Edit tour

Windows Analysis Report
Y5JXqbeNdS.exe

Overview

General Information

Sample name:	Y5JXqbeNdS.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	23cddf52736c27fecc5b7e48607f4ce60c949b238e92086841db8ac7f49155e7
Analysis ID:	1419151
MD5:	cd423668f800bbdb227fa8063c33c654
SHA1:	9355b61baea1e1404f7c5b06a472affdd84e0d36
SHA256:	23cddf52736c27fecc5b7e48607f4ce60c949b238e92086841db8ac7f49155e7
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

.NET source code contains potential unpacker

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

Y5JXqbeNdS.exe (PID: 6864 cmdline: "C:\Users\user\Desktop\Y5JXqbeNdS.exe" MD5: CD423668F800BBDB227FA8063C33C654)

Y5JXqbeNdS.exe (PID: 7028 cmdline: "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544 MD5: CD423668F800BBDB227FA8063C33C654)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_0099A0BB DecryptFileW,	0_2_0099A0BB
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	0_2_009BFA62
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_00999E9E DecryptFileW,DecryptFileW,	0_2_00999E9E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A5A0BB DecryptFileW,	2_2_00A5A0BB
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	2_2_00A7FA62
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A59E9E DecryptFileW,DecryptFileW,	2_2_00A59E9E

Source: Y5JXqbeNdS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Eula.rtf	Jump to behavior

Source: Y5JXqbeNdS.exe

Static PE information: certificate valid

Source: Y5JXqbeNdS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.BootstrapperApplication\obj\Release\Thermo.BootstrapperApplication.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006196000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: Y5JXqbeNdS.exe, 00000002.00000002.2948619605.000000006CC04000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.2.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdbXXnX `X_CorDllMainmscoree.dll source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009C4440 FindFirstFileW,FindClose,	0_2_009C4440
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_00999B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_00999B43
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_00983CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	0_2_00983CC4
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A84440 FindFirstFileW,FindClose,	2_2_00A84440
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A59B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_00A59B43
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A43CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00A43CC4

Source: Y5JXqbeNdS.exe, 00000000.00000002.2937034701.000000000073B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://.crl0
Source: Y5JXqbeNdS.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Thermo.BootstrapperApplication;component/views/GlobalStyles.xamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Thermo.BootstrapperApplication;component/views/welcomeview.xamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/views/welcomeview.baml
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/views/welcomeview.bamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/views/welcomeview.xaml
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Y5JXqbeNdS.exe	String found in binary or memory: http://wixtoolset.org/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Thermo.BootstrapperApplication.dll.2.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Thermo.BootstrapperApplication.dll.2.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr	String found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: mbapreq.thm.2.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: Y5JXqbeNdS.exe	String found in binary or memory: http://wixtoolset.org/telemetry/v
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr	String found in binary or memory: http://www.thermofisher.com
Source: Y5JXqbeNdS.exe, 00000000.00000002.2939049599.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686098603.000000000309B000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685438538.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685289944.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686228797.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686558375.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686427978.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685685338.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685825306.0000000003087000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685963819.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000002.2938649842.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686702946.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693704550.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1691931017.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692755823.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693880629.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692092441.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2940996217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692906229.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693309663.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.thermoscientific.com/chromeleon
Source: Y5JXqbeNdS.exe, 00000000.00000002.2939049599.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686098603.000000000309B000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685438538.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685289944.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686228797.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686558375.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686427978.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685685338.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685825306.0000000003087000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685963819.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000002.2938649842.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686702946.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693704550.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1691931017.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692755823.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693880629.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692092441.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2940996217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692906229.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693309663.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.thermoscientific.com/support
Source: Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thermoscientific.com/support~
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_0098A8F1	0_2_0098A8F1
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B001D	0_2_009B001D
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009A41EA	0_2_009A41EA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009862AA	0_2_009862AA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B03D5	0_2_009B03D5
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AC332	0_2_009AC332
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BA560	0_2_009BA560
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B07AA	0_2_009B07AA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BAA0E	0_2_009BAA0E
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AFB89	0_2_009AFB89
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B0B6F	0_2_009B0B6F
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B2C18	0_2_009B2C18
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B2E47	0_2_009B2E47
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BEE7C	0_2_009BEE7C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A4A8F1	2_2_00A4A8F1
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7001D	2_2_00A7001D
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A641EA	2_2_00A641EA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A462AA	2_2_00A462AA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A703D5	2_2_00A703D5
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6C332	2_2_00A6C332
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7A560	2_2_00A7A560
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A707AA	2_2_00A707AA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7AA0E	2_2_00A7AA0E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6FB89	2_2_00A6FB89
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A70B6F	2_2_00A70B6F
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A72C18	2_2_00A72C18
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7EE7C	2_2_00A7EE7C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A72E47	2_2_00A72E47
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_0607866C	2_2_0607866C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_0607B3B9	2_2_0607B3B9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF707C	2_2_6CBF707C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBFD6D0	2_2_6CBFD6D0
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF6E4D	2_2_6CBF6E4D
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CC027F8	2_2_6CC027F8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBFDB7E	2_2_6CBFDB7E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00EE0BC8	2_2_00EE0BC8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_038AB2B0	2_2_038AB2B0
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_038ABC28	2_2_038ABC28
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_06077A8D	2_2_06077A8D

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: String function: 00A80726 appears 33 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: String function: 00A832F3 appears 83 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: String function: 00A43821 appears 497 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: String function: 00A41F13 appears 52 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: String function: 00A80237 appears 681 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: String function: 009C0237 appears 678 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: String function: 00983821 appears 496 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: String function: 009C0726 appears 33 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: String function: 009C32F3 appears 83 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: String function: 00981F13 appears 52 times

Source: Y5JXqbeNdS.exe, 00000000.00000000.1684138453.0000000000B36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe	Binary or memory string: OriginalFilename vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenameThermo.Chromeleon.BaExtension.dll8 vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2948693965.000000006CC0E000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamembahost.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Deployment.WindowsInstaller.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2938929182.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943834626.00000000061DA000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameThermo.BootstrapperApplication.dll8 vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943279233.0000000005B14000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenameBootstrapperCore.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000000.1690371667.0000000000BF6000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe	Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe.0.dr	Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wuapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wups.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: updatepolicy.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: windowscodecsext.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: thumbcache.dll	Jump to behavior

Source: Y5JXqbeNdS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: Thermo.BootstrapperApplication.dll.2.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Thermo.Chromeleon.BaExtension.dll.2.dr, ExtensionVariables.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: Thermo.BootstrapperApplication.dll.2.dr, CommonUiViewModel.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Thermo.BootstrapperApplication.dll.2.dr, CommonUiViewModel.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs	Security API names: System.IO.FileInfo.SetAccessControl(System.Security.AccessControl.FileSecurity)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs	Security API names: Thermo.Bootstrapper.Utilities.PackageStatusLogger.SetAccessControl(string)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs	Security API names: System.IO.FileInfo.GetAccessControl()
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs	Security API names: Thermo.Bootstrapper.Utilities.PackageStatusLogger.SetAccessControl(System.IO.FileInfo)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: sus24.evad.winEXE@3/15@0/0

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009BFE21 FormatMessageW,GetLastError,LocalFree,

0_2_009BFE21

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009845EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		0_2_009845EE
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A445EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		2_2_00A445EE

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009C304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

0_2_009C304F

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009A6B88 ChangeServiceConfigW,GetLastError,

0_2_009A6B88

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Mutant created: NULL
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{FE0F444E-3839-43DC-AA5A-1DAD8411A6B1}

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

File created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\

Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: cabinet.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: msi.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: version.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: wininet.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: comres.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: clbcatq.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: msasn1.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: crypt32.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: feclient.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: cabinet.dll	0_2_00981070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: cabinet.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: msi.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: version.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: wininet.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: comres.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: clbcatq.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: msasn1.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: crypt32.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: feclient.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: cabinet.dll	2_2_00A41070

Source: Y5JXqbeNdS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Y5JXqbeNdS.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: Y5JXqbeNdS.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: Y5JXqbeNdS.exe	String found in binary or memory: [PostInstall] {0}: Error parsing post-install step state
Source: Y5JXqbeNdS.exe	String found in binary or memory: views/installationqualificationview.baml
Source: Y5JXqbeNdS.exe	String found in binary or memory: /Thermo.BootstrapperApplication;component/views/installationqualificationview.xaml
Source: Y5JXqbeNdS.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

File read: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Y5JXqbeNdS.exe "C:\Users\user\Desktop\Y5JXqbeNdS.exe"
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Process created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Process created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544	Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Y5JXqbeNdS.exe

Static PE information: certificate valid

Source: Y5JXqbeNdS.exe

Static file information: File size 5999376 > 1048576

Source: Y5JXqbeNdS.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x195000

Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Y5JXqbeNdS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Y5JXqbeNdS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.BootstrapperApplication\obj\Release\Thermo.BootstrapperApplication.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006196000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: Y5JXqbeNdS.exe, 00000002.00000002.2948619605.000000006CC04000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.2.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdbXXnX `X_CorDllMainmscoree.dll source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr

Source: Y5JXqbeNdS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Y5JXqbeNdS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Y5JXqbeNdS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Y5JXqbeNdS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Y5JXqbeNdS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: Thermo.BootstrapperApplication.dll.2.dr, AssemblyHelper.cs

.Net Code: ResolveEmbeddedAssembly System.Reflection.Assembly.Load(byte[])

Source: Y5JXqbeNdS.exe	Static PE information: section name: .wixburn
Source: Y5JXqbeNdS.exe.0.dr	Static PE information: section name: .wixburn

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AEAD6 push ecx; ret	0_2_009AEAE9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6EAD6 push ecx; ret	2_2_00A6EAE9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_06076708 push es; ret	2_2_06076727
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_0607C2FA push es; iretd	2_2_0607C30C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF4496 push ecx; ret	2_2_6CBF44A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_038A80E8 push esp; iretd	2_2_038A80F9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8EE12 pushfd ; iretd	2_2_05F8EE41
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8EE02 pushad ; iretd	2_2_05F8EE11
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8C3AB pushfd ; iretd	2_2_05F8C3A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8B36A pushfd ; iretd	2_2_05F8B3B9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8C350 pushfd ; iretd	2_2_05F8C3A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8F2DA push esp; retf	2_2_05F8F2E9

Source: Thermo.BootstrapperApplication.dll.2.dr

Static PE information: section name: .text entropy: 7.388050412212095

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll	Jump to dropped file

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Eula.rtf	Jump to behavior

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Memory allocated: 38D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Memory allocated: 58D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Code function: 2_2_0607353E sldt word ptr [eax]

2_2_0607353E

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Window / User API: threadDelayed 1646			Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Window / User API: threadDelayed 681			Jump to behavior

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll	Jump to dropped file

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Evaded block: after key decision

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

API coverage: 9.4 %

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 009BFF61h	0_2_009BFEC6
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 009BFF5Ah	0_2_009BFEC6
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00A7FF61h	2_2_00A7FEC6
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00A7FF5Ah	2_2_00A7FEC6

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009C4440 FindFirstFileW,FindClose,	0_2_009C4440
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_00999B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_00999B43
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_00983CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	0_2_00983CC4
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A84440 FindFirstFileW,FindClose,	2_2_00A84440
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A59B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_00A59B43
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A43CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00A43CC4

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009C97A5 VirtualQuery,GetSystemInfo,

0_2_009C97A5

Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: $^qEMutating a value collection derived from a dictionary is not allowed.

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009AE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009AE88A

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B48D8 mov eax, dword ptr fs:[00000030h]	0_2_009B48D8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A748D8 mov eax, dword ptr fs:[00000030h]	2_2_00A748D8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF8F39 mov eax, dword ptr fs:[00000030h]	2_2_6CBF8F39

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_0098394F GetProcessHeap,RtlAllocateHeap,

0_2_0098394F

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AE3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009AE3D8
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009AE88A
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AE9DC SetUnhandledExceptionFilter,	0_2_009AE9DC
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009B3C76
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00A6E3D8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00A6E88A
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6E9DC SetUnhandledExceptionFilter,	2_2_00A6E9DC
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A73C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00A73C76
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF44AB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6CBF44AB
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF7EDC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6CBF7EDC
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF42CD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6CBF42CD

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Process created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544

Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009C1719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

0_2_009C1719

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009C3A5F AllocateAndInitializeSid,CheckTokenMembership,

0_2_009C3A5F

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009AEC07 cpuid

0_2_009AEC07

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_00994EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

0_2_00994EDF

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_00986037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,

0_2_00986037

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009861DF GetUserNameW,GetLastError,

0_2_009861DF

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009C887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

0_2_009C887B

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_00985195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

0_2_00985195

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	1 Windows Service	2 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Native API	Logon Script (Windows)	12 Process Injection	1 Disable or Modify Tools	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	25 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Y5JXqbeNdS.exe	2%	ReversingLabs
Y5JXqbeNdS.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll	0%	ReversingLabs
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll	0%	Virustotal	Browse
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll	0%	ReversingLabs
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll	0%	Virustotal	Browse
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll	0%	ReversingLabs
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll	0%	Virustotal	Browse
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll	0%	ReversingLabs
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll	0%	Virustotal	Browse
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll	0%	ReversingLabs
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll	0%	Virustotal	Browse
C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	2%	ReversingLabs
C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://defaultcontainer/Thermo.BootstrapperApplication;component/views/GlobalStyles.xamld	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	0%	URL Reputation	safe
http://appsyndication.org/2006/appsyn	0%	URL Reputation	safe
http://defaultcontainer/Thermo.BootstrapperApplication;component/views/welcomeview.xamld	0%	Avira URL Cloud	safe
http://foo/bar/views/welcomeview.baml	0%	Avira URL Cloud	safe
http://foo/views/welcomeview.xaml	0%	Avira URL Cloud	safe
http://foo/bar/views/welcomeview.bamld	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/System	0%	Avira URL Cloud	safe
http://.crl0	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/System	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://defaultcontainer/Thermo.BootstrapperApplication;component/views/GlobalStyles.xamld	Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/soap/encoding/	Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wixtoolset.org/schemas/thmutil/2010	mbapreq.thm.2.dr	false		high
http://defaultcontainer/Thermo.BootstrapperApplication;component/views/welcomeview.xamld	Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://ocsp.thawte.com0	Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	false	URL Reputation: safe	unknown
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Thermo.BootstrapperApplication.dll.2.dr	false		high
http://foo/bar/views/welcomeview.baml	Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	false	URL Reputation: safe	unknown
http://wixtoolset.org/news/	Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Thermo.BootstrapperApplication.dll.2.dr	false		high
http://www.symauth.com/cps0(	Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	false		high
http://wixtoolset.org/releases/SCreating	Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr	false		high
http://www.thermofisher.com	Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr	false		high
http://wixtoolset.org/releases/	Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	false		high
http://foo/views/welcomeview.xaml	Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.symauth.com/rpa00	Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	false		high
http://schemas.xmlsoap.org/wsdl/	Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://foo/bar/views/welcomeview.bamld	Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.thermoscientific.com/support	Y5JXqbeNdS.exe, 00000000.00000002.2939049599.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686098603.000000000309B000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685438538.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685289944.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686228797.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686558375.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686427978.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685685338.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685825306.0000000003087000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685963819.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000002.2938649842.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686702946.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693704550.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1691931017.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692755823.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693880629.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692092441.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2940996217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692906229.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693309663.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wixtoolset.org/	Y5JXqbeNdS.exe	false		high
http://wixtoolset.org/telemetry/v	Y5JXqbeNdS.exe	false		high
http://www.thermoscientific.com/support~	Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/System	Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://.crl0	Y5JXqbeNdS.exe, 00000000.00000002.2937034701.000000000073B000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.thermoscientific.com/chromeleon	Y5JXqbeNdS.exe, 00000000.00000002.2939049599.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686098603.000000000309B000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685438538.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685289944.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686228797.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686558375.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686427978.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685685338.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685825306.0000000003087000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685963819.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000002.2938649842.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686702946.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693704550.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1691931017.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692755823.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693880629.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692092441.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2940996217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692906229.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693309663.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://appsyndication.org/2006/appsyn	Y5JXqbeNdS.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1419151
Start date and time:	2024-04-03 07:00:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Y5JXqbeNdS.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	23cddf52736c27fecc5b7e48607f4ce60c949b238e92086841db8ac7f49155e7
Detection:	SUS
Classification:	sus24.evad.winEXE@3/15@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 123 Number of non-executed functions: 251

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll	https://download.microsoft.com/download/8/8/0/880BCA75-79DD-466A-927D-1ABF1F5454B0/PBIDesktopSetup_x64.exe	Get hash	malicious	Unknown	Browse
	Building-Construction-Terms-With-Pictures.msi	Get hash	malicious	Unknown	Browse
	Medical-Engagement-Scale-Questionnaire.msi	Get hash	malicious	Unknown	Browse
	Fedex-Tracking-By-Shipper-Receipt.msi	Get hash	malicious	Unknown	Browse
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll	https://download.microsoft.com/download/8/8/0/880BCA75-79DD-466A-927D-1ABF1F5454B0/PBIDesktopSetup_x64.exe	Get hash	malicious	Unknown	Browse
	Building-Construction-Terms-With-Pictures.msi	Get hash	malicious	Unknown	Browse
	Medical-Engagement-Scale-Questionnaire.msi	Get hash	malicious	Unknown	Browse
	Fedex-Tracking-By-Shipper-Receipt.msi	Get hash	malicious	Unknown	Browse
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll	3managerAgentSetup.2.0.72.0 (1).exe	Get hash	malicious	Unknown	Browse
	https://download.microsoft.com/download/8/8/0/880BCA75-79DD-466A-927D-1ABF1F5454B0/PBIDesktopSetup_x64.exe	Get hash	malicious	Unknown	Browse
	Wox-Full-Installer.1.4.1196.exe	Get hash	malicious	Thanos	Browse
	Building-Construction-Terms-With-Pictures.msi	Get hash	malicious	Unknown	Browse
	Medical-Engagement-Scale-Questionnaire.msi	Get hash	malicious	Unknown	Browse
	Fedex-Tracking-By-Shipper-Receipt.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Thermo_Chromeleon_7.2.10_ES_MUa_20240403070104.log

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	406567
Entropy (8bit):	5.433815816808996
Encrypted:	false
SSDEEP:	768:j5je2HFPZWUxd7x39SOXCdNbKTx+Uz2RYe+tc54X2/zOJ2dV412X24h:1e2HFPZWUxd7x39S6Cqch
MD5:	D5E7BAF78144D42791B32874C5F199E0
SHA1:	29BE39AA8213929095122D66D07038228604FFB2
SHA-256:	BC963F11AEB1A0A2E0E82A99F1B474650BEAE05768010F1D7CD3393DF441CF00
SHA-512:	332F8411947BFA2BFD5C440C8F2CBDE01359EA7AEE9BBBB65270F98860FBBFDF25C0CAC43665B346D0DB01915BD807AB2B01AF59572244E453C280C610FA898A
Malicious:	false
Reputation:	low
Preview:	[1B74:1B88][2024-04-03T07:01:03]i001: Burn v3.11.1.2318, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe..[1B74:1B88][2024-04-03T07:01:03]i000: Initializing string variable 'BaBundlePatchVersion' to value ''..[1B74:1B88][2024-04-03T07:01:03]i000: Initializing numeric variable 'BaExecutionCounter' to value '0'..[1B74:1B88][2024-04-03T07:01:03]i000: Initializing string variable 'BaPackageStatesLogDir' to value '[CommonAppDataFolder]Dionex\Chromeleon\IQ\Inventories\'..[1B74:1B88][2024-04-03T07:01:03]i000: Initializing hidden variable 'BaSelectableItemStates'..[1B74:1B88][2024-04-03T07:01:03]i000: Initializing hidden variable 'BaStartTime'..[1B74:1B88][2024-04-03T07:01:03]i000: Initializing string variable 'LogFilesBackupDir' to value '[CommonAppDataFolder]Dionex\Chromeleon\SetupLogs\'..[1B74:1B88][2024-04-03T07:01:03]i000: Initializing string variable '__PreInstallationArguments__' to value ''..[1B74:1B88][2024-0

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (3622), with CRLF line terminators
Category:	dropped
Size (bytes):	529018
Entropy (8bit):	3.6905406400721614
Encrypted:	false
SSDEEP:	3072:X2rgfN1ZF+2iPOyyfSLcofvM71PmB9TnJICp+Oopc1cCf1iRXJuOhgY+AufcVNxW:T1+ky4O6QSRLl+47JYbqAjK4naM
MD5:	C8762247922DE1818F4CB447FF6C2DE0
SHA1:	4928B880F35C14B17476528DFB8C523E91F0CA41
SHA-256:	DE36A35D42EA41170624A31DAFEB04E61BB246C472F5FC1DE535E7D62C05FFC5
SHA-512:	DEB6D2C29E0E4D40D6A36D003AABB66316867DB608115380DA54A89B0A4E9BE1DCE44D168E3C1FE0B8F6B69B00914362760C2B28855BBCEF7E8C64129661D8CC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.B.u.n.d.l.e.C.o.n.f.i.g.u.r.a.t.i.o.n. .B.u.n.d.l.e.I.d.=.".T.h.e.r.m.o...C.h.r.o.m.e.l.e.o.n...B.u.n.d.l.e.". .B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.E.x.t.e.n.s.i.o.n.A.s.s.e.m.b.l.y.=.".T.h.e.r.m.o...C.h.r.o.m.e.l.e.o.n...B.a.E.x.t.e.n.s.i.o.n...d.l.l.". .B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.E.x.t.e.n.s.i.o.n.T.y.p.e.N.a.m.e.=.".T.h.e.r.m.o...C.h.r.o.m.e.l.e.o.n...B.a.E.x.t.e.n.s.i.o.n...E.x.t.e.n.s.i.o.n.". .B.u.n.d.l.e.M.a.r.k.e.t.i.n.g.N.a.m.e.=.".T.h.e.r.m.o. .S.c.i.e.n.t.i.f.i.c."! .D.i.o.n.e.x."! .C.h.r.o.m.e.l.e.o.n."! .7. . .M.U.a.". .B.u.n.d.l.e.S.h.o.r.t.M.a.r.k.e.t.i.n.g.N.a.m.e.=.".C.h.r.o.m.e.l.e.o.n. .7...2...1.0. .E.S.". .B.u.n.d.l.e.S.h.o.r.t.V.e.r.s.i.o.n.

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.config

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	766
Entropy (8bit):	4.872931706608784
Encrypted:	false
SSDEEP:	12:MMHd41PdAzc+TXYr+XFy9b9zc+TXYcXII3VymhsSFbD9g3XmG0z/jDg3uxm:Jd6gtYrx9NtYhmhDbK3WfrU3F
MD5:	ABEED73083E0029ABB632BDD5C4DF4DD
SHA1:	221C6EB77A853BA5A886D70A643DE19236E32EEC
SHA-256:	7B73EB5B58FB8A4F0AE6B6A87FBDE167CDB37644A4D40DF9D899EE8FD8A67F8D
SHA-512:	300C9FB3FBF0DB8A475A7E9D936B453652D4D1BD927A4FB12DEB8EAF1AEB75BD2304778F13AF8E9D13014ACC66FF16654F59E21EC50642E6F32DA2733864ABF5
Malicious:	false
Reputation:	low
Preview:	.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <configSections>.. <sectionGroup name="wix.bootstrapper".. type="Microsoft.Tools.WindowsInstallerXml.Bootstrapper.BootstrapperSectionGroup, BootstrapperCore">.. <section name="host".. type="Microsoft.Tools.WindowsInstallerXml.Bootstrapper.HostSection, BootstrapperCore" />.. </sectionGroup>.. </configSections>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0".. sku=".NETFramework,Version=v4.0" />.. </startup>.. <wix.bootstrapper>.. <host assemblyName="Thermo.BootstrapperApplication">.. <supportedFramework version="v4\Full" />.. </host>.. </wix.bootstrapper>..</configuration>..

