf0e44167abc0d6262cf072d71f177a1f
Instruction ID: 56cea6cf81fbc025a795013d393a5606b339548ff0a2cd25decf2d353d7b687f
Opcode Fuzzy Hash: 2ab61db74bbad32f8702bf57da7f9c2bf0e44167abc0d6262cf072d71f177a1f
Instruction Fuzzy Hash: B9112333944275BBCB226A96DD05F9EBB68EF54720F200225FC00BA160D7AA4E10B6E1

Function 00FE9C39 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00FE9C52
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,00FEA781,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00FE9C72
GetLastError.KERNEL32(?,00FEA781,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00FE9C7D

Strings

Failed to format variable string., xrefs: 00FE9C5D
Failed while searching file search: %ls, for path: %ls, xrefs: 00FE9CAA
Failed to set variable to file search path., xrefs: 00FE9CD4
File search: %ls, did not find path: %ls, xrefs: 00FE9CE0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: 6fedc450bb698ffe1d71b49b1403976037ce86149d1df5ac30f7063da864898e
Instruction ID: 0f35f9edddd11e27688a7223ccebfd958df0697d88caacfad77cd53d4e92e214
Opcode Fuzzy Hash: 6fedc450bb698ffe1d71b49b1403976037ce86149d1df5ac30f7063da864898e
Instruction Fuzzy Hash: C2112733D44276BBCB223A9ACE42B9DBBA9AF10720F300115FD44B6160D7A69D10B7E5

Function 00FFCCF4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,00FFD134,00000000,?,?,00FFC59C,00000001,?,?,?,?,?), ref: 00FFCD06
GetLastError.KERNEL32(?,?,00FFD134,00000000,?,?,00FFC59C,00000001,?,?,?,?,?,00000000,00000000,?), ref: 00FFCD10
GetExitCodeThread.KERNEL32(00000001,?,?,?,00FFD134,00000000,?,?,00FFC59C,00000001,?,?,?,?,?,00000000), ref: 00FFCD4C
GetLastError.KERNEL32(?,?,00FFD134,00000000,?,?,00FFC59C,00000001,?,?,?,?,?,00000000,00000000,?), ref: 00FFCD56

Strings

Failed to wait for cache thread to terminate., xrefs: 00FFCD3E
elevation.cpp, xrefs: 00FFCD34, 00FFCD7A
Failed to get cache thread exit code., xrefs: 00FFCD84

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
API String ID: 3686190907-1954264426
Opcode ID: a2b67ccea9d5fe5ea18c61ab76abb34a88ed15abfbb72c2cbad1cd5d8c066ae6
Instruction ID: b41b5a323aa0386255990b08bdc2359b30627266c2c67be0750d556b107c42d1
Opcode Fuzzy Hash: a2b67ccea9d5fe5ea18c61ab76abb34a88ed15abfbb72c2cbad1cd5d8c066ae6
Instruction Fuzzy Hash: CE012D72B403386BA7306EBA5D09B6F7ADCDF057A1F114125FE45EB050E6698D00A2E9

Function 00FF67B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00FF6CFB,00FE4740,?,00000000,?,00000000,00000001), ref: 00FF67BD
GetLastError.KERNEL32(?,00FF6CFB,00FE4740,?,00000000,?,00000000,00000001), ref: 00FF67C7
GetExitCodeThread.KERNEL32(00000001,00000000,?,00FF6CFB,00FE4740,?,00000000,?,00000000,00000001), ref: 00FF6806
GetLastError.KERNEL32(?,00FF6CFB,00FE4740,?,00000000,?,00000000,00000001), ref: 00FF6810

Strings

Failed to wait for cache thread to terminate., xrefs: 00FF67F8
core.cpp, xrefs: 00FF67EB, 00FF6834
Failed to get cache thread exit code., xrefs: 00FF6841

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 0d0a731f1ffbc593d583489274522b0189cdc3783905bb82acacb513fb739ba6
Instruction ID: 69fb2c73d24098456520fbb6a81730f7405d31b54caf95345ab7999d02a49937
Opcode Fuzzy Hash: 0d0a731f1ffbc593d583489274522b0189cdc3783905bb82acacb513fb739ba6
Instruction Fuzzy Hash: 25016571740304BBEB18AA65DD59B7D77E9DF00711F20412DFD46D91A0DB399E00A618

Function 00FFF586 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00FFF59B
LeaveCriticalSection.KERNEL32(?), ref: 00FFF6A8

Strings

UX denied while trying to set source on embedded payload: %ls, xrefs: 00FFF61D
Failed to set source path for payload., xrefs: 00FFF637
Engine is active, cannot change engine state., xrefs: 00FFF5B5
Failed to set source path for container., xrefs: 00FFF68D
UX requested unknown container with id: %ls, xrefs: 00FFF667
UX requested unknown payload with id: %ls, xrefs: 00FFF607

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-4121889706
Opcode ID: eef0d8d2134a90d393b2abfe21a9829ccecb3ed07a85a7b7058d10e4f450e7c6
Instruction ID: 64fad5f6974c07fa8c831d8e559f8a24415e797eb13debff143485b56f85c74c
Opcode Fuzzy Hash: eef0d8d2134a90d393b2abfe21a9829ccecb3ed07a85a7b7058d10e4f450e7c6
Instruction Fuzzy Hash: C2312B73A40629AB8B218F55CC45E7AB3ACDF54720B15416AFD44EB370DF78ED04A790

Function 00FE70D4 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 00FE70E7

Strings

Failed to allocate buffer for escaped string., xrefs: 00FE70FE
Failed to append characters., xrefs: 00FE7173
Failed to copy string., xrefs: 00FE719B
[\%c], xrefs: 00FE7146
[]{}, xrefs: 00FE7111
Failed to format escape sequence., xrefs: 00FE7181
Failed to append escape sequence., xrefs: 00FE717A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: e27a32f72a0f47b5c03b2d30814198d0fe5f0336c0b8d9ae9861b65b8fdaa2ec
Instruction ID: 9a39b1fdf60fd21b28e8d70f55f2ea7b7534ad0bb9124bb407a9ea65dd95f9bb
Opcode Fuzzy Hash: e27a32f72a0f47b5c03b2d30814198d0fe5f0336c0b8d9ae9861b65b8fdaa2ec
Instruction Fuzzy Hash: 5321A833D49375BAEB217697DC42FEEB6A89F10720F20015AF940BA140DB7CAE40B294

Function 010059B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 207COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0102B4F0,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,0100659B,?,00000001,?,0102B490), ref: 01005A19

Strings

feclient.dll, xrefs: 01005A0F, 01005B39
Failed grow array of ordered patches., xrefs: 01005AB2
Failed to plan action for target product., xrefs: 01005AC4
Failed to copy target product code., xrefs: 01005B4C
Failed to insert execute action., xrefs: 01005A6E

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
API String ID: 1825529933-3477540455
Opcode ID: 7083039e3cb3bbb43004d903faa8a2c0b3ecc19dedd485c515f931873be2aa40
Instruction ID: 782c90aab15124f22394c2289951ca8cd446354870a0962d6e52a8fe6b6244e6
Opcode Fuzzy Hash: 7083039e3cb3bbb43004d903faa8a2c0b3ecc19dedd485c515f931873be2aa40
Instruction Fuzzy Hash: 4C8126B560034A9FEB56CF58C880AAA7BE4FF09324F1585AAFD558B392D730E851CF50

Function 01009039 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,00FF6F20,000000B8,0000001C,00000100), ref: 01009068
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,0102B4A8,000000FF,?,?,?,00FF6F20,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 01009101

Strings

detect.cpp, xrefs: 01009163
BA aborted detect forward compatible bundle., xrefs: 0100916D
Failed to initialize update bundle., xrefs: 010091A9
comres.dll, xrefs: 01009187

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
API String ID: 1825529933-439563586
Opcode ID: 66ee99f4776f1f731851584a4f6a9be385fd365b8ef0bff9868aeef71c6ac6e1
Instruction ID: 36aaeaaa95b8af1e97f42a8bcd1066db35f5b3e83cd11724a598ecb05aa5b530
Opcode Fuzzy Hash: 66ee99f4776f1f731851584a4f6a9be385fd365b8ef0bff9868aeef71c6ac6e1
Instruction Fuzzy Hash: 6751D471600205BFEB56DF78CC84EBAB7AAFF05314F104668F959CA1A2D731D850DB90

Function 0101C9BD Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0101D132,?,00000000,?,00000000,00000000), ref: 0101C9FF
__fassign.LIBCMT ref: 0101CA7A
__fassign.LIBCMT ref: 0101CA95
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0101CABB
WriteFile.KERNEL32(?,?,00000000,0101D132,00000000,?,?,?,?,?,?,?,?,?,0101D132,?), ref: 0101CADA
WriteFile.KERNEL32(?,?,00000001,0101D132,00000000,?,?,?,?,?,?,?,?,?,0101D132,?), ref: 0101CB13

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: ec5430e307d98cd77cd34a7fee1e08bbb76c5f0fd2465bf8673cb1ff6112c613
Instruction ID: 15a2053e657ddd097659976f859e97812ef47bab557f313f9e5c472ed38b774b
Opcode Fuzzy Hash: ec5430e307d98cd77cd34a7fee1e08bbb76c5f0fd2465bf8673cb1ff6112c613
Instruction Fuzzy Hash: 2A51E771E002499FEB20CFA8D985AEEBBF4FF09310F14415AE595E7285D734D941CBA1

Function 00FFA998 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 138COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,000000FF,00AAC56B,?,00FE52B5,00000000,00FE533D), ref: 00FFAA90
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,00AAC56B,?,00FE52B5,00000000,00FE533D), ref: 00FFAAD4

Strings

Failed authenticode verification of payload: %ls, xrefs: 00FFAA71
Failed to get signer chain from authenticode certificate., xrefs: 00FFAB02
cache.cpp, xrefs: 00FFAA66, 00FFAAB4, 00FFAAF8
Failed to verify expected payload against actual certificate chain., xrefs: 00FFAB1A
Failed to get provider state from authenticode certificate., xrefs: 00FFAABE

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast
String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp
API String ID: 1452528299-2590768268
Opcode ID: 2d2f7553881cb3c0aaa1e6180762a82d11cbe9c11908f37c5188bd7321252618
Instruction ID: 3459c9abde3d65e4f12e54a65ff984d72188d78e766d68f99fccd94ada2b3c11
Opcode Fuzzy Hash: 2d2f7553881cb3c0aaa1e6180762a82d11cbe9c11908f37c5188bd7321252618
Instruction Fuzzy Hash: 1241B7B2E40329ABEB119BA9CD45BEF7BF8EF48310F000129FE45F7190D77599049AA5

Function 010201F0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000,00000000), ref: 01020234
GetComputerNameW.KERNEL32(?,?), ref: 0102028C

Strings

--- logging level: %hs ---, xrefs: 0102034C
=== Logging started: %ls ===, xrefs: 010202B7
Computer : %ls, xrefs: 010202FA
Executable: %ls v%d.%d.%d.%d, xrefs: 010202E8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Name$ComputerFileModule
String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
API String ID: 2577110986-3153207428
Opcode ID: 154b2cc5d445035d0d24edc8bcdd35bbb67a60c5caf7973e322aef57699341ab
Instruction ID: a9ae53001f74d4023d9affb037be581ad0eab077313f5ae10ad15f8a804693bb
Opcode Fuzzy Hash: 154b2cc5d445035d0d24edc8bcdd35bbb67a60c5caf7973e322aef57699341ab
Instruction Fuzzy Hash: 3F41DBF6A0022C9BDB31DF68DDC89EA77BCEB55200F0041E9F68AE7105D6359E848F64

Function 0102143C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 01021479
lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 010214F1
lstrlenW.KERNEL32(?,?,?,?,00000001), ref: 010214FD
RegSetValueExW.ADVAPI32(00020006,?,00000000,00000007,00000000,?,00000000,?,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006), ref: 0102153D

Strings

regutil.cpp, xrefs: 01021565
BundleUpgradeCode, xrefs: 01021442

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: lstrlen$Value
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 198323757-1648651458
Opcode ID: 87ded38544789476526efafb7c3d1dc6821e1d4b68b11fb16a53833a88ecdd36
Instruction ID: d2b5cf7c8785b10850479ea8fb0a436822cc0e6ef730ebb73641d7b6c0ea0709
Opcode Fuzzy Hash: 87ded38544789476526efafb7c3d1dc6821e1d4b68b11fb16a53833a88ecdd36
Instruction Fuzzy Hash: 5441C872E0023AEFDB21DFA9C880AAE7BE9AF44610F154169FE45E7250DA35DD118B90

Function 00FFD206 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,0102B4F0,?,00000001,000000FF,?,?,7707B390,00000000,00000001,00000000,?,00FF72F3), ref: 00FFD32F

Strings

UX aborted elevation requirement., xrefs: 00FFD244
Failed to elevate., xrefs: 00FFD311
elevation.cpp, xrefs: 00FFD23A
Failed to create pipe and cache pipe., xrefs: 00FFD28C
Failed to connect to elevated child process., xrefs: 00FFD318
Failed to create pipe name and client token., xrefs: 00FFD270

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: 78b169f668a269fc2fe3aff1e092c6a529051026d15efb23c91d316be68e29ff
Instruction ID: dbea58667be17949d2f8755c57714a63accf4803ed35afdbecd4f6ee34eea93a
Opcode Fuzzy Hash: 78b169f668a269fc2fe3aff1e092c6a529051026d15efb23c91d316be68e29ff
Instruction Fuzzy Hash: 73315C72A4072A7BE72696608C46FBB775EEF41730F100209FB05BB1A1DA65ED00A2E5

Function 0102041B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0104B60C,00000000,?,?,?,00FE5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 0102042B
CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,0104B604,?,00FE5407,00000000,Setup), ref: 010204CC
GetLastError.KERNEL32(?,00FE5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 010204DC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00FE5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 01020515

Part of subcall function 00FE2DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00FE2F1F

LeaveCriticalSection.KERNEL32(0104B60C,?,?,0104B604,?,00FE5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 0102056E

Strings

logutil.cpp, xrefs: 010204FA

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: 173fe86cd9ff61881a207d06095788ad7e2363438bd138246f3f9a710c84589c
Instruction ID: 6aedea88295a1a15e5ae5d7072aea083e8b8cc7d779d440668c0b26f7b39b942
Opcode Fuzzy Hash: 173fe86cd9ff61881a207d06095788ad7e2363438bd138246f3f9a710c84589c
Instruction Fuzzy Hash: 9D31B3B5A01339BFEB31EE65DDC5AAB3BACEB04750F100129FE80AA154D73ADD409790

Function 00FFD01A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 117threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00FFAB3C,?,00000000,00000000), ref: 00FFD0B8
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FFD0C4
CloseHandle.KERNEL32(00000000,00000000,?,?,00FFC59C,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 00FFD145

Strings

Failed to create elevated cache thread., xrefs: 00FFD0F2
elevation.cpp, xrefs: 00FFD0E8
Failed to pump messages in child process., xrefs: 00FFD11C

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLastThread
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
API String ID: 747004058-4134175193
Opcode ID: bf618cb0ca752cc787e52a8379bf8938fa27de6ef401d8bce8b2054b11762bbc
Instruction ID: eea044bd94df4067394fe77fa2552106139d8a2155266d98971584d715a86d3b
Opcode Fuzzy Hash: bf618cb0ca752cc787e52a8379bf8938fa27de6ef401d8bce8b2054b11762bbc
Instruction Fuzzy Hash: 2241F3B5E0131DAF9B11DFA9D8849EEBBF9EF49310F10412AF908E7350D774A9409BA4

Function 01003750 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 010037B7

Strings

Failed to escape string., xrefs: 01003839
Failed to format property value., xrefs: 01003840
Failed to format property string part., xrefs: 01003832
%s%="%s", xrefs: 010037EA
Failed to append property string part., xrefs: 0100382B

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
API String ID: 3613110473-515423128
Opcode ID: 223090d35099594221286633b49a9fa25ed6b2002bbdea79aac4b7b4a5d22930
Instruction ID: 9c1050a676da59638fb2e6152c0575f9ee0b8788bca3f502cbe251fb31959b21
Opcode Fuzzy Hash: 223090d35099594221286633b49a9fa25ed6b2002bbdea79aac4b7b4a5d22930
Instruction Fuzzy Hash: CF31A772905316EFEB179F99CC41A9E7BA8FF00B10F0041AAF9456A291D7759B10DB90

Function 00FE7203 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00FE583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 00FE7215
LeaveCriticalSection.KERNEL32(00000000,00000000,00000002,00000000,?,?,?,00FE583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 00FE72F4

Strings

*****, xrefs: 00FE72B0, 00FE72BD
Failed to format value '%ls' of variable: %ls, xrefs: 00FE72BE
Failed to get unformatted string., xrefs: 00FE7285
Failed to get variable: %ls, xrefs: 00FE7256
Failed to get value as string for variable: %ls, xrefs: 00FE72E3

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 35c0337e3de838578b11f21beb86d782c2a5d220719ee061f572df23acd97ebd
Instruction ID: af3b8c18a73d78467e607b4e9c71547b35932e6c12c520af202d2b6da3be3252
Opcode Fuzzy Hash: 35c0337e3de838578b11f21beb86d782c2a5d220719ee061f572df23acd97ebd
Instruction Fuzzy Hash: B431B432D047AABBDF22AE52CC05B9E7B65EF10724F204125FA047A550D775AE50BFC1

Function 00FF8BE5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 00FF8C30
GetLastError.KERNEL32(?,?,?,00000001), ref: 00FF8C3A
SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 00FF8C9A

Strings

Failed to allocate administrator SID., xrefs: 00FF8C16
Failed to initialize ACL., xrefs: 00FF8C68
cache.cpp, xrefs: 00FF8C5E

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
API String ID: 669721577-1117388985
Opcode ID: e2300b6d5e7127859c3e4c25c0db2cb28bda477c7187dae856048794f63bc0d8
Instruction ID: b731560350c2b0611927afb59be23c4799c9afdcd2e3a7e39e718b580b4819e9
Opcode Fuzzy Hash: e2300b6d5e7127859c3e4c25c0db2cb28bda477c7187dae856048794f63bc0d8
Instruction Fuzzy Hash: AE213D72F40318BBEB219E969C85FAEB7ACEF40750F114029FE04F7180DA759E01A7A0

Function 00FE410D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,00FF3ED4,00000001,feclient.dll,?,00000000,?,?,?,00FE4A0C), ref: 00FE4148
GetLastError.KERNEL32(?,?,00FF3ED4,00000001,feclient.dll,?,00000000,?,?,?,00FE4A0C,?,?,0102B478,?,00000001), ref: 00FE4154
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,00FF3ED4,00000001,feclient.dll,?,00000000,?,?,?,00FE4A0C,?), ref: 00FE418F
GetLastError.KERNEL32(?,?,00FF3ED4,00000001,feclient.dll,?,00000000,?,?,?,00FE4A0C,?,?,0102B478,?,00000001), ref: 00FE4199

Strings

crypt32.dll, xrefs: 00FE4111
dirutil.cpp, xrefs: 00FE41BD

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: crypt32.dll$dirutil.cpp
API String ID: 152501406-1104880720
Opcode ID: 09c65403cac7acc1fd66b3d8d8c57748335f51f1ec76e620a569dd15c994da9f
Instruction ID: 619e79130a2701caef3916ae1e9cbb8a15a7e4327ad5bd08844f50fc66f2d252
Opcode Fuzzy Hash: 09c65403cac7acc1fd66b3d8d8c57748335f51f1ec76e620a569dd15c994da9f
Instruction Fuzzy Hash: 2B119A76E00766ABAB329DAB4C84767B7ECDF14791B210139FD04E7100E769EC4096E1

Function 00FE999B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00FE99B6
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 00FE99CE
GetLastError.KERNEL32 ref: 00FE99D9

Strings

Failed to set variable., xrefs: 00FE9A4E
Failed to format variable string., xrefs: 00FE99C1
Failed while searching directory search: %ls, for path: %ls, xrefs: 00FE9A16

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: 1b2005e9f792136637240bedafbbcb6bd14ba41849b41782149e4714fd274932
Instruction ID: 4d9bcc67e92361f084a7aeee7156891a7781c7917a66ac64d444f9352e51d5c3
Opcode Fuzzy Hash: 1b2005e9f792136637240bedafbbcb6bd14ba41849b41782149e4714fd274932
Instruction Fuzzy Hash: 22210B33E44265BBCB11AAA6CC41BADB765EF15720F208329FC40B6150D7795E50B7E1

Function 010008F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 01000940
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0100095F
GetLastError.KERNEL32 ref: 01000969

Strings

Unexpected call to CabWrite()., xrefs: 01000923
cabextract.cpp, xrefs: 0100098D
Failed to write during cabinet extraction., xrefs: 01000997

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: abb5da4c57ed38a0d18f4a535974c4efdde370f807733a92deb24da6ef93246d
Instruction ID: 3e86c1f1a82f3cb9cddb29e27f8d21e9c27e5c963829cf4bbb0a720bcb590eea
Opcode Fuzzy Hash: abb5da4c57ed38a0d18f4a535974c4efdde370f807733a92deb24da6ef93246d
Instruction Fuzzy Hash: 0B21C376600204EFEB11DF6DDD84EA977E9FF88750F110199FE48CB249D672D9008750

Function 010009B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 01000A25
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01000A37
SetFileTime.KERNEL32(?,?,?,?), ref: 01000A4A
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,01000616,?,?), ref: 01000A59

Strings

Invalid operation for this state., xrefs: 010009FE
cabextract.cpp, xrefs: 010009F4

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: 80320f3e5b5a866f43ee3d301e036b3d86063a3308a56b5eadac2016a395a983
Instruction ID: 9b80bdba9699b3c1db6ca1bc10f3fa3ef1efcb65e0d8e115b5a4f34e15349f1f
Opcode Fuzzy Hash: 80320f3e5b5a866f43ee3d301e036b3d86063a3308a56b5eadac2016a395a983
Instruction Fuzzy Hash: 5721F37280061AABAB218FACCC489EA7BBCFF05720F14435AF991D75C4C775DA51CB90

Function 00FF444C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

_memcpy_s.LIBCMT ref: 00FF449E
_memcpy_s.LIBCMT ref: 00FF44B1
_memcpy_s.LIBCMT ref: 00FF44CC

Strings

feclient.dll, xrefs: 00FF4466, 00FF449C
pipe.cpp, xrefs: 00FF447D
Failed to allocate memory for message., xrefs: 00FF4487

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: Failed to allocate memory for message.$feclient.dll$pipe.cpp
API String ID: 886498622-766083570
Opcode ID: 67e486f7459cb2435c017083a2a3af9f3671914c47a4d0e707e71e1240aa403e
Instruction ID: ac4ed877b9e14784bf77dfb70190003a93d8d835521e8a4502b2bf871cd0a810
Opcode Fuzzy Hash: 67e486f7459cb2435c017083a2a3af9f3671914c47a4d0e707e71e1240aa403e
Instruction Fuzzy Hash: D51151B260431EABDB01DE91CC85DEBB3ACEF58710F00452AFA019B150EB74EA54D7E1

Function 00FE44E8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00FE4512
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00FE4519
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00FE4523
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00FE4573
GetLastError.KERNEL32 ref: 00FE457D
CloseHandle.KERNEL32(?), ref: 00FE4677

Strings

engine.cpp, xrefs: 00FE4547
Failed to get process token., xrefs: 00FE4551

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
String ID: Failed to get process token.$engine.cpp
API String ID: 4232854991-1789768409
Opcode ID: 88539570027eabef374b7735167c27407e7ad7985056f8c38fe5c4324786b14f
Instruction ID: 6585e801cffb4aa03cc9bb5f80d7eb4e98e0701833ead751f5a01d82b2730578
Opcode Fuzzy Hash: 88539570027eabef374b7735167c27407e7ad7985056f8c38fe5c4324786b14f
Instruction Fuzzy Hash: 6801C832A00315AFEB216EBA9C89ABFBBA4EB05211F20012DFE46E7140D6395D0487D5

Function 00FE6644 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00FE667D
GetLastError.KERNEL32 ref: 00FE6687

Strings

Failed to get temp path., xrefs: 00FE66B5
variable.cpp, xrefs: 00FE66AB
4Mw, xrefs: 00FE667D
Failed to set variant value., xrefs: 00FE66D1

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastPathTemp
String ID: 4Mw$Failed to get temp path.$Failed to set variant value.$variable.cpp
API String ID: 1238063741-4272026285
Opcode ID: a21908a2cfaa231a2b6b2448c1fa7fd6728d0b554e180de44d4eb48185450351
Instruction ID: 5d3888ca8f7498349b9fffcd29a15c0260793c6a17fa517a80ca5b3a658078b9
Opcode Fuzzy Hash: a21908a2cfaa231a2b6b2448c1fa7fd6728d0b554e180de44d4eb48185450351
Instruction Fuzzy Hash: B9014972F40339ABF730FAA99D05FEA33989B14750F100169FD44FB180EA659E0487E5

Function 01029555 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

ReleaseSRWLockExclusive, xrefs: 01029594
KERNEL32.DLL, xrefs: 0102956F
AcquireSRWLockExclusive, xrefs: 01029584

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: ecde4a4ecb84476c5bbcf421f0796e1ad0af40a29351a70d9017a53132be7c23
Instruction ID: 72d16be477f81012f6e450f463087064348c04d09e158fae5ec390a53c185c27
Opcode Fuzzy Hash: ecde4a4ecb84476c5bbcf421f0796e1ad0af40a29351a70d9017a53132be7c23
Instruction Fuzzy Hash: 2001F4B53423325B4FB29DBA98C05AB37CCEA0261971441BBE6D1C7240E71BC081C7A0

Function 010209BB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00FE5D8F,00000000), ref: 010209CF
GetProcAddress.KERNEL32(00000000), ref: 010209D6
GetLastError.KERNEL32(?,?,?,00FE5D8F,00000000), ref: 010209ED

Strings

IsWow64Process, xrefs: 010209C0
procutil.cpp, xrefs: 01020A0E
kernel32, xrefs: 010209C7

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$kernel32$procutil.cpp
API String ID: 4275029093-1586155540
Opcode ID: 510b39a041f5344b2d1fa3efd3bd15b260762874a5b6eb7ba52e6ab7a39f3496
Instruction ID: 7f8a04d2b1084625a21aa56a67c22c61cbe08fdfb59da08e808507cd6d95b2be
Opcode Fuzzy Hash: 510b39a041f5344b2d1fa3efd3bd15b260762874a5b6eb7ba52e6ab7a39f3496
Instruction Fuzzy Hash: 07F0A472A00335AB97319FA69C49A5BBB98EF05651B008225FD45EB244E679DD0087E0

Function 0101A059 Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,01013382,01013382,?,?,?,0101A2AA,00000001,00000001,E3E85006), ref: 0101A0B3
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0101A2AA,00000001,00000001,E3E85006,?,?,?), ref: 0101A139
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,E3E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0101A233
__freea.LIBCMT ref: 0101A240

Part of subcall function 01015154: HeapAlloc.KERNEL32(00000000,?,?,?,01011E90,?,0000015D,?,?,?,?,010132E9,000000FF,00000000,?,?), ref: 01015186

__freea.LIBCMT ref: 0101A249
__freea.LIBCMT ref: 0101A26E

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: a03f704fc7d6416407294d79e9d3a72c8a8cd792cf95235db9c5e3c5a9e21e2f
Instruction ID: e926f96f39e92ffc9f6f11820d6cbb8f65b696dd70d6246d79c38b3776edae25
Opcode Fuzzy Hash: a03f704fc7d6416407294d79e9d3a72c8a8cd792cf95235db9c5e3c5a9e21e2f
Instruction Fuzzy Hash: 2C51E172701266EFEB268E68CC80EFF7BAAEB54650F144269FD84D7148EB3DDC408650

Function 00FFF6B8 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00FFF6D0
LeaveCriticalSection.KERNEL32(?,?), ref: 00FFF81D

Strings

update\%ls, xrefs: 00FFF72E
Failed to default local update source, xrefs: 00FFF742
Failed to set update bundle., xrefs: 00FFF7F3
Failed to recreate command-line for update bundle., xrefs: 00FFF79C

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
API String ID: 3168844106-1266646976
Opcode ID: dee80140989bef2e281651eea48e0f4ff7718998dd5429d12ee3c0a48c8a0a7d
Instruction ID: bebc37c512f4ad7edc319a6e3bc902150ee856ba2e95478b3258232285e73f1e
Opcode Fuzzy Hash: dee80140989bef2e281651eea48e0f4ff7718998dd5429d12ee3c0a48c8a0a7d
Instruction Fuzzy Hash: 40419D3290021AEFDF219F94CC45EBAB7A8EF14364F0542B9FA04A7170D771AD54EB90

Function 00FF8AA3 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,00000000,00000000), ref: 00FF8B0F

Strings

Failed to calculate cache path., xrefs: 00FF8ACC
per-user, xrefs: 00FF8B67, 00FF8BA8
per-machine, xrefs: 00FF8B62, 00FF8B6F, 00FF8BA3, 00FF8BB0
Failed to get %hs package cache root directory., xrefs: 00FF8B70
Failed to get old %hs package cache root directory., xrefs: 00FF8BB1