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	5.445513519612376
Encrypted:	false
SSDEEP:	768:GBgPxZlx0MBps+j7ejaab0Y6OwE7v10WHSp5fh06iG27N9k+6ybJ17rEgtu:qHMBp/GRbgi5ofpiG2pq+517ogE
MD5:	C4F7146DDC56763CCDB1CB3C09478708
SHA1:	BCA088AB33CFB69ADEAE11A272E9C8A83F39A8C9
SHA-256:	886CB2A994461F091752FC7B21E3143C212EFD8841C757909E74AC32761880DA
SHA-512:	DF2CA029E95F80FC5870E541DB8B1D5A03266307BB5F7680AD630868A9A3C584B3A702FBEC09C26FEF7287C99F5D9D1F59CD59B74DCF740C9A8E7508E07D18B5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: Building-Construction-Terms-With-Pictures.msi, Detection: malicious, Browse Filename: Medical-Engagement-Scale-Questionnaire.msi, Detection: malicious, Browse Filename: Fedex-Tracking-By-Shipper-Receipt.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0...... ........... ...@....... ..............................8.....@.................................`...O....@.......................`......(-............................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Eula.rtf

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	4490
Entropy (8bit):	5.059004663494575
Encrypted:	false
SSDEEP:	96:MClBLEcTk6NDZSftJpn0WfoW6USPRl0D6R2jdmNt1Oc/fTp3hk0ifCmIbOEQCcQB:n+j6ToLp0WfkUSPRl0D42jITTpxOIbOu
MD5:	D6613B497E3456AC0AFFC132A8B3728D
SHA1:	83DE0C03CE0641DA348F30FE2D2E2C132CB56E82
SHA-256:	AD4AEBBF044AC67DE571721494704AB91F34BAE44798E1CA12019A255356309C
SHA-512:	2628D41FF5D302ABA56D1B8DD80FCB8190406D84FF308E76C7C413393125D48DED1B6074527BE6A5E317831A6897C1EB4DA5022C10A427FCC20E1EBABBB1195B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset2 Symbol;}}..{\colortbl ;\red255\green255\blue255;\red0\green0\blue255;}..{\\generator Riched20 10.0.10577}{\\mmathPr\mnaryLim0\mdispDef1\mwrapIndent1440 }\viewkind4\uc1 ..\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT SOFTWARE SUPPLEMENTAL LICENSE TERMS\par....\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120 .NET FRAMEWORK AND ASSOCIATED LANGUAGE PACKS FOR MICROSOFT WINDOWS OPERATING SYSTEM\cf1 \cf0\par....\pard\nowidctlpar\sb120\sa120\b0 Microsoft Corporation (or based on where you live, one of its affiliates) licenses this supplement to you. If you are licensed to use Microsoft Windows operating system software (the \ldblquote software\rdblquote ), you may use this supplement. You may not use it if you do not have a license for the software. You may use this supplement with each validly licensed copy of the software.\par..The followi

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	18001
Entropy (8bit):	5.03075383733511
Encrypted:	false
SSDEEP:	384:xdCdsvqpCLNW8oCLtPJNF9JMOtVx8/PJ+XcV2:xdQuzLNnoCTMoVx8/PoXt
MD5:	6084EEB530D0158AFFD1DA440FE068AE
SHA1:	C11905C94716AEFA95A6DA4F86B9D1C832F1A6B7
SHA-256:	884C87BCA98B4E6DA08B4C6C61E4EFFE9A93B2B39BCAC8275731FC9E1822BBFE
SHA-512:	D7ACF2ED57FA102AA901348D021C6D299C79B9DBA179E304FA6EAEA56A374DC6A45BE09F43097E56617B98C94DB20430FE3AECC362D90F8009F7662D2E61DAFE
Malicious:	false
Reputation:	low
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Arial;}}..{\colortbl ;\red0\green0\blue0;}..{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\sb100\sa100\qc\lang2057\b\f0\fs20 CHROMELEON (the \ldblquote SOFTWARE\rdblquote )\par..END USER AGREEMENT AND SOFTWARE LICENSE TERMS\par..\pard\sb100\sa100\qj\b0\tab\ul\b For Copies Supplied by Electronic Transmission:\ulnone\b0 BEFORE YOU SELECT THE CHECK BOX TO ACCEPT THESE TERMS AND THEN CLICK THE \ldblquote INSTALL\rdblquote BUTTON, CAREFULLY READ ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT. BY CLICKING ON THE \ldblquote INSTALL\rdblquote BUTTON IN THE CHROMELEON SETUP WINDOW, YOU AGREE TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT CLICK THE "INSTALL" BUTTON AND DO NOT USE THIS SOFTWARE\ul\b\par..\pard\sa200\sl240\slmult0\qj\cf1\lang1033\ulnone\b0\tab\ul\b For Copies Supplied on Tangible Media\ulnone\b0 :

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Installation Guide - Chromeleon 7.2.10.pdf

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	PDF document, version 1.4
Category:	dropped
Size (bytes):	2609948
Entropy (8bit):	7.930934745327068
Encrypted:	false
SSDEEP:	49152:pYfCnBFYkkbOGfcfPfcUKgsIDmcRu3iKLmB/n7Rt+KAyFVf9G:e6BqD3gsIScFnx7XJf9G
MD5:	4748F42F60E6E6A849261D51ABBCB381
SHA1:	1D08763F38D5B60D674461397EF4954F89678E69
SHA-256:	D87E1A5002E516374ABCBA86509A79FB8C7276790B64F4BAE6B9853CCE44CDC6
SHA-512:	86320CE7F8320E64D5E82C177E76E18ABCAAA0357362F43B9019C625464FC819EFC9246DAE0807CC512C41FB44C9A6CE5CF99958193265548BADF5F8B2161E37
Malicious:	false
Reputation:	low
Preview:	%PDF-1.4.%......3222 0 obj.<</Linearized 1/L 2599094/O 3224/E 532679/N 101/T 2534532/H [ 5980 3976]>>.endobj. ..xref..3222 278..0000000016 00000 n..0000010185 00000 n..0000010359 00000 n..0000010695 00000 n..0000011321 00000 n..0000011373 00000 n..0000011626 00000 n..0000012291 00000 n..0000013244 00000 n..0000013829 00000 n..0000014088 00000 n..0000014726 00000 n..0000014841 00000 n..0000056020 00000 n..0000092220 00000 n..0000092835 00000 n..0000092983 00000 n..0000093136 00000 n..0000093289 00000 n..0000093442 00000 n..0000093594 00000 n..0000093746 00000 n..0000093899 00000 n..0000094052 00000 n..0000094205 00000 n..0000094358 00000 n..0000094511 00000 n..0000094664 00000 n..0000094817 00000 n..0000094969 00000 n..0000095121 00000 n..0000095273 00000 n..0000095425 00000 n..0000095578 00000 n..0000095730 00000 n..0000095882 00000 n..0000096034 00000 n..0000096185 00000 n..0000096335 00000 n..0000096485 00000 n..0000096637 00000 n..0000096790 00000 n..0000096940 00000 n..00000970

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1473024
Entropy (8bit):	7.382522256988454
Encrypted:	false
SSDEEP:	24576:CS9+V7m2ovp4Ig1JzK/nXbSWYicdhh0mXWREfvIgAHz6CGZAO1:CLspl8oLSHDdhh0CjgdHz5GZ9
MD5:	BA0C660D822A3C50737E253F1BB70F32
SHA1:	061BB962FD1F35EF0C300480F3C832E83D7579AF
SHA-256:	608B9773064248C20262B9E6F8F217042EED62201D9DE087DE1207CB6748282A
SHA-512:	65CD3606A63DBB73FBA50C048703CBAA64A07ABAB1E1DD7CEBDFDB7A38D5242818380343CF4346DD08F9D8C8E490A281C424BCC3987D210045A75F97BEB75CBA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u.4_...........!.....p............... ........... ....................................@.....................................K.................................................................................... ............... ..H............text...4o... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B........................H........b.............@.................................................{...."..}......{...."..}......{...."..}......{...."..}....j.(....(....-..(....~....2.(....(j....0..@............(.....(.....(........... .(....r...p.(....(.....o.................... (.....(.....(....o(....(....o....(....o+....(....o,....0..6.........(....%...(!...~....-.(....s"...z~........,..(#...............(.......~.....(....o-.....0..b........o....,..o....(....o?....o....o....

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	5.048605813633129
Encrypted:	false
SSDEEP:	192:wvc791yZmc4fVqenOG9yhzeDNmvmArhRtkzifR69sAlrf:wMkqd7ysBmvm4hRtkzCsP
MD5:	7CF3195CC0F2FE8F193BA6967F974CF3
SHA1:	D80A4EC89E0D1A6BB1F7A551D49C48999DB174E8
SHA-256:	34F88DF2BC9A19B9FD535CAE271D544DB717AB379869FEA0356111FBB68E0F58
SHA-512:	133D63F50B27C93D3DF5093D548BA9F67A5D971DF24E992FDEB65359DB0EC5E11EA3F75E642E8C8F0508C60CBFB059E7D2470F657F9A8EB5887EE3C2F0C9CF48
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.4_...........!.....:..........~X... ...`....... ....................................@.................................0X..K....`...............................V............................................... ............... ..H............text....8... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............B..............@..B................`X......H.......L....(..........`)...............................................0..b.......(......(....,&(....o....(....o.....(.....o....o.....(....-%(....o....(....o.....(.....o....o.......0..2.......(....o....o....-..(....o.......(....3.(....(.......0..N.......(....,6(.....r...po....(....o....(....o.....(.....o....o....(.....r...po.......0..........(....o....r...po.....(.....rR..pr...p..'...(....o.....j.+d(....-.(.....r...po....*(.....r...po....#.......?(....(....(.....r...p

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	113664
Entropy (8bit):	6.5129222678649334
Encrypted:	false
SSDEEP:	1536:p80SgCFfGu7VdeirtQAXvmZ7VkxtamC/53E7UGmy+uECOVsWj1cduJPS0IK78:p8zv6AXvXxtam053YrEIuJPS0IK78
MD5:	D7C697CEB6F40CE91DABFCBE8DF08E22
SHA1:	49CD0213A1655DCDB493668083AB2D7F55135381
SHA-256:	B925D9D3E1E2C49BF05A1B0713E2750EE6E0C43C7ADC9D3C3A1B9FB8C557C3DF
SHA-512:	22CA87979CA68F10B5FDA64C27913D0F2A12C359B04E4A6CAA3645303FBD47CD598C805FD9A43C8F3E0934E9D2DB85F7A4E1EFF26CB33D233EFC05EE2613CFC1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: Building-Construction-Terms-With-Pictures.msi, Detection: malicious, Browse Filename: Medical-Engagement-Scale-Questionnaire.msi, Detection: malicious, Browse Filename: Fedex-Tracking-By-Shipper-Receipt.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............gk.gk.gk.<...gk.<....gk.<...gk.Q.h.gk.Q.o.gk.Q.n.gk....gk.gj.8gk.,.n.gk.,.k.gk.,...gk.g..gk.,.i.gk.Rich.gk.........................PE..L......Z...........!.....&..........8>.......@............................................@.........................@..........x...............................t......T...........................(...@............@...............................text....$.......&.................. ..`.rdata...q...@...r...*..............@..@.data...,...........................@....rsrc...............................@..@.reloc..t...........................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	6.528352683227767
Encrypted:	false
SSDEEP:	3072:Pl5bBa/bNK3w4AY6CHGN6XZhuEvY2P9bK6SEPZY/Sq6QY9vJ/SLi9Y+WxhslrN1j:PlPa/bN+w/YhzXZhyQK6zPucy2jblx1j
MD5:	8CA04519005AD03B4D9E062B97D7F79D
SHA1:	DF53ED9440D027401D502F3297668009030350A7
SHA-256:	7B9F919A3D1974FD8FA35AD189EDC8BF287F476BD377E713E616B26864A4B0D3
SHA-512:	1A29E9E9BD798C892A7CD3CD4FF259195E4A92E26F53E8F1A86C75C5EB8FDDA58CEBA312CD791651FAD5CE04529696195815A4BA5C143AD52A5EA0D7C539BB77
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 3managerAgentSetup.2.0.72.0 (1).exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Wox-Full-Installer.1.4.1196.exe, Detection: malicious, Browse Filename: Building-Construction-Terms-With-Pictures.msi, Detection: malicious, Browse Filename: Medical-Engagement-Scale-Questionnaire.msi, Detection: malicious, Browse Filename: Fedex-Tracking-By-Shipper-Receipt.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........Qq.}Qq.}Qq.}..j}Xq.}..h}&q.}..i}Iq.}...\|@q.}...\|Aq.}...\|Kq.}X..}Uq.}X..}Lq.}Qq.}Sp.}...\|Hq.}...\|Pq.}..d}Pq.}Qq.}Pq.}...\|Pq.}RichQq.}........................PE..L......Z...........!......................................................................@....................................................................4.......T...............................@...............\............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.png

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	PNG image data, 427 x 519, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	229956
Entropy (8bit):	7.995263856245214
Encrypted:	true
SSDEEP:	6144:QHmxt4BqEtvFkcmA6MT+1PmmsHxevxEZzl/NbO16k8:K+WBzeIn5xRNbUc
MD5:	188D3F3186E2A88B7C360515123806BD
SHA1:	CD603A9D6B53CA05C1BB4B2400A46359FA3F0B26
SHA-256:	9B423E929ABD6F03C768FB7C1835D8DDFC88746BEEF5C8B73BDB025344914641
SHA-512:	3EE35650122A7648035E8FFC234CF843831760B536EC043A1DD652391279D0200E9DFAB102B04442ECFC1D2531BAFD507B0786442A859112060C0529B0A1D70B
Malicious:	false
Preview:	.PNG........IHDR.............!'se....gAMA....\|.Q.... cHRM...........R...@..}y.....<.....s<.w...9iCCPPhotoshop ICC profile..H..wTT....wz..0.R.....{.^Ea..`(..34.!...ED."HP..P$VD...T..$.(1.ET,oF.........o......Z..../...K......<....Qt.....`.).LVF._.{......!r._...zX..p..3.N....Y.\|......9.,...8%K.......,f.%f.(A..9a..>.,....<...9..S.b...L!G....3..,....F.0.+.7..T.3...Il.pX."6.1...."....H._q.W,.d..rIK..s...t......A..d.p....&+..g.].R.......Y2...EE.4...4432..P.u.oJ..Ez...g.........`.j..-....-....b.8....o....M</..A...qVV....2.....O.....g$>...]9.La.....+-%M.g.3Y.......u..A.x....E.....K.......i<:...............Pc...u@~..(.. ...]..o..0 ~y...s..7.g...%...9.%(....3........H....@...C`...-p.n.......V..H.....@....A1....jP..A3h..A'8..K....n..`.L.g`......a!2D..!.H... .d..A.P....B....By.f.....z....:....@..]h...~....L.............C.Up.......p%....;...5.6<.?.........."....G..x...G.....iE..>.&2.. oQ...EG..lQ..P......U..F.Fu.zQ7Qc.Y.G4....G......t...].nB../.o.'.1.......xb"1I.

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.thm

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8375
Entropy (8bit):	4.4726442876777135
Encrypted:	false
SSDEEP:	96:FZVjxv3MIMtVYSIX2YdjmTdOHsygWQ4siOSsGAH1nPSE:FZVjm/RpjrVqE
MD5:	E52E5FE13DE76EBC61382658B25A72A9
SHA1:	AA89152606EDCE509B739A40A4BF3E1A4E0193F3
SHA-256:	FC2CE6D97E46159DFC5603AE1FCC91E431416E1EC939331999E5052BEBDDC27E
SHA-512:	CA9F86CEC00C4D4BFA8DC3E604268DC9139EB2BA2AA2D9BF83C0B85D692752E06BB9C614CE3CBDA2FBFF1BD98CA1ACB61A6270583CC28E442122B0CE7908E878
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. .. =================================================================================================.. Fonts definitions.. =================================================================================================.. -->.. <Window Width="725".. Height="550".. HexStyle="100A0000".. FontId="0">[WixBundleName] Setup</Window>.. Height: 16 -->.. <Font Id="0".. Height="-12".. Weight="500".. Foreground="000000".. Background="FFFFFF">Segoe UI</Font>.. Height: 26 -->.. <Font Id="1".. Height="-16".. Weight="500".. Foreground="000000".. Background="FFFFFF">Segoe UI</Font>.. Height: 16 -->.. <Font Id="2".. Height="-12".. Weight="500".. Foreground="000000".. Background="FFFFFF">Segoe UI</Font>.. Height: 16 -->.. <Font Id="3".. Height="-12".

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	518
Entropy (8bit):	5.0869829269747235
Encrypted:	false
SSDEEP:	12:TMHdS4+D8GR6SVSus2Y7uUXfscHJm9A7u4QC2GNan4ZG:2dS4+QGR6SVLsKUUcpsf4QNGW
MD5:	41A8EAC1599C3249ADA099A003666F2D
SHA1:	B8472DA816AE90F5B6C5DCE65F9AE14638BCD7E6
SHA-256:	AC76AC426091117BB3F65F9312A398CDE2CA8BF117D95E78449C4B0357B9F74F
SHA-512:	C9FB5323C16B68D840A675E65A2EE6B5F1CB57ED6F7739BB1A94C8A77A695770AEB3AE8C274932582ECC292FFB2D2B387F062F77A64BA9D107930FE7B1F4DFB8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<WixLocalization xmlns="http://schemas.microsoft.com/wix/2006/localization".. Culture="en-us".. Language="1033">.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="NET452WIN7RTMErrorMessage">[WixBundleName] cannot run on Windows 7 RTM with .NET 4.5.2 installed. Install Windows 7 SP1 to run in a supported environment.</String>.. <String Id="SuccessHeader">Setup Successful</String>..</WixLocalization>

C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Download File

Process:	C:\Users\user\Desktop\Y5JXqbeNdS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5999376
Entropy (8bit):	7.176445289227108
Encrypted:	false
SSDEEP:	98304:+fUbqTf53XSZMB9zboGxZjHv70kX7H0CpDK6UxC9r4o/:+fUcUs9zbpZ027Ur6UYT
MD5:	CD423668F800BBDB227FA8063C33C654
SHA1:	9355B61BAEA1E1404F7C5B06A472AFFDD84E0D36
SHA-256:	23CDDF52736C27FECC5B7E48607F4CE60C949B238E92086841DB8AC7F49155E7
SHA-512:	3DC91416EB74ACE37DF2AECC83A1CC1B9D13611C042CFA811F50A6971AF51EC851905AA3D9C016FA6A2D2D591968FEC5C3C32F3E5FDF9CA367A42844BB6F05FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@......@.....y@......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@..................PE..L......Z..........................................@..........................` .......[...@..............................................N..........`s[...... ..=..Pv..T....................v......0p..@...................4........................text...7........................... ..`.rdata..`...........................@..@.data...0...........................@....wixburn8...........................@..@.rsrc....N.......P..................@..@.reloc...=... ..>..................@..B................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.176445289227108
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Y5JXqbeNdS.exe
File size:	5'999'376 bytes
MD5:	cd423668f800bbdb227fa8063c33c654
SHA1:	9355b61baea1e1404f7c5b06a472affdd84e0d36
SHA256:	23cddf52736c27fecc5b7e48607f4ce60c949b238e92086841db8ac7f49155e7
SHA512:	3dc91416eb74ace37df2aecc83a1cc1b9d13611c042cfa811f50a6971af51ec851905aa3d9c016fa6a2d2d591968fec5c3c32f3e5fdf9ca367a42844bb6f05fe
SSDEEP:	98304:+fUbqTf53XSZMB9zboGxZjHv70kX7H0CpDK6UxC9r4o/:+fUcUs9zbpZ027Ur6UYT
TLSH:	055612B55D434022D5A70BF3AB2D47342D29DF28173588FBDAD8B90E6A75F8126B310E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A!.S.@...@...@.......@......y@.......@..."\|..@..."{..@..."z.#@...8...@...8...@...@~.PA...#z.N@...#...@...@...@...#}..@..Rich.@.

File Icon


Icon Hash:	0653cd6943080497

Static PE Info

General

Entrypoint:	0x42e2a6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A10AD86 [Sat Nov 18 22:00:38 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	d7e2fd259780271687ffca462b9e69b7

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	11/03/2019 00:00:00 31/05/2022 00:59:59
Subject Chain	CN=Thermo Fisher Scientific Inc., O=Thermo Fisher Scientific Inc., L=Sunnyvale, S=California, C=US
Version:	3
Thumbprint MD5:	429BC8309E6093F095496FC9568F2841
Thumbprint SHA-1:	0F42A1F00F4B8D30DE087DBE19006D4218676C5B
Thumbprint SHA-256:	8C9064E521F5614AFB23416FAD789D70A7D79FFB954EADFDD54C298DAAB60612
Serial:	5C05245A803266F1F9108199F4A52A97

Entrypoint Preview

Instruction
call 00007FA42081373Fh
jmp 00007FA4208130B3h
mov eax, dword ptr [esp+08h]
mov ecx, dword ptr [esp+10h]
or ecx, eax
mov ecx, dword ptr [esp+0Ch]
jne 00007FA42081322Bh
mov eax, dword ptr [esp+04h]
mul ecx
retn 0010h
push ebx
mul ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
mul dword ptr [esp+14h]
add ebx, eax
mov eax, dword ptr [esp+08h]
mul ecx
add edx, ebx
pop ebx
retn 0010h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
cmp cl, 00000040h
jnc 00007FA420813237h
cmp cl, 00000020h
jnc 00007FA420813228h
shrd eax, edx, cl
shr edx, cl
ret
mov eax, edx
xor edx, edx
and cl, 0000001Fh
shr eax, cl
ret
xor eax, eax
xor edx, edx
ret
push ebp
mov ebp, esp
jmp 00007FA42081322Fh
push dword ptr [ebp+08h]
call 00007FA420819AACh
pop ecx
test eax, eax
je 00007FA420813231h
push dword ptr [ebp+08h]
call 00007FA420819B35h
pop ecx
test eax, eax
je 00007FA420813208h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007FA420813AC4h
jmp 00007FA420813AA1h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FA420813ADDh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 00460DB8h
je 00007FA42081322Ch
push 0000000Ch
push esi
call 00007FA4208131FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x686b4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0x194ea4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5b7360	0x17b0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x202000	0x3dfc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x67650	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x676a4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x67030	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4b000	0x3e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x68234	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x49937	0x49a00	2319c0baa707bb66cc0bc08c55a13d8c	False	0.5314688561120543	data	6.570006046413636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4b000	0x1ed60	0x1ee00	8ad6c4e18165c6d8ccdc97bab683438d	False	0.3136386639676113	data	5.114228301263695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6a000	0x1730	0xa00	00fde973df27dc2d36084e16d6dddbdf	False	0.274609375	firmware 2005 v9319 (revision 0) N\346@\273\261\031\277D V2, 0 bytes or less, UNKNOWN2 0xffffffff, at 0 0 bytes , at 0 0 bytes , at 0x20a14600	3.1526594027632213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn	0x6c000	0x38	0x200	627416055d88c3c27302ca8ab8e194e9	False	0.095703125	data	0.5205881313429501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6d000	0x194ea4	0x195000	fafc9fe5b53f28c8e7acfeb1c4e66cb2	False	0.24420030381944444	data	3.640080898233727	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x202000	0x3dfc	0x3e00	dd2c47fa48872886af4c9a2e5bd90ccc	False	0.8097278225806451	data	6.794335469567533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x6d340	0x149128	Device independent bitmap graphic, 720 x 624 x 24, image size 0, resolution 2835 x 2835 px/m	English	United States	0.25530052185058594
RT_ICON	0x1b6468	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5748933901918977
RT_ICON	0x1b7310	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7035198555956679
RT_ICON	0x1b7bb8	0x748	Device independent bitmap graphic, 25 x 50 x 8, image size 700, 256 important colors	English	United States	0.8315450643776824
RT_ICON	0x1b8300	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.6893063583815029
RT_ICON	0x1b8868	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.22479436044619344
RT_ICON	0x1fa890	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.41981327800829876
RT_ICON	0x1fce38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4880393996247655
RT_ICON	0x1fdee0	0xa50	Device independent bitmap graphic, 25 x 50 x 32, image size 2600	English	United States	0.759469696969697
RT_ICON	0x1fe930	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8315602836879432
RT_MESSAGETABLE	0x1fed98	0x2840	data	English	United States	0.28823757763975155
RT_GROUP_ICON	0x2015d8	0x84	data	English	United States	0.6590909090909091
RT_VERSION	0x20165c	0x374	data	English	United States	0.4321266968325792
RT_MANIFEST	0x2019d0	0x4d2	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1174), with CRLF line terminators	English	United States	0.47568881685575365

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegQueryValueExW, RegDeleteValueW, CloseEventLog, OpenEventLogW, ReportEventW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DecryptFileW, CreateWellKnownSid, InitializeAcl, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, ControlService, OpenSCManagerW, OpenServiceW, QueryServiceStatus, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, QueryServiceConfigW
USER32.dll	PeekMessageW, PostMessageW, IsWindow, WaitForInputIdle, PostQuitMessage, GetMessageW, TranslateMessage, MsgWaitForMultipleObjects, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, DispatchMessageW
OLEAUT32.dll	VariantInit, SysAllocString, VariantClear, SysFreeString
GDI32.dll	DeleteDC, DeleteObject, SelectObject, StretchBlt, GetObjectW, CreateCompatibleDC
SHELL32.dll	CommandLineToArgvW, SHGetFolderPathW, ShellExecuteExW
ole32.dll	CoUninitialize, CoInitializeEx, CoInitialize, StringFromGUID2, CoCreateInstance, CoTaskMemFree, CLSIDFromProgID, CoInitializeSecurity
KERNEL32.dll	GetCommandLineA, GetCPInfo, GetOEMCP, CloseHandle, CreateFileW, GetProcAddress, LocalFree, HeapSetInformation, GetLastError, GetModuleHandleW, FormatMessageW, lstrlenA, lstrlenW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, Sleep, GetLocalTime, GetModuleFileNameW, ExpandEnvironmentStringsW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, GetFullPathNameW, CompareStringW, GetCurrentProcessId, WriteFile, SetFilePointer, LoadLibraryW, GetSystemDirectoryW, CreateFileA, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FindClose, GetCommandLineW, GetCurrentDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, MoveFileExW, GetCurrentProcess, GetCurrentThreadId, InitializeCriticalSection, DeleteCriticalSection, ReleaseMutex, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateProcessW, GetVersionExW, VerSetConditionMask, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, GetNativeSystemInfo, GetModuleHandleExW, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetEnvironmentStringsW, VerifyVersionInfoW, GetVolumePathNameW, GetDateFormatW, GetUserDefaultUILanguage, GetSystemDefaultLangID, GetUserDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, DuplicateHandle, InterlockedExchange, InterlockedCompareExchange, LoadLibraryExW, CreateEventW, ProcessIdToSessionId, OpenProcess, GetProcessId, WaitForSingleObject, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, CreateThread, GetExitCodeThread, SetEvent, WaitForMultipleObjects, InterlockedIncrement, InterlockedDecrement, ResetEvent, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, CompareStringA, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, MapViewOfFile, UnmapViewOfFile, CreateMutexW, CreateFileMappingW, GetThreadLocale, IsValidCodePage, FindFirstFileExW, FreeEnvironmentStringsW, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DecodePointer, WriteConsoleW, GetModuleHandleA, GlobalAlloc, GlobalFree, GetFileSizeEx, CopyFileW, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetSystemInfo, VirtualProtect, VirtualQuery, GetComputerNameW, SetCurrentDirectoryW, GetFileType, GetACP, ExitProcess, GetStdHandle, InitializeCriticalSectionAndSpinCount, SetLastError, RtlUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RaiseException, LoadLibraryExA
RPCRT4.dll	UuidCreate

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	07:01:02
Start date:	03/04/2024
Path:	C:\Users\user\Desktop\Y5JXqbeNdS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Y5JXqbeNdS.exe"
Imagebase:	0x980000
File size:	5'999'376 bytes
MD5 hash:	CD423668F800BBDB227FA8063C33C654
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:01:03
Start date:	03/04/2024
Path:	C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544
Imagebase:	0xa40000
File size:	5'999'376 bytes
MD5 hash:	CD423668F800BBDB227FA8063C33C654
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 2%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Function 0098A8F1 Relevance: 172.2, APIs: 29, Strings: 69, Instructions: 688COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0098B11C