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 3472027048-398165853
Opcode ID: c1e93cad8006c78333d7e85cc0230550882c1f132a593ae0bd6cf33abfa8d041
Instruction ID: 73aa236a2c468d10ab58d2b2df61fa7ea34a2849290bd87a92914eba416b2038
Opcode Fuzzy Hash: c1e93cad8006c78333d7e85cc0230550882c1f132a593ae0bd6cf33abfa8d041
Instruction Fuzzy Hash: E5312DB2A0022DBBDB11AA55CC47FBFB65CDF80750F100019FF05E6261DE758D027291

Function 00FFE705 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 00FFE734
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00FFE743
SetWindowLongW.USER32(?,000000EB,?), ref: 00FFE757
DefWindowProcW.USER32(?,?,?,?), ref: 00FFE767
GetWindowLongW.USER32(?,000000EB), ref: 00FFE781
PostQuitMessage.USER32(00000000), ref: 00FFE7DE

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: f5e89818704f7209cd0ace3df325c030335e140b95bbfe4d6b631c6e48719ef9
Instruction ID: b8ccae7e2974f9e3afc83db4355d87f40991d6f9e1f58d37b55856319f70fb37
Opcode Fuzzy Hash: f5e89818704f7209cd0ace3df325c030335e140b95bbfe4d6b631c6e48719ef9
Instruction Fuzzy Hash: C921A13250421CBFDF216FA4DC48E7A3BA9EF44764F248524FA56AA1B0C635DD10EB60

Function 00FFC59C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 163synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 00FFC5E4
CloseHandle.KERNEL32(?), ref: 00FFC5EC

Strings

Unexpected elevated message sent to child process, msg: %u, xrefs: 00FFC794
elevation.cpp, xrefs: 00FFC788
Failed to save state., xrefs: 00FFC661

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
API String ID: 4207627910-1576875097
Opcode ID: 20cc9412d54bc095c597c6a567f777e346fded591adcda9d34f3d2daa27c1651
Instruction ID: bd982f0290b4443e217f981a37af1300af37f37586cbcfb62ce2ecaf9afa9a21
Opcode Fuzzy Hash: 20cc9412d54bc095c597c6a567f777e346fded591adcda9d34f3d2daa27c1651
Instruction Fuzzy Hash: F361C63B10051CEFCB226F95CE41D66BBA2FF093147158559FA995A632C732E921FF80

Function 010210C5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 010210ED
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00FF6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 01021126
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 0102121A

Strings

regutil.cpp, xrefs: 01021161
BundleUpgradeCode, xrefs: 010210CC

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: b5151d3e15ee10774d752aa54211b43ff3157cc33a85c204c4175ffe5157353e
Instruction ID: 5488aaf29ef222f7f2298aeb6548449e262a16996cf55189e6f61aabf57ee23f
Opcode Fuzzy Hash: b5151d3e15ee10774d752aa54211b43ff3157cc33a85c204c4175ffe5157353e
Instruction Fuzzy Hash: 9141F171A0022AAFDB21CF99C884AAEBBF9FF45710F1141A9FD55EB200D635DD158B90

Function 010261FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128fileCOMMON

Download Yara Rule

APIs

Part of subcall function 010247D3: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00FF8564,00000000,00000000,00000000,00000000,00000000), ref: 010247EB
Part of subcall function 010247D3: GetLastError.KERNEL32(?,?,?,00FF8564,00000000,00000000,00000000,00000000,00000000), ref: 010247F5

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,01025AC5,?,?,?,?,?,?,?,00010000,?), ref: 01026263
WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,01025AC5,?,?,?,?), ref: 010262B5
GetLastError.KERNEL32(?,01025AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 010262FB
GetLastError.KERNEL32(?,01025AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 01026321

Strings

dlutil.cpp, xrefs: 01026345

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$Write$Pointer
String ID: dlutil.cpp
API String ID: 133221148-2067379296
Opcode ID: 5025b0d2db07b86ae8f991b7aa0896436d30facd9f0e8b7a2371513ef17cbd72
Instruction ID: ebbf30c82449c56dfd76cab017f2fdc7377b14a9653d619a6d624877397bf0bb
Opcode Fuzzy Hash: 5025b0d2db07b86ae8f991b7aa0896436d30facd9f0e8b7a2371513ef17cbd72
Instruction Fuzzy Hash: FC419072900229EFEB218E98CD84BEA7BE8FF04310F154125FE40E6090D776DD64DBA0

Function 00FE2436 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,0101FEE7,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0101FEE7,?,00000000,00000000), ref: 00FE247C
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0101FEE7,?,00000000,00000000,0000FDE9), ref: 00FE2488

Part of subcall function 00FE3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,00FE21DC,000001C7,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE3B59
Part of subcall function 00FE3B51: HeapSize.KERNEL32(00000000,?,00FE21DC,000001C7,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE3B60

Strings

strutil.cpp, xrefs: 00FE24AC

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 14724d44a80367714e5839e59ed813c495f01aac7d482e002c16d0deff9f9c70
Instruction ID: 552ba0161cb8068899d226365086b4ff1366be5c804bceb454e61f9306623832
Opcode Fuzzy Hash: 14724d44a80367714e5839e59ed813c495f01aac7d482e002c16d0deff9f9c70
Instruction Fuzzy Hash: 4031D272200399AFFB50DE6A8CC4A7A32DEFB44364B204229FD519B1D1FA75CC40A760

Function 0100AAE8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract payload: %ls from container: %ls, xrefs: 0100ABE3
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 0100ABEF
Failed to extract all payloads from container: %ls, xrefs: 0100AB9C
Failed to open container: %ls., xrefs: 0100AB2A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1214770103-3891707333
Opcode ID: 7a46207336e34937ba5851717fd7be358c7de3ac9ef8c82f8ee2dc4b3aee7998
Instruction ID: 5d9ccaa6fc79ccac04da115c7100fb406359204b7faf91da4dac9fcb4fef3085
Opcode Fuzzy Hash: 7a46207336e34937ba5851717fd7be358c7de3ac9ef8c82f8ee2dc4b3aee7998
Instruction Fuzzy Hash: 2431C532E0062AFBDF129AE4CC41E8E7769AF14310F200A65FE51AB1D2D7359A51DBE0

Function 010240C8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,01024203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00FF9E5F,00000000), ref: 010240ED
GetLastError.KERNEL32(00000001,?,01024203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00FF9E5F,00000000,000007D0,00000001,00000001,00000003), ref: 010240FC
MoveFileExW.KERNEL32(00000003,00000001,000007D0,00000001,00000000,?,01024203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00FF9E5F,00000000), ref: 0102417F
GetLastError.KERNEL32(?,01024203,00000003,00000001,00000001,000007D0,00000003,00000000,?,00FF9E5F,00000000,000007D0,00000001,00000001,00000003,000007D0), ref: 01024189

Strings

fileutil.cpp, xrefs: 010241A7

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastMove
String ID: fileutil.cpp
API String ID: 55378915-2967768451
Opcode ID: 868cc12ab118266841ea17b66ca9b93edf2f55dabc89b5a6ad4c9df85e9f56d1
Instruction ID: 8a2080e0b600f67febff90a6a811d9c11ceb4676764fa73af8b12004dec25f34
Opcode Fuzzy Hash: 868cc12ab118266841ea17b66ca9b93edf2f55dabc89b5a6ad4c9df85e9f56d1
Instruction Fuzzy Hash: 8C21F2367403369BEB221E69CC8067F7AD4EB506A1F220127FD89D7140D7358C0192E1

Function 01024212 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01024315: FindFirstFileW.KERNEL32(01008FFA,?,000002C0,00000000,00000000), ref: 01024350
Part of subcall function 01024315: FindClose.KERNEL32(00000000), ref: 0102435C

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll), ref: 01024305

Part of subcall function 01020E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

Part of subcall function 010210C5: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 010210ED
Part of subcall function 010210C5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00FF6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 01021126

Strings

crypt32.dll, xrefs: 0102423D
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 01024244
\, xrefs: 0102428E
PendingFileRenameOperations, xrefs: 01024270

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: 82ad0e132e9c07f9d3ba9187f016a58c3c1cdeb8f3dfe3ca96fd46349ec6de3f
Instruction ID: db6a150760899c5aa093175c1bb6af3256d4f5250f85300fb158931682dbbc2c
Opcode Fuzzy Hash: 82ad0e132e9c07f9d3ba9187f016a58c3c1cdeb8f3dfe3ca96fd46349ec6de3f
Instruction Fuzzy Hash: 4B31F835A00229FBDF229FCACC809ADBBB9FF01750F9581AAEA44E6111D3319644CB50

Function 00FEEEF9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,00FF04CB,00000001,00000001,00000001,00FF04CB,00000000), ref: 00FEEF70
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,00FF04CB,00000001,00000001,00000001,00FF04CB,00000000,00000001,00000002,00FF04CB,00000001), ref: 00FEEF87

Strings

Failed to remove update registration key: %ls, xrefs: 00FEEFB4
PackageVersion, xrefs: 00FEEF51
Failed to format key for update registration., xrefs: 00FEEF26

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: 203d205dec7982027096c11fe2f93e0a7be883d2c80157780c21f6e3ead3aea5
Instruction ID: 7c3b357eb9a9d747abdc19d1a3cb4945966f2b30c63052e0b87304e26b5e4a72
Opcode Fuzzy Hash: 203d205dec7982027096c11fe2f93e0a7be883d2c80157780c21f6e3ead3aea5
Instruction Fuzzy Hash: BC21F632E402A9BFCB219AA6EC45EDFBFB8EF50720F204169F950A6190D7319E40D790

Function 00FEEE0F Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00FEEE4A

Part of subcall function 01024038: SetFileAttributesW.KERNEL32(01008FFA,00000080,00000000,01008FFA,000000FF,00000000,?,?,01008FFA), ref: 01024067
Part of subcall function 01024038: GetLastError.KERNEL32(?,?,01008FFA), ref: 01024071

Part of subcall function 00FE3B6A: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,00FEEE95,00000001,00000000,00000095,00000001,00FF04DA,00000095,00000000,swidtag,00000001), ref: 00FE3B87

Strings

Failed to format tag folder path., xrefs: 00FEEEB7
Failed to allocate regid folder path., xrefs: 00FEEEB0
Failed to allocate regid file path., xrefs: 00FEEEA9
swidtag, xrefs: 00FEEE59

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AttributesDirectoryErrorFileLastOpen@16Remove
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
API String ID: 1428973842-4170906717
Opcode ID: 27bd26873ea39586aa84ffc889c72c508f15db24b59a718e7538a9be01e11f8c
Instruction ID: 5dbad3962761a06e56dfcd7854a0d9c11c9c86723959ee0b90fa2cba49c41c1f
Opcode Fuzzy Hash: 27bd26873ea39586aa84ffc889c72c508f15db24b59a718e7538a9be01e11f8c
Instruction Fuzzy Hash: 4C218F32E00268FFCB15EF9ADC01ADEFBB9EF54310F11C1AAE504AA160D7319E50AB50

Function 01008B73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01020E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 01008BF7
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,00FEF66B,00000001,00000100,000001B4,00000000), ref: 01008C45

Strings

Failed to enumerate uninstall key for related bundles., xrefs: 01008C56
Failed to open uninstall registry key., xrefs: 01008BBA
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 01008B94

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: 0e9864be50a0205d9a5eff13679848eafa02566e3d89b2d6762f13e3e4fec6dd
Instruction ID: e460baff25418e2695c73f2855a39beacfae372dac30f9eedff90c905065c2db
Opcode Fuzzy Hash: 0e9864be50a0205d9a5eff13679848eafa02566e3d89b2d6762f13e3e4fec6dd
Instruction Fuzzy Hash: 16219432D0112DBFEB226A94CC45FEDBA79FB00720F248665F99066090C7754E909690

Function 01023F04 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00FE4CB6,00000000,?,?,00000000,?,01024012,00000000,00FE4CB6,00000000,00000000,?,00FF83E2,?,?), ref: 01023F1E
GetLastError.KERNEL32(?,01024012,00000000,00FE4CB6,00000000,00000000,?,00FF83E2,?,?,00000001,00000003,000007D0,?,?,?), ref: 01023F2C
CopyFileW.KERNEL32(00000000,00FE4CB6,00000000,00FE4CB6,00000000,?,01024012,00000000,00FE4CB6,00000000,00000000,?,00FF83E2,?,?,00000001), ref: 01023F92
GetLastError.KERNEL32(?,01024012,00000000,00FE4CB6,00000000,00000000,?,00FF83E2,?,?,00000001,00000003,000007D0,?,?,?), ref: 01023F9C

Strings

fileutil.cpp, xrefs: 01023FBA

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: 3e661b039fe464251ec958ff1fdc531f8a508991908e7178145e1f9b8c83e428
Instruction ID: d2b3d73abdcc4de76ce2523d2561068ece7b24b1118e5d0cfaf486c5be936591
Opcode Fuzzy Hash: 3e661b039fe464251ec958ff1fdc531f8a508991908e7178145e1f9b8c83e428
Instruction Fuzzy Hash: 64210B366043369AEBB15E696C44F7B76E8FF48A60B150466FEC5DF150E72DCC0182E1

Function 010231C7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 010231DD
SysAllocString.OLEAUT32(?), ref: 010231F9
VariantClear.OLEAUT32(?), ref: 01023280
SysFreeString.OLEAUT32(00000000), ref: 0102328B

Strings

xmlutil.cpp, xrefs: 01023210

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: xmlutil.cpp
API String ID: 760788290-1270936966
Opcode ID: 288de8141f98caa1e025821a72d56c0af11320f314dee8ed679b88f465f21e71
Instruction ID: 32020cfdaf9dcd8010b11f02d8df1ddf900d23f6a3b2249face1a2c1d0f8f3fa
Opcode Fuzzy Hash: 288de8141f98caa1e025821a72d56c0af11320f314dee8ed679b88f465f21e71
Instruction Fuzzy Hash: 32219171900229EFDB21DFA8C849EAEBBB8BF49710F154198FD45AB214DB399D05CB90

Function 0100D047 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0100D0DC
ReleaseMutex.KERNEL32(?), ref: 0100D10A
SetEvent.KERNEL32(?), ref: 0100D113

Strings

NetFxChainer.cpp, xrefs: 0100D081
Failed to allocate buffer., xrefs: 0100D08B

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$NetFxChainer.cpp
API String ID: 944053411-3611226795
Opcode ID: 52e4d13f7bbc878f12b73a33504a646f87dd06e337dd21d008e4f2001f66145c
Instruction ID: 1011d78d77d51e122cb8324108a0a25b477a2c0717dd42ba86302ff337b163d4
Opcode Fuzzy Hash: 52e4d13f7bbc878f12b73a33504a646f87dd06e337dd21d008e4f2001f66145c
Instruction Fuzzy Hash: 2B21E7B0600705BFD710DFACDC48A99B7F5FF08314F108669F964A7292C775A950CB60

Function 010257BF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,010068CE,00000000,?), ref: 010257D5
GetLastError.KERNEL32(?,?,010068CE,00000000,?,?,?,?,?,?,?,?,?,01006CE1,?,?), ref: 010257E3

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,010068CE,00000000,?), ref: 0102581D
GetLastError.KERNEL32(?,?,010068CE,00000000,?,?,?,?,?,?,?,?,?,01006CE1,?,?), ref: 01025827

Strings

svcutil.cpp, xrefs: 01025806, 01025848

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: svcutil.cpp
API String ID: 355237494-1746323212
Opcode ID: a342033921f07c96012f6709b0d6f3122d5eaf76e669b702aa74b836fc4343e9
Instruction ID: fe752994fb9f82a8b1bab8bc6617f8870a946c39d70e77e6275623878102a1a4
Opcode Fuzzy Hash: a342033921f07c96012f6709b0d6f3122d5eaf76e669b702aa74b836fc4343e9
Instruction Fuzzy Hash: 1221D876A40234BBE7315A5A4D08BDBBADDDF45690F110115FD84FB110E6FACD0097E4

Function 00FE96F4 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00FE9783

Strings

Failed to find variable., xrefs: 00FE9770
Failed to parse condition '%ls' at position: %u, xrefs: 00FE9735
Failed to read next symbol., xrefs: 00FE979F
condition.cpp, xrefs: 00FE9725, 00FE9766

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
API String ID: 2001391462-1605196437
Opcode ID: 26eb835392c55b5c9289c9bede65de1e5d8911747b64c4671208791fda0e32c5
Instruction ID: 2a96bed8dbe8ad26c7534be50a0abdc6ebbff8a8f0531bc10d3b3f81974dc627
Opcode Fuzzy Hash: 26eb835392c55b5c9289c9bede65de1e5d8911747b64c4671208791fda0e32c5
Instruction Fuzzy Hash: 061127336942717AEB113EAADC8AE9B3A04DB15720F040125FD046E292C6F2DD14A3F1

Function 00FE9D03 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00FE9D25

Strings

Failed to set variable., xrefs: 00FE9D84
Failed to format path string., xrefs: 00FE9D30
Failed get file version., xrefs: 00FE9D65
File search: %ls, did not find path: %ls, xrefs: 00FE9D90

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: 8f7c917f83d46f081a0b8663b50d7bb62991cd64a5dc03f2e885ace9799dcb86
Instruction ID: 0c5d55f416a4fe2f16f09bcbe86def2b72c516278a50e4110f786eb7a148a1d2
Opcode Fuzzy Hash: 8f7c917f83d46f081a0b8663b50d7bb62991cd64a5dc03f2e885ace9799dcb86
Instruction Fuzzy Hash: 6911D332D4427DBECB226E96CC819AEFB38EF14360F104169FC4466210D2765E10A7E1

Function 00FF4880 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00FF51A4), ref: 00FF48CC

Strings

pipe.cpp, xrefs: 00FF4904
Failed to write message type to pipe., xrefs: 00FF490E
Failed to allocate message to write., xrefs: 00FF48AB

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$pipe.cpp
API String ID: 3934441357-1996674626
Opcode ID: a7abe471a3f6783ca67259be90baa4cf0581f7d48824a018087eea25a0806616
Instruction ID: 8e1a5f21fce167ce3550c83593d23c54e55ecf9f15971e8fd0b485e948055237
Opcode Fuzzy Hash: a7abe471a3f6783ca67259be90baa4cf0581f7d48824a018087eea25a0806616
Instruction Fuzzy Hash: 3111AF72A0021DBFDB21DE95DD08AEF7BE9EF84350F110166FD00A6120D771AE50EAA1

Function 00FF8003 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,00FF8C10,0000001A,00000000,?,00000000,00000000), ref: 00FF804C
GetLastError.KERNEL32(?,?,00FF8C10,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 00FF8056

Strings

cache.cpp, xrefs: 00FF802A, 00FF807A
Failed to create well known SID., xrefs: 00FF8084
Failed to allocate memory for well known SID., xrefs: 00FF8034

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
API String ID: 2186923214-2110050797
Opcode ID: d7af04b9355c28f74cd2ef772ccd10ec5627b79018c834c3f85bb4aae190f2c3
Instruction ID: b79c6becb148828dd0196e40cd6a2359623678eef0664f2726703174037d5020
Opcode Fuzzy Hash: d7af04b9355c28f74cd2ef772ccd10ec5627b79018c834c3f85bb4aae190f2c3
Instruction Fuzzy Hash: 8F012F73A403647AE73169669C0EF6B7A9DCF41B60F21401AFE05EB150EE798E0152E0

Function 0100DB67 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 0100DB95
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0100DBBF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0100DD8F,00000000,?,?,?,00000001,00000000), ref: 0100DBC7

Strings

bitsengine.cpp, xrefs: 0100DBEB
Failed while waiting for download., xrefs: 0100DBF5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$bitsengine.cpp
API String ID: 435350009-228655868
Opcode ID: 8fd6d07f5a6041507924004e1a8a9123c11d2cb2e909038877760e136ae8efd1
Instruction ID: d9a476e0d031dc8c14419f0a97c0db001392cb5982e5dd193c02bdfc49b0bdd7
Opcode Fuzzy Hash: 8fd6d07f5a6041507924004e1a8a9123c11d2cb2e909038877760e136ae8efd1
Instruction Fuzzy Hash: 1811E572A4532ABBF7219AE99C49EDB7BACEB05620F000126FE44E61C4D9A5990086F4

Function 01023B4A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 01023B98
GetLastError.KERNEL32(?,?,00000000), ref: 01023BA2
CloseHandle.KERNEL32(?,?,?,00000000), ref: 01023BD5

Strings

<, xrefs: 01023B8A
shelutil.cpp, xrefs: 01023BC3

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$shelutil.cpp
API String ID: 3023784893-3991740012
Opcode ID: 02b83dddef3e6e4f06231596e105c1cc7d7f26ac76a6fe616661aa1291c2cc30
Instruction ID: cc768ba0c154a1858674bec5c810b4c8209828c91066399f350e71ae2c1a3b07
Opcode Fuzzy Hash: 02b83dddef3e6e4f06231596e105c1cc7d7f26ac76a6fe616661aa1291c2cc30
Instruction Fuzzy Hash: A211EAB5E01219AFDB61DFA9D984ACE7BF8EF08250F10412AFD45E7340E73999008BA4

Function 00FE5E0B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000010), ref: 00FE5E39
GetLastError.KERNEL32 ref: 00FE5E43

Strings

variable.cpp, xrefs: 00FE5E67
Failed to get computer name., xrefs: 00FE5E71
Failed to set variant value., xrefs: 00FE5E8A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
API String ID: 3560734967-484636765
Opcode ID: fc5a9582e30f6e684bf071c294c8768d9f44d525968f1a1e8e56ac66ee021867
Instruction ID: 1e59e140abf4645f5690ed83bb0c101e9b122e3a3babb4ce2006d1c92edda87f
Opcode Fuzzy Hash: fc5a9582e30f6e684bf071c294c8768d9f44d525968f1a1e8e56ac66ee021867
Instruction Fuzzy Hash: 5B01C832A40768ABE721EAA5DD45BEF77E8EB08710F51012AFC41FB140DA75AE0487E5

Function 00FE9908 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00FE997F

Strings

Failed to copy condition string from BSTR, xrefs: 00FE9969
Failed to get Condition inner text., xrefs: 00FE994F
Failed to select condition node., xrefs: 00FE9936
Condition, xrefs: 00FE991A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: FreeString
String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.
API String ID: 3341692771-3600577998
Opcode ID: c81b00becd6ffe86dc5d885aef388a787bcef43c6a44bf621653641fa1bddc13
Instruction ID: 3dbf2cdaf4b70fb8fbbffdaa046ab2db912413730a13bfc283cefff2c9609544
Opcode Fuzzy Hash: c81b00becd6ffe86dc5d885aef388a787bcef43c6a44bf621653641fa1bddc13
Instruction Fuzzy Hash: A011E132D48279BBCB219A92CD05FADBB68AF00760F20415DFC40BB151DBF59E00ABA0

Function 00FE5D71 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00FE5D83

Part of subcall function 010209BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00FE5D8F,00000000), ref: 010209CF
Part of subcall function 010209BB: GetProcAddress.KERNEL32(00000000), ref: 010209D6
Part of subcall function 010209BB: GetLastError.KERNEL32(?,?,?,00FE5D8F,00000000), ref: 010209ED

Part of subcall function 01023BF7: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 01023C24

Strings

Failed to get shell folder., xrefs: 00FE5DB7
Failed to get 64-bit folder., xrefs: 00FE5DCD
variable.cpp, xrefs: 00FE5DAD
Failed to set variant value., xrefs: 00FE5DE7

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
API String ID: 2084161155-3906113122
Opcode ID: ee4e360619d3892947868bc2e580f298a8592e8203d2a832583fd1e8e02d1458
Instruction ID: 9e3b2a9c5937a565f64feee550f37ec6c4151182ccf8ca03dc1c141d36088626
Opcode Fuzzy Hash: ee4e360619d3892947868bc2e580f298a8592e8203d2a832583fd1e8e02d1458
Instruction Fuzzy Hash: 07010831D04779B7DF22AB92CC0AFDE7A6CAB00B28F204155F840BA040CBB49E00A7D0

Function 01020917 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00FE4E16,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 01020927
GetLastError.KERNEL32(?,?,00FE4E16,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 01020935

Strings

procutil.cpp, xrefs: 01020959

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: procutil.cpp
API String ID: 1211598281-1178289305
Opcode ID: e9dc9e2b701fb074bd5e57f09627d310be085bacd202ae6421ac21c1ee53957c
Instruction ID: 1ae2e0996879d8996e11793f069c1da2728b80c087b8ba32c629562f1c2fd6de
Opcode Fuzzy Hash: e9dc9e2b701fb074bd5e57f09627d310be085bacd202ae6421ac21c1ee53957c
Instruction Fuzzy Hash: 06118272F00335EBEB219EA9984879B7BD4EB05360F114255FD96E7244D2398D0096E5

Function 01024038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01024315: FindFirstFileW.KERNEL32(01008FFA,?,000002C0,00000000,00000000), ref: 01024350
Part of subcall function 01024315: FindClose.KERNEL32(00000000), ref: 0102435C

SetFileAttributesW.KERNEL32(01008FFA,00000080,00000000,01008FFA,000000FF,00000000,?,?,01008FFA), ref: 01024067
GetLastError.KERNEL32(?,?,01008FFA), ref: 01024071
DeleteFileW.KERNEL32(01008FFA,00000000,01008FFA,000000FF,00000000,?,?,01008FFA), ref: 01024090
GetLastError.KERNEL32(?,?,01008FFA), ref: 0102409A

Strings

fileutil.cpp, xrefs: 010240B4

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: fileutil.cpp
API String ID: 3967264933-2967768451
Opcode ID: f03d00c3a4b70d69e9b5f80824234d450cd8d3281811ab6287b2765c04b7df1d
Instruction ID: 927c7832fb90a2f9583803ff7e2af3a063ce905f448708883dec9d9820eaa5de
Opcode Fuzzy Hash: f03d00c3a4b70d69e9b5f80824234d450cd8d3281811ab6287b2765c04b7df1d
Instruction Fuzzy Hash: 9B01B531A01735A7D7326EB98D88B5BBED8EF00664F104315FD85E7090D73ADD4096E5

Function 0100D7CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0100D7E1
LeaveCriticalSection.KERNEL32(?), ref: 0100D826
SetEvent.KERNEL32(?,?,?,?), ref: 0100D83A

Strings

Failure while sending progress during BITS job modification., xrefs: 0100D815
Failed to get state during job modification., xrefs: 0100D7FA

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: 7f97d27f70b8222708035eb351c2341e660c4d0e6ef0f1fa3abbba04997e28b6
Instruction ID: 4abc77ca1a30ba79cca87bea53c82d4ffbfb787b18bdab0d87e2335bb3810174
Opcode Fuzzy Hash: 7f97d27f70b8222708035eb351c2341e660c4d0e6ef0f1fa3abbba04997e28b6
Instruction Fuzzy Hash: C5019272901615ABDB12DF95D488AAEB7ACFF08330F104169F948A7640D735FE048BE5

Function 0100DA45 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,0100DBB5), ref: 0100DA59
LeaveCriticalSection.KERNEL32(00000008,?,0100DBB5), ref: 0100DA9E
SetEvent.KERNEL32(?,?,0100DBB5), ref: 0100DAB2

Strings

Failed to get BITS job state., xrefs: 0100DA72
Failure while sending progress., xrefs: 0100DA8D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: e9b432be7e8488cd3e54ad9e81da006e7e4b09ebcad20e696b713f7ab1de5874
Instruction ID: 11f9da1bcf240251a583a6ed5a04af43c3f12df39c4317515ebbbc1999243928
Opcode Fuzzy Hash: e9b432be7e8488cd3e54ad9e81da006e7e4b09ebcad20e696b713f7ab1de5874
Instruction Fuzzy Hash: 2901F572504615BBD713DBD5D848DAEB7A8FF05321B10025AF94997240D735ED4487E4

Function 0100D5AF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,0100DD19,?,?,?,?,?,00000001,00000000,?), ref: 0100D5C9
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0100DD19,?,?,?,?,?,00000001,00000000,?), ref: 0100D5D4
GetLastError.KERNEL32(?,0100DD19,?,?,?,?,?,00000001,00000000,?), ref: 0100D5E1

Strings

Failed to create BITS job complete event., xrefs: 0100D60F
bitsengine.cpp, xrefs: 0100D605

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$bitsengine.cpp
API String ID: 3069647169-3441864216
Opcode ID: d205de0fa656cac397fa342916f1931ae22129d57a16b6cb640b6cfbb23722b5
Instruction ID: 0e7570ab00ea874a63ee81de1e9a34b9d97c04e4da60180edc4dcf53acee6931
Opcode Fuzzy Hash: d205de0fa656cac397fa342916f1931ae22129d57a16b6cb640b6cfbb23722b5
Instruction Fuzzy Hash: 04019EB2600726ABE3209F6AD844A86BBD8FF09760B104126FD48D7644E77598008BE4

Function 00FED39D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00FF6E4B,000000B8,00000000,?,00000000,7707B390), ref: 00FED3AC
InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 00FED3BB
LeaveCriticalSection.KERNEL32(000000D0,?,00FF6E4B,000000B8,00000000,?,00000000,7707B390), ref: 00FED3D0

Strings

userexperience.cpp, xrefs: 00FED3E9
Engine active cannot be changed because it was already in that state., xrefs: 00FED3F3