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

CompareStringW.KERNEL32(0000007F,00000000,009CCA9C,000000FF,DirectorySearch,000000FF,009CCA9C,Condition,feclient.dll,009CCA9C,Variable,?,009CCA9C,009CCA9C,?,?), ref: 0098AA29
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0098AA7E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 0098AA9A
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 0098AABE
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 0098AB11
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0098AB2B
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 0098AB53
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 0098AB91
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 0098ABB0
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 0098ABCF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 0098AC8D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 0098ACA7

Part of subcall function 009C32F3: VariantInit.OLEAUT32(?), ref: 009C3309
Part of subcall function 009C32F3: SysAllocString.OLEAUT32(?), ref: 009C3325
Part of subcall function 009C32F3: VariantClear.OLEAUT32(?), ref: 009C33AC
Part of subcall function 009C32F3: SysFreeString.OLEAUT32(00000000), ref: 009C33B7

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 0098AD06
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 0098AD28
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 0098AD48
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 0098AE20
SysFreeString.OLEAUT32(?), ref: 0098AFFE

Strings

Failed to get @Type., xrefs: 0098B0B0
Failed to get @Variable., xrefs: 0098B0DD
cabinet.dll, xrefs: 0098ACBA
Failed to get @Root., xrefs: 0098B07F
exists, xrefs: 0098AA6F, 0098AB02, 0098AC7E
ExpandEnvironment, xrefs: 0098ACBB
Invalid value for @Root: %ls, xrefs: 0098B078
Win64, xrefs: 0098AC5D
MsiComponentSearch, xrefs: 0098AD61
Failed to get next node., xrefs: 0098B0EB
Failed to get @ComponentId., xrefs: 0098B086
Failed to select search nodes., xrefs: 0098A920
Variable, xrefs: 0098A9DE
Failed to allocate memory for search structs., xrefs: 0098A97D
Failed to get @Id., xrefs: 0098B0E4
Failed to get @ExpandEnvironment., xrefs: 0098B050
Failed to get Key attribute., xrefs: 0098B06E
Type, xrefs: 0098AA56, 0098AAE9, 0098AC42, 0098ADC2, 0098AEC2, 0098AFAC
HKCR, xrefs: 0098AB82
path, xrefs: 0098AA8D, 0098AB3A
Failed to get Win64 attribute., xrefs: 0098B046
Failed to get @ProductCode., xrefs: 0098B0BE
language, xrefs: 0098AEF7
assignment, xrefs: 0098AF2D
RegistrySearch, xrefs: 0098AB46
`<u, xrefs: 0098AFFE, 0098B11C
Failed to get search node count., xrefs: 0098A945
version.dll, xrefs: 0098AC1E
ComponentId, xrefs: 0098ADA7
Failed to get @Condition., xrefs: 0098B028
keyPath, xrefs: 0098ADDB
MsiFeatureSearch, xrefs: 0098AF53
Key, xrefs: 0098AC04
wininet.dll, xrefs: 0098AC03
VariableType, xrefs: 0098ACDE
DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch, xrefs: 0098A90D
value, xrefs: 0098AC9A
HKCU, xrefs: 0098ABA3
FeatureId, xrefs: 0098AF91
search.cpp, xrefs: 0098A973
FileSearch, xrefs: 0098AAB1
Failed to get @ProductCode or @UpgradeCode., xrefs: 0098B094
Failed to get @VariableType., xrefs: 0098B064
numeric, xrefs: 0098ACF7
clbcatq.dll, xrefs: 0098AA3A, 0098AACD, 0098AD83, 0098AF75
UpgradeCode, xrefs: 0098AE8C
HKU, xrefs: 0098ABE1
Invalid value for @Type: %ls, xrefs: 0098B0A1
Condition, xrefs: 0098A9F9
version, xrefs: 0098AB1E, 0098AD3B, 0098AEDB
Failed to get @UpgradeCode., xrefs: 0098B08D
Failed to get Value attribute., xrefs: 0098B03C
state, xrefs: 0098ADF7, 0098AF13, 0098AFC5
Path, xrefs: 0098AA3B, 0098AACE
feclient.dll, xrefs: 0098A9F8
directory, xrefs: 0098AE13
DirectorySearch, xrefs: 0098AA1A
comres.dll, xrefs: 0098ADA6, 0098AE5B, 0098AE8B, 0098AF90
Failed to get @Path., xrefs: 0098B032
MsiProductSearch, xrefs: 0098AE39
msi.dll, xrefs: 0098AC5C
Failed to get @FeatureId., xrefs: 0098B0B7
Invalid value for @VariableType: %ls, xrefs: 0098B05D
ProductCode, xrefs: 0098AD84, 0098AE5C, 0098AF76
Root, xrefs: 0098AB69
string, xrefs: 0098AD1B
Value, xrefs: 0098AC1F
HKLM, xrefs: 0098ABC2
Unexpected element name: %ls, xrefs: 0098B0CD

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$`<u$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
API String ID: 2748437055-56916464
Opcode ID: 5ad905102bd8601314695f53189125cfa3030053a741b86b2c51fc04b3781236
Instruction ID: 511b905194256c85ef8dc87a2a5e09d843b16c07dfc4a42b9563d639408e29fa
Opcode Fuzzy Hash: 5ad905102bd8601314695f53189125cfa3030053a741b86b2c51fc04b3781236
Instruction Fuzzy Hash: 5622E531D4822ABADF20AE948C02F6E7A68AF45734F344319F535B63D4DB74AE40D792

Uniqueness

Uniqueness Score: -1.00%

Function 00985195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00985217

Part of subcall function 009C04F8: InitializeCriticalSection.KERNEL32(009EB5FC,?,00985223,00000000,?,?,?,?,?,?), ref: 009C050F

Part of subcall function 0098120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0098523F,00000000,?), ref: 00981248
Part of subcall function 0098120A: GetLastError.KERNEL32(?,?,?,0098523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00981252

CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00985285

Part of subcall function 009C0E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 009C0E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00985317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00985321
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0098558E

Strings

3.11.1.2318, xrefs: 00985384
Failed to initialize Wiutil., xrefs: 009852E1
Failed to parse command line., xrefs: 00985245
Failed to initialize Cryputil., xrefs: 009852A6
Failed to run RunOnce mode., xrefs: 0098541C
Failed to initialize XML util., xrefs: 009852F9
engine.cpp, xrefs: 00985345
Failed to initialize Regutil., xrefs: 009852C9
Failed to get OS info., xrefs: 0098534F
Failed to run per-machine mode., xrefs: 0098546C
Failed to initialize COM., xrefs: 00985291
Failed to run per-user mode., xrefs: 00985494
Failed to run untrusted mode., xrefs: 009854B6
Failed to run embedded mode., xrefs: 00985444
Invalid run mode., xrefs: 009853F9
Failed to initialize engine state., xrefs: 0098526C
Failed to initialize core., xrefs: 009853C3

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
API String ID: 3262001429-510904028
Opcode ID: e14e267a8073d82cb2b9eb88bf13ae237345707f4fa094cc4a87ecc232a30de4
Instruction ID: 721edbd0139cb93928d572c06e8f1803bb4cd43f15331bfc638b688c2ba7dc50
Opcode Fuzzy Hash: e14e267a8073d82cb2b9eb88bf13ae237345707f4fa094cc4a87ecc232a30de4
Instruction Fuzzy Hash: 0FB1A471D40A299BDB32BB64CC46FED76B9AF84314F420199F908B7351DB349E88CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009C304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,009C3609,00000000,?,00000000), ref: 009C3069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,009AC025,?,00985405,?,00000000,?), ref: 009C3075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 009C30B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009C30C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 009C30CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009C30D6
CoCreateInstance.OLE32(009EB6B8,00000000,00000001,009CB818,?,?,?,?,?,?,?,?,?,?,?,009AC025), ref: 009C3111
ExitProcess.KERNEL32 ref: 009C31C0

Strings

Wow64DisableWow64FsRedirection, xrefs: 009C30BB
Wow64RevertWow64FsRedirection, xrefs: 009C30CE
Wow64EnableWow64FsRedirection, xrefs: 009C30C3
kernel32.dll, xrefs: 009C3059
IsWow64Process, xrefs: 009C30AF
xmlutil.cpp, xrefs: 009C3099

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: 26c013ebc798f17759cee9debbca3bdc171dd11f0854f8d77f516101bc78d60d
Instruction ID: 0d2acf53590e342bff3be917ccc10663ae0ae23661a49ec4d74e9b79560258db
Opcode Fuzzy Hash: 26c013ebc798f17759cee9debbca3bdc171dd11f0854f8d77f516101bc78d60d
Instruction Fuzzy Hash: A841AF32E05315AFDB21DBA98885FAEB7A8AF44B50F15C16CE901EB240DB71DE008B91

Uniqueness

Uniqueness Score: -1.00%

Function 00981070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009833C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,009810DD,?,00000000), ref: 009833E8

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 009810F6

Part of subcall function 00981175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0098111A,cabinet.dll,00000009,?,?,00000000), ref: 00981186
Part of subcall function 00981175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0098111A,cabinet.dll,00000009,?,?,00000000), ref: 00981191
Part of subcall function 00981175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0098119F
Part of subcall function 00981175: GetLastError.KERNEL32(?,?,?,?,?,0098111A,cabinet.dll,00000009,?,?,00000000), ref: 009811BA
Part of subcall function 00981175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009811C2
Part of subcall function 00981175: GetLastError.KERNEL32(?,?,?,?,?,0098111A,cabinet.dll,00000009,?,?,00000000), ref: 009811D7

CloseHandle.KERNEL32(?,?,?,?,009CB4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00981131

Strings

crypt32.dll, xrefs: 009810CA
msi.dll, xrefs: 009810A0
wininet.dll, xrefs: 009810AE
msasn1.dll, xrefs: 009810C3
cabinet.dll, xrefs: 00981099, 00981114
feclient.dll, xrefs: 009810D1
clbcatq.dll, xrefs: 009810BC
version.dll, xrefs: 009810A7
comres.dll, xrefs: 009810B5

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 581d3eccfd43d6c042124825d2469de1c0ca73b0abbcbb0e9bb1d96661f9a522
Instruction ID: 9bb9b41e27be0c8b546d080133c7baeb915e9aad3e3711d1da29fd3d08c40589
Opcode Fuzzy Hash: 581d3eccfd43d6c042124825d2469de1c0ca73b0abbcbb0e9bb1d96661f9a522
Instruction Fuzzy Hash: FA218B71D0421CABDB20AFA4CC4AFEEBBBCAB49721F504119FA11B7291D7709905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0099A0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed create working folder., xrefs: 0099A0EE
Failed to calculate working folder to ensure it exists., xrefs: 0099A0D8
Failed to copy working folder., xrefs: 0099A116

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: 7147a6bf7ab933354c8cfada572152a0d0a401cc2fd45ec39a9afff1d8d84486
Instruction ID: 2440052010cb5f591a410ee97ba8aa53f01b3116420082a738a9e94fa9d451bf
Opcode Fuzzy Hash: 7147a6bf7ab933354c8cfada572152a0d0a401cc2fd45ec39a9afff1d8d84486
Instruction Fuzzy Hash: 0301F732D09528FB8F326B5CDC0ADAEBB79DFD5720B114256F800B6210DB319F40A6D1

Uniqueness

Uniqueness Score: -1.00%

Function 0098394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: c1ae6e218fc6ead09787efa676c48a953b88ba9d021c023a8dc2fa2d2addb353
Instruction ID: 6464f67a4e3d54760ac2b544fa2545bdd944fac9e0abce33b5abed2c2d2711a6
Opcode Fuzzy Hash: c1ae6e218fc6ead09787efa676c48a953b88ba9d021c023a8dc2fa2d2addb353
Instruction Fuzzy Hash: F1C002725AC20DAB8B005FF4DC5EC56779CF754612B088511B515C6150D739E5549760

Uniqueness

Uniqueness Score: -1.00%

Function 0098DF33 Relevance: 126.6, APIs: 11, Strings: 61, Instructions: 646COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 0098E058
SysFreeString.OLEAUT32(00000000), ref: 0098E736

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

Strings

Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 0098E081
Failed to get package node count., xrefs: 0098E0B1
LogPathVariable, xrefs: 0098E276
Failed to get rollback bundary node count., xrefs: 0098DF8E
cabinet.dll, xrefs: 0098E1FE
Failed to get @PerMachine., xrefs: 0098E6C6
CacheId, xrefs: 0098E1C9
ExePackage, xrefs: 0098E357
Failed to get @InstallSize., xrefs: 0098E6CD
Failed to get @InstallCondition., xrefs: 0098E4F9
Failed to parse dependency providers., xrefs: 0098E6AA
Failed to allocate memory for patch sequence information to package lookup., xrefs: 0098E570
Permanent, xrefs: 0098E235
Failed to get next node., xrefs: 0098E708
Failed to get @Vital., xrefs: 0098E6B8
Failed to allocate memory for MSP patch sequence information., xrefs: 0098E4DB
Failed to get @Id., xrefs: 0098E701
Cache, xrefs: 0098E14B
Vital, xrefs: 0098E027, 0098E25B
Failed to find forward transaction boundary: %ls, xrefs: 0098E506
Failed to get @Size., xrefs: 0098E6D4
Size, xrefs: 0098E1E4
Failed to allocate memory for rollback boundary structs., xrefs: 0098DFCA
Failed to get @LogPathVariable., xrefs: 0098E4E5
Failed to get @RollbackBoundaryBackward., xrefs: 0098E527
Failed to get @Cache., xrefs: 0098E6FA
PerMachine, xrefs: 0098E21A
Failed to get @Permanent., xrefs: 0098E6BF
yes, xrefs: 0098E187
`<u, xrefs: 0098E058, 0098E47B, 0098E736
Failed to get @CacheId., xrefs: 0098E6DB
Failed to parse MSI package., xrefs: 0098E3C1
Failed to allocate memory for package structs., xrefs: 0098E0EF
Failed to parse payload references., xrefs: 0098E6B1
Failed to parse EXE package., xrefs: 0098E389
RollbackBoundary, xrefs: 0098DF56
wininet.dll, xrefs: 0098E25A
InstallCondition, xrefs: 0098E2BC
MsuPackage, xrefs: 0098E406
MspPackage, xrefs: 0098E3CD
Failed to parse MSP package., xrefs: 0098E531
Failed to parse MSU package., xrefs: 0098E53B
RollbackLogPathVariable, xrefs: 0098E299
Failed to parse target product codes., xrefs: 0098E69B
Failed to select package nodes., xrefs: 0098E094
Failed to find backward transaction boundary: %ls, xrefs: 0098E51D
clbcatq.dll, xrefs: 0098E219
crypt32.dll, xrefs: 0098E2BB
RollbackBoundaryForward, xrefs: 0098E2DF
InstallSize, xrefs: 0098E1FF
feclient.dll, xrefs: 0098E298
Failed to get @RollbackLogPathVariable., xrefs: 0098E4EF
comres.dll, xrefs: 0098E234
Failed to get @RollbackBoundaryForward., xrefs: 0098E510
Failed to select rollback boundary nodes., xrefs: 0098DF69
Invalid cache type: %ls, xrefs: 0098E6EA
msi.dll, xrefs: 0098E1C8
package.cpp, xrefs: 0098DFBE, 0098E0E3, 0098E4CF, 0098E564
always, xrefs: 0098E1A7
RollbackBoundaryBackward, xrefs: 0098E319
MsiPackage, xrefs: 0098E395

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`<u$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
API String ID: 336948655-2953049543
Opcode ID: 7f27ef042150e6392c72a980e5ba1813521f6bbeb39c732115c71a55a8774d88
Instruction ID: 4dd14edef3e925383fdc1197c1eb2b3027164c30ef3a992d4c7f6eb8fbd4ea65
Opcode Fuzzy Hash: 7f27ef042150e6392c72a980e5ba1813521f6bbeb39c732115c71a55a8774d88
Instruction Fuzzy Hash: 1832B131D4422AEBCB11AF54CC56FAEBAB4AF84724F108669F915BB390D774ED009B90

Uniqueness

Uniqueness Score: -1.00%

Function 0098F9E3 Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Registration, xrefs: 0098F9FD
Department, xrefs: 0098FE77
Failed to get @PerMachine., xrefs: 0098FB25
Failed to get @ExecutableName., xrefs: 0098FB07
DisplayVersion, xrefs: 0098FBA3
DisableRemove, xrefs: 0098FDC9
Failed to get @Department., xrefs: 0098FE8E
Failed to get @DisplayName., xrefs: 0098FB95
Register, xrefs: 0098FB5D
registration.cpp, xrefs: 0098FD87
Failed to select ARP node., xrefs: 0098FB4F
Failed to get @Register., xrefs: 0098FB70
Failed to get @DisableRemove., xrefs: 0098FDE0
Publisher, xrefs: 0098FBC8
DisplayName, xrefs: 0098FB7E
Failed to get @DisplayVersion., xrefs: 0098FBBA
Failed to get @Id., xrefs: 0098FA49
Arp, xrefs: 0098FB33
Failed to select Update node., xrefs: 0098FE3C
Comments, xrefs: 0098FCA9
Manufacturer, xrefs: 0098FE53
Failed to get @ProviderKey., xrefs: 0098FAE6
Failed to parse software tag., xrefs: 0098FE10
Version, xrefs: 0098FA91
HelpLink, xrefs: 0098FBED
Failed to get @Name., xrefs: 0098FED4
PerMachine, xrefs: 0098FB12
yes, xrefs: 0098FD36
Failed to parse related bundles, xrefs: 0098FA83
Failed to select registration node., xrefs: 0098FA1C
HelpTelephone, xrefs: 0098FC12
Failed to get @Comments., xrefs: 0098FCC0
AboutUrl, xrefs: 0098FC37
Failed to parse @Version: %ls, xrefs: 0098FAC5
Failed to get @HelpTelephone., xrefs: 0098FC29
Tag, xrefs: 0098FA57
Failed to get @ParentDisplayName., xrefs: 0098FC98
Failed to get @Manufacturer., xrefs: 0098FE66
Failed to get @Tag., xrefs: 0098FA6A
button, xrefs: 0098FD15
Failed to get @Publisher., xrefs: 0098FBDF
UpdateUrl, xrefs: 0098FC5C
ProviderKey, xrefs: 0098FAD3
Failed to set registration paths., xrefs: 0098FF08
Contact, xrefs: 0098FCD1
DisableModify, xrefs: 0098FCF6
Failed to get @ProductFamily., xrefs: 0098FEB3
Update, xrefs: 0098FE1E
Failed to get @AboutUrl., xrefs: 0098FC4E
Classification, xrefs: 0098FEE2
ProductFamily, xrefs: 0098FE9C
Failed to get @UpdateUrl., xrefs: 0098FC73
Failed to get @DisableModify., xrefs: 0098FDB8
ExecutableName, xrefs: 0098FAF4
Failed to get @Contact., xrefs: 0098FCE8
Failed to get @Version., xrefs: 0098FAA4
Failed to get @HelpLink., xrefs: 0098FC04
Name, xrefs: 0098FEC1
ParentDisplayName, xrefs: 0098FC81
Invalid modify disabled type: %ls, xrefs: 0098FD94
Failed to get @Classification., xrefs: 0098FEF5

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 760788290-2956246334
Opcode ID: f067a2f922678c44eb5d3606be708dd21042fc7d7ea0a190477f996597aaef68
Instruction ID: d1d43a235246a7f98aa8a80b321ad7485bc658db471c7a350ffdcf3d72dcd860
Opcode Fuzzy Hash: f067a2f922678c44eb5d3606be708dd21042fc7d7ea0a190477f996597aaef68
Instruction Fuzzy Hash: BFE1F733E84639BBCB11B6A0CC52FADB664AB85714F119236FE21F7391D7619E0097C1

Uniqueness

Uniqueness Score: -1.00%

Function 0098B48B Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0098B502
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B550
GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0098B556
ReadFile.KERNELBASE(00000000,00984461,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B59E
GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0098B5A4
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B607
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B656
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B76B
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B7BD

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B872
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B906

Strings

Failed to find valid DOS image header in buffer., xrefs: 0098BBEB
Failed to allocate memory for container sizes., xrefs: 0098BAD3
Failed to read section info, data to short: %u, xrefs: 0098B8AA
Failed to get total size of bundle., xrefs: 0098BA23
burn, xrefs: 0098B838
Failed to find valid NT image header in buffer., xrefs: 0098BBD0
.wix, xrefs: 0098B830
4, xrefs: 0098B884
Failed to seek past optional headers., xrefs: 0098B7EB
Failed to allocate buffer for section info., xrefs: 0098B8E4
Failed to read image section header, index: %u, xrefs: 0098BBAC
Failed to open handle to engine process path., xrefs: 0098B52D
Failed to seek to start of file., xrefs: 0098B581
PE, xrefs: 0098B698
Failed to seek to section info., xrefs: 0098B6F8, 0098B934
Failed to read section info., xrefs: 0098B999
section.cpp, xrefs: 0098B523, 0098B577, 0098B5C5, 0098B628, 0098B677, 0098B6EE, 0098B73D, 0098B78C, 0098B7E1, 0098B898, 0098B8D8, 0098B92A, 0098B98F, 0098B9B9, 0098B9E0, 0098BAC7, 0098BB07, 0098BB26, 0098BB63, 0098BBA1, 0098BBC4, 0098BBDF
Failed to read complete image section header, index: %u, xrefs: 0098BB75
Failed to read NT header., xrefs: 0098B681
Failed to find Burn section., xrefs: 0098BB32
Failed to read complete section info., xrefs: 0098B9C5
Failed to read signature size., xrefs: 0098B796
(, xrefs: 0098B81D
PE Header from file didn't match PE Header in memory., xrefs: 0098BB11
Failed to seek to NT header., xrefs: 0098B632
Failed to read section info, unsupported version: %08x, xrefs: 0098B9F5
Failed to read signature offset., xrefs: 0098B747
Failed to read DOS header., xrefs: 0098B5CF

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 3411815225-695169583
Opcode ID: aa8f1b393aabd0b007cbad2944afb356dca4fda2c62145b9348d2e09a0e7d0d4
Instruction ID: 5ef9a886b4434b5c6c32e3d4737bb2b052865804026fde20c67ccf8e53acfddb
Opcode Fuzzy Hash: aa8f1b393aabd0b007cbad2944afb356dca4fda2c62145b9348d2e09a0e7d0d4
Instruction Fuzzy Hash: A9121972D40235EBDB30AB558C46FAA76A8AF84B50F0941A9FE05BB381D774DD40CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0098CDBD Relevance: 73.9, APIs: 3, Strings: 39, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,0098545D,00000000,009CCA9C,00985445,00000000), ref: 0098CEF3

Strings

Failed to allocate memory for payload structs., xrefs: 0098CE49
Failed to get @Packaging., xrefs: 0098D213
CertificateRootPublicKeyIdentifier, xrefs: 0098D03D
Failed to hex decode @CertificateRootThumbprint., xrefs: 0098D1C0
Failed to get @FileSize., xrefs: 0098D1AB
FileSize, xrefs: 0098D002
Container, xrefs: 0098CF4B
FilePath, xrefs: 0098CEAB
Hash, xrefs: 0098D0B7
Failed to get @Hash., xrefs: 0098D1E3
Failed to get @Catalog., xrefs: 0098D1D5
download, xrefs: 0098CEE5
Failed to get @CertificateRootThumbprint., xrefs: 0098D1C7
SourcePath, xrefs: 0098CFB0
Failed to select payload nodes., xrefs: 0098CDEB
Failed to get @Container., xrefs: 0098D18D
Failed to to find container: %ls, xrefs: 0098D186
Failed to get next node., xrefs: 0098D228
Invalid value for @Packaging: %ls, xrefs: 0098D200
payload.cpp, xrefs: 0098CE3F
DownloadUrl, xrefs: 0098CFD9
CertificateRootThumbprint, xrefs: 0098D07A
Failed to find catalog., xrefs: 0098D1CE
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 0098D1B2
Failed to get @Id., xrefs: 0098D221
Failed to get @DownloadUrl., xrefs: 0098D1EA
Catalog, xrefs: 0098D0EC
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 0098D1B9
Failed to get payload node count., xrefs: 0098CE10
Failed to get @LayoutOnly., xrefs: 0098D197
Payload, xrefs: 0098CDD8
Failed to hex decode the Payload/@Hash., xrefs: 0098D1DC
Packaging, xrefs: 0098CEC6
Failed to get @FilePath., xrefs: 0098D21A
LayoutOnly, xrefs: 0098CF8D
external, xrefs: 0098CF21
Failed to get @SourcePath., xrefs: 0098D1F1
embedded, xrefs: 0098CF05
Failed to parse @FileSize., xrefs: 0098D1A1

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$AllocateCompareProcessString
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$download$embedded$external$payload.cpp
API String ID: 1171520630-3127305756
Opcode ID: c6d709b4f05ebbef04821bc92abe1b29ad14ac32989105d70a49ea12a28395b6
Instruction ID: 9b3e851c0e17455c45ea432d5f0274962dd55efdb4307caf4402e4553602533f
Opcode Fuzzy Hash: c6d709b4f05ebbef04821bc92abe1b29ad14ac32989105d70a49ea12a28395b6
Instruction Fuzzy Hash: CAC11172D46629FBCB15BA90CC06FADB769AF48B20F204269F911B73D0C774EE009791

Uniqueness

Uniqueness Score: -1.00%

Function 00988476 Relevance: 59.8, APIs: 5, Strings: 29, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00985445,?,00000000,80070490,?,?,?,?,?,?,?,?,009AC1BF,?,00985445,?), ref: 009884A7
LeaveCriticalSection.KERNEL32(00985445,?,?,?,?,?,?,?,?,009AC1BF,?,00985445,?,00985445,00985445,Chain), ref: 00988804

Strings

Failed to get @Type., xrefs: 00988788
Failed to set variant encryption, xrefs: 0098879D
Failed to insert variable '%ls'., xrefs: 009886C6
Initializing string variable '%ls' to value '%ls', xrefs: 0098861A
Initializing numeric variable '%ls' to value '%ls', xrefs: 009885E2
Failed to get @Value., xrefs: 00988796
variable.cpp, xrefs: 009887B9
Initializing version variable '%ls' to value '%ls', xrefs: 00988653
Hidden, xrefs: 0098852F
Failed to set variant value., xrefs: 0098878F
Persisted, xrefs: 0098854A
Failed to set value of variable: %ls, xrefs: 009887A7
Initializing hidden variable '%ls', xrefs: 00988671
numeric, xrefs: 009885BC
Failed to select variable nodes., xrefs: 009884C4
Failed to get next node., xrefs: 009887F6
Invalid value for @Type: %ls, xrefs: 00988778
Variable, xrefs: 009884B1
version, xrefs: 0098862C
Failed to get @Id., xrefs: 009887EF
Failed to find variable value '%ls'., xrefs: 009887D2
Type, xrefs: 009885A3
Failed to get @Persisted., xrefs: 009887E1
Failed to change variant type., xrefs: 009887DA
Failed to get @Hidden., xrefs: 009887E8
Failed to get variable node count., xrefs: 009884E1
Attempt to set built-in variable value: %ls, xrefs: 009887C8
string, xrefs: 009885F7
Value, xrefs: 00988565

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-1614826165
Opcode ID: 690673f675f76210b82c431e30691f79c9462c76f0878872429e4c4f170bc770
Instruction ID: 7384cd80a86468e89dcd4af9f8e3a39d220813a4071055688a96218d7be881cf
Opcode Fuzzy Hash: 690673f675f76210b82c431e30691f79c9462c76f0878872429e4c4f170bc770
Instruction Fuzzy Hash: 7CB1D172D40219FBCF11EB94CC46FAFBB78AF84710F604659F918B6291DB349A00DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009A0D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,009A08BC,?,?), ref: 009A0D25
GetLastError.KERNEL32(?,?,?,?,009A08BC,?,?), ref: 009A0D2F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,009A08BC,?,?), ref: 009A0D74
GetLastError.KERNEL32(?,?,?,?,009A08BC,?,?), ref: 009A0D7F
ResetEvent.KERNEL32(?,?,?,?,?,009A08BC,?,?), ref: 009A0DB7
GetLastError.KERNEL32(?,?,?,?,009A08BC,?,?), ref: 009A0DC1

Strings

Failed to set operation complete event., xrefs: 009A0D5D, 009A0E9E
Failed to allocate buffer for stream., xrefs: 009A0F93
Failed to create file: %ls, xrefs: 009A1001
Invalid operation for this state., xrefs: 009A0E1D
Failed to set end of file., xrefs: 009A1094
Failed to copy stream name: %ls, xrefs: 009A0E50
Failed to set file pointer to end of file., xrefs: 009A104F
cabextract.cpp, xrefs: 009A0D53, 009A0DA3, 009A0DE5, 009A0E11, 009A0E94, 009A0EDC, 009A0F21, 009A0F89, 009A0FF4, 009A1045, 009A108A, 009A10CE
Failed to reset begin operation event., xrefs: 009A0DEF, 009A0F2B
Failed to wait for begin operation event., xrefs: 009A0DAD, 009A0EE6
Failed to set file pointer to beginning of file., xrefs: 009A10D8

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 1865021742-2104912459
Opcode ID: 3c7208ef37be69111336a4b13144198eba968c1d2701c2dc09a9b3feeac74df8
Instruction ID: fb548a8a7fe0319b5d8fbf56f3e702a149f9eea652a6e775d2ae25f3c46fa78a
Opcode Fuzzy Hash: 3c7208ef37be69111336a4b13144198eba968c1d2701c2dc09a9b3feeac74df8
Instruction Fuzzy Hash: CA912737AD1632BBD33016A54D0AF2A7958BF86B34F228622BE50BB3C0D355DC1092D1

Uniqueness

Uniqueness Score: -1.00%

Function 00984D39 Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009833C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,009810DD,?,00000000), ref: 009833E8

CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00984F40
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00984F4F
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00984F5E
CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00984F69

Strings

burn.clean.room, xrefs: 00984DDE
Failed to wait for clean room process: %ls, xrefs: 00984F23
engine.cpp, xrefs: 00984EEA
Failed to get path for current process., xrefs: 00984D83
burn.filehandle.self, xrefs: 00984E45
Failed to cache to clean room., xrefs: 00984DC2
Failed to launch clean room process: %ls, xrefs: 00984EF7
-%ls="%ls", xrefs: 00984DE6
Failed to append original command line., xrefs: 00984E69
Failed to append %ls, xrefs: 00984E1C
Failed to allocate full command-line., xrefs: 00984E8E
"%ls" %ls, xrefs: 00984E7A
burn.filehandle.attached, xrefs: 00984E17
D, xrefs: 00984EA9
%ls %ls, xrefs: 00984E55
Failed to allocate parameters for unelevated process., xrefs: 00984DFA

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3884789274-2391192076
Opcode ID: 54b56880406809c2ba8e7276a091adef3f129c6b117b7b2d4b8f387f88112329
Instruction ID: 8743a46152b43aa174fe8edf344093bd5dd558ef08f7177f96e516dfac0165fd
Opcode Fuzzy Hash: 54b56880406809c2ba8e7276a091adef3f129c6b117b7b2d4b8f387f88112329
Instruction Fuzzy Hash: CE718532D4022AABCF11AB94CC46FEEBB7CAF44724F114259FA14B7391D7749A418BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0099752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get unique temporary folder for bootstrapper application., xrefs: 009977CE
Failed to open attached UX container., xrefs: 0099758E
Failed to get manifest stream from container., xrefs: 009975CC
Failed to parse command line., xrefs: 00997667
Failed to overwrite the %ls built-in variable., xrefs: 009976BB
WixBundleSourceProcessFolder, xrefs: 00997734
WixBundleOriginalSource, xrefs: 00997759
Failed to set source process path variable., xrefs: 00997709
Failed to get source process folder from path., xrefs: 00997725
Failed to initialize variables., xrefs: 00997571
Failed to load catalog files., xrefs: 0099780F
Failed to initialize internal cache functionality., xrefs: 0099779F
Failed to extract bootstrapper application payloads., xrefs: 009977EF
WixBundleElevated, xrefs: 009976A5, 009976B6
WixBundleUILevel, xrefs: 009976D6, 009976E7
Failed to load manifest., xrefs: 009975E8
Failed to set source process folder variable., xrefs: 00997745
Failed to set original source variable., xrefs: 0099776A
Failed to open manifest stream., xrefs: 009975AB
WixBundleSourceProcessPath, xrefs: 009976F8

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: 0ce8f86373b8b5b0cd90cb2feea1b3e07b32650792ce18f9ac90432aa2a49225
Instruction ID: 48dee2373ff04b9041a04ea9175e4df23455c5065b49e956c067da44c660fce0
Opcode Fuzzy Hash: 0ce8f86373b8b5b0cd90cb2feea1b3e07b32650792ce18f9ac90432aa2a49225
Instruction Fuzzy Hash: BFA18FB2E5461ABBDF129AE8CC85FEAF76CAB44700F014626F515E7240DB34E944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009A27FC Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to parse exit codes., xrefs: 009A290C
DetectCondition, xrefs: 009A2814
Failed to get @RepairArguments., xrefs: 009A288B
Failed to get @Repairable., xrefs: 009A28B5
Failed to get @UninstallArguments., xrefs: 009A2869
Protocol, xrefs: 009A28C3
Invalid protocol type: %ls, xrefs: 009A295C
Failed to get @Protocol., xrefs: 009A2974
Repairable, xrefs: 009A289C
burn, xrefs: 009A28E0
UninstallArguments, xrefs: 009A2858
RepairArguments, xrefs: 009A287A
Failed to parse command lines., xrefs: 009A2988
Failed to get @InstallArguments., xrefs: 009A2847
netfx4, xrefs: 009A2915
none, xrefs: 009A2936
Failed to get @DetectCondition., xrefs: 009A2825
InstallArguments, xrefs: 009A2836

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: daddb0db9f58aefc66187b686a85eb20d705ffb1eb64283088d4d85512532f83
Instruction ID: 1ec7b1478ad422cd9ffb4a9e43fe1900c81b6fe2b8e88aa23b88c271f919d616
Opcode Fuzzy Hash: daddb0db9f58aefc66187b686a85eb20d705ffb1eb64283088d4d85512532f83
Instruction Fuzzy Hash: 0D410971EC8726F6CB21576C8D02F6BB2589B96B34F218366F924B73C5C768990092D1

Uniqueness

Uniqueness Score: -1.00%

Function 009986D0 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 209
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00984DBC,?,?,00000000,00984DBC,00000000), ref: 00998713
GetLastError.KERNEL32 ref: 00998720

Part of subcall function 009C3EDD: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 009C3F73

SetFilePointerEx.KERNEL32(00000000,009CB4B8,00000000,00000000,00000000,?,00000000,009CB500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009987CD
GetLastError.KERNEL32 ref: 009987D7
FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,009CB500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00998902

Strings

Failed to update signature offset., xrefs: 00998821
msi.dll, xrefs: 00998814
Failed to seek to original data in exe burn section header., xrefs: 009988DB
Failed to copy engine from: %ls to: %ls, xrefs: 009987A8
cabinet.dll, xrefs: 0099887B
Failed to zero out original data offset., xrefs: 009988F4
cache.cpp, xrefs: 00998744, 009987FB, 00998862, 009988D1
Failed to create engine file at path: %ls, xrefs: 00998751
Failed to seek to signature table in exe header., xrefs: 0099886C
Failed to seek to beginning of engine file: %ls, xrefs: 00998779
Failed to seek to checksum in exe header., xrefs: 00998805

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: File$ErrorLast$ChangeCloseCreateFindNotificationPointerRead
String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
API String ID: 3608016165-1976062716
Opcode ID: 0b46011500122e0ff806c888843025d5823c4958209b1fe5165997bac6333ce8
Instruction ID: faa76200bc346f7ba03fccd4c238680dbf6cbfef939407b445ff72988a30e4d5
Opcode Fuzzy Hash: 0b46011500122e0ff806c888843025d5823c4958209b1fe5165997bac6333ce8
Instruction Fuzzy Hash: FC51E673E41235ABEB119A998C46F7F766CEF85B10F51452DFE10FB281EA249C0096F2

Uniqueness

Uniqueness Score: -1.00%

Function 0098762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(0099756B,009853BD,00000000,00985445), ref: 0098764C

Strings

LogonUser, xrefs: 00987882
0, xrefs: 00987663
WixBundleProviderKey, xrefs: 00987E7E
WixBundleAction, xrefs: 00987D76
WixBundleActiveParent, xrefs: 00987E62
WixBundleForcedRestartPackage, xrefs: 00987E14
WixBundleSourceProcessFolder, xrefs: 00987E9E
#, xrefs: 009876CB
', xrefs: 009878EB
Date, xrefs: 00987770
WixBundleElevated, xrefs: 00987E46
InstallerName, xrefs: 00987812
$, xrefs: 00987D49
WixBundleVersion, xrefs: 00987ECE
Failed to add built-in variable: %ls., xrefs: 00987F19
WixBundleInstalled, xrefs: 00987E2A
WixBundleUILevel, xrefs: 00987EBE
WixBundleExecutePackageAction, xrefs: 00987DF8
InstallerVersion, xrefs: 00987833
WixBundleExecutePackageCacheFolder, xrefs: 00987D98
WixBundleTag, xrefs: 00987EAE
WixBundleSourceProcessPath, xrefs: 00987E8E

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: 30c277dd7708a5be15698ede5f1c7bbc064855bcbacf45b9bbdfd237e9244fff
Instruction ID: 4608194b54a3294501a94e5e94016746bf1b16a7ff952161e2d8b10d65d784de
Opcode Fuzzy Hash: 30c277dd7708a5be15698ede5f1c7bbc064855bcbacf45b9bbdfd237e9244fff
Instruction Fuzzy Hash: 143239F0C157699BDB75CF5AC98878DFAF4BB49304F5085EED20CAA211C7B00A898F46

Uniqueness

Uniqueness Score: -1.00%

Function 009982BA Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00985489), ref: 00998310

Part of subcall function 009C0879: OpenProcessToken.ADVAPI32(?,00000008,?,009853BD,00000000,?,?,?,?,?,?,?,0099769D,00000000), ref: 009C0897
Part of subcall function 009C0879: GetLastError.KERNEL32(?,?,?,?,?,?,?,0099769D,00000000), ref: 009C08A1
Part of subcall function 009C0879: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0099769D,00000000), ref: 009C092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00998336
GetLastError.KERNEL32 ref: 00998340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 009983BD
GetLastError.KERNEL32 ref: 009983C7
UuidCreate.RPCRT4(?), ref: 00998406

Strings

Temp\, xrefs: 00998395
Failed to ensure windows path for working folder ended in backslash., xrefs: 0099838B
Failed to create working folder guid., xrefs: 00998413
Failed to get windows path for working folder., xrefs: 0099836E
cache.cpp, xrefs: 00998364, 009983EB, 0099843C
Failed to concat Temp directory on windows path for working folder., xrefs: 009983AD
Failed to copy working folder path., xrefs: 0099848B
%ls%ls\, xrefs: 00998458
Failed to convert working folder guid into string., xrefs: 00998446
Failed to get temp path for working folder., xrefs: 009983F5
Failed to append bundle id on to temp path for working folder., xrefs: 00998470

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$Process$ChangeCloseCreateCurrentDirectoryFindNotificationOpenPathTempTokenUuidWindows
String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 2898636500-819636856
Opcode ID: 3125c3b168771ff9111a329b817899009e01ad3dc463f2998cde72a94a2d8690
Instruction ID: fde993921a0bd5bc572118adb9d1887868e17690ecb5abcd128631c230bdf68b
Opcode Fuzzy Hash: 3125c3b168771ff9111a329b817899009e01ad3dc463f2998cde72a94a2d8690
Instruction Fuzzy Hash: AB410932E84725B7DF30A6A9CC4AF9B736C9F81B15F008569BA04F7240EA75DD0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 009A10FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 009A111D
CoUninitialize.OLE32 ref: 009A1398

Strings

Failed to set operation complete event., xrefs: 009A12C4
Invalid operation for this state., xrefs: 009A137C
Failed to initialize COM., xrefs: 009A1129
cabextract.cpp, xrefs: 009A1193, 009A12BA, 009A1307, 009A1346, 009A1372
Failed to initialize cabinet.dll., xrefs: 009A119F
Failed to reset begin operation event., xrefs: 009A1350
Failed to wait for begin operation event., xrefs: 009A1311
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 009A1279
<the>.cab, xrefs: 009A11BD

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: a992432afe26d582922eeb473cdb57df935a60371d4892f10d0c1398a469d89c
Instruction ID: c35541e06bba5aa3d314515feb5b7b3482403e14ce8baed741ec24e4676099b1
Opcode Fuzzy Hash: a992432afe26d582922eeb473cdb57df935a60371d4892f10d0c1398a469d89c
Instruction Fuzzy Hash: 07513937D84261E7CF205AA48C06FAF36589BC7B70F264766BD21FB390D629CD0096D6

Uniqueness

Uniqueness Score: -1.00%

Function 009842D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00985266,?,?,00000000,?,?), ref: 00984303
InitializeCriticalSection.KERNEL32(000000D0,?,?,00985266,?,?,00000000,?,?), ref: 0098430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00985266,?,?,00000000,?,?), ref: 00984352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00985266,?,?,00000000,?,?), ref: 0098435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00985266,?,?,00000000,?,?), ref: 00984370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00985266,?,?,00000000,?,?), ref: 00984380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00985266,?,?,00000000,?,?), ref: 009843D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00985266,?,?,00000000,?,?), ref: 009843DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00985266,?,?,00000000,?,?), ref: 009843EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00985266,?,?,00000000,?,?), ref: 009843FE

Strings

Missing required parameter for switch: %ls, xrefs: 009844A4
burn.filehandle.attached, xrefs: 0098434D, 00984355, 0098435A, 0098435B, 0098437B, 0098449F
engine.cpp, xrefs: 00984495, 009844C1
burn.filehandle.self, xrefs: 009843CB, 009843D3, 009843D8, 009843D9, 009843F9, 009844CB
Failed to parse file handle: '%ls', xrefs: 00984482
Failed to initialize engine section., xrefs: 00984467

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: 1ae1b54c3a6063cc15142f9077da1e8c078c5d7e1b3564ab594490e1a97241d4
Instruction ID: acbc56c667309887148503d7e701070676620c3da609cfd3c250ee21c6741be2
Opcode Fuzzy Hash: 1ae1b54c3a6063cc15142f9077da1e8c078c5d7e1b3564ab594490e1a97241d4
Instruction Fuzzy Hash: 5A51B371E4421ABECB24EF69DC87F9A77ACEF44760F10011AF615A72A0D770A910CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0098C28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0098C47F,00985405,?,?,00985445), ref: 0098C2D6
GetLastError.KERNEL32(?,0098C47F,00985405,?,?,00985445,00985445,00000000,?,00000000), ref: 0098C2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0098C47F,00985405,?,?,00985445,00985445,00000000,?), ref: 0098C336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,0098C47F,00985405,?,?,00985445,00985445,00000000,?,00000000), ref: 0098C33C
DuplicateHandle.KERNELBASE(00000000,?,0098C47F,00985405,?,?,00985445,00985445,00000000,?,00000000), ref: 0098C33F
GetLastError.KERNEL32(?,0098C47F,00985405,?,?,00985445,00985445,00000000,?,00000000), ref: 0098C349
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0098C47F,00985405,?,?,00985445,00985445,00000000,?,00000000), ref: 0098C39B
GetLastError.KERNEL32(?,0098C47F,00985405,?,?,00985445,00985445,00000000,?,00000000), ref: 0098C3A5

Strings

crypt32.dll, xrefs: 0098C397
Failed to open container., xrefs: 0098C3F1
container.cpp, xrefs: 0098C30B, 0098C36D, 0098C3C9
Failed to move file pointer to container offset., xrefs: 0098C3D3
feclient.dll, xrefs: 0098C398
Failed to duplicate handle to container: %ls, xrefs: 0098C37A
Failed to open file: %ls, xrefs: 0098C318

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 74f4e7c108b4c882c61cf0e0ce334a5373695dd989f83c4b75230a33abd443e4
Instruction ID: 824f6da3d1386ffdf06a5dd64d4f1afbfb77d6e983665cf2b8a9936e03d7a205
Opcode Fuzzy Hash: 74f4e7c108b4c882c61cf0e0ce334a5373695dd989f83c4b75230a33abd443e4
Instruction Fuzzy Hash: 5541CAB6540201ABDB21AF199C45F1B7BAAEBC5720F21842AFD14EB381D771C802DB71

Uniqueness

Uniqueness Score: -1.00%

Function 009C2AF7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00983838: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00983877
Part of subcall function 00983838: GetLastError.KERNEL32 ref: 00983881

Part of subcall function 009C4A6C: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 009C4A9D

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 009C2B41
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 009C2B61
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 009C2B81
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 009C2BA1
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 009C2BC1
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 009C2BE1
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 009C2C01

Strings

MsiDeterminePatchSequenceW, xrefs: 009C2B36
MsiSourceListAddSourceExW, xrefs: 009C2BF6
MsiGetPatchInfoExW, xrefs: 009C2B96
Msi.dll, xrefs: 009C2B09
MsiGetProductInfoExW, xrefs: 009C2BB6
MsiSetExternalUIRecord, xrefs: 009C2BD6
MsiDetermineApplicablePatchesW, xrefs: 009C2B56
MsiEnumProductsExW, xrefs: 009C2B76

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: 87bbdbe740d1eaa580aad4f7f0ac3c740edd359716c5a4af9f17fec51955e48c
Instruction ID: 578290780c22f6cc6cb731f6287a6980b9e7c9eb0626740e46bddc5e1d39daad
Opcode Fuzzy Hash: 87bbdbe740d1eaa580aad4f7f0ac3c740edd359716c5a4af9f17fec51955e48c
Instruction Fuzzy Hash: 9F3105719682DAEFDB129F21ED82B2B7BA4F754F68F00012AE4045A170E7B20C41FF50

Uniqueness

Uniqueness Score: -1.00%

Function 009BFCAE Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 009BFCD6
GetProcAddress.KERNEL32(SystemFunction041), ref: 009BFCE8
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 009BFD2B
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 009BFD3F
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 009BFD77
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 009BFD8B

Strings

AdvApi32.dll, xrefs: 009BFCB5
cryputil.cpp, xrefs: 009BFD60
SystemFunction041, xrefs: 009BFCD8
CryptProtectMemory, xrefs: 009BFD20
SystemFunction040, xrefs: 009BFCCB
`+?s, xrefs: 009BFCEA, 009BFCF1, 009BFD79
Crypt32.dll, xrefs: 009BFD0C
CryptUnprotectMemory, xrefs: 009BFD6C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$`+?s$cryputil.cpp
API String ID: 4214558900-776468437
Opcode ID: e17469d1f3f3ee89baf1f15d5b79c0557a8b097c58a01426a0c4b8bb01c99f32
Instruction ID: 120ad22cb990ece894b5519d3c126fde7a95c3d6f742ff9c4af3542e63370700
Opcode Fuzzy Hash: e17469d1f3f3ee89baf1f15d5b79c0557a8b097c58a01426a0c4b8bb01c99f32
Instruction Fuzzy Hash: 8C21AA329657B697C7229B56AE557977994ABD0BA5F010135FD00AF2E0EF608C00FAD0

Uniqueness

Uniqueness Score: -1.00%

Function 009A1741 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0098C3EB,?,00000000,?,0098C47F), ref: 009A1778
GetLastError.KERNEL32(?,0098C3EB,?,00000000,?,0098C47F,00985405,?,?,00985445,00985445,00000000,?,00000000), ref: 009A1781

Strings

wininet.dll, xrefs: 009A1757
Failed to create operation complete event., xrefs: 009A17F5
Failed to wait for operation complete., xrefs: 009A1854
cabextract.cpp, xrefs: 009A17A5, 009A17EB, 009A1837
Failed to create begin operation event., xrefs: 009A17AF
Failed to create extraction thread., xrefs: 009A1841
Failed to copy file name., xrefs: 009A1763

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: 8ca54017ad8fbb5fb67c066c7968808534490a896eb123d0ece99990a8000b85
Instruction ID: aeab1e5170804f855e4e269996655cea3320691bb26a868187ecf7a0d05f9261
Opcode Fuzzy Hash: 8ca54017ad8fbb5fb67c066c7968808534490a896eb123d0ece99990a8000b85
Instruction Fuzzy Hash: 7E214877E8073A77D32116A94C46F2B7A9CEF41BB4F124622BE10BB380EB54DC0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 009A08C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 009A08F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 009A090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 009A090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 009A0912
GetLastError.KERNEL32(?,?), ref: 009A091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 009A098B
GetLastError.KERNEL32(?,?), ref: 009A0998

Strings

Failed to open cabinet file: %hs, xrefs: 009A09C9
cabextract.cpp, xrefs: 009A0940, 009A09BC
Failed to duplicate handle to cab container., xrefs: 009A094A
Failed to add virtual file pointer for cab container., xrefs: 009A0971
<the>.cab, xrefs: 009A08EB

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 627a09e3a3dc26952e16f0454e5a554867cd6a8b17d45f7eb5d8be6cf54dbe8c
Instruction ID: 7df0b2c2652df3a27431863b8bbd0d34c6eed033ac56e6f7c404ded062968dac
Opcode Fuzzy Hash: 627a09e3a3dc26952e16f0454e5a554867cd6a8b17d45f7eb5d8be6cf54dbe8c
Instruction Fuzzy Hash: 5D31E436D81239BBEB215B958C49F9FBA6CEF86760F114116FE04B7250D720AD109AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00996A57 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00984E11,?,?), ref: 00996A77
GetCurrentProcess.KERNEL32(?,00000000,?,?,00984E11,?,?), ref: 00996A7D
DuplicateHandle.KERNELBASE(00000000,?,?,00984E11,?,?), ref: 00996A80
GetLastError.KERNEL32(?,?,00984E11,?,?), ref: 00996A8A
CloseHandle.KERNEL32(000000FF,?,00984E11,?,?), ref: 00996B03

Strings

%ls -%ls=%u, xrefs: 00996AD7
burn.filehandle.attached, xrefs: 00996AD0
Failed to append the file handle to the command line., xrefs: 00996AEB
core.cpp, xrefs: 00996AAE
Failed to duplicate file handle for attached container., xrefs: 00996AB8

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$core.cpp
API String ID: 4224961946-4196573879
Opcode ID: fc87554438e5b6ea24168763da06f189aa770eca79c747ac668dc10e6053c13c
Instruction ID: c72423b5abcf62fecccf1826eb458ef4fdeccec1225c54287139ff877c04f891
Opcode Fuzzy Hash: fc87554438e5b6ea24168763da06f189aa770eca79c747ac668dc10e6053c13c
Instruction Fuzzy Hash: 16117232951625FBCB10AFA88C06E5E7B6C9B45730F518256F924F72D0D7709D019790

Uniqueness

Uniqueness Score: -1.00%

Function 009C32F3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009C3309
SysAllocString.OLEAUT32(?), ref: 009C3325
VariantClear.OLEAUT32(?), ref: 009C33AC
SysFreeString.OLEAUT32(00000000), ref: 009C33B7

Strings

`<u, xrefs: 009C33B7
xmlutil.cpp, xrefs: 009C333C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `<u$xmlutil.cpp
API String ID: 760788290-3482516102
Opcode ID: 2ebc01adeafb9ced491f25a8e96463928b981c2f4afb9e2bafad7f76d9fd187c
Instruction ID: 8042b795b44cd4094f603de3ce661a38aeab3b62c7595cdd6a8cd657bde81fd8
Opcode Fuzzy Hash: 2ebc01adeafb9ced491f25a8e96463928b981c2f4afb9e2bafad7f76d9fd187c
Instruction Fuzzy Hash: 6221D331D01259EFCB11EF94C849FAEBBB9AF84711F55C15CF801AB260CB319E019B92

Uniqueness

Uniqueness Score: -1.00%

Function 009C0879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,009853BD,00000000,?,?,?,?,?,?,?,0099769D,00000000), ref: 009C0897
GetLastError.KERNEL32(?,?,?,?,?,?,?,0099769D,00000000), ref: 009C08A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,0099769D,00000000), ref: 009C08D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,0099769D,00000000), ref: 009C08EC
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,0099769D,00000000), ref: 009C092B