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
API String ID: 3376869089-1544469594
Opcode ID: f498130de20497546ddc6fb9f75a0b1efffc428c78c7b45be5950de71a9374aa
Instruction ID: 211aa6ad7783508485bc786eeb6bf45761711366a8f6ec86cb4d7fe8f8c1cf95
Opcode Fuzzy Hash: f498130de20497546ddc6fb9f75a0b1efffc428c78c7b45be5950de71a9374aa
Instruction Fuzzy Hash: BBF0C2763003056F9720AEA7EC84D9773ADEB95764720442AF941C7540DA75FC058771

Function 01021B28 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 01021B53
GetLastError.KERNEL32(?,00FE48D4,00000001,?,?,00FE444C,?,?,?,?,00FE535E,?,?,?,?), ref: 01021B62

Strings

srputil.cpp, xrefs: 01021B83
SRSetRestorePointW, xrefs: 01021B48
srclient.dll, xrefs: 01021B31

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
API String ID: 199729137-398595594
Opcode ID: 6232d4de7c93a694db2f71d4303fbed978e196759d5c0e363effb271d1deef72
Instruction ID: dee6ac0cdac5a6e4c86a219af6801c7e80376bbea7d9055fc26ba880893167e4
Opcode Fuzzy Hash: 6232d4de7c93a694db2f71d4303fbed978e196759d5c0e363effb271d1deef72
Instruction Fuzzy Hash: 97F0F9BAB40732D7E73316BA884976635E0CB05655F010135EDC4AB201FE3ECC4087E5

Function 01014897 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01014848,00000000,?,010147E8,00000000,01047CF8,0000000C,0101493F,00000000,00000002), ref: 010148B7
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 010148CA
FreeLibrary.KERNEL32(00000000,?,?,?,01014848,00000000,?,010147E8,00000000,01047CF8,0000000C,0101493F,00000000,00000002), ref: 010148ED

Strings

CorExitProcess, xrefs: 010148C2
mscoree.dll, xrefs: 010148B0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1c1ee38a0d3d7ed714b7b8a49e437f6198dd193d99d8ce4490a30e011d630991
Instruction ID: 126df99a981c07127ff1dfcda388cd4c4a1b09e9d2b496caafc03255ddff6f0d
Opcode Fuzzy Hash: 1c1ee38a0d3d7ed714b7b8a49e437f6198dd193d99d8ce4490a30e011d630991
Instruction Fuzzy Hash: EBF0C230A00208FBDB319FA4D849BADBFB8FF04711F1000B9FC45A2194DB395A40CB90

Function 0102937F Relevance: 7.6, APIs: 5, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01020E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 01029457
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 01029492
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000), ref: 010294AE
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 010294BB
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 010294C8

Part of subcall function 01020B49: RegCloseKey.ADVAPI32(00000000), ref: 01020CA0

Part of subcall function 01020E9B: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,01029444,00000001), ref: 01020EB3

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID:
API String ID: 796878624-0
Opcode ID: f55a6bdfa0d38479d09c8e9945a6a63e151e533ddb2ff45f9b476743028151f4
Instruction ID: fa4728d0c77b239b444cb4bca7691f52e1519555dc447afad3bbb5848a4b7375
Opcode Fuzzy Hash: f55a6bdfa0d38479d09c8e9945a6a63e151e533ddb2ff45f9b476743028151f4
Instruction Fuzzy Hash: 8341DA76C4123DFFDF22AF958D90DADFFB9EF04668F1141AAEA4166210C7324E509A90

Function 00FE88DE Relevance: 7.6, APIs: 5, Instructions: 118stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00FE8A9E,00FE95E7,?,00FE95E7,?,?,00FE95E7,?,?), ref: 00FE88FE
lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00FE8A9E,00FE95E7,?,00FE95E7,?,?,00FE95E7,?,?), ref: 00FE8906
CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,00FE8A9E,00FE95E7,?,00FE95E7,?), ref: 00FE8955
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00FE8A9E,00FE95E7,?,00FE95E7,?), ref: 00FE89B7
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00FE8A9E,00FE95E7,?,00FE95E7,?), ref: 00FE89E4

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareString$lstrlen
String ID:
API String ID: 1657112622-0
Opcode ID: 34a0c3a841b0fd932d1e2caa736fd96b410418c5665b4a7f0bb23a5f46c5e2ef
Instruction ID: a8ca77e73bfb5c6007ac967d63ca5502269345d0c72f0a97b719d92088dfc3ef
Opcode Fuzzy Hash: 34a0c3a841b0fd932d1e2caa736fd96b410418c5665b4a7f0bb23a5f46c5e2ef
Instruction Fuzzy Hash: 6231C632E00199BFCF219E5ACC84ABE3F6AEF497E0F144015F94D97111CA359D91EB92

Function 00FE21BC Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE2202
GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE220E

Part of subcall function 00FE3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,00FE21DC,000001C7,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE3B59
Part of subcall function 00FE3B51: HeapSize.KERNEL32(00000000,?,00FE21DC,000001C7,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE3B60

Strings

strutil.cpp, xrefs: 00FE2232

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: ee61fad5aeba830527a8baec05dd04869d79242c42f583716a21b6896052debe
Instruction ID: 73c0b397623359be4b46363e212be5661c441ceeb7c0ba9689a3243a16192443
Opcode Fuzzy Hash: ee61fad5aeba830527a8baec05dd04869d79242c42f583716a21b6896052debe
Instruction Fuzzy Hash: 4531FA32600296ABFB609E6BCC44B6777DDEF45770B114229FD15DB190FA75CD00A7A0

Function 00FE738E Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00FE52B5,WixBundleOriginalSource,?,?,00FFA41D,00FE53B5,WixBundleOriginalSource,00FE533D,0104AA90,?,00000000,00FE533D,?,00FF7587,?,?), ref: 00FE739A
LeaveCriticalSection.KERNEL32(00FE52B5,00FE52B5,00000000,00000000,?,?,00FFA41D,00FE53B5,WixBundleOriginalSource,00FE533D,0104AA90,?,00000000,00FE533D,?,00FF7587), ref: 00FE7401

Strings

Failed to get value of variable: %ls, xrefs: 00FE73D4
WixBundleOriginalSource, xrefs: 00FE7396
Failed to get value as string for variable: %ls, xrefs: 00FE73F0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 0eabe1b4fc97b00a5c3a11de5056249bd5b78a89f893330ac39fb26714a6e17f
Instruction ID: bcd9f82600814e0eecdd8e6313e7be05d9bf368bdd1f1e11c858aa9ada02476f
Opcode Fuzzy Hash: 0eabe1b4fc97b00a5c3a11de5056249bd5b78a89f893330ac39fb26714a6e17f
Instruction Fuzzy Hash: 9D0184329842A9FFCF616E55CC05BDE3B64EF14765F208125FD04AA210D7369E50B7D1

Function 0100CEF5 Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,0100CEEB,00000000), ref: 0100CF10
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,0100CEEB,00000000), ref: 0100CF1C
CloseHandle.KERNEL32(0102B508,00000000,?,00000000,?,0100CEEB,00000000), ref: 0100CF29
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,0100CEEB,00000000), ref: 0100CF36
UnmapViewOfFile.KERNEL32(0102B4D8,00000000,?,0100CEEB,00000000), ref: 0100CF45

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 9c90daa87ca2030b7885a20787b5a7415d43f211227022b617fad95699f23447
Instruction ID: aa1548d88eb125a6d76c56f8ab87c532f0b9bba0705d338ac3ede04569c1335d
Opcode Fuzzy Hash: 9c90daa87ca2030b7885a20787b5a7415d43f211227022b617fad95699f23447
Instruction Fuzzy Hash: E2016D72404B15DFEB325F5AD98082AFBE9FF50311314C9BEE2D652421C371A840DF40

Function 010279CC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

SysFreeString.OLEAUT32(00000000), ref: 01027B2C
SysFreeString.OLEAUT32(00000000), ref: 01027B37
SysFreeString.OLEAUT32(00000000), ref: 01027B42

Strings

atomutil.cpp, xrefs: 010279FF

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: atomutil.cpp
API String ID: 2724874077-4059165915
Opcode ID: 741aa0bfd24d6b033ff1efe4173101bcde198efd5c56e51bf05cfa80bbc9895a
Instruction ID: 3060c61d89b81b4c169cd21ba9307dc7d10f7f2529175b3cc3f55804b0dd88c4
Opcode Fuzzy Hash: 741aa0bfd24d6b033ff1efe4173101bcde198efd5c56e51bf05cfa80bbc9895a
Instruction Fuzzy Hash: 40519771E0122AAFDB12DFA8C854FAEBBB8EF54754F110594EA45AB111DB31DE00CB90

Function 010285CB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 010286D8
GetLastError.KERNEL32 ref: 010286E2

Strings

clbcatq.dll, xrefs: 010285E9, 010285F4
timeutil.cpp, xrefs: 01028706

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: clbcatq.dll$timeutil.cpp
API String ID: 2781989572-961924111
Opcode ID: 6c391d889aff9383dcea9a6874f6933262d4bba6d5d74481832a92932e467ea7
Instruction ID: 2ecef28dc89663f232184b59f928c0e104ac446eb26db34e7b286e2f3a9c393f
Opcode Fuzzy Hash: 6c391d889aff9383dcea9a6874f6933262d4bba6d5d74481832a92932e467ea7
Instruction Fuzzy Hash: 89410779B4032676EB709FB88C4DBBFB7E5EF58704F00851BE681A7194D976CA0083A5

Function 010235A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000002C0), ref: 010235BE
SysAllocString.OLEAUT32(?), ref: 010235CE
VariantClear.OLEAUT32(?), ref: 010236AF

Strings

xmlutil.cpp, xrefs: 010235E6

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: f8bd9c7c3361e305db33a53238ffa7bb3ee5abe25d8dbd52ba4519b2d108be59
Instruction ID: 4dd8b84203e742999520536dd5b989d78922ed0835a3703e85a9da19a7b5f65f
Opcode Fuzzy Hash: f8bd9c7c3361e305db33a53238ffa7bb3ee5abe25d8dbd52ba4519b2d108be59
Instruction Fuzzy Hash: E6415571900626ABCB219FA9C888EAEBBFCBF4D710B0585A5FD45EF311D735D9008B91

Function 01020D1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,01008BD8), ref: 01020D77
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01008BD8,00000000), ref: 01020D99
RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,01008BD8,00000000,00000000,00000000), ref: 01020DF1

Strings

regutil.cpp, xrefs: 01020DC1

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: 04afe8d252c0c405845fcfab715584199d75fd9104c4121f332a69b327463334
Instruction ID: eeca0752c6ccc388709b59cc842d30c10198c5d17de7c87b46029ddf8abcd621
Opcode Fuzzy Hash: 04afe8d252c0c405845fcfab715584199d75fd9104c4121f332a69b327463334
Instruction Fuzzy Hash: 2031A3B6A01229FFEB219A998D84EBFBBECEF04350F1100A6FD44E7114D7359E50D6A0

Function 010278C5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

SysFreeString.OLEAUT32(00000000), ref: 010279AA
SysFreeString.OLEAUT32(?), ref: 010279B5
SysFreeString.OLEAUT32(00000000), ref: 010279C0

Strings

atomutil.cpp, xrefs: 010278F2

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: atomutil.cpp
API String ID: 2724874077-4059165915
Opcode ID: cb90bd73648fb9fabfbe74ab0904fd87fc3097bb313eb50a1e8eae3649d13e16
Instruction ID: bd11636de9e1d42dd3206252164e603b103fc54e55e3d709bf1b98f4dbeb510a
Opcode Fuzzy Hash: cb90bd73648fb9fabfbe74ab0904fd87fc3097bb313eb50a1e8eae3649d13e16
Instruction Fuzzy Hash: 96317872E01729FBDB129B69CC45BAEBBB8EF55710F0141A5EA40AB110D775DE009B90

Function 010088CF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01020E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,01008C14,00000000,00000000), ref: 0100898C

Strings

Failed to open uninstall key for potential related bundle: %ls, xrefs: 010088FB
Failed to ensure there is space for related bundles., xrefs: 0100893F
Failed to initialize package from related bundle id: %ls, xrefs: 01008972

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: e8f64e86b1157231be1db9457bc466d5ecda8b6f96ff8378634a9de2c9649df4
Instruction ID: 70f79996c28b9e0b728df4aeb1f14aa0bd83c05f2c71e58cec4e4c83e98d4217
Opcode Fuzzy Hash: e8f64e86b1157231be1db9457bc466d5ecda8b6f96ff8378634a9de2c9649df4
Instruction Fuzzy Hash: A0214132D4061AFFEB13AE84CD05BEEBB69FB00711F18815AFD5066190D7759A20EB91

Function 00FE3A97 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000010,00000000,80004005,00000000,00000000,00000100,?,00FE1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,00FE13B7), ref: 00FE3AB2
HeapReAlloc.KERNEL32(00000000,?,00FE1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,00FE13B7,000001C7,00000100,?,80004005,00000000), ref: 00FE3AB9

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

Part of subcall function 00FE3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,00FE21DC,000001C7,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE3B59
Part of subcall function 00FE3B51: HeapSize.KERNEL32(00000000,?,00FE21DC,000001C7,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE3B60

_memcpy_s.LIBCMT ref: 00FE3B04

Strings

memutil.cpp, xrefs: 00FE3B45

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$Process$AllocAllocateSize_memcpy_s
String ID: memutil.cpp
API String ID: 3406509257-2429405624
Opcode ID: ec39838a0c409ac787e487b5a886eb7c9d50251009bda9f77cd48562e55f843d
Instruction ID: e7a2f2c3f1ec5dd2daf2a8ef7a1ef41802db825a644bd8d26186fb08b5d80c7d
Opcode Fuzzy Hash: ec39838a0c409ac787e487b5a886eb7c9d50251009bda9f77cd48562e55f843d
Instruction Fuzzy Hash: 4A11E432A01298BFDB212E269C4DDAE3B5ADF84774B144225F9165B191C775CF50B390

Function 01028803 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0102884C
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 01028874
GetLastError.KERNEL32 ref: 0102887E

Strings

inetutil.cpp, xrefs: 0102889F

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: inetutil.cpp
API String ID: 1528435940-2900720265
Opcode ID: 5ced0a1816f077f6e00d11edc743d6330a55adeea8bdda6e34cd94b39b547895
Instruction ID: ac17527bafe828846993d407e071667457661e8f092a92624972b00466cb5117
Opcode Fuzzy Hash: 5ced0a1816f077f6e00d11edc743d6330a55adeea8bdda6e34cd94b39b547895
Instruction Fuzzy Hash: 0B119376A01229ABE721DAB99D44BABB7ECEF08240F11412AFE45E7140E6759D0487E1

Function 00FF3955 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01020E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00FF3E61,feclient.dll,?,00000000,?,?,?,00FE4A0C), ref: 00FF39F1

Part of subcall function 01020F6E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 01020FE4
Part of subcall function 01020F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0102101F

Strings

feclient.dll, xrefs: 00FF395A
Logging, xrefs: 00FF3983
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00FF3966

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: 3f6f7ff64f8b57d36d473c0254500601c85a40ee377bdd582fa2da816b91fab9
Instruction ID: e99c14219f9ccc37072b50d7e3942ba43c9a43b2b3976ea98ad849bb06907f26
Opcode Fuzzy Hash: 3f6f7ff64f8b57d36d473c0254500601c85a40ee377bdd582fa2da816b91fab9
Instruction Fuzzy Hash: B211D333F4020DBBDB319A95CC86ABEB779EF00751F404066E641AB160E6F19F80E710

Function 01020658 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,0101FF0B,?,?,00000000,00000000,0000FDE9), ref: 0102066A
WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,?,?,0101FF0B,?,?,00000000,00000000,0000FDE9), ref: 010206A6
GetLastError.KERNEL32(?,?,0101FF0B,?,?,00000000,00000000,0000FDE9), ref: 010206B0

Strings

logutil.cpp, xrefs: 010206E0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 7ccade39ffe4c9c52f76cae1cd0b3902a7f4fe04e8d06472437b273d65ec5fdf
Instruction ID: 1ffdb323e9e75c8abc13e407d33e4f9a1f6b505a2995985d3f6e55796cc38d55
Opcode Fuzzy Hash: 7ccade39ffe4c9c52f76cae1cd0b3902a7f4fe04e8d06472437b273d65ec5fdf
Instruction Fuzzy Hash: 7B11CA76A01334ABD331D96ACD8CDAF7BACEB89760B200215FD45D7144E636AD0086E0

Function 00FE1209 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00FE5137,00000000,?), ref: 00FE1247
GetLastError.KERNEL32(?,?,?,00FE5137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00FE1251

Strings

apputil.cpp, xrefs: 00FE1272
ignored , xrefs: 00FE1216

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: apputil.cpp$ignored
API String ID: 3459693003-568828354
Opcode ID: 4b41e9b92b7b649afa3ea6eda0ab049706c005928d4344e22c08a997984ee035
Instruction ID: f6e2b6e6e5d00664b93ef8d2a58839e5d28ea1a85203369f3cc78451a7d64cbd
Opcode Fuzzy Hash: 4b41e9b92b7b649afa3ea6eda0ab049706c005928d4344e22c08a997984ee035
Instruction Fuzzy Hash: 8C114F72A00269BB9B21DF9BCC45DAEBBB8FF45750B114169FD04E7210E6359E00EBA0

Function 0100CF56 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,0100D1DC,00000000,00000000,00000000,?), ref: 0100CF66
ReleaseMutex.KERNEL32(?,?,0100D1DC,00000000,00000000,00000000,?), ref: 0100CFED

Part of subcall function 00FE38D4: GetProcessHeap.KERNEL32(?,000001C7,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38E5
Part of subcall function 00FE38D4: RtlAllocateHeap.NTDLL(00000000,?,00FE2284,000001C7,00000001,80004005,8007139F,?,?,0102015F,8007139F,?,00000000,00000000,8007139F), ref: 00FE38EC

Strings

NetFxChainer.cpp, xrefs: 0100CFAB
Failed to allocate memory for message data, xrefs: 0100CFB5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2993511968-1624333943
Opcode ID: dc001eb226aff829e0a75f31d1c70cfd4befff033d6e9b3baa53ae6ec36d2d11
Instruction ID: 2e67c69422f4c1fe4c1da99b044c41780651c0d5cf6fc97ce14833d2328f7fa2
Opcode Fuzzy Hash: dc001eb226aff829e0a75f31d1c70cfd4befff033d6e9b3baa53ae6ec36d2d11
Instruction Fuzzy Hash: E91191B1300216AFDB15DF29D894EAABBE4FF09720F104279F9149B791C732A810CBA5

Function 00FE1F78 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000011FF,00FE5386,?,00000000,00000000,00000000,?,80070656,?,?,?,00FFE50B,00000000,00FE5386,00000000,80070656), ref: 00FE1FAA
GetLastError.KERNEL32(?,?,?,00FFE50B,00000000,00FE5386,00000000,80070656,?,?,00FF3F6B,00FE5386,?,80070656,00000001,crypt32.dll), ref: 00FE1FB7
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,00FFE50B,00000000,00FE5386,00000000,80070656,?,?,00FF3F6B,00FE5386), ref: 00FE1FFE

Strings

strutil.cpp, xrefs: 00FE1FDB

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: c90c084e9f5cd2d20a6b7d90c4639e600e256c01920f2c218f84c772eb9a3a37
Instruction ID: f37d45a532b3e3d54831354946a3f5e778079a140f9ed76ad9c769efcd31536a
Opcode Fuzzy Hash: c90c084e9f5cd2d20a6b7d90c4639e600e256c01920f2c218f84c772eb9a3a37
Instruction Fuzzy Hash: 031152B6900268FBEB259F95CC09AEE7BA9EF08350F104169FD01A2150E6754E10D7E0

Function 00FFFC51 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00FFFC58

Strings

Failed to allocate new BootstrapperEngineForApplication object., xrefs: 00FFFC8E
EngineForApplication.cpp, xrefs: 00FFFC84
Failed to QI for IBootstrapperEngine from BootstrapperEngineForApplication object., xrefs: 00FFFCB0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID:
String ID: EngineForApplication.cpp$Failed to QI for IBootstrapperEngine from BootstrapperEngineForApplication object.$Failed to allocate new BootstrapperEngineForApplication object.
API String ID: 0-1509993410
Opcode ID: 1754670a2d2f302d847720bf0ab6c4f685a43751f40acd836eff11081a022cb1
Instruction ID: 631c8da88a33c72d0dde4240684b898525cc4b8271b268284d3eca28f7255a03
Opcode Fuzzy Hash: 1754670a2d2f302d847720bf0ab6c4f685a43751f40acd836eff11081a022cb1
Instruction Fuzzy Hash: F1F0D63324473ABF97122615DC05DAE7758CF95B70710002AFE45AB2A0EB648A01A165

Function 01024C67 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(0102B4F0,40000000,00000001,00000000,00000002,00000080,00000000,00FF0328,00000000,?,00FEF37F,?,00000080,0102B4F0,00000000), ref: 01024C7F
GetLastError.KERNEL32(?,00FEF37F,?,00000080,0102B4F0,00000000,?,00FF0328,?,00000094,?,?,?,?,?,00000000), ref: 01024C8C
CloseHandle.KERNEL32(00000000,00000000,?,00FEF37F,?,00FEF37F,?,00000080,0102B4F0,00000000,?,00FF0328,?,00000094), ref: 01024CE0

Strings

fileutil.cpp, xrefs: 01024CB0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: fileutil.cpp
API String ID: 2528220319-2967768451
Opcode ID: 8e8628b34c81307df0f56fa4525f3fe40ea367ff51ce7a40635a4afa09c4f779
Instruction ID: b13d979899d160a3044f5af16328ebbddb8567eaa6e8dea253b2d8720e54152a
Opcode Fuzzy Hash: 8e8628b34c81307df0f56fa4525f3fe40ea367ff51ce7a40635a4afa09c4f779
Instruction Fuzzy Hash: 7F01D47270023967E7726E6D8C49F5B3AD4EB41BB0F210210FE64EB1D0D736981193A0

Function 010069A8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(010068BA,00000001,?,00000001,00000000,?,?,?,?,?,?,010068BA,00000000), ref: 010069D0
GetLastError.KERNEL32(?,?,?,?,?,?,010068BA,00000000), ref: 010069DA

Strings

msuengine.cpp, xrefs: 010069FE
Failed to stop wusa service., xrefs: 01006A08

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$msuengine.cpp
API String ID: 4114567744-2259829683
Opcode ID: 2009592b728bd0b7b10a7b93a305e2c504e81fc10ccc69f809655cbe3edcc228
Instruction ID: 11d9310aa11d3e753bc82a769cee66dcb65b0aa55df15c1f905e3b592975f0ab
Opcode Fuzzy Hash: 2009592b728bd0b7b10a7b93a305e2c504e81fc10ccc69f809655cbe3edcc228
Instruction Fuzzy Hash: 55012B72B403246BE720AAB9AC45BEB77E8DB48710F010129FD04FB180D9299D0083E4

Function 01024840 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,01008A30,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 01024874
GetLastError.KERNEL32(?,01008A30,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 01024881

Strings

fileutil.cpp, xrefs: 01024855, 010248A5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: fileutil.cpp
API String ID: 1214770103-2967768451
Opcode ID: 4d700d31cee21e9d926abc131c3c99777d788a07d259228286f1aa9a35758614
Instruction ID: db9105089e15f48c1f80ae5c90ceaba3fa7709e1e8da931ea4a900b80874334d
Opcode Fuzzy Hash: 4d700d31cee21e9d926abc131c3c99777d788a07d259228286f1aa9a35758614
Instruction Fuzzy Hash: DD01D672640230B7E73225A9AC8DF7F3688DB41B60F114221FE85EB1C0D6AA4D0093F4

Function 00FFEA72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 00FFEA9A
GetLastError.KERNEL32 ref: 00FFEAA4

Strings

Failed to post elevate message., xrefs: 00FFEAD2
EngineForApplication.cpp, xrefs: 00FFEAC8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post elevate message.
API String ID: 2609174426-4098423239
Opcode ID: 585a326d18b1e80fd57926646ce548d15319a258acab41a5f43a9e2a0e0c5cd3
Instruction ID: 378264dcd9d24a7757d6bf0a5c42de1d24335fc8c7bbf10bbd5a630982df1c67
Opcode Fuzzy Hash: 585a326d18b1e80fd57926646ce548d15319a258acab41a5f43a9e2a0e0c5cd3
Instruction Fuzzy Hash: F8F09636744334ABD73069699C09AA777C8EF04760F214239FE59EB1A0E72A9C0197D4

Function 00FED7CF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00FED7F6
FreeLibrary.KERNEL32(?,?,00FE47D1,00000000,?,?,00FE5386,?,?), ref: 00FED805
GetLastError.KERNEL32(?,00FE47D1,00000000,?,?,00FE5386,?,?), ref: 00FED80F

Strings

BootstrapperApplicationDestroy, xrefs: 00FED7EE

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: 675528fdd601cc5556cf69d1d0946a672e53af9c08b952bc8910660d2a996820
Instruction ID: 68d6a21a1ac0cd82c566a035ab4821b45594afbe742494bc2e9614739d1f5a0c
Opcode Fuzzy Hash: 675528fdd601cc5556cf69d1d0946a672e53af9c08b952bc8910660d2a996820
Instruction Fuzzy Hash: DAF06D326007019FD7305FA7DC08A66B7E9FF80772B11C52EE8A6C6910D73AE800DBA0

Function 00FFF086 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 00FFF09B
GetLastError.KERNEL32 ref: 00FFF0A5

Strings

Failed to post plan message., xrefs: 00FFF0D3
EngineForApplication.cpp, xrefs: 00FFF0C9

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: 59197e8c1c99cdd911d977a9bd50b6bfb5a7401f5fac0d524a34a5bc964ecdfd
Instruction ID: 4c9c1d9184d9aab552f6333cc1df0c0259ddf20a33f228290ed04ce793933c64
Opcode Fuzzy Hash: 59197e8c1c99cdd911d977a9bd50b6bfb5a7401f5fac0d524a34a5bc964ecdfd
Instruction Fuzzy Hash: 6DF0E5327443307BE7312AAA9C09E877BC8EF04BA0F018025FD4CEB151D62ADC0096E8

Function 00FFF194 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 00FFF1A9
GetLastError.KERNEL32 ref: 00FFF1B3

Strings

EngineForApplication.cpp, xrefs: 00FFF1D7
Failed to post shutdown message., xrefs: 00FFF1E1

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post shutdown message.
API String ID: 2609174426-188808143
Opcode ID: 4207257137f3f7c8b48f8cb1f13707b4e6aae58a91bc686dccfa8127cf28a04e
Instruction ID: f43777e0e26b2429ae48a1746cfe5ac35bf9555a4c8cc53124375d9f8e122faf
Opcode Fuzzy Hash: 4207257137f3f7c8b48f8cb1f13707b4e6aae58a91bc686dccfa8127cf28a04e
Instruction Fuzzy Hash: 0EF0A032B443347AA73069AAAC09E877BC8EF04BA0F024025FE48EB050E6699D0097E4

Function 0100051A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0102B468,00000000,?,0100145A,?,00000000,?,00FEC121,?,00FE52FD,?,00FF73B2,?,?,00FE52FD,?), ref: 01000524
GetLastError.KERNEL32(?,0100145A,?,00000000,?,00FEC121,?,00FE52FD,?,00FF73B2,?,?,00FE52FD,?,00FE533D,00000001), ref: 0100052E

Strings

cabextract.cpp, xrefs: 01000552
Failed to set begin operation event., xrefs: 0100055C

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: a00c16a0a58674f008ada4d40ee73e55d87cebbf1914836071bdfd6b7b2e60ed
Instruction ID: fba3e51eb7c4b0ef7d0930504797402a867e580fa9eff0ed39d62c0b719cdc59
Opcode Fuzzy Hash: a00c16a0a58674f008ada4d40ee73e55d87cebbf1914836071bdfd6b7b2e60ed
Instruction Fuzzy Hash: 2AF0EC73B047306BB722657A6C05BDB76D8DF055A1F010129FD89E7140E62A9D0052E8

Function 00FFE978 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 00FFE98D
GetLastError.KERNEL32 ref: 00FFE997

Strings

EngineForApplication.cpp, xrefs: 00FFE9BB
Failed to post apply message., xrefs: 00FFE9C5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: b8e748dfb5635563bb808603b98f020a98894407219457fa81b94016ebca2c74
Instruction ID: d4a8562e74b109fc69e8921929d37edd8a379e72833b6935c09314e8e5d49f29
Opcode Fuzzy Hash: b8e748dfb5635563bb808603b98f020a98894407219457fa81b94016ebca2c74
Instruction Fuzzy Hash: 20F0EC327403307BE731396A9C09E877BCCDF44BA0F014025FD48EB051D665DC0096E4

Function 00FFEA09 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 00FFEA1E
GetLastError.KERNEL32 ref: 00FFEA28

Strings

EngineForApplication.cpp, xrefs: 00FFEA4C
Failed to post detect message., xrefs: 00FFEA56

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 1f636480c59c81ad3dff46024360fdeaca4ea9a05e57c16e76d32c1d08f8385d
Instruction ID: d7ef0620413c7206ffd6e95696a470bd50d7892e869436b1ac43aa57027eae66
Opcode Fuzzy Hash: 1f636480c59c81ad3dff46024360fdeaca4ea9a05e57c16e76d32c1d08f8385d
Instruction Fuzzy Hash: 0DF0E532B403307FE7306AAAAC09F877BC8EF44AA0F114125FD48EB050D62ADD00D6E8