Strings

procutil.cpp, xrefs: 009C0919

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastToken$ChangeCloseFindInformationNotificationOpenProcess
String ID: procutil.cpp
API String ID: 3650908616-1178289305
Opcode ID: f803ec6fe892d2deac6267ad6c54348292aebc06d9fcd58aec1af725dda1ed30
Instruction ID: 72751fe0f4d92e5170028986b0d00610f07fe6edd46be97c5bb6d258184ca6fe
Opcode Fuzzy Hash: f803ec6fe892d2deac6267ad6c54348292aebc06d9fcd58aec1af725dda1ed30
Instruction Fuzzy Hash: 8821F632E04229EBD7219B958C05F9EBBBCEF90750F01805AED14EB251D3708E00EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00996B13 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 00996B49
CloseHandle.KERNEL32(00000000), ref: 00996BB9

Strings

Failed to append the file handle to the obfuscated command line., xrefs: 00996BA7
%ls -%ls=%u, xrefs: 00996B61, 00996B93
Failed to append the file handle to the command line., xrefs: 00996B75
burn.filehandle.self, xrefs: 00996B5A, 00996B8C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
API String ID: 3498533004-3263533295
Opcode ID: 6fcb7fdcdbf01f3fb01183e74073987a77047e216acc6a6bf48cd2c0ee5bbc32
Instruction ID: 02dae43df1b8083f935304b3237daba4bcb92c54d168eb54232210efc9dae671
Opcode Fuzzy Hash: 6fcb7fdcdbf01f3fb01183e74073987a77047e216acc6a6bf48cd2c0ee5bbc32
Instruction Fuzzy Hash: 6711E632A44614BBCF205A6CCC06F9B7BACDB89B34F454355FE25EB2E1E37049118691

Uniqueness

Uniqueness Score: -1.00%

Function 009C3565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009C3574
InterlockedIncrement.KERNEL32(009EB6C8), ref: 009C3591
CLSIDFromProgID.OLE32(Msxml2.DOMDocument,009EB6B8,?,?,?,?,?,?), ref: 009C35AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,009EB6B8,?,?,?,?,?,?), ref: 009C35B8

Strings

MSXML.DOMDocument, xrefs: 009C35B3
Msxml2.DOMDocument, xrefs: 009C35A7

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 85da8cdd2a7ea99f66bc28d5c55c849dedd2175d8dc957d7156fd3cae36b703b
Instruction ID: 6a7977b08cbba8aadbca6f11e94632d4055e12e26286ab7c0f3fae014a2a0b2d
Opcode Fuzzy Hash: 85da8cdd2a7ea99f66bc28d5c55c849dedd2175d8dc957d7156fd3cae36b703b
Instruction Fuzzy Hash: D1F0A030F952EA57D7221B62BD09F0B2DA9AB90FA9F00852DF808C2054D360CD418AB2

Uniqueness

Uniqueness Score: -1.00%

Function 009C4A6C Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 009C4A9D
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 009C4ACA
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 009C4AF6
GetLastError.KERNEL32(00000000,009CB7A0,?,00000000,?,00000000,?,00000000), ref: 009C4B34
GlobalFree.KERNEL32(00000000), ref: 009C4B65

Strings

fileutil.cpp, xrefs: 009C4AB8, 009C4B11

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: fileutil.cpp
API String ID: 1145190524-2967768451
Opcode ID: 6478c252f3b736f52d285deb7f877247351e3339f0fa58265c1c8f584c3ce6ee
Instruction ID: c5b57e53cea8851eb6926458edf0c1a376c00aab3aea136786f22e94868cd3c2
Opcode Fuzzy Hash: 6478c252f3b736f52d285deb7f877247351e3339f0fa58265c1c8f584c3ce6ee
Instruction Fuzzy Hash: 7E318636F44229ABC7129A958C51FAFFABCAF84750F114159FD14EB341D730DD0096E6

Uniqueness

Uniqueness Score: -1.00%

Function 009A0A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 009A0B27
GetLastError.KERNEL32(?,?,?), ref: 009A0B31

Strings

Failed to move file pointer 0x%x bytes., xrefs: 009A0B62
Invalid seek type., xrefs: 009A0ABD
cabextract.cpp, xrefs: 009A0B55

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: ce993631656a836ef01a9e7d782d074194a1c0a60f6d0a3de1bd834ff4477a08
Instruction ID: 417609caa8ebfa8b920e3e3f74d868a30c243c5b6366ae2217ee674a20609266
Opcode Fuzzy Hash: ce993631656a836ef01a9e7d782d074194a1c0a60f6d0a3de1bd834ff4477a08
Instruction Fuzzy Hash: 0431A132A4021AEFCB10DFA8D985E6EB769FB89728B148515F92497650D330ED20CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00984115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,0099A0E8,00000000,00000000,?,00000000,009853BD,00000000,?,?,0098D5B5,?), ref: 00984123
GetLastError.KERNEL32(?,0099A0E8,00000000,00000000,?,00000000,009853BD,00000000,?,?,0098D5B5,?,00000000,00000000), ref: 00984131
CreateDirectoryW.KERNEL32(?,840F01E8,00985489,?,0099A0E8,00000000,00000000,?,00000000,009853BD,00000000,?,?,0098D5B5,?,00000000), ref: 0098419A
GetLastError.KERNEL32(?,0099A0E8,00000000,00000000,?,00000000,009853BD,00000000,?,?,0098D5B5,?,00000000,00000000), ref: 009841A4

Strings

dirutil.cpp, xrefs: 009841D4

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 3a80161f20dd4e68f2d2a6fd2ecb71a3cc380f13b0d51e87bf1f34027a3c12f6
Instruction ID: 816037be9345d23f24eb694609b06a0afd5c17ea8bad2cdabb0cf937b2af9bac
Opcode Fuzzy Hash: 3a80161f20dd4e68f2d2a6fd2ecb71a3cc380f13b0d51e87bf1f34027a3c12f6
Instruction Fuzzy Hash: 9311D236A4C33796D7313AA54C49B3BB658EF75B61F114025FD05EB340E3688C8093D1

Uniqueness

Uniqueness Score: -1.00%

Function 009856A9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00986595,00986595,?,0098563D,?,?,00000000), ref: 009856E5
GetLastError.KERNEL32(?,0098563D,?,?,00000000,?,?,00986595,?,00987F02,?,?,?,?,?), ref: 00985714

Strings

Failed to compare strings., xrefs: 00985742
version.dll, xrefs: 009856D7
variable.cpp, xrefs: 00985738

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$variable.cpp$version.dll
API String ID: 1733990998-4228644734
Opcode ID: c408a85e79dc9fdfcf72ea741654199231c4d0f88465e854c69fd82bb57ff032
Instruction ID: 4913599b9fea4e938755eb1f5deca079b6b6d8843233ea1f181f22e805df569c
Opcode Fuzzy Hash: c408a85e79dc9fdfcf72ea741654199231c4d0f88465e854c69fd82bb57ff032
Instruction Fuzzy Hash: A5213436A40925EBCB109F98CC41E59BBA8EB49730F224318E924EB380E630EE018790

Uniqueness

Uniqueness Score: -1.00%

Function 009A09EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009A140C: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,009A0A19,?,?,?), ref: 009A1434
Part of subcall function 009A140C: GetLastError.KERNEL32(?,009A0A19,?,?,?), ref: 009A143E

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 009A0A27
GetLastError.KERNEL32 ref: 009A0A31

Strings

cabextract.cpp, xrefs: 009A0A55
Failed to read during cabinet extraction., xrefs: 009A0A5F

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: c4d83283648308134af811f91a60e77a25f703aed82a953887c3046cfd5bf559
Instruction ID: 846e037981b497db3426aeb15e2c03770601f3e0d489e182aaf3a7836db8e92e
Opcode Fuzzy Hash: c4d83283648308134af811f91a60e77a25f703aed82a953887c3046cfd5bf559
Instruction Fuzzy Hash: 3811E136A40229FBCB219F95DC08E9E7B68FF89760F014115FE14A7250C730AD10D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 009A140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,009A0A19,?,?,?), ref: 009A1434
GetLastError.KERNEL32(?,009A0A19,?,?,?), ref: 009A143E

Strings

cabextract.cpp, xrefs: 009A1462
Failed to move to virtual file pointer., xrefs: 009A146C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: 75a0cef9e9bfe25db0725c51a0b6eedb379e08772810db513921eb776ac2f663
Instruction ID: 5fe042c23a91eb9d5ca35d1267e0bf4874cf1b9b2ac8b6aa09bb6ca42c0ec37d
Opcode Fuzzy Hash: 75a0cef9e9bfe25db0725c51a0b6eedb379e08772810db513921eb776ac2f663
Instruction Fuzzy Hash: CD01F737940635B7C7215A9A8C05E8BFF58EF457B0F11C126FD2857250D7319C10C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 009C3EDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 009C3F73
GetLastError.KERNEL32 ref: 009C3FD6

Strings

fileutil.cpp, xrefs: 009C3FFA

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: fileutil.cpp
API String ID: 1948546556-2967768451
Opcode ID: 490c8fbbdd919ad7d00bf592777c65380e06a53cc819faced0be57bb7593321c
Instruction ID: b3626d84babc245cc02ad80029b13cd21c98365ed69c89a038f0c062516f11c6
Opcode Fuzzy Hash: 490c8fbbdd919ad7d00bf592777c65380e06a53cc819faced0be57bb7593321c
Instruction Fuzzy Hash: C9316171E002699BEB21CE15C840FDA77B8FB44751F00C4AEFA49E7240D7B49EC49B96

Uniqueness

Uniqueness Score: -1.00%

Function 009C4E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,009C3F9A,?,?,?), ref: 009C4E5E
GetLastError.KERNEL32(?,?,009C3F9A,?,?,?), ref: 009C4E68

Strings

fileutil.cpp, xrefs: 009C4E91

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: fileutil.cpp
API String ID: 442123175-2967768451
Opcode ID: 7c73f22c4ddfa84776d319d4f338251038af1ab46a190a969ea1fe13ea78be66
Instruction ID: f6356241fa89f1dfd1021367809ac119b0cd1c5c67990c95fcba1bd6b58ea1c8
Opcode Fuzzy Hash: 7c73f22c4ddfa84776d319d4f338251038af1ab46a190a969ea1fe13ea78be66
Instruction Fuzzy Hash: 74F04B33A00229ABC7209A9A9C55FDFBB6DFB44761F020119FD04D7140D720AE0096E1

Uniqueness

Uniqueness Score: -1.00%

Function 009C490D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00998770,00000000,00000000,00000000,00000000,00000000), ref: 009C4925
GetLastError.KERNEL32(?,?,?,00998770,00000000,00000000,00000000,00000000,00000000), ref: 009C492F

Strings

fileutil.cpp, xrefs: 009C4953

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: fileutil.cpp
API String ID: 2976181284-2967768451
Opcode ID: c3c977e0c7a1b06d41fb096bcadb064a189064eed29a27d760406621e5426103
Instruction ID: d0e680516289de586993f820d46e40527c73688f96b12275e978275ac812b00a
Opcode Fuzzy Hash: c3c977e0c7a1b06d41fb096bcadb064a189064eed29a27d760406621e5426103
Instruction Fuzzy Hash: 17F08176E04139AB9B218F85DC15EAB7FA8EF04BA0F014158BD54AB221E731DC10D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00983838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00983877
GetLastError.KERNEL32 ref: 00983881
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 009838EA

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 72017db251c8273731a218d8ad7da6267433448c0d028ffd0709bfa034126535
Instruction ID: c017c6b2ea689843fca7afcb2dc01244294ecd68ebb648810ba1f5e4fa25932c
Opcode Fuzzy Hash: 72017db251c8273731a218d8ad7da6267433448c0d028ffd0709bfa034126535
Instruction Fuzzy Hash: F521F5B2D0123DA7DB20AB69CC49F9A77AC9B40B10F1145A5FE14EB341EA70DE408BE0

Uniqueness

Uniqueness Score: -1.00%

Function 009C0F6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009EAAA0,00000000,?,009C57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009C0F80

Strings

regutil.cpp, xrefs: 009C0FC3

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Open
String ID: regutil.cpp
API String ID: 71445658-955085611
Opcode ID: 76389aa193fabea57d628c933713d44a453f3b89237417a7cae58840ff9b9f34
Instruction ID: 2d0407fa283da9205d4f34ba662875a8ff3dcdc90fdb43e84460c65992077cfe
Opcode Fuzzy Hash: 76389aa193fabea57d628c933713d44a453f3b89237417a7cae58840ff9b9f34
Instruction Fuzzy Hash: A6F04633E01136E69F3005568C01F6BAE49EBC0BB0F15452DBD469E240E2208C4092F2

Uniqueness

Uniqueness Score: -1.00%

Function 009BF49A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009BF491

Part of subcall function 009C998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009C99A1
Part of subcall function 009C998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009C9A09
Part of subcall function 009C998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009C9A1A

Strings

PA`n, xrefs: 009BF48B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: PA`n
API String ID: 697777088-1424363697
Opcode ID: c924a3ea11dd041e7274601ea4428e2c71482ca1e6d25774c8ea503664def5ba
Instruction ID: 8bebc0c717ed1b25107b593ea542b2f7078d5a1d7ed161b121ff270ce036bd57
Opcode Fuzzy Hash: c924a3ea11dd041e7274601ea4428e2c71482ca1e6d25774c8ea503664def5ba
Instruction Fuzzy Hash: 6BB012A16695426E334552561F1BE37014DC2C5FB1330456EB004C1172E8441C010033

Uniqueness

Uniqueness Score: -1.00%

Function 009BF4AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009BF491

Part of subcall function 009C998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009C99A1
Part of subcall function 009C998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009C9A09
Part of subcall function 009C998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009C9A1A

Strings

PA`n, xrefs: 009BF48B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: PA`n
API String ID: 697777088-1424363697
Opcode ID: 4a9488accf0b28962957c01188dc3298693ff4bcda648689e54fc8b5f38be25c
Instruction ID: 39f6314bf0ca9a2482833567b56316855d8293dffd5963dd67267164b5360e3f
Opcode Fuzzy Hash: 4a9488accf0b28962957c01188dc3298693ff4bcda648689e54fc8b5f38be25c
Instruction Fuzzy Hash: 59B012A16696426D334552561E1AE37014CC2C5FB1330866EF004C1172E8541C400033

Uniqueness

Uniqueness Score: -1.00%

Function 009BF479 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009BF491

Part of subcall function 009C998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009C99A1
Part of subcall function 009C998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009C9A09
Part of subcall function 009C998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009C9A1A

Strings

PA`n, xrefs: 009BF479, 009BF48B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: PA`n
API String ID: 697777088-1424363697
Opcode ID: c8abf9ca5168c99cecaf38538b80d366a3a830009b5d361f3cd20534c85643fa
Instruction ID: 886e28eddcfdd427c92df1ae052053a57ca72fab3132ece05babda6bbcdddbe6
Opcode Fuzzy Hash: c8abf9ca5168c99cecaf38538b80d366a3a830009b5d361f3cd20534c85643fa
Instruction Fuzzy Hash: 08B012A56695427D330512521E1AD37010CC2C1FB1330C66EB400C0072A8401C000033

Uniqueness

Uniqueness Score: -1.00%

Function 00983AF0 Relevance: 3.0, APIs: 2, Instructions: 14memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,?,0098226D,?,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000), ref: 00983B04
RtlReAllocateHeap.NTDLL(00000000,?,0098226D,?,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983B0B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: f813521aaf288ba60a1e1e52f5736acb227d91cdd3e631652d4f2a4689d60032
Instruction ID: 9c728e15adaa38dd8410a3adc0b35054a6a6d977ec3d1938cbffb1d585d490a7
Opcode Fuzzy Hash: f813521aaf288ba60a1e1e52f5736acb227d91cdd3e631652d4f2a4689d60032
Instruction Fuzzy Hash: 03D0C97256820DAB8F005FE8DC0EDAA3BACEB58602B088405B915C2120C739E424AB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C35C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009C35F8

Part of subcall function 009C304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,009C3609,00000000,?,00000000), ref: 009C3069
Part of subcall function 009C304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,009AC025,?,00985405,?,00000000,?), ref: 009C3075

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 10007ea36596ba1690ca85594cce896ca331b24ae47e215be6a929a8bf91ea23
Instruction ID: 0b6af21f06c6025414d2a028e5b1684c658224c6bbba3924712a2868270314b6
Opcode Fuzzy Hash: 10007ea36596ba1690ca85594cce896ca331b24ae47e215be6a929a8bf91ea23
Instruction Fuzzy Hash: 37314F76D00229ABCB11DFA8C985BDEB7F8EF08710F01856AED05AB311D6759D008BA5

Uniqueness

Uniqueness Score: -1.00%

Function 009C5870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,009EAAA0,00000000,80070490,?,?,00998B19,WiX\Burn,PackageCache,00000000,009EAAA0,00000000,00000000,80070490), ref: 009C58CA

Part of subcall function 009C10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 009C112B
Part of subcall function 009C10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 009C1163

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: 5952db460920faf46b503c4ba238e84a58ef3a1fb9ad163f6399a82eea737cac
Instruction ID: 1fadb4b7b1b6aa386bf421a07bc5c37201e83ae1f41d5f35c6964d9d6422b351
Opcode Fuzzy Hash: 5952db460920faf46b503c4ba238e84a58ef3a1fb9ad163f6399a82eea737cac
Instruction Fuzzy Hash: 5B119E36C0062AEF8B21AE948D41FAEBB6CEB54360B22423DED0167211C7316E9096D2

Uniqueness

Uniqueness Score: -1.00%

Function 009834B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00998BD3,0000001C,80070490,00000000,00000000,80070490), ref: 009834D5

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 7099f65d53dc9cb0c5ecc048cf9c570c2886f3c103c73823127e60da89a263ff
Instruction ID: 048d6cd89df72b28b6a3fc645c3a611a77a57e17a9f24bc09428d0986cca9a06
Opcode Fuzzy Hash: 7099f65d53dc9cb0c5ecc048cf9c570c2886f3c103c73823127e60da89a263ff
Instruction Fuzzy Hash: 07E012B23011287BE6023F755C05DAB7B5C9F45764B008051BE40D6211D766D95097B0

Uniqueness

Uniqueness Score: -1.00%

Function 009C9684 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009C966B

Part of subcall function 009C998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009C99A1
Part of subcall function 009C998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009C9A09
Part of subcall function 009C998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009C9A1A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 357c05dc9cce124384ca3649a09affa707e207cfa52badd929079bdf4eb4245e
Instruction ID: 7d3d87b5c5b7673f18a26b0ecd673e08d3d24b279a987f3338855522eeccbc47
Opcode Fuzzy Hash: 357c05dc9cce124384ca3649a09affa707e207cfa52badd929079bdf4eb4245e
Instruction Fuzzy Hash: ABB01291A683416D3B4553862F4BF37014CC7C0B51330451EB004D21D1E8541C010133

Uniqueness

Uniqueness Score: -1.00%

Function 009C9653 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009C966B

Part of subcall function 009C998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009C99A1
Part of subcall function 009C998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009C9A09
Part of subcall function 009C998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009C9A1A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 87f9a7fcc4a500b82bda66ee8947a57d4e4160618755a118533198e8ec7caaae
Instruction ID: d01752fd0d46c19647cf1710c44a69d55c34df69dbfad98b8400cfd3463ac519
Opcode Fuzzy Hash: 87f9a7fcc4a500b82bda66ee8947a57d4e4160618755a118533198e8ec7caaae
Instruction Fuzzy Hash: 67B01291A68241BD3B0513426E8AF37010CC7C0B51331851EB000E10D1E8501C000237

Uniqueness

Uniqueness Score: -1.00%

Function 009C9674 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 009C966B

Part of subcall function 009C998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 009C99A1
Part of subcall function 009C998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009C9A09
Part of subcall function 009C998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009C9A1A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 01bea24d509cfef4b161b6a79e23a71e9df1bddba84fd59a2611f5b2a7c53006
Instruction ID: 85ed9c3a8ee90c632e836e88f798f5340dae4350a3cbf37054fd6dd74ab8bb80
Opcode Fuzzy Hash: 01bea24d509cfef4b161b6a79e23a71e9df1bddba84fd59a2611f5b2a7c53006
Instruction Fuzzy Hash: 7AB01291A681426D374553461E0BF37054CC3C0B11330C51EB404C21D1E8505C040133

Uniqueness

Uniqueness Score: -1.00%

Function 009814B6 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,009821A8,?,00000000,?,00000000,?,0098390C,00000000,?,00000104), ref: 009814E8

Part of subcall function 00983BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,009821CC,000001C7,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983BDB
Part of subcall function 00983BD3: HeapSize.KERNEL32(00000000,?,009821CC,000001C7,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983BE2

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 6d51951d696c9cea3b0d14b099f8a5b2767f43e602ed7ff98c4901c12e79a4de
Instruction ID: 4d9b2e04bd7bdfb8043cc30bdc7d94c2a9d35ef8bd38b2e5952d9ef6e9d5a266
Opcode Fuzzy Hash: 6d51951d696c9cea3b0d14b099f8a5b2767f43e602ed7ff98c4901c12e79a4de
Instruction Fuzzy Hash: DB012D33200219ABCF117E64ECC0F9A776D9F85750F114219FA165B361D7329C429BD0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00983CC4 Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 320fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00983D40
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00983D53
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00983D9E
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00983DA8
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00983DF6
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00983E00
FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00983E53
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00983E64
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00983F3E
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00983F52
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00983F79
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00983F9C
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00983FB5
FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00983FC5
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00983FDA
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00984009
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0098402B
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0098404D
RemoveDirectoryW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00984064
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 0098406E
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00984095
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 009840B0
FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 009840E6

Strings

DEL, xrefs: 00983F6D
*.*, xrefs: 00983E2C
dirutil.cpp, xrefs: 00983D76, 00983FFA

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: *.*$DEL$dirutil.cpp
API String ID: 1544372074-1252831301
Opcode ID: f2b9a939bc915ec235ce07d335933e8d4127344c98c1d0304bb2337129eb5da7
Instruction ID: c7b21635e96989965ed804b4b2ae7c5005004d6ca713e65be02c6f3216538de6
Opcode Fuzzy Hash: f2b9a939bc915ec235ce07d335933e8d4127344c98c1d0304bb2337129eb5da7
Instruction Fuzzy Hash: B7B1E773D052399BDB317A658C05F9AB679AF40B20F0142A5EE08BB390D7769E90CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 009A41EA Relevance: 43.0, Strings: 34, Instructions: 498COMMON

Download Yara Rule

Strings

Failed to add reboot suppression property on uninstall., xrefs: 009A477D
Failed to install MSI package., xrefs: 009A4746
Failed to enable logging for package: %ls to: %ls, xrefs: 009A441F
Failed to add properties to argument string., xrefs: 009A4463
Failed to uninstall MSI package., xrefs: 009A47EF
Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 009A469B
Failed to add patch properties to argument string., xrefs: 009A44FD
msasn1.dll, xrefs: 009A440B
Failed to add obfuscated properties to argument string., xrefs: 009A4497
Failed to get cached path for package: %ls, xrefs: 009A434F
Failed to run maintanance mode for MSI package., xrefs: 009A46F6
WixBundleExecutePackageAction, xrefs: 009A43B7, 009A48B4
Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 009A460C
%ls %ls=ALL, xrefs: 009A46B6, 009A4795
Failed to add the list of dependencies to ignore to the properties., xrefs: 009A46CA
WixBundleExecutePackageCacheFolder, xrefs: 009A436A, 009A48A4
Failed to perform minor upgrade of MSI package., xrefs: 009A4638
Failed to add patch properties to obfuscated argument string., xrefs: 009A451F
crypt32.dll, xrefs: 009A440A
Failed to build MSI path., xrefs: 009A439D
feclient.dll, xrefs: 009A42C5, 009A434D, 009A441D, 009A454B, 009A47D8
REBOOT=ReallySuppress, xrefs: 009A45A0, 009A476C
REINSTALL=ALL, xrefs: 009A45D3, 009A464D
VersionString, xrefs: 009A428E, 009A42EF
Failed to add feature action properties to obfuscated argument string., xrefs: 009A44DB
IGNOREDEPENDENCIES, xrefs: 009A46A5, 009A4784
REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 009A45F5
ACTION=ADMIN, xrefs: 009A4709
Failed to add reboot suppression property on install., xrefs: 009A45BB
Failed to add ADMIN property on admin install., xrefs: 009A471E
%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 009A4687
Failed to add reinstall all property on minor upgrade., xrefs: 009A45EA
Failed to initialize external UI handler., xrefs: 009A43F4
Failed to add feature action properties to argument string., xrefs: 009A44B9

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$crypt32.dll$feclient.dll$msasn1.dll
API String ID: 0-2033600224
Opcode ID: aba604913b6087533f09ab3a2c948819c6bb4a2599bce88230b51578907776cb
Instruction ID: 8657692bce192a8d419a4573ed28fb4f5d5297791595702df6f46efe34d913c9
Opcode Fuzzy Hash: aba604913b6087533f09ab3a2c948819c6bb4a2599bce88230b51578907776cb
Instruction Fuzzy Hash: 1B02917194062AAFDF219F54CD41FA9B6AABBC6714F0041A5F508A7251D7B2EEA0CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 009C1719 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 009C17B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009C17BB
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 009C1808
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009C180E
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 009C1848
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009C184E
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 009C188E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009C1894
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 009C18D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009C18DA
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 009C191A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009C1920
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 009C1A11
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 009C1A4B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009C1A55
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 009C1A8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009C1A97
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009C1AD0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009C1ADA
CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 009C1B18
LocalFree.KERNEL32(?), ref: 009C1B2E

Strings

srputil.cpp, xrefs: 009C17DC

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
String ID: srputil.cpp
API String ID: 267631441-4105181634
Opcode ID: 190b7fa863ed7ecc3670dcc37141664298e81dc70e324e6327e79ce3b8689db8
Instruction ID: f4b685fde1e47e9beb3ef5bb0f2d1e806f047d8744e37e9ed89e41f2694d1724
Opcode Fuzzy Hash: 190b7fa863ed7ecc3670dcc37141664298e81dc70e324e6327e79ce3b8689db8
Instruction Fuzzy Hash: 3CC18376D4123DABDB208B968C49FDFFABCAF45750F0101AAA905F7241E7709E408EA5