Function 01016A76 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01016B01
__alldvrm.LIBCMT ref: 01016D02
__alldvrm.LIBCMT ref: 01016D24

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: f3a74c95afe91129e83f4a200ae329e72b68e1b987d16e4549aa364eb4fd1ab8
Instruction ID: ee54e8f78c42a6053b9a130eabcd525b60f0d072d6b9b7718d7591d55505802b
Opcode Fuzzy Hash: f3a74c95afe91129e83f4a200ae329e72b68e1b987d16e4549aa364eb4fd1ab8
Instruction Fuzzy Hash: 20A14672D0029A9FEB268F28CC907BEBFE5EF51310F1841ADD5C59B285C6BE9981C750

Function 01025D7F Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 01025E3D
lstrlenW.KERNEL32(?), ref: 01025E55

Strings

dlutil.cpp, xrefs: 01025EDB

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: dlutil.cpp
API String ID: 1659193697-2067379296
Opcode ID: 8e8cdbd5bde33b74b2b46697f4eda0718ff955ef2bd3c04408706162b0ffa54d
Instruction ID: fd1db730f58b12369410a4c7f7201ad7e93780ed8881b26f0d8bc893302494ed
Opcode Fuzzy Hash: 8e8cdbd5bde33b74b2b46697f4eda0718ff955ef2bd3c04408706162b0ffa54d
Instruction Fuzzy Hash: 2351C476A01225ABDF229EA98C84DEFBBF9EF48750F164059FE41A7200DB35DD0187A4

Function 010190AA Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,E3E85006,0101234D,00000000,00000000,01013382,?,01013382,?,00000001,0101234D,E3E85006,00000001,01013382,01013382), ref: 010190F7
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 01019180
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 01019192
__freea.LIBCMT ref: 0101919B

Part of subcall function 01015154: HeapAlloc.KERNEL32(00000000,?,?,?,01011E90,?,0000015D,?,?,?,?,010132E9,000000FF,00000000,?,?), ref: 01015186

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: e6deb7565ff143496852daf097370fb7a73fc544de73516604af55619b58603f
Instruction ID: 6f87e619f6cb2d7ee46464d29de340a38c251ca743f57a2e5ddfa08655f8e6b2
Opcode Fuzzy Hash: e6deb7565ff143496852daf097370fb7a73fc544de73516604af55619b58603f
Instruction Fuzzy Hash: 0131E132A0021AABEF259F68CC98DEE7BA5EB41314F04416CFC44D7284E739CD94CBA0

Function 00FE4E9C Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,?,00FE545F,?,?,?,?,?,?), ref: 00FE4EF6
DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,00FE545F,?,?,?,?,?,?), ref: 00FE4F0A
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00FE545F,?,?), ref: 00FE4FF9
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00FE545F,?,?), ref: 00FE5000

Part of subcall function 00FE1160: LocalFree.KERNEL32(?,?,00FE4EB3,?,00000000,?,00FE545F,?,?,?,?,?,?), ref: 00FE116A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalDeleteFreeSection$CloseHandleLocal
String ID:
API String ID: 3671900028-0
Opcode ID: 73788b8b69954aee46b75c6016beac123bb0dff7ab54f3a6ccaf8a460e721589
Instruction ID: dcb7e0cac94ada69917f5d96f63ea6bed2726d321c2b7a5ae75c1b8227fb993b
Opcode Fuzzy Hash: 73788b8b69954aee46b75c6016beac123bb0dff7ab54f3a6ccaf8a460e721589
Instruction Fuzzy Hash: E041C9B1A00795AADA20EBB6CC49FDBB3ECBF04755F44092DB29AD3051DB38F544A724

Function 01023119 Relevance: 6.1, APIs: 4, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0102312C
VariantInit.OLEAUT32(?), ref: 01023138
VariantClear.OLEAUT32(?), ref: 010231AC
SysFreeString.OLEAUT32(00000000), ref: 010231B7

Part of subcall function 0102336E: SysAllocString.OLEAUT32(?), ref: 01023383

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID:
API String ID: 347726874-0
Opcode ID: 879358fbad36949d1dee6b01cf5a13636bcbb5acb3cb3e306873b8751afa320e
Instruction ID: 8d2f26a1837ffed6accbf789d2d5b348a10bf64bb062f818962b2f4f4f772e99
Opcode Fuzzy Hash: 879358fbad36949d1dee6b01cf5a13636bcbb5acb3cb3e306873b8751afa320e
Instruction Fuzzy Hash: FD213D31901229AFDB24DFA9C848EAEBBF9BF48B15F24419CE9419B210D735DD05CB90

Function 00FE4B80 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FEF7F7: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,00FE4B9F,?,?,00000001), ref: 00FEF847

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 00FE4C06

Part of subcall function 0102082D: CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 0102089A
Part of subcall function 0102082D: GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 010208A4
Part of subcall function 0102082D: CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 010208ED
Part of subcall function 0102082D: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 010208FA

Strings

Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00FE4BF0
Failed to get current process path., xrefs: 00FE4BC4
Unable to get resume command line from the registry, xrefs: 00FE4BA5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Close$Handle$CreateErrorLastProcess
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 1572399834-642631345
Opcode ID: 6b3ac33d6038814be0ec9f7cf61e2b001ef497748643e3b237e7ab4d66454830
Instruction ID: 2258e2125a138fa2fd08a265d019a462fb34419b24e27e718fb014e55f509a8e
Opcode Fuzzy Hash: 6b3ac33d6038814be0ec9f7cf61e2b001ef497748643e3b237e7ab4d66454830
Instruction Fuzzy Hash: EB118472D01669FF8F22AB9ADD00DDDFBB8EF54710F2041AAEC40B6214D7319A40AB81

Function 01018731 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,010188D5,00000000,00000000,?,010186D8,010188D5,00000000,00000000,00000000,?,010188D5,00000006,FlsSetValue), ref: 01018763
GetLastError.KERNEL32(?,010186D8,010188D5,00000000,00000000,00000000,?,010188D5,00000006,FlsSetValue,01042208,01042210,00000000,00000364,?,01016130), ref: 0101876F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,010186D8,010188D5,00000000,00000000,00000000,?,010188D5,00000006,FlsSetValue,01042208,01042210,00000000), ref: 0101877D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a82341483ac8f94b4b64fcf4fa11483097dfe7c54ef254ed33d458bf6ca32945
Instruction ID: 701d75d48f98d75591ca9b68b5d5619a44bba3307a0032214c5291e5f33ea0f6
Opcode Fuzzy Hash: a82341483ac8f94b4b64fcf4fa11483097dfe7c54ef254ed33d458bf6ca32945
Instruction Fuzzy Hash: 3A017B36601322ABC7314D6CDC88A5F7B98BF01BB17244621F9C6D3148D72DE920C7E0

Function 0101605E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,010119F5,00000000,80004004,?,01011CF9,00000000,80004004,00000000,00000000), ref: 01016062
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 010160CA
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 010160D6
_abort.LIBCMT ref: 010160DC

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: b56e51f84187eaa5de71c28aa37ec3910adbb75d65a745f60ee667160289cc7f
Instruction ID: d556c8aa72292d1eae128b61da0df274e91c5c683bb25ab9733a74e4ad68fe65
Opcode Fuzzy Hash: b56e51f84187eaa5de71c28aa37ec3910adbb75d65a745f60ee667160289cc7f
Instruction Fuzzy Hash: 7FF0F436540A0167C27376786C48B9F2AFA9BD2730F244159F9D99B18CFEAF84014261

Function 00FE730C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00FE7318
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00FE737F

Strings

Failed to get value of variable: %ls, xrefs: 00FE7352
Failed to get value as numeric for variable: %ls, xrefs: 00FE736E

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: 06079ed8b91016e29bfce9775739167efa993566f4c998cc32801fcaaab53da1
Instruction ID: 9e2e73990567273e1315545ad09522a6bce07147955bf42bd05b3226293faa98
Opcode Fuzzy Hash: 06079ed8b91016e29bfce9775739167efa993566f4c998cc32801fcaaab53da1
Instruction Fuzzy Hash: AE0171329452A9FFCF616E55CC05B9E7B699B14764F108125FD44AA210D3369E10BBD0

Function 00FE7481 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00FE748D
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00FE74F4

Strings

Failed to get value of variable: %ls, xrefs: 00FE74C7
Failed to get value as version for variable: %ls, xrefs: 00FE74E3

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: 0a7dfb600c41c2136380e178d18e1a0a8c046f33460b9006dc9b2b246c1f716b
Instruction ID: 18802dbcec1d2d217f94d10b3b383f5349cb98c8c161434060bdfb1995cf310b
Opcode Fuzzy Hash: 0a7dfb600c41c2136380e178d18e1a0a8c046f33460b9006dc9b2b246c1f716b
Instruction Fuzzy Hash: 2C0184729442B9FBCF22AE55CC05A9E3F689F14765F208125FC04AA250C33A9E10A7E0

Function 00FE7410 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00FE9752,00000000,?,00000000,00000000,00000000,?,00FE9590,00000000,?,00000000,00000000), ref: 00FE741C
LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00FE9752,00000000,?,00000000,00000000,00000000,?,00FE9590,00000000,?,00000000), ref: 00FE7472

Strings

Failed to get value of variable: %ls, xrefs: 00FE7442
Failed to copy value of variable: %ls, xrefs: 00FE7461

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: 3effaba00530765d1ccdcd9af3ffd644aeb2d03356900b7f5bc40837ca52b264
Instruction ID: 5d07d2b6968c2d2be265252059b015ffc6ac0a1e5e4bb5fa886b1e0cbb9800a6
Opcode Fuzzy Hash: 3effaba00530765d1ccdcd9af3ffd644aeb2d03356900b7f5bc40837ca52b264
Instruction Fuzzy Hash: FEF0AF36940268FBCF22AF95CC05E9E7F28EF14364F108124FD04AA260D3369E20BBD0

Function 01011246 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 01011246
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0101124B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 01011250

Part of subcall function 01011548: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 01011559

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 01011265

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
Instruction ID: 2666ad7e8fce36d2274503a0cad74a7f0d02597695e1f2f0f940482cbbbcf7dd
Opcode Fuzzy Hash: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
Instruction Fuzzy Hash: 32C04C78504203941FDD36F922402ED17851FB358578410C5CFE69750E6D3E002B5032

Function 01024661 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01020E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 010247C2

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 01024672
PendingFileRenameOperations, xrefs: 010246B2, 0102479A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-3023217399
Opcode ID: 3f5bce16a967f7833849d435c7f5979ba98d0446b3db7ba4db6e0cde034ed5e5
Instruction ID: eaa323d77bc8c8d95aefa463b45697d5e8a69014ae508a49f19cd754fa6d7bf2
Opcode Fuzzy Hash: 3f5bce16a967f7833849d435c7f5979ba98d0446b3db7ba4db6e0cde034ed5e5
Instruction Fuzzy Hash: D241A475E00235EFDB21DF98C9809ADBBF9FF45710F1140A9E6A0EB211DB719A40CB50

Function 01020B49 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 01020CA0

Part of subcall function 01020E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

Strings

regutil.cpp, xrefs: 01020C8D

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: regutil.cpp
API String ID: 47109696-955085611
Opcode ID: 8b52e7f57583aed9333ae9b5e1aaac19989eac5741ebe22c3f98cc723b9a16ca
Instruction ID: c84bd5f48521b9f052d2137c59457caef0924c72c5e8e38d0a5ea4affb05e057
Opcode Fuzzy Hash: 8b52e7f57583aed9333ae9b5e1aaac19989eac5741ebe22c3f98cc723b9a16ca
Instruction Fuzzy Hash: 1441C472A0133DFBEF225F68CD44BAD7AA5AB04314F2182A9FE85A7154D7358D40D780

Function 01020F6E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 01020FE4
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0102101F

Strings

regutil.cpp, xrefs: 01021057

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: 615f28661edb2a90f8ef9bd80a8019ecff1a467f8acd77220acea083f4401a18
Instruction ID: fb8154941ebe2caa7b5c7e9d22cd28fc762286d9f6844a5a8a2ca7081515031d
Opcode Fuzzy Hash: 615f28661edb2a90f8ef9bd80a8019ecff1a467f8acd77220acea083f4401a18
Instruction Fuzzy Hash: 9341C431E00269EFDF219E99CC849AEBBB9FF44310F1041A9FA54A7110D77A9E01DB90

Function 010165D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0102B508,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 010166A3
GetLastError.KERNEL32 ref: 010166BF

Strings

comres.dll, xrefs: 0101664A, 01016698, 010166D4

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: comres.dll
API String ID: 203985260-246242247
Opcode ID: 808b8d46a57bbb63f1c5c0f5747636474afb03a0d7350e9b9aae3314b30f6156
Instruction ID: 71c654d05da9fd69023ffe5713cf4f4e07e70f4e23ca276444507ce2972462c1
Opcode Fuzzy Hash: 808b8d46a57bbb63f1c5c0f5747636474afb03a0d7350e9b9aae3314b30f6156
Instruction Fuzzy Hash: 78312E31600315ABEB316F6CCC84BAF3BE4AF69760F0405A4F9954B198DBBAC940C7A1

Function 01028E07 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01028CFB: lstrlenW.KERNEL32(00000100,?,?,01029098,000002C0,00000100,00000100,00000100,?,?,?,01007B40,?,?,000001BC,00000000), ref: 01028D1B

RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0102B4F0,wininet.dll,?), ref: 01028F07
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0102B4F0,wininet.dll,?), ref: 01028F14

Part of subcall function 01020E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

Part of subcall function 01020D1C: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,01008BD8), ref: 01020D77
Part of subcall function 01020D1C: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01008BD8,00000000), ref: 01020D99

Strings

wininet.dll, xrefs: 01028E7C, 01028EC9

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Close$EnumInfoOpenQuerylstrlen
String ID: wininet.dll
API String ID: 2680864210-3354682871
Opcode ID: 04512c740f8b2c0017f15c90a06adad877367b0f4d419241bfe7faae0cc5a499
Instruction ID: f3223da252863414cec438d7e0198dadf96c779315c2ef015b0b0e0e3b95b56b
Opcode Fuzzy Hash: 04512c740f8b2c0017f15c90a06adad877367b0f4d419241bfe7faae0cc5a499
Instruction Fuzzy Hash: F231FC7AC0113AAFDF22AF94CD408EEFFB9EB54350B5581AAEA4177120D7314E509B90

Function 01029220 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01028CFB: lstrlenW.KERNEL32(00000100,?,?,01029098,000002C0,00000100,00000100,00000100,?,?,?,01007B40,?,?,000001BC,00000000), ref: 01028D1B

RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000), ref: 01029305
RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0102931F

Part of subcall function 01020AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00FF0491,?,00000000,00020006), ref: 01020AFA

Part of subcall function 01021392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00FEF1C2,00000000,?,00020006), ref: 010213C5

Part of subcall function 01021392: RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,00FEF1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 010213F5

Part of subcall function 01021344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,00FEF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 01021359

Strings

%ls\%ls, xrefs: 01029281

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls
API String ID: 3924016894-2125769799
Opcode ID: f5c31fd315f22dec2effcb357c5249206d130bcf504c8aa0e40c33d84578c188
Instruction ID: b795319eb3163f39cc837b903e99cd80abe1f7b5981abdb35b7de16464fa558f
Opcode Fuzzy Hash: f5c31fd315f22dec2effcb357c5249206d130bcf504c8aa0e40c33d84578c188
Instruction Fuzzy Hash: 3531D872C0113EBB8F229F95CD808EEBFB9FF04754F5141AAEA8166510D7368E10AB90

Function 00FE39CF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00FE3A32

Strings

crypt32.dll, xrefs: 00FE39EF, 00FE3A2E, 00FE3A30
wininet.dll, xrefs: 00FE39F0

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: _memcpy_s
String ID: crypt32.dll$wininet.dll
API String ID: 2001391462-82500532
Opcode ID: 20d9f25f4ff598d2956f110480d47adb0513f97da9c1314b068fe09bcabe11f2
Instruction ID: b5d1b2be8ab8f865b66718a5a3ae276a811264804130642cce8360e0a141049c
Opcode Fuzzy Hash: 20d9f25f4ff598d2956f110480d47adb0513f97da9c1314b068fe09bcabe11f2
Instruction Fuzzy Hash: 45118171600219ABCF08DE1ACCC999FBF69EF98650F14802AFC454B351D230EA509AE0

Function 01021392 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00FEF1C2,00000000,?,00020006), ref: 010213C5
RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,00FEF1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 010213F5

Strings

regutil.cpp, xrefs: 01021429

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Value$Delete
String ID: regutil.cpp
API String ID: 1738766685-955085611
Opcode ID: dd6bfb507de289516a311252b155413422e7ac52c2bfc907626c0195a3427150
Instruction ID: 4f6d32d8078655334984226cbf194b6f977beb541c22f6b8da53a48d14eba9bd
Opcode Fuzzy Hash: dd6bfb507de289516a311252b155413422e7ac52c2bfc907626c0195a3427150
Instruction Fuzzy Hash: 1211C636E01236BBEF215EA98D04BAB7AE5EF08650F114265FE54EA190DB71CD1097D0

Function 00FEDCA5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,0100744B,00000000,IGNOREDEPENDENCIES,00000000,?,0102B508), ref: 00FEDCF6

Strings

Failed to copy the property value., xrefs: 00FEDD2A
IGNOREDEPENDENCIES, xrefs: 00FEDCAD

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: c988c1ddecfc30d4f9b5d4f18788eca145dc97712963e41630cafdbcd67e2b23
Instruction ID: ab6d222393a41e198302b74084b770c1929f8df80ee0ab17a809f467fffe7c17
Opcode Fuzzy Hash: c988c1ddecfc30d4f9b5d4f18788eca145dc97712963e41630cafdbcd67e2b23
Instruction Fuzzy Hash: D511C232604255AFDB204F4ACC84FA9B7A5EF18370F364676FE189B690C770A850E791

Function 00FF55BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00FF55D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00FF5633

Strings

Failed to initialize COM on cache thread., xrefs: 00FF55E5

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 7528e67de65e255628cfec998fd7a60ace5e1c6f8ccce6bb1832726e4aca2421
Instruction ID: 9148d226a2e04b80f60f6a2a75ae09aa3b98b1b610910dfc0429dcf09379b631
Opcode Fuzzy Hash: 7528e67de65e255628cfec998fd7a60ace5e1c6f8ccce6bb1832726e4aca2421
Instruction Fuzzy Hash: D3018072600619BFCB058FA5DC80DE6F7ACFF08354B508126FA08D7220DB31AD149B90

Function 010254F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,00FF8C90,?,00000001,20000004,00000000,00000000,?,00000000), ref: 01025527
SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00FF8C90,?), ref: 01025542

Strings

aclutil.cpp, xrefs: 01025565

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: aclutil.cpp
API String ID: 2352087905-2159165307
Opcode ID: e8a7f9271be9ccdbaf6b786843210605ce0d9c64d605b39dab9728d3307d94a2
Instruction ID: 70eadbc34ee3d897122a09bd652dc828aaa0750335cf25990227d344cca61ca7
Opcode Fuzzy Hash: e8a7f9271be9ccdbaf6b786843210605ce0d9c64d605b39dab9728d3307d94a2
Instruction Fuzzy Hash: 41015273900178BBDF229E99CD05ECE7E6AEF44760F010155FE45A6110D7368E60A794

Function 00FE155F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,00000000,00FF6EF3,00000000,00FF6EF3,00000000,00000000,00FF6EF3,00000000,00000000,00000000,?,00FE2326,00000000,00000000), ref: 00FE15A3
GetLastError.KERNEL32(?,00FE2326,00000000,00000000,00FF6EF3,00000200,?,0102516B,00000000,00FF6EF3,00000000,00FF6EF3,00000000,00000000,00000000), ref: 00FE15AD

Strings

strutil.cpp, xrefs: 00FE15D1

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: 9ec18a38946f6cec577d59e130b819a41a4169252fad996a2e4574c024e07d69
Instruction ID: 7779e6fc295c9f45e7b8f1aa2207aaea54326ba4f3f67300f2dac5d352346aee
Opcode Fuzzy Hash: 9ec18a38946f6cec577d59e130b819a41a4169252fad996a2e4574c024e07d69
Instruction Fuzzy Hash: 1B01F133A007B96B9B219E9B8C44E577BA9FF8A760B050225FE15EB150DB35DC1097E0

Function 01023803 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 01023849
SysFreeString.OLEAUT32(00000000), ref: 0102387C

Strings

xmlutil.cpp, xrefs: 01023819, 01023860

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 1075ef02ff66a776747a39c8cb0c962557c6b638ae2a5a85d3760025077186dc
Instruction ID: 5a67d52bd8095cc7cfd886c9e9722924de3e64abefbe300383b17e0f44a9027e
Opcode Fuzzy Hash: 1075ef02ff66a776747a39c8cb0c962557c6b638ae2a5a85d3760025077186dc
Instruction Fuzzy Hash: 7D01A271640329ABDB211A598C08F7B33E8EF49760F448179FE84AF241C6BCCD0197E1

Function 0102388A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 010238D0
SysFreeString.OLEAUT32(00000000), ref: 01023903

Strings

xmlutil.cpp, xrefs: 010238A0, 010238E7

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: fcdd27b0d7bf3873b1c822e1e6b8c9ac447fee2033f0f3e7e8edd64a756063de
Instruction ID: 47c092c072e0557814537b307f12ab09c44ef07e46aaebb283b50342dc662bd2
Opcode Fuzzy Hash: fcdd27b0d7bf3873b1c822e1e6b8c9ac447fee2033f0f3e7e8edd64a756063de
Instruction Fuzzy Hash: CC01A275A40225BBDB214A998C08F7B37D8FF4A760F44412AFD85AF240C6BDCD0057E1

Function 01023AC9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01020E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,0102396A,?), ref: 01023B3A

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 01023AE4
EnableLUA, xrefs: 01023B0C

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 47109696-3551287084
Opcode ID: 23bb85d1239bac76b8242d5b8de7a5fafc76fb5ad168dba9d266c7dd67e896f2
Instruction ID: 46b5004a96979427ef81189becdeb0b2f73e26f555fd25ffb0910d71cc6d04b9
Opcode Fuzzy Hash: 23bb85d1239bac76b8242d5b8de7a5fafc76fb5ad168dba9d266c7dd67e896f2
Instruction Fuzzy Hash: 21018872910238FBD712AEA4C846BDDFBACEB08721F2001A5EA40AB100D3795E50D7D4

Function 00FE501B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00FE1104,?,?,00000000), ref: 00FE503A
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00FE1104,?,?,00000000), ref: 00FE506A

Strings

burn.clean.room, xrefs: 00FE5027, 00FE5034, 00FE5061

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 24b821d12b43eafc5ca1fbc48e2efad515df4be75bd8fd961ed67451cade74f1
Instruction ID: 617b4c8e387fb1539bf06c864143e3ea9da90cd2137b2ef7261b1fd9a9f82761
Opcode Fuzzy Hash: 24b821d12b43eafc5ca1fbc48e2efad515df4be75bd8fd961ed67451cade74f1
Instruction Fuzzy Hash: 9F01D6B6A00666AF83304E5A95C4D73B76CFB08B787204216FA8AC7604C3B69C50D7E0

Function 01026754 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 010267B3

Part of subcall function 010285CB: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 010286D8
Part of subcall function 010285CB: GetLastError.KERNEL32 ref: 010286E2

Strings

atomutil.cpp, xrefs: 010267A1
clbcatq.dll, xrefs: 01026780

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Time$ErrorFileFreeLastStringSystem
String ID: atomutil.cpp$clbcatq.dll
API String ID: 211557998-3749116663
Opcode ID: 6c827fa1a4aa72dbc69aaf888bf3569c7e2081d9018e012665ca049f78b3887c
Instruction ID: 5c1232fa7d83c2c5221637e881ffb8f2010273fe309300cdcc395030e2f8de40
Opcode Fuzzy Hash: 6c827fa1a4aa72dbc69aaf888bf3569c7e2081d9018e012665ca049f78b3887c
Instruction Fuzzy Hash: D30186B1901536FBCB209F89A984C9EFBB8FF45661B5082BAFE8567100E3325E10D7D0

Function 00FE6418 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00FE642A

Part of subcall function 010209BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00FE5D8F,00000000), ref: 010209CF
Part of subcall function 010209BB: GetProcAddress.KERNEL32(00000000), ref: 010209D6
Part of subcall function 010209BB: GetLastError.KERNEL32(?,?,?,00FE5D8F,00000000), ref: 010209ED

Part of subcall function 00FE5BF0: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00FE5C77

Strings

Failed to get 64-bit folder., xrefs: 00FE644D
Failed to set variant value., xrefs: 00FE6467

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: 2958e15d96922cd20606b45ba169f85ac4af99b496151de7ba25ee5cf21e98eb
Instruction ID: a907be39fad0cd4a55e0d60083f86dd072ac73663be06fe03e8b1c7975d3efc1
Opcode Fuzzy Hash: 2958e15d96922cd20606b45ba169f85ac4af99b496151de7ba25ee5cf21e98eb
Instruction Fuzzy Hash: ED016232D0127DBBDF21EB95DC05AEEBB78EB10761F204265F880A6191D6719E40E7D0

Function 00FE33D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00FE10DD,?,00000000), ref: 00FE33F8
GetLastError.KERNEL32(?,?,?,00FE10DD,?,00000000), ref: 00FE340F

Strings

pathutil.cpp, xrefs: 00FE3433

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: 7763a60919e4d3c12f158c4dc477e6aaa74a7cbca2488f9776ed436dcf0fef9a
Instruction ID: 04312a6ffd4e78b678fb3456ce65c86501d2f5bfbd9ddbd27db1c06c1eab3026
Opcode Fuzzy Hash: 7763a60919e4d3c12f158c4dc477e6aaa74a7cbca2488f9776ed436dcf0fef9a
Instruction Fuzzy Hash: 15F0C233B002B06B9732AA6B5C4CE87BA99EB45760B124121FD09EB150C635DD00A6E0

Function 00FF0598 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01020E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,01025699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 01020E52

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000,?,?,0100BB7C,00000101,?), ref: 00FF05EF

Strings

Failed to open registration key., xrefs: 00FF05BF
Failed to update resume mode., xrefs: 00FF05D9

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update resume mode.
API String ID: 47109696-3366686031
Opcode ID: dba1abf7179156e91c95ca11bc922181f1452be3e8ee1da3ec068dfc4302f0e5
Instruction ID: d1732bf91ad59b4f22434d08e7f2adbb2f8da8423063a13889b35813b48c7735
Opcode Fuzzy Hash: dba1abf7179156e91c95ca11bc922181f1452be3e8ee1da3ec068dfc4302f0e5
Instruction Fuzzy Hash: 3BF0A432941239B7CB225A959C01BEEB769AF04760F180055F600A61609FB5AE10A6D0

Function 010248CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,774D34C0,?,?,?,00FEB919,?,?,?,00000000,00000000), ref: 010248E3
GetLastError.KERNEL32(?,?,?,00FEB919,?,?,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 010248ED

Strings

fileutil.cpp, xrefs: 01024911

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: 357d1b905f6ade9ed702fb41b8762abee4396dc00f51d8ba381b111ea8cf1a5a
Instruction ID: fcf7b5b18bf929c24a5c260a8c73cdf4ad610358cfca2496cb67d7df510bc957
Opcode Fuzzy Hash: 357d1b905f6ade9ed702fb41b8762abee4396dc00f51d8ba381b111ea8cf1a5a
Instruction Fuzzy Hash: 0BF068B1A00225BF97209F59D80995BFBECEF05650B01421AFC49D7300E775AD10C7E4

Function 01023C58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,00FE535E,?,00000000,00FE535E,?,?,?), ref: 01023C7F
CoCreateInstance.OLE32(00000000,00000000,00000001,01046F3C,?), ref: 01023C97

Strings

Microsoft.Update.AutoUpdate, xrefs: 01023C7A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate
API String ID: 2151042543-675569418
Opcode ID: 9e3b46ae040a74b53b76753dd78d030fe817044d3f88fa2bbd5b47dfd3b8d5e2
Instruction ID: 0b296b59958345bcfea456b1377da162661968e186431fa93902431bcb17f94c
Opcode Fuzzy Hash: 9e3b46ae040a74b53b76753dd78d030fe817044d3f88fa2bbd5b47dfd3b8d5e2
Instruction Fuzzy Hash: 0FF05BB160020CBBD710DEE9D945DFFB7B8DB49710F500069ED41F7144D671AE048762

Function 010230BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 010230D4
SysFreeString.OLEAUT32(00000000), ref: 01023104

Strings

xmlutil.cpp, xrefs: 010230E8

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: f40fe8fef6f5622eb2891eff21582b41fa3bb2bb2abab7378d4acd77d3fe9066
Instruction ID: 7e84ac8b7f96f6a4beb0d914b18a199898330e05bb1ec280ab22d3e4b36fdf20
Opcode Fuzzy Hash: f40fe8fef6f5622eb2891eff21582b41fa3bb2bb2abab7378d4acd77d3fe9066
Instruction Fuzzy Hash: 99F0B431200268E7D7315E489C09F6B7BB5BB49A60F244168FD885F200C77D88508BE0

Function 0102336E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 01023383
SysFreeString.OLEAUT32(00000000), ref: 010233B3

Strings

xmlutil.cpp, xrefs: 0102339A

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 3902d0defdeae7fb89690b7deef020490230b2d46fc6a2d48bdb437e7e66cb39
Instruction ID: e8cf95c275b95acf683be473b5bbd58f8d59ee570a0f25782abe4c03237e01df
Opcode Fuzzy Hash: 3902d0defdeae7fb89690b7deef020490230b2d46fc6a2d48bdb437e7e66cb39
Instruction Fuzzy Hash: 8EF0B435200128A7C7220E499C08E6FBBE9FB89A60F148119FD849F300CB7DCA008BE0

Function 01021344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,00FEF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 01021359

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 01021347
regutil.cpp, xrefs: 01021381

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: Value
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$regutil.cpp
API String ID: 3702945584-2416625845
Opcode ID: 9e0a974f16392f1c08e0ad227c77326126bfa5fc61f55abdca63e9fe635ac75a
Instruction ID: f3f8ce517dfbd715f76bc46f901757f4faf16d3e3fd32a576d5d6185367796e9
Opcode Fuzzy Hash: 9e0a974f16392f1c08e0ad227c77326126bfa5fc61f55abdca63e9fe635ac75a
Instruction Fuzzy Hash: 7EE06DB2B443357BEB305AAA4C09F977ECCDB05AA0F424121BF08EA190D665CD0082E4

Function 01020CD1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 01020CF2

Strings

AdvApi32.dll, xrefs: 01020CD7
RegDeleteKeyExW, xrefs: 01020CE7

Memory Dump Source

Source File: 00000006.00000002.2542515712.0000000000FE1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000006.00000002.2542176943.0000000000FE0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543050563.000000000102B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543423797.000000000104A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2543746185.000000000104E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fe0000_UNK_.jbxd

Similarity

API ID: AddressProc
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 190572456-850864035
Opcode ID: ecc6fd4d41429d566aff06c5f4991a80ff56a380ed8431b31c9eb386881ccd5b
Instruction ID: 95f87c652a1974cf750fef6f59dba4b52312f8f52ecf21b26f630915af07adf7
Opcode Fuzzy Hash: ecc6fd4d41429d566aff06c5f4991a80ff56a380ed8431b31c9eb386881ccd5b
Instruction Fuzzy Hash: 7FE086F47457109BC7345F7ABADA9043B90E71DB08300012CF88597219DF7FD8008B54

Analysis Process: ._cache_file.exePID: 8028, Parent PID: 7980COMMON

Executed Functions

Function 6CFA23E7 Relevance: 30.5, APIs: 4, Strings: 13, Instructions: 723windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,?,?,00000031), ref: 6CFA246D
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6CFA2489
CompareStringW.KERNEL32(00000000,00000000,?,000000FF,disable,000000FF,?,?), ref: 6CFA2BD0
CompareStringW.KERNEL32(00000000,00000000,?,000000FF,hide,000000FF), ref: 6CFA2C14

Part of subcall function 6CFAC145: GetDlgItem.USER32(?,?), ref: 6CFAC154
Part of subcall function 6CFAC145: SetWindowTextW.USER32(00000000,6CFA2267), ref: 6CFAC162
Part of subcall function 6CFAC145: GetLastError.KERNEL32(?,6CFA2267,?,00000418,?), ref: 6CFAC16C

Strings

disable, xrefs: 6CFA2BC6
WixBundleElevated, xrefs: 6CFA24D8
Disable control %ls, xrefs: 6CFA2BE1
Failed to localize NET452WIN7RTMErrorMessage: %ls, xrefs: 6CFA2837
0x%08x - %ls, xrefs: 6CFA28C0
LaunchTarget, xrefs: 6CFA2742
InstallFolder, xrefs: 6CFA2649
Failed to initialize NET452WIN7RTMErrorMessage loc identifier., xrefs: 6CFA2815
hide, xrefs: 6CFA2C06
#(loc.NET452WIN7RTMErrorMessage), xrefs: 6CFA2806
Hide control %ls, xrefs: 6CFA2C25
The requested operation is successful. Changes will not be effective until the system is rebooted., xrefs: 6CFA245D
%lsState, xrefs: 6CFA2B84

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: CompareMessageString$ErrorItemLastPostTextWindow
String ID: #(loc.NET452WIN7RTMErrorMessage)$%lsState$0x%08x - %ls$Disable control %ls$Failed to initialize NET452WIN7RTMErrorMessage loc identifier.$Failed to localize NET452WIN7RTMErrorMessage: %ls$Hide control %ls$InstallFolder$LaunchTarget$The requested operation is successful. Changes will not be effective until the system is rebooted.$WixBundleElevated$disable$hide
API String ID: 2476112199-408053789
Opcode ID: b1dcd4a6c7b651dd09a3c9b41d13de27f8d7f9deb9eea4e3354b24a197296eb0
Instruction ID: 3e4f72180b36f97737c609876b25d8bd1e2eeec02cb7698217b4c332df778dbd
Opcode Fuzzy Hash: b1dcd4a6c7b651dd09a3c9b41d13de27f8d7f9deb9eea4e3354b24a197296eb0
Instruction Fuzzy Hash: 0742F474B00705EEEB218BF2CD44BABF7F9EF44308F104529F9A9A5950E7329956CB21

Function 00181070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001833D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,00000000,00000000,?,001AAD27,00000001,00000000,?,WixBundleSourceProcessPath,00000001,?), ref: 001833F8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 001810F6

Part of subcall function 00181174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0018111A,cabinet.dll,00000009,?,?,00000000), ref: 00181185
Part of subcall function 00181174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,0018111A,cabinet.dll,00000009,?,?,00000000), ref: 00181190
Part of subcall function 00181174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0018119E
Part of subcall function 00181174: GetLastError.KERNEL32(?,?,?,?,0018111A,cabinet.dll,00000009,?,?,00000000), ref: 001811B9
Part of subcall function 00181174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001811C1
Part of subcall function 00181174: GetLastError.KERNEL32(?,?,?,?,0018111A,cabinet.dll,00000009,?,?,00000000), ref: 001811D6

CloseHandle.KERNEL32(?,?,?,?,001CB4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 00181131

Strings

msi.dll, xrefs: 001810A0
msasn1.dll, xrefs: 001810C3
feclient.dll, xrefs: 001810D1
cabinet.dll, xrefs: 00181099
wininet.dll, xrefs: 001810AE
crypt32.dll, xrefs: 001810CA
comres.dll, xrefs: 001810B5
clbcatq.dll, xrefs: 001810BC
version.dll, xrefs: 001810A7

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 3050153c6224efe1f879a897217fe4f9368b955d0d3d2fad87e396b758804d34
Instruction ID: 924acd6388efc75796f0ecdf7afbaa7c521ea565fbc50f27b8f9eba1bb0e1be8
Opcode Fuzzy Hash: 3050153c6224efe1f879a897217fe4f9368b955d0d3d2fad87e396b758804d34
Instruction Fuzzy Hash: ED217171904208AACB00AFA5DD8AFEEBBBDEF14311F104118F911F6281D7709605CFA0

Function 6CFA1C04 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,00000000,bafunctions.dll,00000000,?,00000000,?,?,6CFA1B21,?,00000000,00000000,?,00000000,00000000,?), ref: 6CFA1C31
GetProcAddress.KERNEL32(00000000,CreateBootstrapperBAFunction), ref: 6CFA1C47
GetLastError.KERNEL32(?,6CFA1B21,?,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000001), ref: 6CFA1C53
FreeLibrary.KERNEL32(?), ref: 6CFA1CBD

Strings

CreateBootstrapperBAFunction, xrefs: 6CFA1C41
Failed to get CreateBootstrapperBAFunction entry-point from: %ls, xrefs: 6CFA1C67
bafunctions.dll, xrefs: 6CFA1C16
Failed to get path to BA function DLL., xrefs: 6CFA1C27
Failed to create BA function., xrefs: 6CFA1C9C

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: Library$AddressErrorFreeLastLoadProc
String ID: CreateBootstrapperBAFunction$Failed to create BA function.$Failed to get CreateBootstrapperBAFunction entry-point from: %ls$Failed to get path to BA function DLL.$bafunctions.dll
API String ID: 2540614322-2645503994
Opcode ID: 236f1f0e065aa8bd9cf42e86b8bd3a426566bda45607afbb5b51827b8bb68b71
Instruction ID: 07f18cb2c0757d1021cc1b9afbc46e5ad54718564743b448f3ed1f9f57b99f7a
Opcode Fuzzy Hash: 236f1f0e065aa8bd9cf42e86b8bd3a426566bda45607afbb5b51827b8bb68b71
Instruction Fuzzy Hash: 4121D136B14616FBDB064AB5CD04BDBF6A9AF04315F024225EC04F2A40EB36DD2187D1

Function 6CFA65CB Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?), ref: 6CFA6606
FindClose.KERNELBASE(00000000), ref: 6CFA6612

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: de0b76ae285fafce00bd01d63b190bd3c929fc7a316b3039e1cee7ea69fc28e1
Instruction ID: fc9008f19931ef116ebc3440fee496aa2c549eb967663a9cb4d39212aaa87dbe
Opcode Fuzzy Hash: de0b76ae285fafce00bd01d63b190bd3c929fc7a316b3039e1cee7ea69fc28e1
Instruction Fuzzy Hash: EA01D675F01108EBDB10EEB9DD88AAAF7BCDBC6319F000555F818D7240D730AA4A8B54

Function 001C4315 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,00000000,?), ref: 001C4350
FindClose.KERNEL32(00000000), ref: 001C435C

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: dcc5f80b838e0ca8c2586e2916a3372e375c32c61947a2119582708eb234df4a
Instruction ID: bd140d73e93a33447a8ea4544c23b7668a7f85ad055fda3e81e68b094dfda06d
Opcode Fuzzy Hash: dcc5f80b838e0ca8c2586e2916a3372e375c32c61947a2119582708eb234df4a
Instruction Fuzzy Hash: CA01F931600158ABDB10EFB9ED89EAAB7ACEFD6321F400169F918D7640DB309D8D8760

Function 0018B389 Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 565
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 0018B3FF
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0018B44C
GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 0018B452
ReadFile.KERNELBASE(00000000,0018435C,00000040,?,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0018B49A
GetLastError.KERNEL32(?,?,?,00000000,7765C3F0,00000000), ref: 0018B4A0
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0018B4FD
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0018B503
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0018B54C
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0018B552
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0018B5C3
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7765C3F0,00000000), ref: 0018B5C9

Strings

Failed to find valid DOS image header in buffer., xrefs: 0018BAE7
PE, xrefs: 0018B594
Failed to read signature offset., xrefs: 0018B643
Failed to read signature size., xrefs: 0018B692
section.cpp, xrefs: 0018B420, 0018B473, 0018B4C1, 0018B524, 0018B573, 0018B5EA, 0018B639, 0018B688, 0018B6DD, 0018B794, 0018B7D4, 0018B826, 0018B88B, 0018B8B5, 0018B8DC, 0018B9C3, 0018BA03, 0018BA22, 0018BA5F, 0018BA9D, 0018BAC0, 0018BADB
Failed to read complete image section header, index: %u, xrefs: 0018BA71
Failed to read complete section info., xrefs: 0018B8C1
(, xrefs: 0018B719
Failed to read image section header, index: %u, xrefs: 0018BAA8
Failed to seek to start of file., xrefs: 0018B47D
Failed to read section info., xrefs: 0018B895
Failed to read DOS header., xrefs: 0018B4CB
Failed to seek to NT header., xrefs: 0018B52E
Failed to find valid NT image header in buffer., xrefs: 0018BACC
burn, xrefs: 0018B734
Failed to read section info, data to short: %u, xrefs: 0018B7A6
4, xrefs: 0018B780
Failed to allocate memory for container sizes., xrefs: 0018B9CF
Failed to find Burn section., xrefs: 0018BA2E
Failed to read section info, unsupported version: %08x, xrefs: 0018B8F1
Failed to allocate buffer for section info., xrefs: 0018B7E0
Failed to get total size of bundle., xrefs: 0018B91F
Failed to seek to section info., xrefs: 0018B5F4, 0018B830
Failed to read NT header., xrefs: 0018B57D
Failed to seek past optional headers., xrefs: 0018B6E7
.wix, xrefs: 0018B72C
PE Header from file didn't match PE Header in memory., xrefs: 0018BA0D
Failed to open handle to engine process path., xrefs: 0018B42A

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$Pointer$Read
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 2600052162-695169583
Opcode ID: ab77cc15ab78f26cd2ec1b908da0cf6d7e1d39d313adebef97556b7e565416b6
Instruction ID: 79a2d5a2d0475cf6ed86cad90065ee735e411ef8f2b92e8e2aa36e33fecbe507
Opcode Fuzzy Hash: ab77cc15ab78f26cd2ec1b908da0cf6d7e1d39d313adebef97556b7e565416b6
Instruction Fuzzy Hash: FC12B371A44325ABEB24AA64CC86FAB76E9EF14B00F014169FD09EB181D771CF41CFA1

Function 6CFA9B79 Relevance: 82.7, APIs: 30, Strings: 17, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Billboard,000000FF,00000080,?,00000080,?,?), ref: 6CFA9CAF
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Button,000000FF), ref: 6CFA9CCE
SysFreeString.OLEAUT32(00000000), ref: 6CFAA005

Part of subcall function 6CFA5B06: GetProcessHeap.KERNEL32(?,?,?,6CFA79BF,?,00000001,?,00000000,?,6CFA8077,?,?,00000001,?,6CFAD455,?), ref: 6CFA5B17
Part of subcall function 6CFA5B06: RtlAllocateHeap.NTDLL(00000000,?,6CFA79BF,?,00000001,?,00000000,?,6CFA8077,?,?,00000001,?,6CFAD455,?,00000001), ref: 6CFA5B1E

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6CFC2180,00000001), ref: 6CFA9CE9
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Checkbox,000000FF), ref: 6CFA9D04
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6CFC21E0,00000002), ref: 6CFA9D1F
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Editbox,000000FF), ref: 6CFA9D3A
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6CFC21F8,00000002), ref: 6CFA9D55
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Hyperlink,000000FF), ref: 6CFA9D70
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6CFC2214,00000001), ref: 6CFA9D8B
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Hypertext,000000FF), ref: 6CFA9DA6
SysFreeString.OLEAUT32(00000000), ref: 6CFAA058

Strings

TreeView, xrefs: 6CFA9F11
Progressbar, xrefs: 6CFA9DEC
ListView, xrefs: 6CFA9EC4
Text, xrefs: 6CFA9E8E
Image, xrefs: 6CFA9DB6
Static, xrefs: 6CFA9E58
Hypertext, xrefs: 6CFA9D98
thmutil.cpp, xrefs: 6CFA9C2A
Richedit, xrefs: 6CFA9E22
Checkbox, xrefs: 6CFA9CF6
Tab, xrefs: 6CFA9F56
Button, xrefs: 6CFA9CC0
Listview, xrefs: 6CFA9EDF
Hyperlink, xrefs: 6CFA9D62
Editbox, xrefs: 6CFA9D2C
Billboard, xrefs: 6CFA9CA1
Treeview, xrefs: 6CFA9F28

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: String$Compare$FreeHeap$AllocateProcess
String ID: Billboard$Button$Checkbox$Editbox$Hyperlink$Hypertext$Image$ListView$Listview$Progressbar$Richedit$Static$Tab$Text$TreeView$Treeview$thmutil.cpp
API String ID: 1229322287-58397606
Opcode ID: 91a3eed78b23a5b32ab8ae2f0e241f62a43c5f38961cdea78437c9caeb4dcc3a
Instruction ID: 5e4a5fa44c32a08f79fc5083411f4ce85d9aabb204a9fea5999d9e11781044d9
Opcode Fuzzy Hash: 91a3eed78b23a5b32ab8ae2f0e241f62a43c5f38961cdea78437c9caeb4dcc3a
Instruction Fuzzy Hash: 9BE19731B8C216FBEF119AD48C42FAEB661AF45734F304760F630BA5D4CA72AA41DB51

Function 6CFA940E Relevance: 58.4, APIs: 2, Strings: 31, Instructions: 624COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(6CFA9FC4), ref: 6CFA9B68

Part of subcall function 6CFAC938: VariantInit.OLEAUT32(00000000), ref: 6CFAC94E
Part of subcall function 6CFAC938: SysAllocString.OLEAUT32(?), ref: 6CFAC96A
Part of subcall function 6CFAC938: VariantClear.OLEAUT32(?), ref: 6CFAC9F1
Part of subcall function 6CFAC938: SysFreeString.OLEAUT32(00000000), ref: 6CFAC9FC

SysFreeString.OLEAUT32(6CFA9FC4), ref: 6CFA9843

Strings

Width, xrefs: 6CFA9565
SourceX, xrefs: 6CFA95B9
HideWhenDisabled, xrefs: 6CFA9783
HoverFontId, xrefs: 6CFA9661
ImageListGroupHeader, xrefs: 6CFA9A0F
ImageListState, xrefs: 6CFA99D8
FontId, xrefs: 6CFA9629
thmutil.cpp, xrefs: 6CFA9461
sid, xrefs: 6CFA97EF
StringId, xrefs: 6CFA97D9
ImageList, xrefs: 6CFA996A
EnableDragDrop, xrefs: 6CFA9A5E
Interval, xrefs: 6CFA988D
DisablePrefix, xrefs: 6CFA98FA
SourceY, xrefs: 6CFA95F1
Name, xrefs: 6CFA9493
HasButtons, xrefs: 6CFA9AB8
SelectedFontId, xrefs: 6CFA9699
Center, xrefs: 6CFA98CC
AlwaysShowSelect, xrefs: 6CFA9AE2
HexStyle, xrefs: 6CFA96D3
FullRowSelect, xrefs: 6CFA9A8B
FileSystemAutoComplete, xrefs: 6CFA97AE
Height, xrefs: 6CFA952B
LinesAtRoot, xrefs: 6CFA9B08
HasLines, xrefs: 6CFA9B2E
TabStop, xrefs: 6CFA9702
ImageListSmall, xrefs: 6CFA99A1
Visible, xrefs: 6CFA9755
HexExtendedStyle, xrefs: 6CFA9939
Loop, xrefs: 6CFA9863

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: String$Free$Variant$AllocClearInit
String ID: AlwaysShowSelect$Center$DisablePrefix$EnableDragDrop$FileSystemAutoComplete$FontId$FullRowSelect$HasButtons$HasLines$Height$HexExtendedStyle$HexStyle$HideWhenDisabled$HoverFontId$ImageList$ImageListGroupHeader$ImageListSmall$ImageListState$Interval$LinesAtRoot$Loop$Name$SelectedFontId$SourceX$SourceY$StringId$TabStop$Visible$Width$sid$thmutil.cpp
API String ID: 3564436086-2239863677
Opcode ID: 5b71e57705612bb8e89c79bfc9a11df5922bdc543a0032eaae9789c9985e4f73
Instruction ID: e05bda1250b9a33d371a701475954c51bbc078620a90fc976fe9e5b0f062fb50
Opcode Fuzzy Hash: 5b71e57705612bb8e89c79bfc9a11df5922bdc543a0032eaae9789c9985e4f73
Instruction Fuzzy Hash: 5412E832D11129EBC715EAD58890BFFB6ACDB04698F0106B1ED10ABA40DB37DF46C7A1

Function 6CFAB75B Relevance: 51.2, APIs: 16, Strings: 13, Instructions: 424
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32(?,6CFCA028), ref: 6CFAB792
CompareStringW.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 6CFAB97D
CreateWindowExW.USER32(?,Static,?,?,?,?,?,?,74C0850C,?,00000000,00000000), ref: 6CFABA00
SHAutoComplete.SHLWAPI(00000000,00000010), ref: 6CFABA23
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 6CFABA53
SendMessageW.USER32(?,00001061,00000000,0000000F), ref: 6CFABAB9
SendMessageW.USER32(?,00001003,00000003,?), ref: 6CFABB02
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 6CFABB32
SendMessageW.USER32(?,00000445,00000000,04010000), ref: 6CFABB47
GetClassLongA.USER32(74C0850C,000000F6), ref: 6CFABB7A
SetClassLongA.USER32(?,000000F6,00000000), ref: 6CFABB86
SendMessageW.USER32(?,0000133E,00000000,00000003), ref: 6CFABBCA
SendMessageW.USER32(?,00000030,?,00000000), ref: 6CFABBF1
GetLastError.KERNEL32 ref: 6CFABC27
GetLastError.KERNEL32 ref: 6CFABC4D
GetLastError.KERNEL32 ref: 6CFABC73

Strings

SysLink, xrefs: 6CFAB8A0
SysListView32, xrefs: 6CFAB859
Edit, xrefs: 6CFAB877
Riched20.dll, xrefs: 6CFAB90E
SysTabControl32, xrefs: 6CFAB86D
ThemeHyperLink, xrefs: 6CFAB88F
SysTreeView32, xrefs: 6CFAB863
Static, xrefs: 6CFAB7B2, 6CFAB9FC
msctls_progress32, xrefs: 6CFAB8F9
thmutil.cpp, xrefs: 6CFABCA6
Button, xrefs: 6CFAB814
RichEdit20W, xrefs: 6CFAB927
+, xrefs: 6CFAB894

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: MessageSend$ErrorLast$ClassLong$AutoClientCompareCompleteCreateRectStringWindow
String ID: +$Button$Edit$RichEdit20W$Riched20.dll$Static$SysLink$SysListView32$SysTabControl32$SysTreeView32$ThemeHyperLink$msctls_progress32$thmutil.cpp
API String ID: 3933361081-283255470
Opcode ID: fbf2332b4555c3576f5c71e08ae384c0d77cd7bb887f416f4ac45948f9cb63b7
Instruction ID: f67516652f5dea8e3f0d8f8fc10a2fab4ee467231d5cdcdbfa816ab03ce49352
Opcode Fuzzy Hash: fbf2332b4555c3576f5c71e08ae384c0d77cd7bb887f416f4ac45948f9cb63b7
Instruction Fuzzy Hash: 14F19275E01209DFDF54CFA8C880B9EBBF5FF49314F20866AE911AB695D7318842CB94

Function 001952E3 Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 222
filepipesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,?,00000000,?,001CB4F0,?,00000000,?,0018442A,?,001CB4F0), ref: 00195304
GetCurrentProcessId.KERNEL32(?,0018442A,?,001CB4F0), ref: 0019530F
SetNamedPipeHandleState.KERNELBASE(?,000000FF,00000000,00000000,?,0018442A,?,001CB4F0), ref: 00195346
ConnectNamedPipe.KERNELBASE(?,00000000,?,0018442A,?,001CB4F0), ref: 0019535B
GetLastError.KERNEL32(?,0018442A,?,001CB4F0), ref: 00195365
Sleep.KERNELBASE(00000064,?,0018442A,?,001CB4F0), ref: 00195396
SetNamedPipeHandleState.KERNELBASE(?,00000000,00000000,00000000,?,0018442A,?,001CB4F0), ref: 001953B9
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0018442A,?,001CB4F0), ref: 001953D4
WriteFile.KERNEL32(?,0018442A,001CB4F0,00000000,00000000,?,0018442A,?,001CB4F0), ref: 001953EF
WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,0018442A,?,001CB4F0), ref: 0019540A
ReadFile.KERNELBASE(?,00000000,00000004,00000000,00000000,?,0018442A,?,001CB4F0), ref: 00195425
GetLastError.KERNEL32(?,0018442A,?,001CB4F0), ref: 0019547D
GetLastError.KERNEL32(?,0018442A,?,001CB4F0), ref: 001954B1
GetLastError.KERNEL32(?,0018442A,?,001CB4F0), ref: 001954E5
GetLastError.KERNEL32(?,0018442A,?,001CB4F0), ref: 0019557B

Strings

Failed to wait for child to connect to pipe., xrefs: 00195473
Failed to write secret length to pipe., xrefs: 00195543
Failed to write our process id to pipe., xrefs: 001954DB
Failed to reset pipe to blocking., xrefs: 00195574
Failed to set pipe to non-blocking., xrefs: 001955A5
Failed to write secret to pipe., xrefs: 0019550F
crypt32.dll, xrefs: 001953D2
pipe.cpp, xrefs: 00195469, 0019549D, 001954D1, 00195505, 00195539, 0019556A, 0019559B
Failed to read ACK from pipe., xrefs: 001954A7

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$crypt32.dll$pipe.cpp
API String ID: 2944378912-2047837012
Opcode ID: 062dcdc47ec20303d9c1108d22a4d9b373d14777fc7bd86e4ca0e1214c8cb6b9
Instruction ID: b4d6a2c803ecba27ea0dff1f35ba647f5de453f27c4d70f63ccaa856157f4169
Opcode Fuzzy Hash: 062dcdc47ec20303d9c1108d22a4d9b373d14777fc7bd86e4ca0e1214c8cb6b9
Instruction Fuzzy Hash: 6161B972E40725ABFB11ABB98C85BAA76E9EF04741F124125FD05F7190E774CE4087E1

Function 0018508D Relevance: 44.1, APIs: 5, Strings: 20, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 0018510F

Part of subcall function 001C03F0: InitializeCriticalSection.KERNEL32(001EB60C,?,0018511B,00000000,?,?,?,?,?,?), ref: 001C0407

Part of subcall function 00181209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00185137,00000000,?), ref: 00181247
Part of subcall function 00181209: GetLastError.KERNEL32(?,?,?,00185137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00181251

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 0018517D

Part of subcall function 001C0CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 001C0CF2

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 0018520F
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00185219
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0018549B

Strings

Setup, xrefs: 001853FC
Failed to run RunOnce mode., xrefs: 00185314
3.10.4.4718, xrefs: 0018527C
engine.cpp, xrefs: 0018523D
Failed to initialize engine state., xrefs: 00185164
Failed to run per-machine mode., xrefs: 00185364
Failed to initialize COM., xrefs: 00185189
Failed to initialize Cryputil., xrefs: 0018519E
Failed to get OS info., xrefs: 00185247
Failed to initialize Regutil., xrefs: 001851C1
txt, xrefs: 001853F2
Failed to run per-user mode., xrefs: 0018538C
Failed to run untrusted mode., xrefs: 001853AE
Invalid run mode., xrefs: 001852F1
Failed to initialize Wiutil., xrefs: 001851D9
Failed to initialize core., xrefs: 001852BB
_Failed, xrefs: 001853F7
Failed to parse command line., xrefs: 0018513D
Failed to initialize XML util., xrefs: 001851F1
Failed to run embedded mode., xrefs: 0018533C

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.10.4.4718$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt
API String ID: 3262001429-867073019
Opcode ID: 8a5925c78fdf5fb4cb33e19d19c63fbbd934dc7d4a149ca9fe25e9face612092
Instruction ID: dae3692e3c5958c068bfc64de83dd1eaa9b08582b645480daaa5fcb1dccb9b28
Opcode Fuzzy Hash: 8a5925c78fdf5fb4cb33e19d19c63fbbd934dc7d4a149ca9fe25e9face612092
Instruction Fuzzy Hash: 36B1A371D44A299BDB32BB648C86FED76AAEF24711F050099F909A7241DB70DF808F91

Function 0018567D Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 476
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,001899BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 001856A2
lstrlenW.KERNEL32(00000000,?,001899BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 001856AC
_wcschr.LIBVCRUNTIME ref: 001858B4
LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,001899BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 00185B56

Strings

Failed to allocate buffer for format string., xrefs: 001856CA
Failed to set record format string., xrefs: 001859DD
Failed to format record., xrefs: 00185B1A
Failed to get variable name., xrefs: 00185998
Failed to allocate variable array., xrefs: 00185991
Failed to allocate record., xrefs: 00185917
Failed to set record string., xrefs: 00185AA2
Failed to append string., xrefs: 00185728
Failed to append placeholder., xrefs: 00185959
Failed to format placeholder string., xrefs: 00185963
Failed to get formatted length., xrefs: 00185A6D
Failed to allocate string., xrefs: 00185AD1
Failed to reallocate variable array., xrefs: 00185938
Failed to determine variable visibility: '%ls'., xrefs: 00185946
variable.cpp, xrefs: 0018590A, 0018592B, 00185984, 001859D0, 00185A60, 00185A95, 00185B0D
[%d], xrefs: 0018586F
Failed to copy string., xrefs: 00185B3A
Failed to set variable value., xrefs: 0018596D
*****, xrefs: 00185820

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: eb7ffe5c100d46a639ffd5cc3313bcb092215c7cfe0f9f6c2b74cb43febae6f9
Instruction ID: 9ad498243ceb7af6d5b087ec1f12d2f416a951e90b9e2ac896023c0e9ebd653b
Opcode Fuzzy Hash: eb7ffe5c100d46a639ffd5cc3313bcb092215c7cfe0f9f6c2b74cb43febae6f9
Instruction Fuzzy Hash: 03F1A1B2D00629EBDB15AFA48841EAF7BAAEF14750F15812AFD05A7240D774DF01CFA1