Uniqueness

Uniqueness Score: -1.00%

Function 009AC332 Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 376COMMON

Download Yara Rule

Strings

Failed to copy uninstall arguments for related bundle package, xrefs: 009AC623
Failed to copy download source for pseudo bundle., xrefs: 009AC469
Failed to append relation type to repair arguments for related bundle package, xrefs: 009AC5F1
Failed to copy repair arguments for related bundle package, xrefs: 009AC5D0
Failed to copy key for pseudo bundle payload., xrefs: 009AC3F3
Failed to allocate memory for pseudo bundle payload hash., xrefs: 009AC4AD
Failed to copy cache id for pseudo bundle., xrefs: 009AC55F
Failed to allocate memory for dependency providers., xrefs: 009AC6DE
Failed to copy local source path for pseudo bundle., xrefs: 009AC43B
Failed to copy filename for pseudo bundle., xrefs: 009AC417
Failed to copy display name for pseudo bundle., xrefs: 009AC74F
-%ls, xrefs: 009AC34C
pseudobundle.cpp, xrefs: 009AC379, 009AC3B2, 009AC4A1, 009AC6D2
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 009AC3BE
Failed to copy key for pseudo bundle., xrefs: 009AC542
Failed to copy version for pseudo bundle., xrefs: 009AC72D
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 009AC385
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 009AC644
Failed to append relation type to install arguments for related bundle package, xrefs: 009AC5A9
Failed to copy install arguments for related bundle package, xrefs: 009AC584

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
API String ID: 1357844191-2832335422
Opcode ID: ca6c1658f12869b100bbe7080202c9686722206a73c109f485d5d097a568bfe6
Instruction ID: 57c5decab5bbd994be9ae36c4b8a355b398133fee3a9b42e1de1c3cbe3bb4015
Opcode Fuzzy Hash: ca6c1658f12869b100bbe7080202c9686722206a73c109f485d5d097a568bfe6
Instruction Fuzzy Hash: B4C1E2B1A4461ABBCB15DF24C892B6A77A9FF4A714B048526F905EF350DB70EC008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 009845EE Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 141sleepshutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00984617
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 0098461E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00984628
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00984678
GetLastError.KERNEL32 ref: 00984682
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 009846C6
GetLastError.KERNEL32 ref: 009846D0
Sleep.KERNEL32(000003E8), ref: 0098470C
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 0098471D
GetLastError.KERNEL32 ref: 00984727
CloseHandle.KERNEL32(?), ref: 0098477D

Strings

Failed to get shutdown privilege LUID., xrefs: 009846B0
Failed to adjust token to add shutdown privileges., xrefs: 009846FE
SeShutdownPrivilege, xrefs: 0098466B
engine.cpp, xrefs: 0098464C, 009846A6, 009846F4, 0098475E
Failed to get process token., xrefs: 00984656
Failed to schedule restart., xrefs: 00984768

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
API String ID: 2241679041-1583736410
Opcode ID: d6dd701f728f4d9865ec81408af23ab78e000368c7afc126fd3ccd5d287cb2a1
Instruction ID: e6d3028a01f499b4e0880f43f4039b3ef0c9c7d9f22c2610cc2f71e33d66088b
Opcode Fuzzy Hash: d6dd701f728f4d9865ec81408af23ab78e000368c7afc126fd3ccd5d287cb2a1
Instruction Fuzzy Hash: 6541F972D54226ABD720ABA58C47F6F7A5CAF41754F110529FE01FB380E7658C0047E1

Uniqueness

Uniqueness Score: -1.00%

Function 00994EDF Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 165pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00994F0D
GetLastError.KERNEL32(?,00000000,?,?,0098452F,?), ref: 00994F16
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,0098452F,?), ref: 00994FB8
GetLastError.KERNEL32(?,0098452F,?), ref: 00994FC5
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,0098452F), ref: 00995040
GetLastError.KERNEL32(?,?,?,?,?,?,?,0098452F,?), ref: 0099504B
CloseHandle.KERNEL32(00000000,pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,0098452F,?), ref: 0099508B
LocalFree.KERNEL32(00000000,?,0098452F,?), ref: 009950B9

Strings

\\.\pipe\%ls.Cache, xrefs: 0099500C
Failed to allocate full name of cache pipe: %ls, xrefs: 00995022
Failed to create pipe: %ls, xrefs: 00994FF6, 0099507C
D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00994F08
Failed to allocate full name of pipe: %ls, xrefs: 00994F84
Failed to create the security descriptor for the connection event and pipe., xrefs: 00994F44
\\.\pipe\%ls, xrefs: 00994F6E
pipe.cpp, xrefs: 00994F3A, 00994FE9, 0099506F

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
API String ID: 1214480349-3253666091
Opcode ID: 9cd1cbe443b635facd5fc42a561a2c4d2f38f3d654074ea5fae32ede5e4cfdbc
Instruction ID: 7cebf2e55b815fa047a538f816f3dcdd4069fc77ffde7d0ddd4e3c29cfeebbaa
Opcode Fuzzy Hash: 9cd1cbe443b635facd5fc42a561a2c4d2f38f3d654074ea5fae32ede5e4cfdbc
Instruction Fuzzy Hash: EC51E532D81626FBDF229B98CD46FAEBB68AF04720F114125FE14B7290D3B55E409BD1

Uniqueness

Uniqueness Score: -1.00%

Function 009BFA62 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 173encryptionfileCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,00999F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0), ref: 009BFAC7
GetLastError.KERNEL32 ref: 009BFAD1
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 009BFB0E
GetLastError.KERNEL32 ref: 009BFB18
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 009BFB5F
ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 009BFB83
GetLastError.KERNEL32 ref: 009BFB8D
CryptDestroyHash.ADVAPI32(00000000), ref: 009BFBCA
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 009BFBE1
GetLastError.KERNEL32 ref: 009BFBFC
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 009BFC34
GetLastError.KERNEL32 ref: 009BFC3E
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 009BFC77
GetLastError.KERNEL32 ref: 009BFC85

Strings

cryputil.cpp, xrefs: 009BFBB1

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
String ID: cryputil.cpp
API String ID: 3955742341-2185294990
Opcode ID: d3ef3b3630473804d2f2cdf3a97a945cccdfc42824007d10c2f018f58498cd4f
Instruction ID: c24ebbffe3c8a718e7f770c35da7278b10bceef2aaa7b9bc55fb8d7439466308
Opcode Fuzzy Hash: d3ef3b3630473804d2f2cdf3a97a945cccdfc42824007d10c2f018f58498cd4f
Instruction Fuzzy Hash: 3151E537D50239ABDB318A51CE25FDB7A68EF04761F0144B5BE48FB180E7B49D809AE4

Uniqueness

Uniqueness Score: -1.00%

Function 00999E9E Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 181COMMON

Download Yara Rule

Strings

Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 00999FCB
Failed to reset permissions on unverified cached payload: %ls, xrefs: 00999FF1
Failed to create unverified path., xrefs: 00999F6E
Failed to transfer working path to unverified path for payload: %ls., xrefs: 00999FA4
copying, xrefs: 0099A030, 0099A038
Failed to move verified file to complete payload path: %ls, xrefs: 0099A06C
Failed to get cached path for package with cache id: %ls, xrefs: 00999EC8
moving, xrefs: 0099A029
Failed to concat complete cached path., xrefs: 00999EF4

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
API String ID: 0-1289240508
Opcode ID: f6db90327c7a0acbb8a755dce0beec715c735c208a978f05f1a4a2ddaecce761
Instruction ID: 19c91ac7461fcf21ae958890ff169d73f50d227bd70140950d5558c7a3f6f289
Opcode Fuzzy Hash: f6db90327c7a0acbb8a755dce0beec715c735c208a978f05f1a4a2ddaecce761
Instruction Fuzzy Hash: A8519031D44119FBDF226F98CD02FADBB75EF55310F14405AF900B62A1E7369E60AB82

Uniqueness

Uniqueness Score: -1.00%

Function 009862AA Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 009862F8
GetLastError.KERNEL32 ref: 00986302

Strings

Failed to set variant value., xrefs: 00986423
Failed to get OS info., xrefs: 00986330
variable.cpp, xrefs: 00986326

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastVersion
String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
API String ID: 305913169-1971907631
Opcode ID: d7007a61cc74c449593951568a39f8ae82ab046f38cf7d3e44e85056801ff579
Instruction ID: fad546cb04bc6b83dfa780ad4cd3dc259777baf8cd1bf8e0173fcb7a3906985e
Opcode Fuzzy Hash: d7007a61cc74c449593951568a39f8ae82ab046f38cf7d3e44e85056801ff579
Instruction Fuzzy Hash: 3A41B672E04228ABDB20AB69DC46FEF7BBCEB85750F00055AF545EB250D7349E40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00986037 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00986062
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00986076
GetLastError.KERNEL32 ref: 00986088
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 009860DC
GetLastError.KERNEL32 ref: 009860E6

Strings

Failed to set variant value., xrefs: 00986124
Failed to get the Date., xrefs: 0098610B
Failed to allocate the buffer for the Date., xrefs: 009860C4
Failed to get the required buffer length for the Date., xrefs: 009860AD
variable.cpp, xrefs: 009860A3, 00986101

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
API String ID: 2700948981-3682088697
Opcode ID: 8e2a544532dbafd704664a957cc499ffe9cb43e5e47ae554c19774dbbe0c6d91
Instruction ID: 49427be6bf641392604de667be2dff9968c5ba8381bce37007ee9e684662771b
Opcode Fuzzy Hash: 8e2a544532dbafd704664a957cc499ffe9cb43e5e47ae554c19774dbbe0c6d91
Instruction Fuzzy Hash: 3F31FB32E442296BDB11ABE9CC47FAFBA78AB44710F110429FE00FB381D6649D4087E6

Uniqueness

Uniqueness Score: -1.00%

Function 009BFEC6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(009EB5FC,00000000,?,?,?,?,009A12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 009BFEF4
GetCurrentProcessId.KERNEL32(00000000,?,009A12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 009BFF04
GetCurrentThreadId.KERNEL32 ref: 009BFF0D
GetLocalTime.KERNEL32(8007139F,?,009A12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 009BFF23
LeaveCriticalSection.KERNEL32(009EB5FC,009A12CF,?,00000000,0000FDE9,?,009A12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 009C001A

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 009BFFC0

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: 9897971a8d96657efa58c0430b8493e676ae80af0db2d942d1175d65a5dcc8e6
Instruction ID: dee03598b784609f8b5d0e81b202bf862563b10f3a05da18648063a6e40e5e46
Opcode Fuzzy Hash: 9897971a8d96657efa58c0430b8493e676ae80af0db2d942d1175d65a5dcc8e6
Instruction Fuzzy Hash: CF417C72E04219EBDB21DFA5DD55BBFB6B8EB49B21F040429F900AA250DB349D40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00999B43 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 00999BF2
lstrlenW.KERNEL32(?), ref: 00999C19
FindNextFileW.KERNEL32(00000000,00000010), ref: 00999C79
FindClose.KERNEL32(00000000), ref: 00999C84

Part of subcall function 00983CC4: GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00983D40
Part of subcall function 00983CC4: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00983D53

Strings

*.*, xrefs: 00999BCC
.unverified, xrefs: 00999B86

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: 2e0fdf8c7c27bc245671c6bb69ef37723b87dc58746c52a0f2846bbe60366bb2
Instruction ID: 3ca26e6db322f5e42d0cc00c150f8342f2d265610f47474edf96dcfe4914ede0
Opcode Fuzzy Hash: 2e0fdf8c7c27bc245671c6bb69ef37723b87dc58746c52a0f2846bbe60366bb2
Instruction Fuzzy Hash: CC416E3090452CAEDF21AB69DD49FEAB7FCAF84301F4041A9E848E10A0EB719EC4DF54

Uniqueness

Uniqueness Score: -1.00%

Function 009C887B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 009C88D0
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 009C88E2

Strings

crypt32.dll, xrefs: 009C88A0
%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 009C892D
%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 009C88B9
feclient.dll, xrefs: 009C88AA

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
API String ID: 1772835396-1985132828
Opcode ID: 089d9a118bdb48e09c51aa0b91dc37812f91c625700aa945834b760462b8d0a6
Instruction ID: 7077fe6de8f4fc518fd60f7a6284c6bd9f280b6a924a93a03c5e35ee6fc9ffca
Opcode Fuzzy Hash: 089d9a118bdb48e09c51aa0b91dc37812f91c625700aa945834b760462b8d0a6
Instruction Fuzzy Hash: 6D21F8A6900128EADB60DBAADC05FBFB3FCEB5C711F00455AB955D2180E738AE80D771

Uniqueness

Uniqueness Score: -1.00%

Function 009BAA0E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 009BAB54

Strings

1#SNAN, xrefs: 009BBD53
1#IND, xrefs: 009BBD4C
1#INF, xrefs: 009BBD61
1#QNAN, xrefs: 009BBD5A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b0dfe48c8cedc4642dc3bcd68ac336660e8a70e54c35db71cf6b913fee869bc4
Instruction ID: 9d073ba026c7d016c05841d8cf4c7497ab3c3ed4bdb5599f0c49163e4ee3365b
Opcode Fuzzy Hash: b0dfe48c8cedc4642dc3bcd68ac336660e8a70e54c35db71cf6b913fee869bc4
Instruction Fuzzy Hash: A5C25171D046298FDB25CF28DE447E9B7B9EB84324F1445EAD44DE7280E7B8AE818F41

Uniqueness

Uniqueness Score: -1.00%

Function 009861DF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0098620F
GetLastError.KERNEL32 ref: 00986219

Strings

Failed to set variant value., xrefs: 0098625E
Failed to get the user name., xrefs: 00986242
variable.cpp, xrefs: 00986238

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: 4ec72ffe33c98a1d0ca062157171f96674c16e6457fae243b424d31dcaee6dda
Instruction ID: 1a6a3080654d25893726525f9888fdb7df65a3fbf27e3fe8814cccfda4273caa
Opcode Fuzzy Hash: 4ec72ffe33c98a1d0ca062157171f96674c16e6457fae243b424d31dcaee6dda
Instruction Fuzzy Hash: 3201D672E0522867C720AB559C46FAB77ACAB41720F010299FC14EB341DA649E449BD5

Uniqueness

Uniqueness Score: -1.00%

Function 009BFE21 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,009C04F4,?,?,?,?,00000001), ref: 009BFE40
GetLastError.KERNEL32(?,009C04F4,?,?,?,?,00000001,?,00985616,?,?,00000000,?,?,00985395,00000002), ref: 009BFE4C
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,009C04F4,?,?,?,?,00000001,?,00985616,?,?), ref: 009BFEB5

Strings

logutil.cpp, xrefs: 009BFE6B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: logutil.cpp
API String ID: 1365068426-3545173039
Opcode ID: 1f562c8ddd6038254fbe47ba179ad633ce8b6fdd0d6790ed150f617a239b0ffc
Instruction ID: 5cedd911664fbb4f8575ce561c6ab91ac40780ef3942b5b23341af875f906776
Opcode Fuzzy Hash: 1f562c8ddd6038254fbe47ba179ad633ce8b6fdd0d6790ed150f617a239b0ffc
Instruction Fuzzy Hash: 0A118F32A00129EBDB219F958E1AEFF7B69EF54B60F018029FD0596175D731CE20E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 009A6B88 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,009A6B32,00000000,00000003), ref: 009A6B9F
GetLastError.KERNEL32(?,009A6B32,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,009A6F28,?), ref: 009A6BA9

Strings

Failed to set service start type., xrefs: 009A6BD7
msuengine.cpp, xrefs: 009A6BCD

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$msuengine.cpp
API String ID: 1456623077-1628545019
Opcode ID: a1dc655cb440357be141c307179c84d8e4e4c77d7d594ac58b4b749769355431
Instruction ID: 710784ac54e680a1df0c4dcad0dfb5a5cb04198c81d49fab6c369df463a46d79
Opcode Fuzzy Hash: a1dc655cb440357be141c307179c84d8e4e4c77d7d594ac58b4b749769355431
Instruction Fuzzy Hash: 83F0A033A8D13677C72166969C0AE8B7E5C9F06BB0F114325BE78FB2D0DA51890086F4

Uniqueness

Uniqueness Score: -1.00%

Function 009AE3D8 Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,009AE4F7,009E0DBC,00000017), ref: 009AE3DD
UnhandledExceptionFilter.KERNEL32(009E0DBC,?,009AE4F7,009E0DBC,00000017), ref: 009AE3E6
GetCurrentProcess.KERNEL32(C0000409,?,009AE4F7,009E0DBC,00000017), ref: 009AE3F1
TerminateProcess.KERNEL32(00000000,?,009AE4F7,009E0DBC,00000017), ref: 009AE3F8

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 5da6b7d2cafd4b36ac71ca3979f11febbed0909036b75d6ee1e238b3020b0ee2
Instruction ID: 84f477466b55ca72e91107701d7b6071c9759a9f03d81a289d1ae776d0898b4b
Opcode Fuzzy Hash: 5da6b7d2cafd4b36ac71ca3979f11febbed0909036b75d6ee1e238b3020b0ee2
Instruction Fuzzy Hash: A5D0123682D248BBCB002BE0FC0EE4C3F2CFF08613F844000F70A82022CB324400AB61

Uniqueness

Uniqueness Score: -1.00%

Function 009B3C76 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 009B3D6E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 009B3D78
UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 009B3D85

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: abc23b64d5daa1b320f2b0d49c576a1b987fccb7fd42420a47cffa75958a4187
Instruction ID: c488f663db005564430d3d9d5be0728f0a7b9ae88f35dc118c9d8cb02f7665d9
Opcode Fuzzy Hash: abc23b64d5daa1b320f2b0d49c576a1b987fccb7fd42420a47cffa75958a4187
Instruction Fuzzy Hash: E131C47491122C9BCB61DF69D989BDCBBB8BF48310F5085EAE40CA7251E7749F818F44

Uniqueness

Uniqueness Score: -1.00%

Function 009B48D8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,009B48AE,00000000,009E7F08,0000000C,009B4A05,00000000,00000002,00000000), ref: 009B48F9
TerminateProcess.KERNEL32(00000000,?,009B48AE,00000000,009E7F08,0000000C,009B4A05,00000000,00000002,00000000), ref: 009B4900
ExitProcess.KERNEL32 ref: 009B4912

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 49529b25cefc6957f8fd1f980403b16e006095884b7746b8ea266406a2b65fc4
Instruction ID: dd99b49b66e1206ad657b09ee1b2bc3334940742fbb3055eb963bc9dc1bfe7f3
Opcode Fuzzy Hash: 49529b25cefc6957f8fd1f980403b16e006095884b7746b8ea266406a2b65fc4
Instruction Fuzzy Hash: 53E0E631815248AFCF116F54DE09E993B6DEF45B91F004014F81547133CB35DD52EB40

Uniqueness

Uniqueness Score: -1.00%

Function 009BA560 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction ID: f60217d70dd4682f9694df525d940498c9676486259619c9d8f6ad445edf5933
Opcode Fuzzy Hash: 4f8f95bc5e7c876d0a1a0b2598f8063104ee7b1299e502c05a036ee161ca1c45
Instruction Fuzzy Hash: 39021C71E002199FDF14CFA9C9806EDB7F5EF88324F25816AD919E7284E731AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009C3A5F Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C3BF1: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,009C3A8E,?), ref: 009C3C62

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009C3AB2
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009C3AC3

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: 640ebd8f2919c81ae3e3e1a165bb1e37afeb75fed0cc45ef2a298abcb4f38803
Instruction ID: 387a196cd490e9cf9ca150789003171db636e24b70e98f88d4e3d9bf2c06206f
Opcode Fuzzy Hash: 640ebd8f2919c81ae3e3e1a165bb1e37afeb75fed0cc45ef2a298abcb4f38803
Instruction Fuzzy Hash: F611F771D0021AABDB10DFA4DD85FAFB7BCEF08300F50882DA541A6151E7719E548B96

Uniqueness

Uniqueness Score: -1.00%

Function 009C4440 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(009A923A,?,00000100,00000000,00000000), ref: 009C447B
FindClose.KERNEL32(00000000), ref: 009C4487

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ef7f0019ccd7f6271509153f864ea8601fe27e1e46e0b64ae752d9b74542eb8f
Instruction ID: 12309586b16a00f9b4a2149a7059f02913fe3a195860b9cebf47e53579238cb2
Opcode Fuzzy Hash: ef7f0019ccd7f6271509153f864ea8601fe27e1e46e0b64ae752d9b74542eb8f
Instruction Fuzzy Hash: FF01F931B0020C6BCB10EFA9ED89FABB3BCEBC5326F000465F914C3150D634AE498795

Uniqueness

Uniqueness Score: -1.00%

Function 009B2C18 Relevance: 2.7, Strings: 2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

comres.dll, xrefs: 009B2DBF, 009B2DD8, 009B2E00, 009B2E2B
0, xrefs: 009B2D88

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID: 0$comres.dll
API String ID: 0-3030269839
Opcode ID: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction ID: cd532ee316c87e60afc7db677f482324f31f62bd6df83c9d6a30898b13de0f8e
Opcode Fuzzy Hash: f7a880ec5967ec64a90054ca813bf1243ddeae79b496adee3d9f08ad155e7dd2
Instruction Fuzzy Hash: FF516A60214B0457DB398B6887967FF2B9DDB96370F180DADE8C2DB2D2C609DE428352

Uniqueness

Uniqueness Score: -1.00%

Function 009BEE7C Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009BEE77,?,?,00000008,?,?,009BEB17,00000000), ref: 009BF0A9

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5669ebdb86c77d59b436908acafdc252ba9ecdf159d90c3b019b3198a6d9e51f
Instruction ID: 03202f2d02823cf6fac8c528d659f5c1f92cae8693b6e52997a1d96391e1315c
Opcode Fuzzy Hash: 5669ebdb86c77d59b436908acafdc252ba9ecdf159d90c3b019b3198a6d9e51f
Instruction Fuzzy Hash: F3B15E31610609DFD715CF2CC99ABA57BE4FF45364F258668E899CF2A2C335E981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 009AEC07 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 009AEC20

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 746d3d9b1a424bcd74b76382be8a7682742ec59c77eb92a21064a4152269d979
Instruction ID: 874785accb1f54a0ad75487ddf333926f3c8b73996c15aaa750800c4dee8fc14
Opcode Fuzzy Hash: 746d3d9b1a424bcd74b76382be8a7682742ec59c77eb92a21064a4152269d979
Instruction Fuzzy Hash: 20519DB1D143158BDB18CF59D8C57AABBF8FB49310F15846AD405EB2A0E375AE00CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009AE9DC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(009AE9E8,009AE131), ref: 009AE9E1

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 11309eba9e655739c86516c8cc92b13fbc6f9595e6915dd10e4d75764e5806f0
Instruction ID: 3abd8140f26203f65bdaa15d64570412b28509401aa7e341ace6b8633d329564
Opcode Fuzzy Hash: 11309eba9e655739c86516c8cc92b13fbc6f9595e6915dd10e4d75764e5806f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 009AFB89 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023a93e258ed89174ad46147633814f7cf8c58adac7c2fdeb56cd2fa8b6c7c8c
Instruction ID: 230b5ba02822356b3340b12d7e61777a9ecbc819eaa2d5471f51acc6a86503e4
Opcode Fuzzy Hash: 023a93e258ed89174ad46147633814f7cf8c58adac7c2fdeb56cd2fa8b6c7c8c
Instruction Fuzzy Hash: 350218321091A20FDF2D4A79857007B7BE56A833B171E47ADD8F6CF0D6DE20D964D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 009B0B6F Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction ID: b7f8f199221c16c4419bc4d8437f41b7d51a1c4282b00ac1e57bacc9754d52d0
Opcode Fuzzy Hash: 713254dbb735968c7063ac25a152bc56bcdf297f8f834348282298adb5de4d15
Instruction Fuzzy Hash: 99C16E332091A20AEF6D463986740BFBFE59AD23B131A1B9DD4F2CB1D5EE20D535D620

Uniqueness

Uniqueness Score: -1.00%

Function 009B07AA Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction ID: d1bd4e76d7ad472ad7a7d58adc70274f843024b256dbbfdae8106c0ce4dbd720
Opcode Fuzzy Hash: f3c7a540a95456d95b2f03679edd2d49eac6f1621006280bdad19664e1d0b21d
Instruction Fuzzy Hash: 74C191331051A20AEF2D423986740BFFBE95ED23B131E1B9DD4F2CB1C6EE209665D660

Uniqueness

Uniqueness Score: -1.00%

Function 009B03D5 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction ID: e5e576a80d87a7d4664ab50b97a4f72dd86048e05377ed65593054ec6d418c41
Opcode Fuzzy Hash: 43c190a499e79552c1a64f39d84a7142e521bf6eb77b491d3645054bb47bb5be
Instruction Fuzzy Hash: 3CC181321051A24BEF6D863986740BFFBE55AD23B131A179DE4F2CB0D5EE20D574DA20

Uniqueness

Uniqueness Score: -1.00%

Function 009B001D Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction ID: 3402180f1b3875000fd8080fa33d96b5c7dd242900c759d84873c113d99074e8
Opcode Fuzzy Hash: c3d2de95a5a3d7d395022a3d348c00081b72a5afa3478eed40d51441493dea68
Instruction Fuzzy Hash: 5BB180322091A24BEF2D423D86784BFFBE55AD23B131A179DD4B2CB1D5EE20D539D620

Uniqueness

Uniqueness Score: -1.00%

Function 009B2E47 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743eddd9501ba6a2bdd4e5df89e213c6d6728fbf12b4bc7fc9c4ba0d61eeeeae
Instruction ID: b84fc37857b29996d1fa2800241b8f03df608bb268862ace44925cc268a78495
Opcode Fuzzy Hash: 743eddd9501ba6a2bdd4e5df89e213c6d6728fbf12b4bc7fc9c4ba0d61eeeeae
Instruction Fuzzy Hash: 0E61787160070C66DB389B688B99BFE73ADEF86730F10491AF883DF281D615DE828355