Function 00197337 Relevance: 35.3, APIs: 1, Strings: 19, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to initialize internal cache functionality., xrefs: 0019758D
Failed to overwrite the %ls built-in variable., xrefs: 001974C9
Failed to open attached UX container., xrefs: 0019739B
Failed to set source process path variable., xrefs: 001974F7
Failed to load manifest., xrefs: 001973F5
Failed to set source process folder variable., xrefs: 00197533
WixBundleOriginalSource, xrefs: 00197547
Failed to get unique temporary folder for bootstrapper application., xrefs: 001975BC
Failed to set original source variable., xrefs: 00197558
WixBundleElevated, xrefs: 001974B3, 001974C4
Failed to load catalog files., xrefs: 001975FD
Failed to get source process folder from path., xrefs: 00197513
Failed to extract bootstrapper application payloads., xrefs: 001975DD
Failed to initialize variables., xrefs: 0019737E
WixBundleSourceProcessFolder, xrefs: 00197522
Failed to get manifest stream from container., xrefs: 001973D9
Failed to parse command line., xrefs: 00197474
WixBundleSourceProcessPath, xrefs: 001974E6
Failed to open manifest stream., xrefs: 001973B8

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath
API String ID: 32694325-252221001
Opcode ID: 02776b2e38d5d591ddc954d1e5409adfa3aeab5d4091030c410a4418d0057aaf
Instruction ID: 52ee8a24480edbf00e8345dc9c1108f69dd57f0eeac276bb57a3d4708c546074
Opcode Fuzzy Hash: 02776b2e38d5d591ddc954d1e5409adfa3aeab5d4091030c410a4418d0057aaf
Instruction Fuzzy Hash: 38914072A54A1ABBDF179AA4CC42EEEB77CBF24700F050226F515E7181D770EA449BE0

Function 001984C4 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 205
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00184CB6,?,?,00000000,00184CB6,00000000), ref: 00198507
GetLastError.KERNEL32 ref: 00198514
CloseHandle.KERNELBASE(00000000,?,00000000,001CB4F0,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001986F6

Strings

msi.dll, xrefs: 00198608
Failed to seek to original data in exe burn section header., xrefs: 001986CF
Failed to seek to checksum in exe header., xrefs: 001985F9
cabinet.dll, xrefs: 0019866F
Failed to zero out original data offset., xrefs: 001986E8
Failed to copy engine from: %ls to: %ls, xrefs: 0019859C
Failed to update signature offset., xrefs: 00198615
Failed to seek to signature table in exe header., xrefs: 00198660
cache.cpp, xrefs: 00198538, 001985EF, 00198656, 001986C5
Failed to create engine file at path: %ls, xrefs: 00198545
Failed to seek to beginning of engine file: %ls, xrefs: 0019856D

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 2528220319-1976062716
Opcode ID: 9370ee93d92f77962d85c43f81283f1f737d4332296cfb3cdf376094ae1c5235
Instruction ID: 66b2955c134ead67b6a23fdc64e76e699828f9eda799d3393c8c082936837608
Opcode Fuzzy Hash: 9370ee93d92f77962d85c43f81283f1f737d4332296cfb3cdf376094ae1c5235
Instruction Fuzzy Hash: 7951D972A40221BFFB116B688C4AFBF76A8EB15750F010119FD01FB291EB60DD1096E5

Function 001980AE Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,?,?), ref: 00198104

Part of subcall function 001C076C: OpenProcessToken.ADVAPI32(?,00000008,?,?,?,?,?,?,?,00198110,00000000), ref: 001C078A
Part of subcall function 001C076C: GetLastError.KERNEL32(?,?,?,?,00198110,00000000), ref: 001C0794
Part of subcall function 001C076C: CloseHandle.KERNELBASE(?,?,?,?,?,00198110,00000000), ref: 001C081D

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 0019812A
GetLastError.KERNEL32 ref: 00198134
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 001981B1
GetLastError.KERNEL32 ref: 001981BB

Strings

%ls%ls\, xrefs: 0019824C
4Mw, xrefs: 001981B1
Failed to append bundle id on to temp path for working folder., xrefs: 00198264
Failed to ensure windows path for working folder ended in backslash., xrefs: 0019817F
Temp\, xrefs: 00198189
Failed to get temp path for working folder., xrefs: 001981E9
Failed to convert working folder guid into string., xrefs: 0019823A
Failed to copy working folder path., xrefs: 0019827F
Failed to create working folder guid., xrefs: 00198207
Failed to get windows path for working folder., xrefs: 00198162
Failed to concat Temp directory on windows path for working folder., xrefs: 001981A1
cache.cpp, xrefs: 00198158, 001981DF, 00198230

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorLast$Process$CloseCurrentDirectoryHandleOpenPathTempTokenWindows
String ID: 4Mw$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 348923985-1835725942
Opcode ID: cc15a282711d6c9eb37fec7e4ead2fb0984736bd26d38747d5c43ff981767c12
Instruction ID: 1ac0c160f4e79d38ba41174299d464b182022db03dcf1e0c803d76eec5eb1fc2
Opcode Fuzzy Hash: cc15a282711d6c9eb37fec7e4ead2fb0984736bd26d38747d5c43ff981767c12
Instruction Fuzzy Hash: 3A410A72B40B24BBEF20A7B4DC4AFAB77ACAB15710F050166FD05E7240EB74DD448A91

Function 00187503 Relevance: 33.4, APIs: 1, Strings: 21, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00197378,001852B5,00000000,0018533D), ref: 00187523

Strings

', xrefs: 001877E2
WixBundleAction, xrefs: 00187C90
#, xrefs: 0018759C
Date, xrefs: 00187642
WixBundleForcedRestartPackage, xrefs: 00187CF0
WixBundleExecutePackageAction, xrefs: 00187CCE
WixBundleTag, xrefs: 00187D99
WixBundleInstalled, xrefs: 00187D12
InstallerName, xrefs: 001876F8
WixBundleElevated, xrefs: 00187D2E
WixBundleActiveParent, xrefs: 00187D47
WixBundleVersion, xrefs: 00187DAC
LogonUser, xrefs: 001877B2
WixBundleProviderKey, xrefs: 00187D5A
InstallerVersion, xrefs: 0018771E
WixBundleSourceProcessFolder, xrefs: 00187D86
0, xrefs: 0018753D
$, xrefs: 00187C54
WixBundleExecutePackageCacheFolder, xrefs: 00187CAC
WixBundleSourceProcessPath, xrefs: 00187D6D
Failed to add built-in variable: %ls., xrefs: 00187DF0

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleVersion
API String ID: 32694325-826827252
Opcode ID: a5c1b1907ee913c01b789387500da0c19a40ebb20732309e8b188db8afef80e0
Instruction ID: f406c6159baaf3c81d9b9ff63342b1a07a6014f8ae1c67539e5395b63af35a8c
Opcode Fuzzy Hash: a5c1b1907ee913c01b789387500da0c19a40ebb20732309e8b188db8afef80e0
Instruction Fuzzy Hash: 1D3238B0D253798BDB65CF598A887CDBAB8BB59B04F5081DEE10CB6211D7B04B85CF84

Function 6CFA1CE0 Relevance: 31.7, APIs: 1, Strings: 17, Instructions: 186COMMON

Download Yara Rule

Strings

WixStdBALanguageId, xrefs: 6CFA1D77
FailureRepairHeader, xrefs: 6CFA1EB3
#(loc.SuccessHeader), xrefs: 6CFA1E16
Failed to set WixStdBALanguageId variable., xrefs: 6CFA1D86
Failed to localize confirm close message: %ls, xrefs: 6CFA1DC5
#(loc.SuccessInstallHeader), xrefs: 6CFA1DF8
Failed to load loc file from path: %ls, xrefs: 6CFA1D47
Failed to probe for loc file: %ls in path: %ls, xrefs: 6CFA1D1F
FailureUninstallHeader, xrefs: 6CFA1ECE
mbapreq.wxl, xrefs: 6CFA1CF1, 6CFA1D0C, 6CFA1D1E
SuccessRepairHeader, xrefs: 6CFA1E4E
SuccessInstallHeader, xrefs: 6CFA1E2F
#(loc.FailureHeader), xrefs: 6CFA1E7F
FailureInstallHeader, xrefs: 6CFA1E98
thm.wxl, xrefs: 6CFA1CE9
#(loc.ConfirmCancelMessage), xrefs: 6CFA1D9A
SuccessUninstallHeader, xrefs: 6CFA1E69

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: Default$LangLanguageSystemUser
String ID: #(loc.ConfirmCancelMessage)$#(loc.FailureHeader)$#(loc.SuccessHeader)$#(loc.SuccessInstallHeader)$Failed to load loc file from path: %ls$Failed to localize confirm close message: %ls$Failed to probe for loc file: %ls in path: %ls$Failed to set WixStdBALanguageId variable.$FailureInstallHeader$FailureRepairHeader$FailureUninstallHeader$SuccessInstallHeader$SuccessRepairHeader$SuccessUninstallHeader$WixStdBALanguageId$mbapreq.wxl$thm.wxl
API String ID: 4175731448-3264773947
Opcode ID: c58882929310eb8bbcad8e7372f933c7331917937cac71e0ced7a1ec1582f7aa
Instruction ID: d86df3286c2e506881b0cf28da3546892bc4ccf376d153093a47ee3e297c1933
Opcode Fuzzy Hash: c58882929310eb8bbcad8e7372f933c7331917937cac71e0ced7a1ec1582f7aa
Instruction Fuzzy Hash: F451707A501519FFDB125BD8CC80ECABBB5EF08354F068164F904ABA60DB32DD26DB90

Function 001A3870 Relevance: 28.6, APIs: 1, Strings: 15, Instructions: 589COMMON

Download Yara Rule

Strings

Failed to copy the installed ProductCode to the package., xrefs: 001A3B20
Invalid state value., xrefs: 001A3F47
Failed to get version for product in machine context: %ls, xrefs: 001A3EB9
UX aborted detect., xrefs: 001A3F5E
msiengine.cpp, xrefs: 001A39F5, 001A3AF6, 001A3F3D, 001A3F54
UX aborted detect related MSI package., xrefs: 001A39FF
Failed to get product information for ProductCode: %ls, xrefs: 001A3A1F
VersionString, xrefs: 001A38CB, 001A3A52, 001A3BAC, 001A3BE3
msasn1.dll, xrefs: 001A39D6, 001A3ADD, 001A3DB3, 001A3EFE
Language, xrefs: 001A3CBC
Failed to query feature state., xrefs: 001A3F2B
Failed to enum related products., xrefs: 001A3EC3
UX aborted detect compatible MSI package., xrefs: 001A3B00
Failed to convert version: %ls to DWORD64 for ProductCode: %ls, xrefs: 001A390F
Failed to get version for product in user unmanaged context: %ls, xrefs: 001A3E97

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to copy the installed ProductCode to the package.$Failed to enum related products.$Failed to get product information for ProductCode: %ls$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$Failed to query feature state.$Invalid state value.$Language$UX aborted detect compatible MSI package.$UX aborted detect related MSI package.$UX aborted detect.$VersionString$msasn1.dll$msiengine.cpp
API String ID: 1659193697-2574767977
Opcode ID: 78e1942c3459fe22506a17b7f6eeb5b0fd346e5845db1a8531a085abb281cc5e
Instruction ID: 125b47d3dee9ed388d12c03a64b8bddd729a591658d293d860df3584ed342b01
Opcode Fuzzy Hash: 78e1942c3459fe22506a17b7f6eeb5b0fd346e5845db1a8531a085abb281cc5e
Instruction Fuzzy Hash: AD229C75E00619EFDB259EA4CC81FAEB7B9FF05310F10412AF52AAB251D730AE50DB90

Function 001841D2 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,0018515E,?,?,00000000,?,?), ref: 001841FE
InitializeCriticalSection.KERNEL32(000000D0,?,?,0018515E,?,?,00000000,?,?), ref: 00184207
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,0018515E,?,?,00000000,?,?), ref: 0018424D
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,0018515E,?,?,00000000,?,?), ref: 00184257
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,0018515E,?,?,00000000,?,?), ref: 0018426B
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,0018515E,?,?,00000000,?,?), ref: 0018427B
lstrlenW.KERNEL32(burn.filehandle.self,?,?,0018515E,?,?,00000000,?,?), ref: 001842CB
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,0018515E,?,?,00000000,?,?), ref: 001842D5
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,0018515E,?,?,00000000,?,?), ref: 001842E9
lstrlenW.KERNEL32(burn.filehandle.self,?,?,0018515E,?,?,00000000,?,?), ref: 001842F9

Strings

Failed to parse file handle: '%ls', xrefs: 0018437D
Failed to initialize engine section., xrefs: 00184362
engine.cpp, xrefs: 00184390, 001843BC
Missing required parameter for switch: %ls, xrefs: 0018439F
burn.filehandle.self, xrefs: 001842C6, 001842CE, 001842D3, 001842D4, 001842F4, 001843C6
burn.filehandle.attached, xrefs: 00184248, 00184250, 00184255, 00184256, 00184276, 0018439A

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: a60382deb7c77c1644803bb37e19290025239dfb3ed75cff192ff21b9fde7d24
Instruction ID: c0caeb05f3ab2dfb4b3b373c8a3efb9baeb323942d4351400c9163178cee1159
Opcode Fuzzy Hash: a60382deb7c77c1644803bb37e19290025239dfb3ed75cff192ff21b9fde7d24
Instruction Fuzzy Hash: 645198B1A44226BFD724AB65DC87F9AB76CFB14760F040119FA14D7290DB70EA50CBA4

Function 0019E563 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 135registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 0019E5AE
RegisterClassW.USER32(?), ref: 0019E5DA
GetLastError.KERNEL32 ref: 0019E5E5
CreateWindowExW.USER32(00000080,001D9CC4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 0019E64C
GetLastError.KERNEL32 ref: 0019E656
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 0019E6F4

Strings

Failed to register window., xrefs: 0019E613
Unexpected return value from message pump., xrefs: 0019E6DF
Failed to create window., xrefs: 0019E684
uithread.cpp, xrefs: 0019E609, 0019E67A
WixBurnMessageWindow, xrefs: 0019E5D3, 0019E6EF

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: a181b7b8383af17c3b825f40ac03a889eaff9ba3b396d75982faf2a07c7337e6
Instruction ID: aa89bcd447c3c47e47b03fb1a9436142b0565177ccd3d45a548a60ed3c1c2068
Opcode Fuzzy Hash: a181b7b8383af17c3b825f40ac03a889eaff9ba3b396d75982faf2a07c7337e6
Instruction Fuzzy Hash: 76418E72E00254ABDF20DBA4DC89EDABFE8FF18750F114126F909E6290D731E950CBA1

Function 6CFA14FF Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 160registrywindowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000,00000001), ref: 6CFA154F
LoadIconW.USER32(00000000,00000001), ref: 6CFA155B
LoadCursorW.USER32(00000000,00007F00), ref: 6CFA157E
RegisterClassW.USER32(?), ref: 6CFA15A9
GetLastError.KERNEL32 ref: 6CFA15B4
IsWindow.USER32(?), ref: 6CFA15FB
GetCursorPos.USER32(?), ref: 6CFA160F
MonitorFromPoint.USER32(?,?,00000002), ref: 6CFA1621
GetMonitorInfoW.USER32(00000000,00000002), ref: 6CFA1637
CreateWindowExW.USER32(00000000,6CFBFE40,?,?,?,?,?,?,00000000,00000000,?,?), ref: 6CFA1691
GetLastError.KERNEL32 ref: 6CFA16A1

Strings

WixStdBA, xrefs: 6CFA15A2
(, xrefs: 6CFA162E
WixStandardBootstrapperApplication.cpp, xrefs: 6CFA16C5

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: CursorErrorLastLoadMonitorWindow$ClassCreateFromHandleIconInfoModulePointRegister
String ID: ($WixStandardBootstrapperApplication.cpp$WixStdBA
API String ID: 4193476069-4208313422
Opcode ID: cdc4749702ab266637772979fc82823a1e01043531de918d1facb276c94f546d
Instruction ID: bda3561c94e9211ad13c18a061930e2c8a9bfd952e1ff2d4661624ac7abb4fea
Opcode Fuzzy Hash: cdc4749702ab266637772979fc82823a1e01043531de918d1facb276c94f546d
Instruction Fuzzy Hash: 08513D79E11215EFDF44CFA9C988A9EBBF5EF49300F154169E905EB250D731D802CB60

Function 6CFAC694 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,?,6CFACC0B,00000000,00000000,00000000,?,6CFA5200,?), ref: 6CFAC6AE
GetLastError.KERNEL32(?,6CFACC0B,00000000,00000000,00000000,?,6CFA5200,?), ref: 6CFAC6BA
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CFAC6FA
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6CFAC706
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 6CFAC711
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 6CFAC71B
CoCreateInstance.OLE32(6CFCAB30,00000000,00000001,6CFBF3E0,00000000,?,6CFACC0B,00000000,00000000,00000000,?,6CFA5200,?), ref: 6CFAC756
ExitProcess.KERNEL32 ref: 6CFAC805

Strings

Wow64RevertWow64FsRedirection, xrefs: 6CFAC713
Wow64EnableWow64FsRedirection, xrefs: 6CFAC708
kernel32.dll, xrefs: 6CFAC69E
xmlutil.cpp, xrefs: 6CFAC6DE
Wow64DisableWow64FsRedirection, xrefs: 6CFAC700
IsWow64Process, xrefs: 6CFAC6F4

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: fcc1053576ded21756850c1e150ad0a7701b6a7f2bb94c0f43b4181db938f0ad
Instruction ID: 6d0e18691a61274258ca3a43d53ae364848181dc307e81c09eedff0199ebe9ed
Opcode Fuzzy Hash: fcc1053576ded21756850c1e150ad0a7701b6a7f2bb94c0f43b4181db938f0ad
Instruction Fuzzy Hash: B741BD39B01215EBDB14EBE9C894B9FBBB4EF45300F210569E801EBA40DB32D9028B90

Function 0018C129 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 128fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(001AAB22,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,?,?,001AAB22), ref: 0018C170
GetLastError.KERNEL32(?,001AAB22), ref: 0018C181
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,?,?,001AAB22), ref: 0018C1D0
GetCurrentProcess.KERNEL32(000000FF,00000000,?,001AAB22), ref: 0018C1D6
DuplicateHandle.KERNELBASE(00000000,?,001AAB22), ref: 0018C1D9
GetLastError.KERNEL32(?,001AAB22), ref: 0018C1E3
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,001AAB22), ref: 0018C235
GetLastError.KERNEL32(?,001AAB22), ref: 0018C23F

Strings

Failed to move file pointer to container offset., xrefs: 0018C26D
Failed to open container., xrefs: 0018C28B
container.cpp, xrefs: 0018C1A5, 0018C207, 0018C263
Failed to duplicate handle to container: %ls, xrefs: 0018C214
Failed to open file: %ls, xrefs: 0018C1B2

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp
API String ID: 2619879409-2168299741
Opcode ID: 946a0cab5d34babb1834faed92d1f7e2d3ca7897182187bbf7c2647c5c927cc0
Instruction ID: 31fb327aff3b79853f32f67c5a45b365ee63b2f783534b916cbe76577f68bd1f
Opcode Fuzzy Hash: 946a0cab5d34babb1834faed92d1f7e2d3ca7897182187bbf7c2647c5c927cc0
Instruction Fuzzy Hash: 4041AF72240301ABEB10AE6ADC89F577BEAEB95760F15412DFD18DB291DB31C911CBB0

Function 6CFAAE55 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 295windowkeyboardCOMMON

Download Yara Rule

APIs

GetUpdateRect.USER32(?,00000000,00000000), ref: 6CFAAEE8
BeginPaint.USER32(?,?,?,6CFA55CA,00000000,?,?,?,?), ref: 6CFAAEFD
EndPaint.USER32(?,?,?,?,?,6CFA55CA,00000000,?,?,?,?), ref: 6CFAAF12
GetClientRect.USER32(?,?), ref: 6CFAAF31
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,?,?,?,6CFA55CA,00000000,?), ref: 6CFAAF90
SendMessageW.USER32(?,0000101E,00000000,?), ref: 6CFAAFDA
GetDlgItem.USER32(?,?), ref: 6CFAB062
GetKeyState.USER32(00000010), ref: 6CFAB0F4
GetNextDlgTabItem.USER32(?,?,00000000), ref: 6CFAB109
SetFocus.USER32(00000000,?,6CFA55CA,00000000,?,?,?,?), ref: 6CFAB110
DefWindowProcW.USER32(?,?,?,?,?,00000000,?,?,6CFA55CA,00000000,?,?,?,?), ref: 6CFAB1F9

Strings

open, xrefs: 6CFAB0B3

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: ItemPaintRectWindow$BeginClientFocusMessageMoveNextProcSendStateUpdate
String ID: open
API String ID: 3202820204-2758837156
Opcode ID: d16b784efe3c5eb755d0bbe3b46edc41726925fedd3f27ddd2382f4ff85ce54c
Instruction ID: f339b4668deefeaa55de3ab9abd2fb7b528de8eb9c95181bda998bab59c80c40
Opcode Fuzzy Hash: d16b784efe3c5eb755d0bbe3b46edc41726925fedd3f27ddd2382f4ff85ce54c
Instruction Fuzzy Hash: ECA1D775A01118EFDF248FA5CD849EEF7B9EF49304F11899AE61593A40D730D986CFA0

Function 001A1484 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,0000001C,?,00000000,00000000,00000000,00000000,?,0018C285,00000000,001AAB22,?,001AAB22), ref: 001A14BB
GetLastError.KERNEL32(?,0018C285,00000000,001AAB22,?,001AAB22), ref: 001A14C4

Strings

Failed to create operation complete event., xrefs: 001A1538
Failed to copy file name., xrefs: 001A14A6
Failed to create extraction thread., xrefs: 001A1584
cabextract.cpp, xrefs: 001A14E8, 001A152E, 001A157A
Failed to wait for operation complete., xrefs: 001A1597
Failed to create begin operation event., xrefs: 001A14F2

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp
API String ID: 545576003-1680384675
Opcode ID: b98c48a452a98001db06c4ff8eace7ba5e9ec5dd35c5764a4ab7f94065a1587b
Instruction ID: a2c29c30e62f2144d3c89a4d0b5a9e76e7bd0a34896824f3a8826fee61b4baf5
Opcode Fuzzy Hash: b98c48a452a98001db06c4ff8eace7ba5e9ec5dd35c5764a4ab7f94065a1587b
Instruction Fuzzy Hash: 792136B6E407357AF72166795C86FA779ECEF467A0F020222BD05E7680E751DD0086E2

Function 001A0627 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 001A0657
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 001A066F
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 001A0674
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 001A0677
GetLastError.KERNEL32(?,?), ref: 001A0681
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 001A06F0
GetLastError.KERNEL32(?,?), ref: 001A06FD

Strings

<the>.cab, xrefs: 001A0650
Failed to duplicate handle to cab container., xrefs: 001A06AF
cabextract.cpp, xrefs: 001A06A5, 001A0721
Failed to add virtual file pointer for cab container., xrefs: 001A06D6
Failed to open cabinet file: %hs, xrefs: 001A072E

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 7ad5acaf99b278545becb37a494a18fb6e330115d1d182116c8c79fde039486a
Instruction ID: 47e1420ca523a29004e067d54040cefdd00760e59538b46c80683d5692f4e2fc
Opcode Fuzzy Hash: 7ad5acaf99b278545becb37a494a18fb6e330115d1d182116c8c79fde039486a
Instruction Fuzzy Hash: C231F576A41724BBEB219BA58C49F9B7FACEF09760F010116FD08E7650C721DD50CAE5

Function 6CFA51A7 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 152windowCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 6CFA51BD
PostMessageW.USER32(?,-00008064,00000000,00000000), ref: 6CFA5263
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 6CFA52AC

Part of subcall function 6CFA4E81: PostMessageW.USER32(?,00008068,00000000,?), ref: 6CFA4EBE

Part of subcall function 6CFAB59C: IsDialogMessageW.USER32(?,?), ref: 6CFAB5AC

TranslateMessage.USER32(?), ref: 6CFA5293
DispatchMessageW.USER32(?), ref: 6CFA529D
CoUninitialize.OLE32 ref: 6CFA5339

Strings

Unexpected return value from message pump., xrefs: 6CFA52C5
Failed to initialize data in bootstrapper application., xrefs: 6CFA5206
Failed to initialize theme manager., xrefs: 6CFA51F2
Failed to create main window., xrefs: 6CFA5221
Failed to initialize COM., xrefs: 6CFA51CC

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: Message$Post$CallbackDialogDispatchDispatcherInitializeTranslateUninitializeUser
String ID: Failed to create main window.$Failed to initialize COM.$Failed to initialize data in bootstrapper application.$Failed to initialize theme manager.$Unexpected return value from message pump.
API String ID: 3891601100-138392756
Opcode ID: 9e70e9647cf9e3af6b4f8a71615c3caa2e5befde61be16940d77c61e77fba4ef
Instruction ID: 6b8e6c8a06381646cc630d71d26f91cd3fa5ca22e823b17b6f1a67d3e7d2352a
Opcode Fuzzy Hash: 9e70e9647cf9e3af6b4f8a71615c3caa2e5befde61be16940d77c61e77fba4ef
Instruction Fuzzy Hash: 9441E476B04B16EFDB145AE4C880EBFF6ADAF45314F144625ED05D6A80EB24DC0B87A1

Function 0019E82A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 99threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00185386,?,?), ref: 0019E84A
GetLastError.KERNEL32(?,00185386,?,?), ref: 0019E857
CreateThread.KERNELBASE(00000000,00000000,Function_0001E563,?,00000000,00000000), ref: 0019E8B0
GetLastError.KERNEL32(?,00185386,?,?), ref: 0019E8BD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00185386,?,?), ref: 0019E8F8
CloseHandle.KERNEL32(00000000,?,00185386,?,?), ref: 0019E917
CloseHandle.KERNELBASE(?,?,00185386,?,?), ref: 0019E924

Strings

Failed to create the UI thread., xrefs: 0019E8E8
uithread.cpp, xrefs: 0019E878, 0019E8DE
Failed to create initialization event., xrefs: 0019E882

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: ee7b54206c4d152f7f26e0b340a8a2311bc40e9806a286abf77f8d8ec6e3f998
Instruction ID: c8195ec58b0f47ed119ffe75396e45bf300b926b6242eca1110f7a1b571199c6
Opcode Fuzzy Hash: ee7b54206c4d152f7f26e0b340a8a2311bc40e9806a286abf77f8d8ec6e3f998
Instruction Fuzzy Hash: 82313475E40219BBEB10EFA9DD85AAFBAECEF08750F114126F915E3250D7309E008AA1

Function 6CFAB5FE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CFACB3D: CoInitialize.OLE32(00000000), ref: 6CFACB4C
Part of subcall function 6CFACB3D: InterlockedIncrement.KERNEL32(6CFCAB40), ref: 6CFACB69
Part of subcall function 6CFACB3D: CLSIDFromProgID.OLE32(Msxml2.DOMDocument,6CFCAB30,?,?,?,?,?,?,?,6CFA51EC,?), ref: 6CFACB84
Part of subcall function 6CFACB3D: CLSIDFromProgID.OLE32(MSXML.DOMDocument,6CFCAB30,?,?,?,?,?,?,?,6CFA51EC,?), ref: 6CFACB90

LoadCursorA.USER32(00000000,00007F89), ref: 6CFAB62E
GetClassInfoW.USER32(00000000,Button,?), ref: 6CFAB643
GetLastError.KERNEL32(?,?,?,?,?,?,?,6CFA51EC,?), ref: 6CFAB64D
RegisterClassW.USER32(?), ref: 6CFAB693
GetLastError.KERNEL32(?,?,?,?,?,?,?,6CFA51EC,?), ref: 6CFAB69E
GdiplusStartup.GDIPLUS(6CFCAB18,6CFCA1C4,6CFCAB10,?,?,?,?,?,?,?,6CFA51EC,?), ref: 6CFAB6E5
InitCommonControlsEx.COMCTL32(?,00000000,6CFCAB18,6CFCA1C4,6CFCAB10,?,?,?,?,?,?,?,6CFA51EC,?), ref: 6CFAB713

Strings

thmutil.cpp, xrefs: 6CFAB671
Button, xrefs: 6CFAB63D
ThemeHyperLink, xrefs: 6CFAB68C

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: ClassErrorFromLastProg$CommonControlsCursorGdiplusIncrementInfoInitInitializeInterlockedLoadRegisterStartup
String ID: Button$ThemeHyperLink$thmutil.cpp
API String ID: 1186214510-4220003992
Opcode ID: 27ae13f3eaed799a8db5f2b77ac6c70da9d95584a68eff9016fd135a512854ce
Instruction ID: e6411cb24132d3f7b016b7c7963ba240794aba6361b2e94faaceeb3a5eacdf4e
Opcode Fuzzy Hash: 27ae13f3eaed799a8db5f2b77ac6c70da9d95584a68eff9016fd135a512854ce
Instruction Fuzzy Hash: F131C57AF50229EBDB509FE9C888B9BBAF8EB05354F014926FD04F7640D73199018BE5

Function 001A1224 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,00000000,774D2F60,?,00000000,?,?,?,00000000), ref: 001A1249
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,001AB555,?,?,80000000,?,?,?,?,?), ref: 001A125C
GetExitCodeThread.KERNELBASE(?,?,?,?,00000000,?,?,?,?,001AB555,?,?,80000000,?,?,?), ref: 001A129E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,001AB555,?,?,80000000,?,?,?,?,?), ref: 001A12AC
ResetEvent.KERNEL32(?,?,?,00000000,?,?,?,?,001AB555,?,?,80000000,?,?,?,?), ref: 001A12E7
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,001AB555,?,?,80000000,?,?,?,?,?), ref: 001A12F1