Uniqueness

Uniqueness Score: -1.00%

Function 0098FF99 Relevance: 84.5, APIs: 1, Strings: 47, Instructions: 484registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 00990592

Strings

3.11.1.2318, xrefs: 00990193
QuietUninstallString, xrefs: 0099044D, 00990463
Failed to create registration key., xrefs: 0099001C
SystemComponent, xrefs: 00990428, 0099043B
NoModify, xrefs: 0099038B, 0099039E
BundleUpgradeCode, xrefs: 00990057, 0099005F
URLInfoAbout, xrefs: 009902A6, 009902B9
ParentKeyName, xrefs: 00990312, 00990325
/modify, xrefs: 00990474
BundleDetectCode, xrefs: 00990093, 0099009B
DisplayVersion, xrefs: 00990201, 00990214
Contact, xrefs: 00990362, 00990375
BundleTag, xrefs: 0099017B, 00990180
"%ls" /modify, xrefs: 009903B0
Failed to register the bundle dependency key., xrefs: 00990553
Failed to write software tags., xrefs: 009904C5
Publisher, xrefs: 00990234, 00990247
BundleAddonCode, xrefs: 00990075, 0099007D
BundlePatchCode, xrefs: 009900B1, 009900B9
BundleVersion, xrefs: 009900CF, 009900F5
%hu.%hu.%hu.%hu, xrefs: 009900F0
EstimatedSize, xrefs: 0099051C, 00990521, 00990530
DisplayIcon, xrefs: 009901BB, 009901C5
Failed to write update registration., xrefs: 009904E5
Comments, xrefs: 0099033A, 0099034D
UninstallString, xrefs: 00990489, 0099049F
NoElevateOnModify, xrefs: 009903D7, 009903EA
HelpLink, xrefs: 0099025A, 0099026D
Failed to cache bundle from path: %ls, xrefs: 0098FFEF
EngineVersion, xrefs: 0099019D, 009901A2
VersionMajor, xrefs: 0099010F, 00990115
ModifyPath, xrefs: 009903B5, 009903CB
"%ls" %ls, xrefs: 00990484
Failed to update name and publisher., xrefs: 009901EE
%s,0, xrefs: 009901C0
NoRemove, xrefs: 00990403, 00990416
URLUpdateInfo, xrefs: 009902CC, 009902DF
VersionMinor, xrefs: 00990138, 0099013E
ParentDisplayName, xrefs: 009902F2, 00990305
%hs, xrefs: 00990198
HelpTelephone, xrefs: 00990280, 00990293
BundleProviderKey, xrefs: 0099015A, 0099015F
/uninstall, xrefs: 0099047B, 00990480
BundleCachePath, xrefs: 0099003C, 00990041
"%ls" /uninstall /quiet, xrefs: 00990448
Failed to update resume mode., xrefs: 0099056D
Failed to write %ls value., xrefs: 00990531

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.11.1.2318$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor
API String ID: 3535843008-2755343042
Opcode ID: 8f566bf9cce18490493f8be6134c54dcee90627de0e0b72b61f85ac04ea463e3
Instruction ID: 44b69d3a4f088d3c8471957a76a8474fab4eb9e1c62d8bc1d7437737d523830a
Opcode Fuzzy Hash: 8f566bf9cce18490493f8be6134c54dcee90627de0e0b72b61f85ac04ea463e3
Instruction Fuzzy Hash: 58F10332E8062AFFDF225668CD02F6D76A9ABC0714F154111FD20B6362D771ED20EAD6

Uniqueness

Uniqueness Score: -1.00%

Function 009C744A Relevance: 47.6, APIs: 13, Strings: 14, Instructions: 340COMMON

Download Yara Rule

APIs

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 009C755D
SysFreeString.OLEAUT32(00000000), ref: 009C7726
SysFreeString.OLEAUT32(00000000), ref: 009C77C3

Strings

@, xrefs: 009C76CC
link, xrefs: 009C74F2, 009C76D4
author, xrefs: 009C749B, 009C762C
updated, xrefs: 009C7604
logo, xrefs: 009C75B0
generator, xrefs: 009C7550
entry, xrefs: 009C74D5, 009C769E
category, xrefs: 009C74B8, 009C7665
atomutil.cpp, xrefs: 009C7477, 009C77AD
title, xrefs: 009C75E8
subtitle, xrefs: 009C75CC
icon, xrefs: 009C7574
`<u, xrefs: 009C7726, 009C77C3
(, xrefs: 009C7701

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$FreeHeap$AllocateCompareProcess
String ID: ($@$`<u$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
API String ID: 1555028553-639730868
Opcode ID: 6b4e437a0c33e424114af9a793ac286b5f57741b31ad74a4cc5821fc132880fc
Instruction ID: 0353368b75a678a707e4f8470e8e7f0837e38896401c58fb49cfebe355d5c011
Opcode Fuzzy Hash: 6b4e437a0c33e424114af9a793ac286b5f57741b31ad74a4cc5821fc132880fc
Instruction Fuzzy Hash: C8B16E31D4821ABBDB119BE4CD42FAEBA78AB14720F204759F521A72D1D770EE10DF92

Uniqueness

Uniqueness Score: -1.00%

Function 009C710D Relevance: 47.5, APIs: 11, Strings: 16, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,009E3E78,000000FF,?,?,?), ref: 009C71D4
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 009C71F9
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 009C7219
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 009C7235
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 009C725D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 009C7279
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 009C72B2
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 009C72EB

Part of subcall function 009C6D50: SysFreeString.OLEAUT32(00000000), ref: 009C6E89
Part of subcall function 009C6D50: SysFreeString.OLEAUT32(00000000), ref: 009C6EC8

SysFreeString.OLEAUT32(00000000), ref: 009C736F
SysFreeString.OLEAUT32(00000000), ref: 009C741F

Strings

published, xrefs: 009C7227
link, xrefs: 009C7172, 009C731D
updated, xrefs: 009C724F
author, xrefs: 009C7138, 009C726B
summary, xrefs: 009C71EB
cabinet.dll, xrefs: 009C7150
feclient.dll, xrefs: 009C7206
content, xrefs: 009C72DD
category, xrefs: 009C7155, 009C72A4
msi.dll, xrefs: 009C7137
atomutil.cpp, xrefs: 009C740C
title, xrefs: 009C720B
clbcatq.dll, xrefs: 009C7242
`<u, xrefs: 009C736F, 009C741F
version.dll, xrefs: 009C7133
(, xrefs: 009C734A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($`<u$atomutil.cpp$author$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-2569518843
Opcode ID: f2e58eda7607f28c0e35bb67e2e2390c6ad3c0dc6cc5b8c12614c654bbabef42
Instruction ID: bab6941efa5c00fc47de46caf222a20f3404037cc9c010aa1fbc9d34bd160805
Opcode Fuzzy Hash: f2e58eda7607f28c0e35bb67e2e2390c6ad3c0dc6cc5b8c12614c654bbabef42
Instruction Fuzzy Hash: 25A17F31D48216BBDB219AE4CC41FADBB69AB04730F244759F921A61D1DB70EE10DF92

Uniqueness

Uniqueness Score: -1.00%

Function 009AD43E Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 290synchronizationprocessCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 009AD4B3
StringFromGUID2.OLE32(?,?,00000027), ref: 009AD4DC
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 009AD5C5
GetLastError.KERNEL32(?,?,?,?), ref: 009AD5CF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 009AD668
WaitForSingleObject.KERNEL32(009CB500,000000FF,?,?,?,?), ref: 009AD673
ReleaseMutex.KERNEL32(009CB500,?,?,?,?), ref: 009AD69D
GetExitCodeProcess.KERNEL32(?,?), ref: 009AD6BE
GetLastError.KERNEL32(?,?,?,?), ref: 009AD6CC
GetLastError.KERNEL32(?,?,?,?), ref: 009AD704

Part of subcall function 009AD33E: WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,?,009AD642,?), ref: 009AD357
Part of subcall function 009AD33E: ReleaseMutex.KERNEL32(?,?,?,?,009AD642,?), ref: 009AD375
Part of subcall function 009AD33E: WaitForSingleObject.KERNEL32(?,000000FF), ref: 009AD3B6
Part of subcall function 009AD33E: ReleaseMutex.KERNEL32(?), ref: 009AD3CD
Part of subcall function 009AD33E: SetEvent.KERNEL32(?), ref: 009AD3D6

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 009AD7B9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 009AD7D1

Strings

Failed to CreateProcess on path: %ls, xrefs: 009AD5FE
NetFxChainer.cpp, xrefs: 009AD4F1, 009AD5F3, 009AD6F0, 009AD728
Failed to process netfx chainer message., xrefs: 009AD648
Failed to create netfx chainer., xrefs: 009AD55E
Failed to create netfx chainer guid., xrefs: 009AD4C0
D, xrefs: 009AD5AA
Failed to wait for netfx chainer process to complete, xrefs: 009AD732
Failed to allocate event name., xrefs: 009AD53F
NetFxEvent.%ls, xrefs: 009AD52B
Failed to convert netfx chainer guid into string., xrefs: 009AD4FB
Failed to allocate section name., xrefs: 009AD51D
%ls /pipe %ls, xrefs: 009AD57F
NetFxSection.%ls, xrefs: 009AD509
Failed to allocate netfx chainer arguments., xrefs: 009AD593
Failed to get netfx return code., xrefs: 009AD6FA

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
API String ID: 1533322865-1825855094
Opcode ID: 1b50a8dc66fd5eb8a86480e55572e43e00fa6b6c331e155312152f3d1c649b26
Instruction ID: 7bc942561dfd5d1599aee4b4b22790748c3c8282455d981e51ff0d89ba0a7e92
Opcode Fuzzy Hash: 1b50a8dc66fd5eb8a86480e55572e43e00fa6b6c331e155312152f3d1c649b26
Instruction Fuzzy Hash: F5A1CF72D01228ABDB219BA4CC45FAEB7B8BF49720F104165F90AFB251E7749D408FD1

Uniqueness

Uniqueness Score: -1.00%

Function 009954DC Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 229filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,009CB500,?,00000000,?,0098452F,?,009CB500), ref: 009954FD
GetCurrentProcessId.KERNEL32(?,0098452F,?,009CB500), ref: 00995508
SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0098452F,?,009CB500), ref: 0099553F
ConnectNamedPipe.KERNEL32(?,00000000,?,0098452F,?,009CB500), ref: 00995554
GetLastError.KERNEL32(?,0098452F,?,009CB500), ref: 0099555E
Sleep.KERNEL32(00000064,?,0098452F,?,009CB500), ref: 00995593
SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0098452F,?,009CB500), ref: 009955B6
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0098452F,?,009CB500), ref: 009955D1
WriteFile.KERNEL32(?,0098452F,009CB500,00000000,00000000,?,0098452F,?,009CB500), ref: 009955EC
WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,0098452F,?,009CB500), ref: 00995607
ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,0098452F,?,009CB500), ref: 00995622
GetLastError.KERNEL32(?,0098452F,?,009CB500), ref: 0099567D
GetLastError.KERNEL32(?,0098452F,?,009CB500), ref: 009956B1
GetLastError.KERNEL32(?,0098452F,?,009CB500), ref: 009956E5
GetLastError.KERNEL32(?,0098452F,?,009CB500), ref: 00995719
GetLastError.KERNEL32(?,0098452F,?,009CB500), ref: 0099574A
GetLastError.KERNEL32(?,0098452F,?,009CB500), ref: 0099577B

Strings

crypt32.dll, xrefs: 009955CF
Failed to write secret to pipe., xrefs: 0099570F
Failed to wait for child to connect to pipe., xrefs: 00995673
Failed to read ACK from pipe., xrefs: 009956A7
Failed to write our process id to pipe., xrefs: 009956DB
Failed to reset pipe to blocking., xrefs: 00995774
Failed to write secret length to pipe., xrefs: 00995743
Failed to set pipe to non-blocking., xrefs: 009957A5
pipe.cpp, xrefs: 00995669, 0099569D, 009956D1, 00995705, 00995739, 0099576A, 0099579B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$crypt32.dll$pipe.cpp
API String ID: 2944378912-2047837012
Opcode ID: 55814ccea60334a94e469130af71e1e170e174fc16f8661d2883767826e721ad
Instruction ID: 461952b4714e8723e2dcc4571fe12fe12e088ff4c6d664ab9c047ef21c082cde
Opcode Fuzzy Hash: 55814ccea60334a94e469130af71e1e170e174fc16f8661d2883767826e721ad
Instruction Fuzzy Hash: C371C576D85635ABDF219AE98C46FAFB6ACAF04B20F134525BD00FB280D6748D0087E1

Uniqueness

Uniqueness Score: -1.00%

Function 0098A416 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0098A45A
_MREFOpen@16.MSPDB140-MSVCRT ref: 0098A480
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0098A768

Strings

Failed to clear variable., xrefs: 0098A4D8
Failed to query registry key value size., xrefs: 0098A554
Failed to query registry key value., xrefs: 0098A5DA
Failed to allocate string buffer., xrefs: 0098A667
Failed to change value type., xrefs: 0098A70F
Failed to set variable., xrefs: 0098A72B
Unsupported registry key value type. Type = '%u', xrefs: 0098A608
Failed to get expand environment string., xrefs: 0098A6DD
search.cpp, xrefs: 0098A54A, 0098A57D, 0098A5D0, 0098A6D3
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0098A740
Failed to allocate memory registry value., xrefs: 0098A587
Failed to format value string., xrefs: 0098A48B
Failed to format key string., xrefs: 0098A465
Failed to read registry value., xrefs: 0098A6F6
Failed to open registry key., xrefs: 0098A4ED
Registry key not found. Key = '%ls', xrefs: 0098A4B4
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0098A51C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: 88792813009832bc99f238b3e47e7888e37813cecf1b8aaff232a9971f2ceb3b
Instruction ID: af4dfb9f582e4dd853876b4217417ee72141772b2215ecb5d781341af568180e
Opcode Fuzzy Hash: 88792813009832bc99f238b3e47e7888e37813cecf1b8aaff232a9971f2ceb3b
Instruction Fuzzy Hash: CFA10572D00129BBEF21BAE4CC45FAEBA78AF44710F158516F901B6351E775DE00AB93

Uniqueness

Uniqueness Score: -1.00%

Function 00985770 Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 479stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,0098A8B4,00000100,000002C0,000002C0,00000100), ref: 00985795
lstrlenW.KERNEL32(000002C0,?,0098A8B4,00000100,000002C0,000002C0,00000100), ref: 0098579F
_wcschr.LIBVCRUNTIME ref: 009859A7
LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,0098A8B4,00000100,000002C0,000002C0,00000100), ref: 00985C4A

Strings

[%d], xrefs: 00985962
Failed to format placeholder string., xrefs: 00985A57
Failed to copy string., xrefs: 00985C2E
Failed to get formatted length., xrefs: 00985B92
Failed to allocate string., xrefs: 00985BC1
Failed to set record string., xrefs: 00985B60
Failed to determine variable visibility: '%ls'., xrefs: 00985A3A
Failed to format record., xrefs: 00985C0E
variable.cpp, xrefs: 009859FE, 00985A1F, 00985A78, 00985ACA, 00985B56, 00985B88, 00985C04
Failed to allocate buffer for format string., xrefs: 009857BD
Failed to set record format string., xrefs: 00985AD4
Failed to get variable name., xrefs: 00985A8C
Failed to reallocate variable array., xrefs: 00985A2C
Failed to allocate variable array., xrefs: 00985A85
*****, xrefs: 00985913
Failed to append placeholder., xrefs: 00985A4D
Failed to set variable value., xrefs: 00985A61
Failed to allocate record., xrefs: 00985A0B
Failed to append string., xrefs: 0098581B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: bfaf4b71c2ad2df722d312bbe3d62758b9cfdad9f7e331be02b7655cb3fe0b5f
Instruction ID: c4c22768fefd53772137c162f0dc248077c74bf71749078c3c79c6367dc7ff50
Opcode Fuzzy Hash: bfaf4b71c2ad2df722d312bbe3d62758b9cfdad9f7e331be02b7655cb3fe0b5f
Instruction Fuzzy Hash: D6F18771D01619EBCB11EFA58841FAF7BA8EB44B60F16852AFD05A7340D7349E05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009ACE81 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 240synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,009AD558,?,?,?), ref: 009ACEC7
GetLastError.KERNEL32(?,?,009AD558,?,?,?), ref: 009ACED4
ReleaseMutex.KERNEL32(?), ref: 009AD13C

Strings

Failed to create event: %ls, xrefs: 009ACF67
%ls_send, xrefs: 009ACF06
NetFxChainer.cpp, xrefs: 009ACEA3, 009ACEF5, 009ACF5A, 009ACFC9, 009AD01B, 009AD063
failed to allocate memory for mutex name, xrefs: 009ACF89
Failed to create mutex: %ls, xrefs: 009ACFD6
Failed to allocate memory for NetFxChainer struct., xrefs: 009ACEAD
Failed to MapViewOfFile for %ls., xrefs: 009AD070
failed to copy event name to shared memory structure., xrefs: 009AD09A
failed to allocate memory for event name, xrefs: 009ACF1A
%ls_mutex, xrefs: 009ACF75
Failed to memory map cabinet file: %ls, xrefs: 009AD028

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2991465304
Opcode ID: 27d01f3d9a10e158711c01a025b8c6e185d723a03b8e3da1223618a3f795d8ad
Instruction ID: 766d669c73cfe071c50890d3e4443ab07ac314c172ed0adc709b07f69d1c4de9
Opcode Fuzzy Hash: 27d01f3d9a10e158711c01a025b8c6e185d723a03b8e3da1223618a3f795d8ad
Instruction Fuzzy Hash: 498148B6A45736FBC7229B668C09F5ABAA8FF46720F114114FD14AB341E774DD40CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 0098EA42 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 231COMMON

Download Yara Rule

APIs

Part of subcall function 009C32F3: VariantInit.OLEAUT32(?), ref: 009C3309
Part of subcall function 009C32F3: SysAllocString.OLEAUT32(?), ref: 009C3325
Part of subcall function 009C32F3: VariantClear.OLEAUT32(?), ref: 009C33AC
Part of subcall function 009C32F3: SysFreeString.OLEAUT32(00000000), ref: 009C33B7

CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,009CCA9C,?,?,Action,?,?,?,00000000,00985445), ref: 0098EB13
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 0098EB5D

Strings

Failed to get @Id., xrefs: 0098EC62
Failed to resize Addon code array in registration, xrefs: 0098EC3C
cabinet.dll, xrefs: 0098EBBA
Addon, xrefs: 0098EB9A
Invalid value for @Action: %ls, xrefs: 0098EC52
Failed to get RelatedBundle nodes, xrefs: 0098EA72
Failed to get @Action., xrefs: 0098EC69
comres.dll, xrefs: 0098EB26
Detect, xrefs: 0098EB04
Action, xrefs: 0098EAD0
Failed to get next RelatedBundle element., xrefs: 0098EC70
Failed to resize Upgrade code array in registration, xrefs: 0098EC35
Upgrade, xrefs: 0098EB50
Failed to resize Detect code array in registration, xrefs: 0098EC2E
RelatedBundle, xrefs: 0098EA50
version.dll, xrefs: 0098EB70
Failed to get RelatedBundle element count., xrefs: 0098EA97
Failed to resize Patch code array in registration, xrefs: 0098EC43
Patch, xrefs: 0098EBDD

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$CompareVariant$AllocClearFreeInit
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
API String ID: 702752599-259800149
Opcode ID: 5ddefb4a5103e5260f81ee87f2b50c56b39569f0c25b3e0b7219cb0c866796bc
Instruction ID: 33e8f3ff5760b74b46d21dbf592ccd99300844d85c5c35d31002d6709e193335
Opcode Fuzzy Hash: 5ddefb4a5103e5260f81ee87f2b50c56b39569f0c25b3e0b7219cb0c866796bc
Instruction Fuzzy Hash: 9E71AF31E4462ABBCB14EF94CD55EAEB7B4FB44724F208259E952A73C1D734AE01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009946DC Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 185fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,00994BF5,009CB4E8,?,feclient.dll,00000000,?,?), ref: 009946F3
ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,00994BF5,009CB4E8,?,feclient.dll,00000000,?,?), ref: 00994714
GetLastError.KERNEL32(?,00994BF5,009CB4E8,?,feclient.dll,00000000,?,?), ref: 0099471A
ReadFile.KERNEL32(feclient.dll,00000000,009CB518,?,00000000,00000000,009CB519,?,00994BF5,009CB4E8,?,feclient.dll,00000000,?,?), ref: 009947A8
GetLastError.KERNEL32(?,00994BF5,009CB4E8,?,feclient.dll,00000000,?,?), ref: 009947AE

Strings

Verification secret from parent does not match., xrefs: 00994816
Verification secret from parent is too big., xrefs: 00994775
msasn1.dll, xrefs: 0099482B
Failed to read size of verification secret from parent pipe., xrefs: 00994748
Failed to read verification secret from parent pipe., xrefs: 009947DC
Verification process id from parent does not match., xrefs: 009948FD
feclient.dll, xrefs: 009946E2, 00994712, 00994713, 009947A7, 0099482C, 00994882
Failed to read verification process id from parent pipe., xrefs: 00994861
Failed to inform parent process that child is running., xrefs: 009948BB
Failed to allocate buffer for verification secret., xrefs: 00994791
pipe.cpp, xrefs: 0099473E, 00994769, 009947D2, 0099480A, 00994857, 009948B1, 009948F1

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastRead$CurrentProcess
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
API String ID: 1233551569-452622383
Opcode ID: 27a40335e5e925aedc1c8f99f3f43150d6ecabfc30dd4695b55121f6b67b4c7a
Instruction ID: 747c663a345964392be1199245917af92632a0eece812ee0b289e17a0fff8632
Opcode Fuzzy Hash: 27a40335e5e925aedc1c8f99f3f43150d6ecabfc30dd4695b55121f6b67b4c7a
Instruction Fuzzy Hash: 5751F636D84229B7DF229BDA8C42F7F766CAB45B20F114625FE10BB280D7749D0197E1

Uniqueness

Uniqueness Score: -1.00%

Function 00988F72 Relevance: 35.4, APIs: 8, Strings: 12, Instructions: 430COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,56009CDB,00000001,?,00989946,?,00000000,00000000,?,?,0098992E,?,?,00000000,?), ref: 00988FB2

Strings

AND, xrefs: 009892BC
Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 00989408
NOT, xrefs: 009892DB
Failed to set symbol value., xrefs: 00989060
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00989098
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 009893C4
Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 00989242
condition.cpp, xrefs: 00989084, 0098914E, 009891CA, 0098922E, 0098936C, 009893B0, 009893F4
-, xrefs: 00989118
Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 00989162
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 009891DE
Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 00989380

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: StringType
String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
API String ID: 4177115715-3594736606
Opcode ID: 1e499406b4bc5ac42fe4d231fff4c13e405e2243bd7f318667564e3b6a414b7c
Instruction ID: c4c77375fa42764a2af96242a9598687f232bbe49d0b2b0ef8457789d96c704b
Opcode Fuzzy Hash: 1e499406b4bc5ac42fe4d231fff4c13e405e2243bd7f318667564e3b6a414b7c
Instruction Fuzzy Hash: 4AF13571904211FFDB24EF68C889FBA7BA8FB04704F18455AF9159A794C3B9DA91CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 009A1BB1 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 009A1CB8
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 009A1CD6

Strings

Invalid exit code type: %ls, xrefs: 009A1DA7
Failed to get @Type., xrefs: 009A1DB7
Failed to get @Code., xrefs: 009A1D98
Failed to get exit code node count., xrefs: 009A1C03
Type, xrefs: 009A1C90
Failed to allocate memory for exit code structs., xrefs: 009A1C43
Failed to select exit code nodes., xrefs: 009A1BDE
Failed to parse @Code value: %ls, xrefs: 009A1D91
Code, xrefs: 009A1D25
forceReboot, xrefs: 009A1D03
Failed to get next node., xrefs: 009A1DBE
scheduleReboot, xrefs: 009A1CE5
ExitCode, xrefs: 009A1BBF
exeengine.cpp, xrefs: 009A1C39
error, xrefs: 009A1CC9
success, xrefs: 009A1CA9

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$error$exeengine.cpp$forceReboot$scheduleReboot$success
API String ID: 2664528157-1714101571
Opcode ID: c1a71a0bd0446ff3330f11de38e67ded887bbedb537e5804c40b58db1bc54c53
Instruction ID: 6b839441fe19fe046af865fc72c68eae8dc2c58cfa5ee97b7f58d865ceca98c3
Opcode Fuzzy Hash: c1a71a0bd0446ff3330f11de38e67ded887bbedb537e5804c40b58db1bc54c53
Instruction Fuzzy Hash: D861B331D4521AFBCB109B94CC41FAEBBA9EF86724F218659F425AB2D0DB709E00D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 009C77F7 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 206COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 009C7857
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 009C787C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 009C789C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 009C78CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 009C78EB
SysFreeString.OLEAUT32(00000000), ref: 009C7916
SysFreeString.OLEAUT32(00000000), ref: 009C798D
SysFreeString.OLEAUT32(00000000), ref: 009C79D9

Strings

msi.dll, xrefs: 009C7975
type, xrefs: 009C78DD
length, xrefs: 009C788E
title, xrefs: 009C78C1
msasn1.dll, xrefs: 009C79C7
feclient.dll, xrefs: 009C7889
rel, xrefs: 009C784A
href, xrefs: 009C786E
`<u, xrefs: 009C7916, 009C798D, 009C79D9
version.dll, xrefs: 009C78FA
comres.dll, xrefs: 009C78A6