Strings

Failed to get extraction thread exit code., xrefs: 001A12DD
Failed to reset operation complete event., xrefs: 001A1322
cabextract.cpp, xrefs: 001A1280, 001A12D0, 001A1315
Failed to wait for operation complete event., xrefs: 001A128D

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: c667f15e065caf262146d6130e9986c459dfde1e8034f565b9ab96975f3723a5
Instruction ID: 8dddea72b6c787baae71ca092ec593881b4556b18fa98a0e846da4231c9d9a6f
Opcode Fuzzy Hash: c667f15e065caf262146d6130e9986c459dfde1e8034f565b9ab96975f3723a5
Instruction Fuzzy Hash: 5121BFB5640304BFEB18AB6A8D46ABE7AF8FF05710F50412FB946D66A0E730DA009B15

Function 0018D5C0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,?,001846F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00185386,?,?), ref: 0018D5CD
GetLastError.KERNEL32(?,001846F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00185386,?,?), ref: 0018D5DA
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0018D612
GetLastError.KERNEL32(?,001846F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00185386,?,?), ref: 0018D61E

Strings

wininet.dll, xrefs: 0018D5F8, 0018D63C, 0018D667
Failed to create UX., xrefs: 0018D662
Failed to load UX DLL., xrefs: 0018D605
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 0018D649
BootstrapperApplicationCreate, xrefs: 0018D60C
userexperience.cpp, xrefs: 0018D5FB, 0018D63F

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
API String ID: 1866314245-1140179540
Opcode ID: aa5b8189486c86906f893b03642ebe0b2dba25cdcb82e54672153df6a06d3607
Instruction ID: 07246826ff80bb10f921e31b0a1d67cb1723c40037896f528e9998a2467b397c
Opcode Fuzzy Hash: aa5b8189486c86906f893b03642ebe0b2dba25cdcb82e54672153df6a06d3607
Instruction Fuzzy Hash: 2C110633A40735ABEB216A68AC05F5737E5EF14761F02402EFD09E3590EB20CD018BD4

Function 001AB2F6 Relevance: 16.3, APIs: 2, Strings: 7, Instructions: 553COMMON

Download Yara Rule

Strings

Failed to set syncpoint event., xrefs: 001AB88F
(, xrefs: 001AB760
layout bundle, xrefs: 001AB452
end cache package, xrefs: 001AB707
apply.cpp, xrefs: 001AB346, 001AB882
begin cache package, xrefs: 001AB4AF
UX aborted cache., xrefs: 001AB350

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID:
String ID: ($Failed to set syncpoint event.$UX aborted cache.$apply.cpp$begin cache package$end cache package$layout bundle
API String ID: 0-826262529
Opcode ID: 2a3145cf3b71ee6e419bb7d29ef9d9b4c9f771dce7c2395e587c01eb0e80348b
Instruction ID: 54b71ff2f28be3de6f627a61a75f43d7d2f1f77c1e42f5c32091911f8c041e9e
Opcode Fuzzy Hash: 2a3145cf3b71ee6e419bb7d29ef9d9b4c9f771dce7c2395e587c01eb0e80348b
Instruction Fuzzy Hash: C4226575A00655FFDF05CF94C880FAABBB6FF49710F218259F914AB262C331A961DB90

Function 00184690 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 001846B5
GetCurrentThreadId.KERNEL32 ref: 001846BB

Part of subcall function 0019FC51: new.LIBCMT ref: 0019FC58

GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00184749

Strings

Failed to create engine for UX., xrefs: 001846D5
Failed to start bootstrapper application., xrefs: 00184717
wininet.dll, xrefs: 001846E8
Failed to load UX., xrefs: 001846FE
Unexpected return value from message pump., xrefs: 0018479F
engine.cpp, xrefs: 00184795

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 685faf56c624a2da5cece2fbaa1947f5dc7d555ab4d0a2e329f42909aa04ba65
Instruction ID: f4e7a06482840caa1153cbf45cd7584a58bf94e643d2c48dd6f04c8673da9111
Opcode Fuzzy Hash: 685faf56c624a2da5cece2fbaa1947f5dc7d555ab4d0a2e329f42909aa04ba65
Instruction Fuzzy Hash: 0441C3B2600216BFEB14ABA4CC85FBAB7ACEF15314F110129F905E7140EF30EE518BA0

Function 6CFA66A7 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,00000000,?,00000000,?,00000000,?,00000000), ref: 6CFA66C4
GetLastError.KERNEL32(?,00000000,?,00000000,?,00000000,?,00000000), ref: 6CFA66CF
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 6CFA66FE
GetFileVersionInfoW.VERSION(00000000,00000000,00000000,00000000), ref: 6CFA671F
GetLastError.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CFA6728
VerQueryValueW.VERSION(00000000,6CFC1ACC,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6CFA6760
GetLastError.KERNEL32(00000000,6CFC1ACC,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6CFA6769
GlobalFree.KERNEL32(00000000), ref: 6CFA679D

Strings

fileutil.cpp, xrefs: 6CFA66ED, 6CFA6746

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: ErrorLast$FileGlobalInfoVersion$AllocFreeQuerySizeValue
String ID: fileutil.cpp
API String ID: 2342464106-2967768451
Opcode ID: 87a220db6388a9b09abd4429767bef4543019da0c7def4c32dc83c4bcc9cb146
Instruction ID: c57151ad98af60135300281eb7ed0ecb8b16d5f9a69c3cd39f9347199d8a8d7e
Opcode Fuzzy Hash: 87a220db6388a9b09abd4429767bef4543019da0c7def4c32dc83c4bcc9cb146
Instruction Fuzzy Hash: C721813AA40229FBD7119AE9CD84ADBFAB8EF45354F014266FD04E7650EB31CC0186E1

Function 0019473A Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 115fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000008,?,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000001,00000000), ref: 00194765
GetLastError.KERNEL32 ref: 00194772
ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,00000000), ref: 0019481B
GetLastError.KERNEL32 ref: 00194825

Strings

Failed to allocate data for message., xrefs: 001947D9
pipe.cpp, xrefs: 001947CF, 001947E6, 00194849
Failed to read message from pipe., xrefs: 001947F0
Failed to read data for message., xrefs: 00194853

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
API String ID: 1948546556-3912962418
Opcode ID: e3b4879ef536cdadae3838fbd3175ddf7289af338d73ea1fbd4e4c6063600315
Instruction ID: 05fda2d352f1ada8d9436467ba24125c1f73310b65c71297d3b6747372863ec2
Opcode Fuzzy Hash: e3b4879ef536cdadae3838fbd3175ddf7289af338d73ea1fbd4e4c6063600315
Instruction Fuzzy Hash: DB31F476E40229BBEF189FA5DC45FAAB7A8EB05711F10812AF811E6580E770DE418BD1

Function 0018F69D Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0018F7CD
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0018F7DA

Strings

Failed to format pending restart registry key to read., xrefs: 0018F6D1
Failed to open registration key., xrefs: 0018F736
Resume, xrefs: 0018F741
%ls.RebootRequired, xrefs: 0018F6BA
Failed to read Resume value., xrefs: 0018F763

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 0c5544ebd4b397231a02e8c65043d76d7227a0b43f8302574772922eb29ea7ba
Instruction ID: f7ac14e22a616080d1e6faff2d5fa3f4d52ca5464824a64b9c81efb7869e561d
Opcode Fuzzy Hash: 0c5544ebd4b397231a02e8c65043d76d7227a0b43f8302574772922eb29ea7ba
Instruction Fuzzy Hash: 37414C36900119FBEB12BF98C881AADBBB5EB15710F25817AE914AB250D3719F42DF90

Function 6CFABD67 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6CFABD80
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,08000000,00000000,00000000,00000033,6CFCA028,?,00000000,00000000,?,6CFCA028,00000033), ref: 6CFABDB9
GetLastError.KERNEL32(?,00000000,00000000,?,6CFCA028,00000033), ref: 6CFABDC6
SendMessageW.USER32(00000000,00000435,00000000,?), ref: 6CFABE15
SendMessageW.USER32(?,00000449,00000002,?), ref: 6CFABE37
CloseHandle.KERNELBASE(00000000,00000000,00000033,6CFCA028,?,00000000,00000000,?,6CFCA028,00000033), ref: 6CFABE50

Strings

thmutil.cpp, xrefs: 6CFABDEA

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: MessageSend$CloseCreateErrorFileHandleItemLast
String ID: thmutil.cpp
API String ID: 875121269-2961750086
Opcode ID: 8c43e386e918e819c209d8bbd549531dc2f7d6467210061471d9fe2a1b69424f
Instruction ID: 021e84c8828d4aa8114aa867db6440016fc7d44aa589111cc88386ed2cded824
Opcode Fuzzy Hash: 8c43e386e918e819c209d8bbd549531dc2f7d6467210061471d9fe2a1b69424f
Instruction Fuzzy Hash: C121A236A00619FBEB119EA8CC85BDFBBB8EB04720F204615FA10B62D0C3719D11DB94

Function 6CFA6ABE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6CFAC88A: SysAllocString.OLEAUT32(?), ref: 6CFAC89D
Part of subcall function 6CFAC88A: VariantInit.OLEAUT32(?), ref: 6CFAC8A9
Part of subcall function 6CFAC88A: VariantClear.OLEAUT32(?), ref: 6CFAC91D
Part of subcall function 6CFAC88A: SysFreeString.OLEAUT32(00000000), ref: 6CFAC928

SysFreeString.OLEAUT32(00000000), ref: 6CFA6B14
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,yes,000000FF,?,Overridable,00000000,00000000,?), ref: 6CFA6B43
SysFreeString.OLEAUT32(00000000), ref: 6CFA6B5D
SysFreeString.OLEAUT32(00000000), ref: 6CFA6B8E

Strings

yes, xrefs: 6CFA6B35
Overridable, xrefs: 6CFA6B1E
#(loc.%s), xrefs: 6CFA6AF7

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: String$Free$Variant$AllocClearCompareInit
String ID: #(loc.%s)$Overridable$yes
API String ID: 2861138797-597988432
Opcode ID: 5f4cd902990e80b6aab8cf1609fc8d56fbd8d6ded9f11cf8beaa53d5101e8b23
Instruction ID: af747aa2bf7f30450e9ededd064a05776a6e2ab5e8015878324d04665268ce14
Opcode Fuzzy Hash: 5f4cd902990e80b6aab8cf1609fc8d56fbd8d6ded9f11cf8beaa53d5101e8b23
Instruction Fuzzy Hash: BE215A32911519FBDB01DAE8CD44FDDB7B8EB047A9F208260F914B75A0D731AE16EB90

Function 001967B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00196CFB,00184740,?,00000000,?,00000000,00000001), ref: 001967BD
GetLastError.KERNEL32(?,00196CFB,00184740,?,00000000,?,00000000,00000001), ref: 001967C7
GetExitCodeThread.KERNELBASE(00000001,00000000,?,00196CFB,00184740,?,00000000,?,00000000,00000001), ref: 00196806
GetLastError.KERNEL32(?,00196CFB,00184740,?,00000000,?,00000000,00000001), ref: 00196810

Strings

Failed to get cache thread exit code., xrefs: 00196841
core.cpp, xrefs: 001967EB, 00196834
Failed to wait for cache thread to terminate., xrefs: 001967F8

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 81d026d2ceaea53551f734afdd8eea96f765c9adf5a3cc47c9583d491f92ba96
Instruction ID: 142a168b160493de459c6bc0db75096c2a0e55ac9bf6f3473e5709ba00a07059
Opcode Fuzzy Hash: 81d026d2ceaea53551f734afdd8eea96f765c9adf5a3cc47c9583d491f92ba96
Instruction Fuzzy Hash: 71018071344304BBFF08ABA5DE56B7E76E6EB00711F10412EB816D51E0EB35DE50AA28

Function 0019D206 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,001CB4F0,?,00000001,000000FF,?,?,7707B390,00000000,00000001,00000000,?,001972F3), ref: 0019D32F

Strings

Failed to create pipe and cache pipe., xrefs: 0019D28C
UX aborted elevation requirement., xrefs: 0019D244
elevation.cpp, xrefs: 0019D23A
Failed to create pipe name and client token., xrefs: 0019D270
Failed to connect to elevated child process., xrefs: 0019D318
Failed to elevate., xrefs: 0019D311

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: eb9fa90203ff41333b18e47d63c8944ce26480594cf23a06914bb31f2abe93f9
Instruction ID: f20933a9e418490615c26b7ae2a78a26f66b840b28d643cfd4c5137a91086d0f
Opcode Fuzzy Hash: eb9fa90203ff41333b18e47d63c8944ce26480594cf23a06914bb31f2abe93f9
Instruction Fuzzy Hash: 5D31FBB2A45722BBEF15A660AC46FAFB75DFF10721F100216F905B72C1DB61EF0086A5

Function 001C041B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(001EB60C,00000000,?,?,?,00185407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 001C042B
CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,001EB604,?,00185407,00000000,Setup), ref: 001C04CC
GetLastError.KERNEL32(?,00185407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 001C04DC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00185407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 001C0515

Part of subcall function 00182DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00182F1F

LeaveCriticalSection.KERNEL32(001EB60C,?,?,001EB604,?,00185407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 001C056E

Strings

logutil.cpp, xrefs: 001C04FA

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: 7644e7e7b440215af8bc2938ace671bc528e0e4ac7ed4e27f3d06f97b7d31998
Instruction ID: cacdaac0fe76efcac958e2e3f411826d4e08cb813dcea9932633fb16d5454070
Opcode Fuzzy Hash: 7644e7e7b440215af8bc2938ace671bc528e0e4ac7ed4e27f3d06f97b7d31998
Instruction Fuzzy Hash: 183197B1E05655EFDB23AFA19CC6F5F3A78EB28751F040129F900AA160D771CD909F90

Function 6CFAA478 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 110windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CFAC88A: SysAllocString.OLEAUT32(?), ref: 6CFAC89D
Part of subcall function 6CFAC88A: VariantInit.OLEAUT32(?), ref: 6CFAC8A9
Part of subcall function 6CFAC88A: VariantClear.OLEAUT32(?), ref: 6CFAC91D
Part of subcall function 6CFAC88A: SysFreeString.OLEAUT32(00000000), ref: 6CFAC928

SysFreeString.OLEAUT32(00000000), ref: 6CFAA4CE
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,00000000,FF000000,00000000,ImageResource,00000000,00000000,00000000), ref: 6CFAA53D

Part of subcall function 6CFAD0EA: GlobalAlloc.KERNEL32(00000002,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000), ref: 6CFAD122
Part of subcall function 6CFAD0EA: GetLastError.KERNEL32 ref: 6CFAD12E
Part of subcall function 6CFAD0EA: GlobalFree.KERNEL32(00000000), ref: 6CFAD240

SysFreeString.OLEAUT32(00000000), ref: 6CFAA58F

Strings

ImageFile, xrefs: 6CFAA4E2
thmutil.cpp, xrefs: 6CFAA55F
ImageResource, xrefs: 6CFAA486

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: FreeString$AllocGlobalVariant$BitmapClearCreateErrorFromGdipInitLast
String ID: ImageFile$ImageResource$thmutil.cpp
API String ID: 2882486289-1357958357
Opcode ID: cfdac53895ea01d7c97e1298116bcb84c11860507c61b719e8b0cf94d4e15638
Instruction ID: 9d6d96838c00befddba0e51b62f42294d360e49ae9ae8d4e4278c4aeab8dabd5
Opcode Fuzzy Hash: cfdac53895ea01d7c97e1298116bcb84c11860507c61b719e8b0cf94d4e15638
Instruction Fuzzy Hash: 10317A36D01508FFCB129EE5C804AEEFBB5AF80314F218155E81067A60D7329E2ADF94

Function 001C076C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,?,?,?,?,?,?,00198110,00000000), ref: 001C078A
GetLastError.KERNEL32(?,?,?,?,00198110,00000000), ref: 001C0794
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00198110,00000000), ref: 001C07C6
CloseHandle.KERNELBASE(?,?,?,?,?,00198110,00000000), ref: 001C081D

Strings

procutil.cpp, xrefs: 001C080B

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: Token$CloseErrorHandleInformationLastOpenProcess
String ID: procutil.cpp
API String ID: 3370771294-1178289305
Opcode ID: 909322a001f787f2556d102bb56cc5f87db782c1044e199cdfe014f225726cef
Instruction ID: 7c2cb21d536798e3baa089a1efb69f68b518da9e7ab640dc325af4c949b87520
Opcode Fuzzy Hash: 909322a001f787f2556d102bb56cc5f87db782c1044e199cdfe014f225726cef
Instruction Fuzzy Hash: 77219272D00228EBDB119B958C45F9EBBB8EF68711F11806ABD15E7190D330CE50DAD0

Function 6CFA1B91 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36comregistrywindowCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(6CFC2A54,00000000,00000017,6CFC10F4,?,00000000,6CFA5214,?), ref: 6CFA1BA9
RegisterWindowMessageW.USER32(TaskbarButtonCreated), ref: 6CFA1BC7
GetLastError.KERNEL32 ref: 6CFA1BD7

Strings

Failed to get TaskbarButtonCreated message. Continuing., xrefs: 6CFA1BE8
Failed to create ITaskbarList3. Continuing., xrefs: 6CFA1BBA
TaskbarButtonCreated, xrefs: 6CFA1BC2

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: CreateErrorInstanceLastMessageRegisterWindow
String ID: Failed to create ITaskbarList3. Continuing.$Failed to get TaskbarButtonCreated message. Continuing.$TaskbarButtonCreated
API String ID: 1594109290-758521254
Opcode ID: 2588a1c9c947e8c657d8e8d45d9641faf52d846c5bb79fed6df2e9c2a834827e
Instruction ID: 1c5de1636716765f8631e8c3dcb55a63da8ba28fadbf9f67a054a4391ee78d8d
Opcode Fuzzy Hash: 2588a1c9c947e8c657d8e8d45d9641faf52d846c5bb79fed6df2e9c2a834827e
Instruction Fuzzy Hash: 44F0E235718703FFEBA806654D51BE771EC8B05304F12482EFC46E09A0FB26CC014129

Function 001C343B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001C344A
InterlockedIncrement.KERNEL32(001EB6D8), ref: 001C3467
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,001EB6C8,?,?,?,?,?,?), ref: 001C3482
CLSIDFromProgID.OLE32(MSXML.DOMDocument,001EB6C8,?,?,?,?,?,?), ref: 001C348E

Strings

Msxml2.DOMDocument, xrefs: 001C347D
MSXML.DOMDocument, xrefs: 001C3489

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 9e7cea3bae4d05d9d1cfa02bc0c01af6ad76c8bea1ac1d0fb5278932a6f6f50f
Instruction ID: d853f8380b2e6b429084740d3fb695681188781fc27f2c3713877285ced81e4f
Opcode Fuzzy Hash: 9e7cea3bae4d05d9d1cfa02bc0c01af6ad76c8bea1ac1d0fb5278932a6f6f50f
Instruction Fuzzy Hash: 76F0E5207487F597CB264BA6AC8EF1F6E68ABA4FA5F00402CFC00D1594D360C9C18AB0

Function 0019E705 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 0019E734
SetWindowLongW.USER32(?,000000EB,00000000), ref: 0019E743
SetWindowLongW.USER32(?,000000EB,?), ref: 0019E757
DefWindowProcW.USER32(?,?,?,?), ref: 0019E767
GetWindowLongW.USER32(?,000000EB), ref: 0019E781
PostQuitMessage.USER32(00000000), ref: 0019E7DE

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 4093222a69f681bf7b40a8e7ede2a55268017d9defb83037d25d8a5f190134a7
Instruction ID: 7b8313340775232e2ec332bcd1f3e792675db8240b78733e37f02e0c1d43a62f
Opcode Fuzzy Hash: 4093222a69f681bf7b40a8e7ede2a55268017d9defb83037d25d8a5f190134a7
Instruction Fuzzy Hash: 85219D32108118BFDF159FA4DC89E6A3FA9FF45350F144525F906EA1A0C731DD50DBA1

Function 001C10C5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 001C10ED
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,00196EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 001C1126
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 001C121A

Strings

regutil.cpp, xrefs: 001C1161
BundleUpgradeCode, xrefs: 001C10CC

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: 67c5286cf465c77c39c7e938685a7a763d134f8b0cea781ed4bae32658c75ccb
Instruction ID: 9111d6ff8475164ad48eec74ac2903323b4574753848b944a2cf4ed44fa2564f
Opcode Fuzzy Hash: 67c5286cf465c77c39c7e938685a7a763d134f8b0cea781ed4bae32658c75ccb
Instruction Fuzzy Hash: 7241B135A4021AFFDB259FA8C880FAEB7B9EB55710F65416DE905EB211D730DE018B90

Function 001A07E4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 001A088A
GetLastError.KERNEL32(?,?,?), ref: 001A0894

Strings

cabextract.cpp, xrefs: 001A08B8
Invalid seek type., xrefs: 001A0820
Failed to move file pointer 0x%x bytes., xrefs: 001A08C5

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: cb3d0320eb9a64dbb40917480fb7ac3d650f8692b8fd0cb20420e68250b65779
Instruction ID: 0b138760aef8bbd22065c259fbe68cdcc7492bbcc21c63b0686ff40b83aacfa3
Opcode Fuzzy Hash: cb3d0320eb9a64dbb40917480fb7ac3d650f8692b8fd0cb20420e68250b65779
Instruction Fuzzy Hash: 5E31BC75E0021AEFDB05DFA8CC84DAAB7A8FF09320F05822AF915A7650D334E9108BD4

Function 001C4212 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C4315: FindFirstFileW.KERNELBASE(?,?,00000000,00000000,?), ref: 001C4350
Part of subcall function 001C4315: FindClose.KERNEL32(00000000), ref: 001C435C

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll), ref: 001C4305

Part of subcall function 001C0E3F: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000,?,001C5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,?,00000000,00000000), ref: 001C0E52

Part of subcall function 001C10C5: RegQueryValueExW.KERNELBASE(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 001C10ED
Part of subcall function 001C10C5: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,00196EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 001C1126

Strings

\, xrefs: 001C428E
crypt32.dll, xrefs: 001C423D
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 001C4244
PendingFileRenameOperations, xrefs: 001C4270

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: 1a8bb14f6b67ba198408cdd50caad5a073c2399e45e9b09098d7b78ba6133a22
Instruction ID: 8c879118cb8cb018b2d1d88d1b57deb5a303be882122413818987d069433f58e
Opcode Fuzzy Hash: 1a8bb14f6b67ba198408cdd50caad5a073c2399e45e9b09098d7b78ba6133a22
Instruction Fuzzy Hash: B431CD35A04219ABDF31AFC1EC62FAEBB79EF20351F54816EF800A6151D330CA80CB54

Function 00184013 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000003,00000001,00000000,00000000,?,001C416C,00000001,00000000,?,001C4203,00000003,00000001,00000001,00000000,00000000,00000000), ref: 00184021
GetLastError.KERNEL32(?,001C416C,00000001,00000000,?,001C4203,00000003,00000001,00000001,00000000,00000000,00000000,?,0019A55D,?,00000000), ref: 0018402F
CreateDirectoryW.KERNEL32(00000003,00000001,00000001,?,001C416C,00000001,00000000,?,001C4203,00000003,00000001,00000001,00000000,00000000,00000000), ref: 00184097
GetLastError.KERNEL32(?,001C416C,00000001,00000000,?,001C4203,00000003,00000001,00000001,00000000,00000000,00000000,?,0019A55D,?,00000000), ref: 001840A1

Strings

dirutil.cpp, xrefs: 001840CF

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 6db147a468489d4b37c2b29b667a1f78fd554446f25d61255aa40421d8ed8115
Instruction ID: a520a9ef81059b01b913ef18684eaef89d7238d40f176bd502f83edcfb157e93
Opcode Fuzzy Hash: 6db147a468489d4b37c2b29b667a1f78fd554446f25d61255aa40421d8ed8115
Instruction Fuzzy Hash: AF11E736604323ABEB313AA15C45BBBB658EF50B60F114226FF45EB050DF60CE519BE1

Function 6CFAC0A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6CFAC0B4
InvalidateRect.USER32(00000000,00000000,00000000), ref: 6CFAC0F2
GetLastError.KERNEL32 ref: 6CFAC0FC
SendMessageW.USER32(00000000,00000402,?,00000000), ref: 6CFAC133

Strings

thmutil.cpp, xrefs: 6CFAC120

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: ErrorInvalidateItemLastMessageRectSend
String ID: thmutil.cpp
API String ID: 3203272787-2961750086
Opcode ID: 0dec9e242c24940af219abb1c24e8048dc94c7a8823a99bc9b0e0ffcfdf0b1b3
Instruction ID: e1f811b30d8d5d3da3b5e0971800317d463321415e09ff89d79d16f75cd70c08
Opcode Fuzzy Hash: 0dec9e242c24940af219abb1c24e8048dc94c7a8823a99bc9b0e0ffcfdf0b1b3
Instruction Fuzzy Hash: 3F11293A701621E7E7502AA98C94F67FAE8EF46744B11412AFD01DA741D732CC03D2E4

Function 6CFA534A Relevance: 7.7, APIs: 5, Instructions: 213windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 6CFA5355
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CFA5480
SetWindowLongW.USER32(?,000000EB,00000000), ref: 6CFA54B4
PostQuitMessage.USER32(00000000), ref: 6CFA54BC
SetWindowLongW.USER32(?,000000EB,00000000), ref: 6CFA54D1

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: LongWindow$Message$PostQuitSend
String ID:
API String ID: 1409866109-0
Opcode ID: 09636632573e5af48e022032c9a1c0c06eeb9d901b41887348f7059fae939257
Instruction ID: e69a93e15cb2d938432c1b95ddf8f2b87d8a1798647d114b4759d2ddcd33a76b
Opcode Fuzzy Hash: 09636632573e5af48e022032c9a1c0c06eeb9d901b41887348f7059fae939257
Instruction Fuzzy Hash: 4551C236348E11DFCA151AFC8854BAEF667AF4271CF104605E9228AFE0DF25CA0B8756

Function 6CFA6F60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(mbapreq.wxl,00000000,?,00000000,00000000,?,6CFA1D15,00000000,mbapreq.wxl,?,00000000,?,00000000,?,?,?), ref: 6CFA6FC0
GetSystemDefaultUILanguage.KERNEL32(00000000,00000000,00000000,00000000,00000000,?), ref: 6CFA7078

Part of subcall function 6CFA65CB: FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?), ref: 6CFA6606
Part of subcall function 6CFA65CB: FindClose.KERNELBASE(00000000), ref: 6CFA6612

Strings

mbapreq.wxl, xrefs: 6CFA6F75
%u\%ls, xrefs: 6CFA6FD4, 6CFA7037, 6CFA708C, 6CFA70EB

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: DefaultFind$CloseFileFirstLangLanguageSystemUser
String ID: %u\%ls$mbapreq.wxl
API String ID: 2342833387-3698500817
Opcode ID: 82bcc44f26f9fa18b58113ddd3cb9a4463d0e92b68910febb51476fe1f35c81b
Instruction ID: 49ccfed57fcb55cce8ae3a9a417c431bc09224b742bf1c360d00af13eed2e898
Opcode Fuzzy Hash: 82bcc44f26f9fa18b58113ddd3cb9a4463d0e92b68910febb51476fe1f35c81b
Instruction Fuzzy Hash: 6F51BE76E01519FBDB169AE58C01FEEFAFCDF04614F1201A2BD00E7A54E734DE0A96A0

Function 6CFACBAF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFACBC9
SysAllocString.OLEAUT32(00000000), ref: 6CFACBD9
VariantClear.OLEAUT32(00000000), ref: 6CFACCBA

Strings

xmlutil.cpp, xrefs: 6CFACBF1

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: 7c35a34f9fa6bbebacb8bc26a9780e6ee89f23b01949761da4839a7d2a0fa3f8
Instruction ID: 3f7fc453d5c8ab3ed7e24e5fb1bd5caae7e5a7065c796717cc0c90ddf812e359
Opcode Fuzzy Hash: 7c35a34f9fa6bbebacb8bc26a9780e6ee89f23b01949761da4839a7d2a0fa3f8
Instruction Fuzzy Hash: 394183B6D01666EBCB11EFE9C888E9FBBB8EF05710B0141A5EC15EB711D731D9018BA0

Function 6CFA5939 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 6CFA5978
GetLastError.KERNEL32 ref: 6CFA5982
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 6CFA59EA

Strings

msctls_progress32, xrefs: 6CFA5957

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID: msctls_progress32
API String ID: 1230559179-3107856198
Opcode ID: ed467916b6ffd48ce7d338cd8b775a0e5d022336da246ba2d90d04a9ac8aae06
Instruction ID: 68dc39b4283762f43048045b8e0947e9bfa42d303d91776a88b4caf3c5441eec
Opcode Fuzzy Hash: ed467916b6ffd48ce7d338cd8b775a0e5d022336da246ba2d90d04a9ac8aae06
Instruction Fuzzy Hash: 3321D6B6E11729E7DB10DBE49C84F9BB7BC9B05724F110161AD14FB240E730DD4987A0