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$Compare$Free
String ID: `<u$comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
API String ID: 318886736-782967201
Opcode ID: bd5dff7f1942c14f58a0984b637256083c10f5b332b142c67f71a6c9b384d8f9
Instruction ID: e0dacf7a2216e919576d210dd5d8de81956b3e196b0dbefee22cca18bc57dd56
Opcode Fuzzy Hash: bd5dff7f1942c14f58a0984b637256083c10f5b332b142c67f71a6c9b384d8f9
Instruction Fuzzy Hash: 3E612E71D09219BBDB15DBD4CC45FAEFBB9AF08320F2046A9E521A71A0D731AE10DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00996BCA Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 351synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0098D4A8: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00997040,000000B8,00000000,?,00000000,75C0B390), ref: 0098D4B7
Part of subcall function 0098D4A8: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0098D4C6
Part of subcall function 0098D4A8: LeaveCriticalSection.KERNEL32(000000D0,?,00997040,000000B8,00000000,?,00000000,75C0B390), ref: 0098D4DB

CreateThread.KERNEL32(00000000,00000000,009957BD,?,00000000,00000000), ref: 00996E34
GetLastError.KERNEL32(?,?,?,?,?,?,?,00984522,?,009CB500,?,00984846,?,?), ref: 00996E43
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00984522,?,009CB500,?,00984846,?,?), ref: 00996EA0
ReleaseMutex.KERNEL32(00000000,?,00000000,?,00000000,00000001,00000000), ref: 00996F92
CloseHandle.KERNEL32(00000000), ref: 00996F9B
CloseHandle.KERNEL32(crypt32.dll,?,00000000,?,00000000,00000001,00000000), ref: 00996FB5

Part of subcall function 009ABD05: SetThreadExecutionState.KERNEL32(80000001), ref: 009ABD0A

Strings

crypt32.dll, xrefs: 00996ECD, 00996EE7, 00996FB4
Failed to set initial apply variables., xrefs: 00996D02
Another per-user setup is already executing., xrefs: 00996CD8
Failed to create cache thread., xrefs: 00996E71
Failed to cache engine to working directory., xrefs: 00996D71
Failed to register bundle., xrefs: 00996DEE
Failed to elevate., xrefs: 00996D94
Another per-machine setup is already executing., xrefs: 00996DC8
core.cpp, xrefs: 00996C8A, 00996E67
Failed while caching, aborting execution., xrefs: 00996E98
Engine cannot start apply because it is busy with another action., xrefs: 00996C28
UX aborted apply begin., xrefs: 00996C94

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseHandle$CriticalSectionThread$CompareCreateEnterErrorExchangeExecutionInterlockedLastLeaveMutexReleaseState
String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$core.cpp$crypt32.dll
API String ID: 2169948125-4292671789
Opcode ID: 426315295174b61ebd7d38414fa7396af12e44276315ec659dd6f9d66a7d2ee5
Instruction ID: ced74e21460dc69716ff1cb8ccf72d83f4843bd4650cd4a3a368bab85c298b3f
Opcode Fuzzy Hash: 426315295174b61ebd7d38414fa7396af12e44276315ec659dd6f9d66a7d2ee5
Instruction Fuzzy Hash: 75C1B172900219EBDF119FA8CC85BEE77ACEF44715F14417AFD09AE282DB749940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009C8134 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 309COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 009C8161
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 009C817C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 009C821F
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,009CB518,00000000), ref: 009C825E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 009C82B1
CompareStringW.KERNEL32(0000007F,00000000,009CB518,000000FF,true,000000FF), ref: 009C82CF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 009C8307
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 009C844B

Strings

type, xrefs: 009C81A7
true, xrefs: 009C82C1
upgrade, xrefs: 009C8211
enclosure, xrefs: 009C8439
http://appsyndication.org/2006/appsyn, xrefs: 009C8154
exclusive, xrefs: 009C82A3
apuputil.cpp, xrefs: 009C836E
version, xrefs: 009C8250, 009C82F9
application, xrefs: 009C816E

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareString
String ID: application$apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3037633208
Opcode ID: 2f775294b2a1f96edcbdc250a8c61bad9f95ecf2510a3330fa68d2bb01f98e3a
Instruction ID: 3795d30441e9b034f101ce6218c2a56f327dcf5927028ed993c5b3cc7a0c6618
Opcode Fuzzy Hash: 2f775294b2a1f96edcbdc250a8c61bad9f95ecf2510a3330fa68d2bb01f98e3a
Instruction Fuzzy Hash: 1AB19031A08206ABCB219F54CC85F5B7BBABB44770F254618F975EB2E1DB70E941CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0099E3C8 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 146registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0099E2AF: LoadBitmapW.USER32(?,00000001), ref: 0099E2E5
Part of subcall function 0099E2AF: GetLastError.KERNEL32 ref: 0099E2F1

LoadCursorW.USER32(00000000,00007F00), ref: 0099E429
RegisterClassW.USER32(?), ref: 0099E43D
GetLastError.KERNEL32 ref: 0099E448
UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 0099E54D
DeleteObject.GDI32(00000000), ref: 0099E55C

Strings

WixBurnSplashScreen, xrefs: 0099E436, 0099E548
Unexpected return value from message pump., xrefs: 0099E537
Failed to create window., xrefs: 0099E4DF
Failed to register window., xrefs: 0099E476
splashscreen.cpp, xrefs: 0099E46C, 0099E4D5
Failed to load splash screen., xrefs: 0099E401

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
API String ID: 164797020-2188509422
Opcode ID: 01598deaf23c1b3bb71938ebeaf6914eb40245ce89878f2e2b7544665d56cd20
Instruction ID: 1ebc321e990b6cbe31fc0bea371fbf1f6d979b39018a747400b693ac48485e19
Opcode Fuzzy Hash: 01598deaf23c1b3bb71938ebeaf6914eb40245ce89878f2e2b7544665d56cd20
Instruction Fuzzy Hash: A941C472954219BFDF11EBE8DD09EAEBBB9FF04714F114125FA01B6190E7309D009BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009A9DE1 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 233threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,00000000,?,009ABC85,00000001), ref: 009A9E46
GetLastError.KERNEL32(?,009ABC85,00000001), ref: 009A9FB6
GetExitCodeThread.KERNEL32(00000001,00000000,?,009ABC85,00000001), ref: 009A9FF6
GetLastError.KERNEL32(?,009ABC85,00000001), ref: 009AA000

Strings

Failed to execute MSI package., xrefs: 009A9EA6
Failed to execute MSP package., xrefs: 009A9ECB
Failed to execute dependency action., xrefs: 009A9F36
Failed to get cache thread exit code., xrefs: 009AA031
apply.cpp, xrefs: 009A9FDD, 009AA027
Invalid execute action., xrefs: 009AA056
Failed to execute compatible package action., xrefs: 009A9F73
Failed to execute EXE package., xrefs: 009A9E7D
Failed to execute package provider registration action., xrefs: 009A9F17
Failed to execute MSU package., xrefs: 009A9EFB
Cache thread exited unexpectedly., xrefs: 009AA047
Failed to load compatible package on per-machine package., xrefs: 009A9F5C
Failed to wait for cache check-point., xrefs: 009A9FE7

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
API String ID: 3703294532-2662572847
Opcode ID: 8f285e9a3b9b718aa97cf60ef8755791550e0ab52ead7723fbb73a1038852ec2
Instruction ID: e1b2c4ae58f0fdf662f832e01bff9c41c604b5e22446befa40eb6988b76d3ef6
Opcode Fuzzy Hash: 8f285e9a3b9b718aa97cf60ef8755791550e0ab52ead7723fbb73a1038852ec2
Instruction Fuzzy Hash: 37716E71A41229EFDB10DF54C941EBE7BB8FB86754F20856AF905EB240D3349E009BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0098F210 Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 183registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C3AF1: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 009C3B3E

RegCloseKey.ADVAPI32(00000000,?,009D0D10,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 0098F440

Part of subcall function 009C14A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,0098F28D,009D0D10,Resume,00000005,?,00000000,00000000,00000000), ref: 009C14BB

Strings

burn.runonce, xrefs: 0098F2DA
BundleResumeCommandLine, xrefs: 0098F348, 0098F3DB
Failed to format resume command line for RunOnce., xrefs: 0098F2F9
Failed to write Resume value., xrefs: 0098F293
Installed, xrefs: 0098F2A5
Failed to create run key., xrefs: 0098F31D
Failed to write Installed value., xrefs: 0098F2B6
Failed to write resume command line value., xrefs: 0098F35D
Resume, xrefs: 0098F282
Failed to delete resume command line value., xrefs: 0098F41C
registration.cpp, xrefs: 0098F3C4, 0098F412
Failed to delete run key value., xrefs: 0098F3CE
"%ls" /%ls, xrefs: 0098F2E5
Failed to write run key value., xrefs: 0098F33B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseValueVersion
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$registration.cpp
API String ID: 2348918689-2631711097
Opcode ID: 3948026007629632d63a3f07a01729c6ed80f992d237daf498274aaf8bc866d4
Instruction ID: d19e1c57c1d7ef7bce129777217343575df5b44de5e50387db1ca8b006d0b0d8
Opcode Fuzzy Hash: 3948026007629632d63a3f07a01729c6ed80f992d237daf498274aaf8bc866d4
Instruction Fuzzy Hash: 5251F432D8032ABBCF25BAA4CC16FAEB668AB80754F11953BF901B7361D774991097C1

Uniqueness

Uniqueness Score: -1.00%

Function 009ACC91 Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 174processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(74DE8FB0,00000002,00000000), ref: 009ACC9D

Part of subcall function 00994D8D: UuidCreate.RPCRT4(?), ref: 00994DC0

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,009A2401,?,?,00000000,?,?,?), ref: 009ACD7B
GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 009ACD85
GetProcessId.KERNEL32(009A2401,?,?,00000000,?,?,?,?), ref: 009ACDBD

Part of subcall function 009954DC: lstrlenW.KERNEL32(?,?,00000000,?,009CB500,?,00000000,?,0098452F,?,009CB500), ref: 009954FD
Part of subcall function 009954DC: GetCurrentProcessId.KERNEL32(?,0098452F,?,009CB500), ref: 00995508
Part of subcall function 009954DC: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,0098452F,?,009CB500), ref: 0099553F
Part of subcall function 009954DC: ConnectNamedPipe.KERNEL32(?,00000000,?,0098452F,?,009CB500), ref: 00995554
Part of subcall function 009954DC: GetLastError.KERNEL32(?,0098452F,?,009CB500), ref: 0099555E
Part of subcall function 009954DC: Sleep.KERNEL32(00000064,?,0098452F,?,009CB500), ref: 00995593
Part of subcall function 009954DC: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,0098452F,?,009CB500), ref: 009955B6
Part of subcall function 009954DC: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,0098452F,?,009CB500), ref: 009955D1
Part of subcall function 009954DC: WriteFile.KERNEL32(?,0098452F,009CB500,00000000,00000000,?,0098452F,?,009CB500), ref: 009955EC
Part of subcall function 009954DC: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,0098452F,?,009CB500), ref: 00995607

Part of subcall function 009C0A28: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00984F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 009C0A38
Part of subcall function 009C0A28: GetLastError.KERNEL32(?,?,00984F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 009C0A46

CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,009ACBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 009ACE41
CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,009ACBEF,?,?,?,?,?,00000000,?,?,?,?), ref: 009ACE50
CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,009ACBEF,?,?,?,?,?,00000000,?,?,?), ref: 009ACE67

Strings

Failed to process messages from embedded message., xrefs: 009ACE04
Failed to create embedded process at path: %ls, xrefs: 009ACDB3
Failed to create embedded pipe., xrefs: 009ACD27
Failed to wait for embedded process to connect to pipe., xrefs: 009ACDDF
Failed to wait for embedded executable: %ls, xrefs: 009ACE24
embedded.cpp, xrefs: 009ACDA6
%ls -%ls %ls %ls %u, xrefs: 009ACD40
Failed to create embedded pipe name and client token., xrefs: 009ACD00
Failed to allocate embedded command., xrefs: 009ACD54
burn.embedded, xrefs: 009ACD38

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$embedded.cpp
API String ID: 875070380-3803182736
Opcode ID: 702b91999bbd2e1ed9585feb1a02738e8e44ebf085ef30a83f8505a57d3b0700
Instruction ID: 281b91a8b5a84d0fa589d294cba58d57618e44270aa56fc72ad235a1c459caf5
Opcode Fuzzy Hash: 702b91999bbd2e1ed9585feb1a02738e8e44ebf085ef30a83f8505a57d3b0700
Instruction Fuzzy Hash: F2516FB2D4022DBBDF12AB94DC06FDEBBB8AF48711F110121FA04BA290D7759E409BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0098ECBE Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 173COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0098EE4C

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

SysFreeString.OLEAUT32(?), ref: 0098EE04

Strings

Failed to convert SoftwareTag text to UTF-8, xrefs: 0098EE81
Failed to get @Regid., xrefs: 0098EE9F
Failed to get software tag count., xrefs: 0098ED13
SoftwareTag, xrefs: 0098ECCD
Path, xrefs: 0098EDB2
Regid, xrefs: 0098ED9A
Failed to get @Path., xrefs: 0098EE95
Failed to get @Filename., xrefs: 0098EEA9
Failed to get SoftwareTag text., xrefs: 0098EE8B
Failed to get next node., xrefs: 0098EEB3
registration.cpp, xrefs: 0098ED41
Failed to allocate memory for software tag structs., xrefs: 0098ED4B
Failed to select software tag nodes., xrefs: 0098ECEE
`<u, xrefs: 0098EE04, 0098EE4C
Filename, xrefs: 0098ED7F

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$`<u$registration.cpp
API String ID: 336948655-956346883
Opcode ID: cea20c45356bb86e66f70949f1da594725c58b872c0532d6c6800d8a0c1b56f7
Instruction ID: 98ec5b7deb74e80da79d6691048071963bb8795ba2097c0c0f0224f83c435903
Opcode Fuzzy Hash: cea20c45356bb86e66f70949f1da594725c58b872c0532d6c6800d8a0c1b56f7
Instruction Fuzzy Hash: F9517136E4162AFBCB11AF98C8A1FAEB7A8BF44714B108569E915AB351C770DE008790

Uniqueness

Uniqueness Score: -1.00%

Function 009C7F7E Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,009C8468,00000001,?), ref: 009C7F9E
CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,009C8468,00000001,?), ref: 009C7FB9
CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,009C8468,00000001,?), ref: 009C7FD4
CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,009C8468,00000001,?), ref: 009C8040
CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,009C8468,00000001,?), ref: 009C8064
CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,009C8468,00000001,?), ref: 009C8088
CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,009C8468,00000001,?), ref: 009C80A8
lstrlenW.KERNEL32(006C0064,?,009C8468,00000001,?), ref: 009C80C3

Strings

msi.dll, xrefs: 009C7F98
sha256, xrefs: 009C809F
md5, xrefs: 009C805B
name, xrefs: 009C7FCB
algorithm, xrefs: 009C8037
sha1, xrefs: 009C807F
http://appsyndication.org/2006/appsyn, xrefs: 009C7F91
apuputil.cpp, xrefs: 009C80DB
digest, xrefs: 009C7FB0

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: algorithm$apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
API String ID: 1657112622-2492263259
Opcode ID: 22c937327041e65e32c76971236f19c49f7a9fdf5ac536fcd21fd1b574aa6f09
Instruction ID: 8308a07b145f212a8860ff73f6d03f21b2a9d7963f3e989a7149abf405f430a5
Opcode Fuzzy Hash: 22c937327041e65e32c76971236f19c49f7a9fdf5ac536fcd21fd1b574aa6f09
Instruction Fuzzy Hash: 5751B531A4C212BBDB219F55CC86F66BA65AB15730F304718F634AF2D1CBA5EC408B91

Uniqueness

Uniqueness Score: -1.00%

Function 0098A03E Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 215COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0098A0B6

Strings

MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0098A24F
Unsupported product search type: %u, xrefs: 0098A07E
Failed to change value type., xrefs: 0098A21D
VersionString, xrefs: 0098A0A6, 0098A131, 0098A147, 0098A15B, 0098A174, 0098A188
Failed to set variable., xrefs: 0098A23C
Failed to enumerate related products for upgrade code., xrefs: 0098A0F1
Language, xrefs: 0098A09F
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 0098A175
Failed to copy upgrade code., xrefs: 0098A116
Product or related product not found: %ls, xrefs: 0098A1A1
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 0098A148
Failed to get product info., xrefs: 0098A1E3
AssignmentType, xrefs: 0098A091
Failed to format GUID string., xrefs: 0098A0C1
State, xrefs: 0098A098

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: 1cc637e4b8f409969709e101db890894987c18e0bd9c9d00a6c66886e3928ff4
Instruction ID: 42f165fdcaa1d517c2401705113de45ae87e619a5c6a96f39e7c9c70314873f2
Opcode Fuzzy Hash: 1cc637e4b8f409969709e101db890894987c18e0bd9c9d00a6c66886e3928ff4
Instruction Fuzzy Hash: 1A61C432D40118FBEB21BE98CD49FAE7B68AB85714F10015AF915BB351D236DF009793

Uniqueness

Uniqueness Score: -1.00%

Function 00994B2A Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 158sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 00994B84
GetLastError.KERNEL32 ref: 00994B92
Sleep.KERNEL32(00000064), ref: 00994BB6

Strings

Failed to allocate name of parent cache pipe., xrefs: 00994C2B
Failed to allocate name of parent pipe., xrefs: 00994B50
\\.\pipe\%ls.Cache, xrefs: 00994C17
feclient.dll, xrefs: 00994BE9, 00994C84, 00994C98, 00994CDC
Failed to open parent pipe: %ls, xrefs: 00994BDC
Failed to open companion process with PID: %u, xrefs: 00994CDE
Failed to verify parent pipe: %ls, xrefs: 00994BFE
\\.\pipe\%ls, xrefs: 00994B3C
pipe.cpp, xrefs: 00994BCF, 00994CD2

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$feclient.dll$pipe.cpp
API String ID: 408151869-3212458075
Opcode ID: 403d18d1fdda417b039e2691c46328631605c1e2467827b7bcc52bf9f9cc35c7
Instruction ID: c74649921658b55933134de98ba00c791c69e29e0ebcb3a8d9d3f8a797474ed0
Opcode Fuzzy Hash: 403d18d1fdda417b039e2691c46328631605c1e2467827b7bcc52bf9f9cc35c7
Instruction Fuzzy Hash: 2E414836D86636BFDF2356E88D06F9E7A68AF10720F114221FE40BB290E775DD019AD4

Uniqueness

Uniqueness Score: -1.00%

Function 0098F585 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 152registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,009904DF,InstallerVersion,InstallerVersion,00000000,009904DF,InstallerName,InstallerName,00000000,009904DF,Date,InstalledDate,00000000,009904DF,LogonUser), ref: 0098F733

Part of subcall function 009C14F4: RegSetValueExW.ADVAPI32(00020006,009D0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0098F335,00000000,?,00020006), ref: 009C1527

Strings

LogonUser, xrefs: 0098F6A9
Failed to get the formatted key path for update registration., xrefs: 0098F5A7
InstalledDate, xrefs: 0098F6C4, 0098F6DD
PublishingGroup, xrefs: 0098F667, 0098F67A
InstalledBy, xrefs: 0098F6A4, 0098F6BD
Date, xrefs: 0098F6C9
PackageVersion, xrefs: 0098F61F, 0098F632
InstallerName, xrefs: 0098F6E4, 0098F6E9, 0098F6EA, 0098F6FA
ThisVersionInstalled, xrefs: 0098F5DF, 0098F5F2
ReleaseType, xrefs: 0098F68A, 0098F68F, 0098F69E
InstallerVersion, xrefs: 0098F701, 0098F706, 0098F707, 0098F717
Publisher, xrefs: 0098F63F, 0098F652
PackageName, xrefs: 0098F5FF, 0098F612
Failed to create the key for update registration., xrefs: 0098F5D3
Failed to write %ls value., xrefs: 0098F71C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
API String ID: 3132538880-2703781546
Opcode ID: 774eca7b75862101ebe5c39f39f6285908773e922e8c42da400e732c553df425
Instruction ID: 53ce091e55f8980bad2e2ce008150e1198e3e02b0699352e80dc3629ecf52bee
Opcode Fuzzy Hash: 774eca7b75862101ebe5c39f39f6285908773e922e8c42da400e732c553df425
Instruction Fuzzy Hash: A8412732E84669B7DF22B650CD22FAE7A249FA1B18F144175F800F7362D7709E10A395

Uniqueness

Uniqueness Score: -1.00%

Function 0099E7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 0099E7FF
RegisterClassW.USER32(?), ref: 0099E82B
GetLastError.KERNEL32 ref: 0099E836
CreateWindowExW.USER32(00000080,009D9E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 0099E89D
GetLastError.KERNEL32 ref: 0099E8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 0099E945

Strings

WixBurnMessageWindow, xrefs: 0099E824, 0099E940
Unexpected return value from message pump., xrefs: 0099E930
Failed to create window., xrefs: 0099E8D5
uithread.cpp, xrefs: 0099E85A, 0099E8CB
Failed to register window., xrefs: 0099E864

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 0470278697c674af949554fa696e2ecaddec6a3c9797f5db53e6ba1632cf8745
Instruction ID: e79a24afda0704c91498b8a49a6b17426616710426736509ae5e6e66aafd18a4
Opcode Fuzzy Hash: 0470278697c674af949554fa696e2ecaddec6a3c9797f5db53e6ba1632cf8745
Instruction Fuzzy Hash: 6C41A372D41215ABCF20DBE9DC45FDEBFB8EF08760F104126F915AB280D73199409BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009AC774 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 272COMMON

Download Yara Rule

Strings

Failed to copy key for passthrough pseudo bundle., xrefs: 009AC988
Failed to copy related arguments for passthrough bundle package, xrefs: 009ACA82
Failed to allocate memory for pseudo bundle payload hash., xrefs: 009AC9AD
Failed to copy download source for passthrough pseudo bundle., xrefs: 009AC98F
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 009ACAAC
Failed to copy filename for passthrough pseudo bundle., xrefs: 009AC9BE
Failed to recreate command-line arguments., xrefs: 009ACA43
Failed to copy install arguments for passthrough bundle package, xrefs: 009ACA62
Failed to copy cache id for passthrough pseudo bundle., xrefs: 009ACA05
pseudobundle.cpp, xrefs: 009AC7A8, 009AC9A1, 009AC9DB
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 009AC7B4
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 009AC9E7
Failed to copy key for passthrough pseudo bundle payload., xrefs: 009AC9C5
Failed to copy local source path for passthrough pseudo bundle., xrefs: 009AC9B7

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
API String ID: 1357844191-115096447
Opcode ID: 89d803cbcc02d628ba936f71ace11ad386a13bb731b312cdf8524f94795373fe
Instruction ID: da0d2c9de9170db50f00a8fef17dc323cc6a8e91f12e5bfaef44d0758739b82b
Opcode Fuzzy Hash: 89d803cbcc02d628ba936f71ace11ad386a13bb731b312cdf8524f94795373fe
Instruction Fuzzy Hash: F1B178B5A04606EFCB12DF68C881F56BBA5BF89710F118169ED19AF351CB71E811DBC0

Uniqueness

Uniqueness Score: -1.00%

Function 009ADE46 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 204stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,0000002C,?,?,00000000), ref: 009ADE61

Strings

Falied to start BITS job., xrefs: 009AE019
Failed to complete BITS job., xrefs: 009AE00B
Failed to set credentials for BITS job., xrefs: 009ADF0F
Failed to initialize BITS job callback., xrefs: 009ADF82
bitsengine.cpp, xrefs: 009ADE77, 009ADF6A
Failed to add file to BITS job., xrefs: 009ADF2E
Failed to create BITS job callback., xrefs: 009ADF74
Invalid BITS engine URL: %ls, xrefs: 009ADE83
Failed to create BITS job., xrefs: 009ADEF0
Failed to download BITS job., xrefs: 009ADFF8
Failed to set callback interface for BITS job., xrefs: 009ADF99
Failed while waiting for BITS download., xrefs: 009AE012
Failed to copy download URL., xrefs: 009ADEA8

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
API String ID: 1659193697-2382896028
Opcode ID: aabdc454bc1570d5bba7e1a4801922919f5ec5dbb5d4b77ad4eb53cacc283130
Instruction ID: 6f54b15df44f694c63d864c5bd77ae62780cab533925b0054654fa73195bb797
Opcode Fuzzy Hash: aabdc454bc1570d5bba7e1a4801922919f5ec5dbb5d4b77ad4eb53cacc283130
Instruction Fuzzy Hash: 58611731A05225EFCB129F94C885E6E7BB8EF8AB20B214155FC05AF251D7B5DD409BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0098BC93 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 190processCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0098BCE5
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 0098BDF2
GetLastError.KERNEL32(?,?,?,?), ref: 0098BDFC
WaitForInputIdle.USER32(?,?), ref: 0098BE50
CloseHandle.KERNEL32(?,?,?), ref: 0098BE9B
CloseHandle.KERNEL32(?,?,?), ref: 0098BEA8

Strings

Failed to CreateProcess on path: %ls, xrefs: 0098BE2D
Failed to format obfuscated argument string., xrefs: 0098BD3C
D, xrefs: 0098BDD1
Failed to format argument string., xrefs: 0098BCF0
"%ls" %s, xrefs: 0098BD0B, 0098BD4C
"%ls", xrefs: 0098BD62, 0098BD7C
Failed to create executable command., xrefs: 0098BD1F
Failed to create obfuscated executable command., xrefs: 0098BD90
approvedexe.cpp, xrefs: 0098BE20

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$approvedexe.cpp
API String ID: 155678114-2737401750
Opcode ID: 8a18d1753a61ff54b05257c0ff5fe12ba13ed018a0b1c26234cd0f98cd1a75da
Instruction ID: 9a546324d05a8fb4965ed9e16514f9c231cda8e47b590832264c0d08344b8ed4
Opcode Fuzzy Hash: 8a18d1753a61ff54b05257c0ff5fe12ba13ed018a0b1c26234cd0f98cd1a75da
Instruction Fuzzy Hash: 19516D72D0061ABFCF11AFD0CC42EEEBB79BF44350B18456AFA14B6261D7319E509B91

Uniqueness

Uniqueness Score: -1.00%

Function 009A69D2 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 153serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,009A6F28,?), ref: 009A6A0B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,009A6F28,?,?,?), ref: 009A6A18
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,009A6F28,?,?,?), ref: 009A6A60
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,009A6F28,?,?,?), ref: 009A6A6C
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,009A6F28,?,?,?), ref: 009A6