Function 001C0658 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,?,001BFF0B,0019A1AD,0019A1AD,00000000,00000000,0000FDE9,?,?,0019A1AD), ref: 001C066A
WriteFile.KERNELBASE(00000200,00000000,00000000,0000FDE9,00000000,?,?,001BFF0B,0019A1AD,0019A1AD,00000000,00000000,0000FDE9,?,?,0019A1AD), ref: 001C06A6
GetLastError.KERNEL32(?,?,001BFF0B,0019A1AD,0019A1AD,00000000,00000000,0000FDE9,?,?,0019A1AD), ref: 001C06B0

Strings

logutil.cpp, xrefs: 001C06E0

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 1053e4e7751546f0a2cb2b58c53031a05cf285e1321fa9ee053c4525224ce30d
Instruction ID: 07ab210a124d062a19d33a42628c0bc064c2975a72f792f092c645739ffcf705
Opcode Fuzzy Hash: 1053e4e7751546f0a2cb2b58c53031a05cf285e1321fa9ee053c4525224ce30d
Instruction Fuzzy Hash: 1B11C672A01235ABD311DF668C94EAFBA6CEBA9B61F010219FD15D7640D770ED50C6E0

Function 6CFA34D8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,?,?,?,?,?,?,?,?,?,?,00000005,00000000,?,00000000), ref: 6CFA3527

Strings

Failed calling detect BA function., xrefs: 6CFA3505
Failed to start detecting chain., xrefs: 6CFA3547
Running detect BA function, xrefs: 6CFA34E6

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: ShowWindow
String ID: Failed calling detect BA function.$Failed to start detecting chain.$Running detect BA function
API String ID: 1268545403-266677022
Opcode ID: c3f16f5957394a8ade7afc71b1f9f49be32fdda478c08c1a84f3c77b9f24c742
Instruction ID: c794d6117e4e4c33a9450812dbec9432966c14a81e4ab48a373e9ccab2f9729f
Opcode Fuzzy Hash: c3f16f5957394a8ade7afc71b1f9f49be32fdda478c08c1a84f3c77b9f24c742
Instruction Fuzzy Hash: C801C036704A12EFC2199A98DC48BABFBA5AF46724F110059F500DBB90DF62EC17CB81

Function 001A074E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001A114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,001A077D,?,?,?), ref: 001A1177
Part of subcall function 001A114F: GetLastError.KERNEL32(?,001A077D,?,?,?), ref: 001A1181

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 001A078B
GetLastError.KERNEL32 ref: 001A0795

Strings

Failed to read during cabinet extraction., xrefs: 001A07C3
cabextract.cpp, xrefs: 001A07B9

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 01e84f51bc26214b8e2be3e7a5d2b289aa196757aa308bf2edba922ff9865265
Instruction ID: e618c84e176c2da95ed4b3fc4063bc8c3b43fbd8b708c893f44edd0a52199cef
Opcode Fuzzy Hash: 01e84f51bc26214b8e2be3e7a5d2b289aa196757aa308bf2edba922ff9865265
Instruction Fuzzy Hash: 4F01C472A00264BBDB119FA8DC45E9A7BA9FF09760F01011AFD09E7650D731DA11CBD0

Function 001A114F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,001A077D,?,?,?), ref: 001A1177
GetLastError.KERNEL32(?,001A077D,?,?,?), ref: 001A1181

Strings

Failed to move to virtual file pointer., xrefs: 001A11AF
cabextract.cpp, xrefs: 001A11A5

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 22ebbd0c43523a455427ed649bbd0f3d7ef8291b35842cb434dcce78864762f8
Instruction ID: d4394eb96fe9cb4c85ba6605292b5cbde3ee090359f5b5b38f43356b11826a7d
Opcode Fuzzy Hash: 22ebbd0c43523a455427ed649bbd0f3d7ef8291b35842cb434dcce78864762f8
Instruction Fuzzy Hash: 1501F236600235BBDB215A669C04E87BFA9EF117B0F01812AFE0896510D731CC20C6D0

Function 0019F086 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 0019F09B
GetLastError.KERNEL32 ref: 0019F0A5

Strings

EngineForApplication.cpp, xrefs: 0019F0C9
Failed to post plan message., xrefs: 0019F0D3

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: 0192747571e3e36745559e7ff0406a69a8220930adfd0aada3f99006f8e68426
Instruction ID: 35c56cabfef7a0de3ffeff9859e7ec1429d704a553fe4ce31e308e98c5715da1
Opcode Fuzzy Hash: 0192747571e3e36745559e7ff0406a69a8220930adfd0aada3f99006f8e68426
Instruction Fuzzy Hash: 19F0A7327443307AE7216AAA5C49E877FD9EF04BA1F014026FD08E6191D715CC5086E4

Function 001A051A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?,001A145A,00000000,00000000,?,0018C121,00000000,?,?,001AAB88,?,00000000,?,?), ref: 001A0524
GetLastError.KERNEL32(?,001A145A,00000000,00000000,?,0018C121,00000000,?,?,001AAB88,?,00000000,?,?,?,00000000), ref: 001A052E

Strings

Failed to set begin operation event., xrefs: 001A055C
cabextract.cpp, xrefs: 001A0552

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 51298efe613d68a05c74522aa14f3460fc36df106196b5a3f53b4ab4c8e3fdf3
Instruction ID: 7e6f7e643935271e9f1f9010d8ecd28e70d4b3ad04d92a2fdb6ca74e39759358
Opcode Fuzzy Hash: 51298efe613d68a05c74522aa14f3460fc36df106196b5a3f53b4ab4c8e3fdf3
Instruction Fuzzy Hash: 46F05533E007306BA711A6B9AC06FCB7AD8CF09BA1F020026FD08F7140E710DD0086E9

Function 6CFAC145 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6CFAC154
SetWindowTextW.USER32(00000000,6CFA2267), ref: 6CFAC162
GetLastError.KERNEL32(?,6CFA2267,?,00000418,?), ref: 6CFAC16C

Strings

thmutil.cpp, xrefs: 6CFAC190

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: ErrorItemLastTextWindow
String ID: thmutil.cpp
API String ID: 1272195076-2961750086
Opcode ID: 37f5af7ad41c8b5653ce96cda9d4f351a03421cbaa29d1c9783d73cee9933f96
Instruction ID: 240d19d3321c2570971630e15442b11bd9d6812aaaf191be7b94f6d907771d66
Opcode Fuzzy Hash: 37f5af7ad41c8b5653ce96cda9d4f351a03421cbaa29d1c9783d73cee9933f96
Instruction Fuzzy Hash: B4F0823EB40225ABDB506EEA8C08B97BBE8EF05695B024114FD05E7210D731C811C6E4

Function 6CFA6B9B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,String,00000000,00000000,00000000,?), ref: 6CFA6BC0
GetLastError.KERNEL32 ref: 6CFA6BFD

Part of subcall function 6CFA5B06: GetProcessHeap.KERNEL32(?,?,?,6CFA79BF,?,00000001,?,00000000,?,6CFA8077,?,?,00000001,?,6CFAD455,?), ref: 6CFA5B17
Part of subcall function 6CFA5B06: RtlAllocateHeap.NTDLL(00000000,?,6CFA79BF,?,00000001,?,00000000,?,6CFA8077,?,?,00000001,?,6CFAD455,?,00000001), ref: 6CFA5B1E

Strings

locutil.cpp, xrefs: 6CFA6BE1, 6CFA6C41
String, xrefs: 6CFA6BAA

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: ErrorHeapLast$AllocateProcess
String ID: String$locutil.cpp
API String ID: 669838880-2823821818
Opcode ID: 72020a7bba0e6025a2d511b09f3f1f4814eccccd7b8e538c12800ec6a851a1c2
Instruction ID: e333bb3b43a70d943b7f7998cf9ca5e7da601dc5b3869dd8c05611906ea2b397
Opcode Fuzzy Hash: 72020a7bba0e6025a2d511b09f3f1f4814eccccd7b8e538c12800ec6a851a1c2
Instruction Fuzzy Hash: 77418E79A01215FBDB209FEDC984AAAFBB8EF44355B108159FC05EB660D731DD42CBA0

Function 6CFA3561 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00008066,00000000,?), ref: 6CFA3638

Strings

Ignoring attempt to only cache a bundle that does not explicitly support it., xrefs: 6CFA3605
Running detect complete BA function, xrefs: 6CFA357B

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: MessagePost
String ID: Ignoring attempt to only cache a bundle that does not explicitly support it.$Running detect complete BA function
API String ID: 410705778-194666019
Opcode ID: 943f5c68b0e0a7438f1d3b56efbe88e7331e95f2645f4bb187d0e65eec3206ea
Instruction ID: b2cb1333140679c3152e050bcaadf97448f87970940fa6ad77138556ab06776a
Opcode Fuzzy Hash: 943f5c68b0e0a7438f1d3b56efbe88e7331e95f2645f4bb187d0e65eec3206ea
Instruction Fuzzy Hash: 6B21E772601B01DFE7248FA58484B97F3F5EB44768F20442ED26647B60DB71E84BCB50

Function 6CFAD046 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64memoryfilewindowCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010,00000000,00000000,?,?,6CFAA52B,?,00000000,?,00000000,00000000,00000000,ImageFile,00000000,00000000,ImageResource), ref: 6CFAD069
GdipCreateBitmapFromFile.GDIPLUS(00000000,00000000,00000010,00000000,00000000,?,?,6CFAA52B,?,00000000,?,00000000,00000000,00000000,ImageFile,00000000), ref: 6CFAD085

Strings

gdiputil.cpp, xrefs: 6CFAD05A, 6CFAD0A3, 6CFAD0C5

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFileFrom
String ID: gdiputil.cpp
API String ID: 2762118622-3769319569
Opcode ID: 5b7b9ec5bb3e4b35489bd3fcc77e3a55acc3461e412c14fccc72cad76b73e096
Instruction ID: 30b18583688d01f04cc62a224834ea804f489468db4be6cae06c615926688ec5
Opcode Fuzzy Hash: 5b7b9ec5bb3e4b35489bd3fcc77e3a55acc3461e412c14fccc72cad76b73e096
Instruction Fuzzy Hash: D2119876641616E7C3309E968844F47F7A4AF81B24F10C515FD945BB44CB72D8478BB2

Function 001955BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 001955D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00195633

Strings

Failed to initialize COM on cache thread., xrefs: 001955E5

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 0ca0f71eaa36018b68b8f645dbf7926c62bd6163ae70d67bce8f02250d51e45b
Instruction ID: 4a6bbcc363dbdd75be0d6006af448ce9643b661cb195ed19b1a6f2c6f67987fa
Opcode Fuzzy Hash: 0ca0f71eaa36018b68b8f645dbf7926c62bd6163ae70d67bce8f02250d51e45b
Instruction Fuzzy Hash: EF016D72600619BFCB059FA5D880ED6FBADFF18354B408126FA08D7221DB31EE548B94

Function 0018501B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00181104,?,?,00000000), ref: 0018503A
CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00181104,?,?,00000000), ref: 0018506A

Strings

burn.clean.room, xrefs: 00185027, 00185034, 00185061

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 054ecc7edc3b12c587fdaf6b399838edb811592a0e10bab27a3d381a9554ede3
Instruction ID: 25e7ef61756cb3732e064c209b79ebc9b403937f3b05ebc42e4a125bb7df809d
Opcode Fuzzy Hash: 054ecc7edc3b12c587fdaf6b399838edb811592a0e10bab27a3d381a9554ede3
Instruction Fuzzy Hash: C401D172600725AEC7205B98ACC4D7BBFADFB587657504126F949C7A10C370AD80CBE1

Function 001C47D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,00000000,?,00000000,00000000,00000000,?,001C6219,?,?,00000000,00000000,00000000,00000001), ref: 001C47EB
GetLastError.KERNEL32(?,001C6219,?,?,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,001C5AC5,?,?,?), ref: 001C47F5

Strings

fileutil.cpp, xrefs: 001C4819

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: e56ca7aadbe7f94ba6a02d196eea65ca1b45545b73d30d2b82cfcae05ad852f4
Instruction ID: 621edd9d110c644db2c5d81b787c13a60a4fef06de0a2877e19cedbe736f37e6
Opcode Fuzzy Hash: e56ca7aadbe7f94ba6a02d196eea65ca1b45545b73d30d2b82cfcae05ad852f4
Instruction Fuzzy Hash: C8F08C72A04269AFEB209F95DC09EAB7FA8EF18790F014119BD09D7260E731CD10DBE0

Function 6CFA43F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000051A7,?,00000000,?), ref: 6CFA4413
GetLastError.KERNEL32 ref: 6CFA4423

Strings

WixStandardBootstrapperApplication.cpp, xrefs: 6CFA4447

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: CreateErrorLastThread
String ID: WixStandardBootstrapperApplication.cpp
API String ID: 1689873465-3796977662
Opcode ID: 6a0693ede2d8ce84c0595034697895a4db669f31ee5b0b4dbecbc5fa4d076e4f
Instruction ID: c8ab6c60760d0d66b331ae7827b1055bf5471743ea7f212acfc0c794dde3c406
Opcode Fuzzy Hash: 6a0693ede2d8ce84c0595034697895a4db669f31ee5b0b4dbecbc5fa4d076e4f
Instruction Fuzzy Hash: 3EF0897A750245FBE7509AAB8C08FA7BAFDDBC2751F02012AFD04D3600EA719901D6B5

Function 6CFAAC04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 6CFAAC17
GetLastError.KERNEL32 ref: 6CFAAC21

Strings

thmutil.cpp, xrefs: 6CFAAC45

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: thmutil.cpp
API String ID: 1948546556-2961750086
Opcode ID: f74f0ae0412cb28cac39c1206d4070fc04aed9de8992dd904ea6be72f7f54828
Instruction ID: c906853f95c8420ad5a8a802fa5583cdae4819c1e10c62ba8b255d881f2bce5e
Opcode Fuzzy Hash: f74f0ae0412cb28cac39c1206d4070fc04aed9de8992dd904ea6be72f7f54828
Instruction Fuzzy Hash: 33E06537B00239B7DB615DEA8C04BC77EA8EF05691F014511FE08E7110D321CC2097E4

Function 6CFAC1E6 Relevance: 4.6, APIs: 3, Instructions: 86windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 6CFAC24A
ShowWindow.USER32(?,00000000,?,?,?,?,?,6CFA2CB1,?,?,00000000,?,?), ref: 6CFAC26F
SetFocus.USER32(00000000,?,?,6CFA2CB1,?,?,00000000,?,?), ref: 6CFAC2C0

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: CallbackDispatcherFocusShowUserWindow
String ID:
API String ID: 334017688-0
Opcode ID: 741cbab2f1fca040b4c16a001784d47957692400b2e3f83e24b2c77ddb64ce93
Instruction ID: f4c5366f61fc2e7a8da6bebacdc40ad52d0c33f03dd73f7474930d8c0fecc280
Opcode Fuzzy Hash: 741cbab2f1fca040b4c16a001784d47957692400b2e3f83e24b2c77ddb64ce93
Instruction Fuzzy Hash: 0F31E03A508204EBCB15EFD8C880BAAB7F5FF45714F108159ED158BA44C332D882CB94

Function 001837EA Relevance: 4.6, APIs: 3, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00183829
GetLastError.KERNEL32 ref: 00183833
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 0018389B

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: fca267fd338d6596f474597288239b40f68687104ac97d104b5ad9ce49244714
Instruction ID: c4ec9edec4a0cdc9a7575359844d86f5574dd7a1e1a4c4461b3490972798f010
Opcode Fuzzy Hash: fca267fd338d6596f474597288239b40f68687104ac97d104b5ad9ce49244714
Instruction Fuzzy Hash: 7721AAB6D0132967DB20EBA49C49F9A77ACAF05B10F190265BD15E7241EB70DF448FE0

Function 6CFAAD91 Relevance: 4.5, APIs: 3, Instructions: 40COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6CFAADA0
KiUserCallbackDispatcher.NTDLL(00000000,6CFA2C02), ref: 6CFAADCC
ShowWindow.USER32(00000000,6CFA2C02,?,00000000), ref: 6CFAADE1

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: CallbackDispatcherItemShowUserWindow
String ID:
API String ID: 3248985991-0
Opcode ID: 3fb2b63f894d5b9780cb835c3925a637a3d9fdc98ea8012ffc9e394d7926612d
Instruction ID: 8da0e3367317d50650c5a68790141a03c2593f807ac5243d9ed99dcc5b527158
Opcode Fuzzy Hash: 3fb2b63f894d5b9780cb835c3925a637a3d9fdc98ea8012ffc9e394d7926612d
Instruction Fuzzy Hash: E3F0F63AA01A24BB87114E69CC88F97BF6CEF46629710011AFE5653640C771E802CAE0

Function 6CFA3DDB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00008067,00000000,00000000), ref: 6CFA3E6F

Strings

Running plan complete BA function, xrefs: 6CFA3DF5

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: MessagePost
String ID: Running plan complete BA function
API String ID: 410705778-249194442
Opcode ID: 57d9559749beda7808643b03e2eadaa1a1388d5835c73fc783db33fd9cd05922
Instruction ID: 11437c38ef676875d57b8a752a0ff75714390cb00733de5db653d1845e988724
Opcode Fuzzy Hash: 57d9559749beda7808643b03e2eadaa1a1388d5835c73fc783db33fd9cd05922
Instruction Fuzzy Hash: 29118B71605700DFEB208FA5C8C5BDAF7E9FB84718F20842ED66A47650CB72A80ECB50

Function 0018F5E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C0E3F: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000,?,001C5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,?,00000000,00000000), ref: 001C0E52

RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00197B4D,?,?,?), ref: 0018F644

Part of subcall function 001C0EEC: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000078,00000000,?,?,?,001C56EF,00000000,?,001C63FF,00000078,00000000), ref: 001C0F10

Strings

Installed, xrefs: 0018F60C

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Installed
API String ID: 3677997916-3662710971
Opcode ID: 30863e311b8bac833a69d8747634c984698990a99b39420696dae99c902384a2
Instruction ID: 9af8ab52f74f0c5ab4e392f418bda5e2ce2630cb96a552174a31ad0267d45df6
Opcode Fuzzy Hash: 30863e311b8bac833a69d8747634c984698990a99b39420696dae99c902384a2
Instruction Fuzzy Hash: 3E018F36810128FBCB11EB94C846BDEBBB8EB04711F2141A9E800A7120D3759E50DB90

Function 001C9006 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,000000B0,00000088,00000410,000002C0), ref: 001C905C

Part of subcall function 001C0E3F: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000,?,001C5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,?,00000000,00000000), ref: 001C0E52

Strings

%ls%ls\%ls\%ls, xrefs: 001C9029

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: %ls%ls\%ls\%ls
API String ID: 47109696-1267659288
Opcode ID: abc9cf9399de0d0e31b27e63038733f62379a51a72e415f42191788ec91b39fd
Instruction ID: f8d3478475738f5164883766638434a53325ce4f6e42f71fc9a1993fb3d60d76
Opcode Fuzzy Hash: abc9cf9399de0d0e31b27e63038733f62379a51a72e415f42191788ec91b39fd
Instruction Fuzzy Hash: 31014B3280021CFBDF22ABD0DC0AFDDBB79EB14356F504098FA0066060D3769BA0EB90

Function 6CFACFC9 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GdipDisposeImage.GDIPLUS(?), ref: 6CFACFD8
GdipFree.GDIPLUS(?,?), ref: 6CFACFEA

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: Gdip$DisposeFreeImage
String ID:
API String ID: 1950503971-0
Opcode ID: a7bcf6b88cda871042ea00fc0b3af52f3ba35d7e0f3cad7d66d18aefa7d09291
Instruction ID: e1491761419bac6cb08d53004ea396ec24b0b492ce93912d63b6fcdaa3006ff6
Opcode Fuzzy Hash: a7bcf6b88cda871042ea00fc0b3af52f3ba35d7e0f3cad7d66d18aefa7d09291
Instruction Fuzzy Hash: 9BE0CDB224D31C61D7152A959401BC6FADCCF0976CF10801AFD9465E81CBF3648653FA

Function 6CFA5B06 Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,6CFA79BF,?,00000001,?,00000000,?,6CFA8077,?,?,00000001,?,6CFAD455,?), ref: 6CFA5B17
RtlAllocateHeap.NTDLL(00000000,?,6CFA79BF,?,00000001,?,00000000,?,6CFA8077,?,?,00000001,?,6CFAD455,?,00000001), ref: 6CFA5B1E

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 12d68911be66c920d62c1d914f892a78f960d832c70120981e40d30c53b52936
Instruction ID: 2f4612034039a749dc9b71dff05c4d98394e3071919c58690815395e731ad301
Opcode Fuzzy Hash: 12d68911be66c920d62c1d914f892a78f960d832c70120981e40d30c53b52936
Instruction Fuzzy Hash: CFC0123B6A0208A7CF805EF8CC49D5537ACB7156027048801F509C6000C739E0108764

Function 001C3499 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001C34CE

Part of subcall function 001C2F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,001C34DF,00000000,?,00000000), ref: 001C2F3D
Part of subcall function 001C2F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,001ABDED,?,001852FD,?,00000000,?), ref: 001C2F49

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: bb05ffb478dcd71253b18843927c197405fcc371b89cad8e0d8d5e9a3de6c8ef
Instruction ID: 3b1338b2167b272f62fbd126916bc9ba7985f3bb2d838b48647c7f3c3285f74a
Opcode Fuzzy Hash: bb05ffb478dcd71253b18843927c197405fcc371b89cad8e0d8d5e9a3de6c8ef
Instruction Fuzzy Hash: 60311A76E006299BCB11DFA8C884ADEB7F8EF09710F01456AED15EB311D770EE048BA0

Function 001C907D Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C8CFB: lstrlenW.KERNEL32(00000100,?,?,001C9098,000002C0,00000100,00000100,00000100,?,?,?,001A7B40,?,?,000001BC,00000000), ref: 001C8D1B

RegCloseKey.ADVAPI32(000002C0,000002C0,00000100,00000100,00000100,?,?,?,001A7B40,?,?,000001BC,00000000,00000000,00000000,00000100), ref: 001C9136

Part of subcall function 001C0E3F: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000,?,001C5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,?,00000000,00000000), ref: 001C0E52

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: CloseOpenlstrlen
String ID:
API String ID: 514153755-0
Opcode ID: a5378c2a181f44de986426114e261669d7c209ef07e4f13e367fd8ae3ac814a6
Instruction ID: 62fad1e2535b9f508eee4f3b0f2b0ae79aafd0a1389c311848619aa30cb4ae39
Opcode Fuzzy Hash: a5378c2a181f44de986426114e261669d7c209ef07e4f13e367fd8ae3ac814a6
Instruction Fuzzy Hash: 54215872C00529FBCF22AEA4CC4ADDEBAB5EB64750B154669FD0167111D332CD50D7D0

Function 001C5728 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,001EAAA0,00000000,?,0082A3D0,?,0019890E,WiX\Burn,PackageCache,00000000,001EAAA0,00000000,?,?), ref: 001C5782

Part of subcall function 001C0F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,?), ref: 001C0FE4
Part of subcall function 001C0F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 001C101F

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: b45f99ced84899c13309ea0f9a344f180a794da528164f50ae77c4a931fbafe7
Instruction ID: 151848a7fb9ca7c42f3232202077a7ec4391266c7dfdae48fb5e4ea07a843fff
Opcode Fuzzy Hash: b45f99ced84899c13309ea0f9a344f180a794da528164f50ae77c4a931fbafe7
Instruction Fuzzy Hash: 8D117376800729EB8F226EA49D85FAEB66BEB24361B55423DED0167110C335ADE0DAD0

Function 6CFA4E81 Relevance: 1.5, APIs: 1, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00008068,00000000,?), ref: 6CFA4EBE

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e72878aa4486bdc1dc805ee59a588b3d04e143e23b731f69f2723eb121babf34
Instruction ID: 6af248301f06bce6f016beff40a8eefec6aabff9517072f5cb30fecd25dcfea1
Opcode Fuzzy Hash: e72878aa4486bdc1dc805ee59a588b3d04e143e23b731f69f2723eb121babf34
Instruction Fuzzy Hash: 72E01A30241305EFE7509FA1D888BD5BBE8AB00709F24D47AE509ED991EB72A457CA10

Function 001834C5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000000,00000000,00000104,00000000,?,001989CA,0000001C,?,00000000,?,?), ref: 001834E5

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: a6eca92a86b6fcf12a5d11942c4e7dad938c1cf22ab964ecbe8e7d3fe818f8fe
Instruction ID: 6ad7f1577e513a70a809f42deb7b86119457d516c27c6d98e5b3f8affa460a0a
Opcode Fuzzy Hash: a6eca92a86b6fcf12a5d11942c4e7dad938c1cf22ab964ecbe8e7d3fe818f8fe
Instruction Fuzzy Hash: 97E012722012257BA6033E665C0ADEB7B9CEF15B50B448051FE44D6100E771EB518BB0

Function 001840E2 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000000,?,0019A229,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,?), ref: 001840EB

Memory Dump Source

Source File: 00000007.00000002.2540080555.0000000000181000.00000020.00000001.01000000.00000007.sdmp, Offset: 00180000, based on PE: true

Associated: 00000007.00000002.2539841297.0000000000180000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2540620821.00000000001CB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541114307.00000000001EA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2541381840.00000000001EE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_180000_UNK_.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3b50006a1195fb149b61cca2167cd0e1b49c6776c52896346c7bfbd0039ac9c7
Instruction ID: 8059cf63372e4cc750ee8086b2d4423ba269093629a8e78b4fceb314f2209a32
Opcode Fuzzy Hash: 3b50006a1195fb149b61cca2167cd0e1b49c6776c52896346c7bfbd0039ac9c7
Instruction Fuzzy Hash: BBD02B31301124174718EE699C085667B15DF127B07014215EC14CA1A0C730AD51CBC0

Function 6CFAB59C Relevance: 1.5, APIs: 1, Instructions: 12windowCOMMON

Download Yara Rule

APIs

IsDialogMessageW.USER32(?,?), ref: 6CFAB5AC

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: DialogMessage
String ID:
API String ID: 547518314-0
Opcode ID: 3490fa84d4c91136bd5bd1053df5de5039aa2c38c1c88cbcd5b4814df5e00b05
Instruction ID: 64ddfc476c4c35315e846adbf9bb319e0a77987024e668a99e64d0649bc2f9d7
Opcode Fuzzy Hash: 3490fa84d4c91136bd5bd1053df5de5039aa2c38c1c88cbcd5b4814df5e00b05
Instruction Fuzzy Hash: EBC08C3621820DDFAF81DFE8DC80E1BBBB9AF017007008824F804C2520EB31ED62EB50

Function 6CFA788F Relevance: 1.3, APIs: 1, Instructions: 88stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CFA5CE0: GetProcessHeap.KERNEL32(00000000,?,?,6CFA5C6D,?,?,?,?,6CFA79A1,?,?,00000000,?,?,00000000), ref: 6CFA5CE8
Part of subcall function 6CFA5CE0: HeapSize.KERNEL32(00000000,?,6CFA5C6D,?,?,?,?,6CFA79A1,?,?,00000000,?,?,00000000,?,6CFA8077), ref: 6CFA5CEF

lstrlenW.KERNEL32(00000000,00000000,?,00000000), ref: 6CFA78CA

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: b3163a14d454d5c33847410dbb57b4f721485a44cfdd294bc8b3a84c478def4e
Instruction ID: 2c1c453ffe170a14515c9010c1f640de0e24655137b4380ea7ae56acc1aa1e0e
Opcode Fuzzy Hash: b3163a14d454d5c33847410dbb57b4f721485a44cfdd294bc8b3a84c478def4e
Instruction Fuzzy Hash: 7F21D232D01618EBCB028EE9C880FAEF7B9EF48364F258267E95467754D7309D169B84

Function 6CFA2088 Relevance: 1.3, APIs: 1, Instructions: 76sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000000FA), ref: 6CFA2140

Memory Dump Source

Source File: 00000007.00000002.2553926094.000000006CFA1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000007.00000002.2553822139.000000006CFA0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554090673.000000006CFBF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554205360.000000006CFCA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2554297462.000000006CFCC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6cfa0000_UNK_.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 935818b035fd84c42a6c429ff3613b1337d248f5cc55d40c3f5471f25462b3a4
Instruction ID: f36f30c7f33af9b17aa42d34634435d6ae91f121eea500b97e9c892903d60f9b
Opcode Fuzzy Hash: 935818b035fd84c42a6c429ff3613b1337d248f5cc55d40c3f5471f25462b3a4
Instruction Fuzzy Hash: C1218131715701CFEB248BABC489797F2E1AF45309F11843ED66E86A90DB72E446CF11

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: XRed

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

4539ef.rbf (copy)

4539f4.rbf (copy)

4539f5.rbf (copy)

4539f6.rbf (copy)

4539f7.rbf (copy)

C:\Config.Msi\4539ee.rbs

C:\Config.Msi\4539f3.rbs

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Synaptics.exe_e73781c637c020daee3de6ae263d2d0a91f2a4c_455b7b6e_c430b686-e5b3-481e-a9c3-cb586e85c1c5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4381.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER57C6.tmp.WERInternalMetadata.xml

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre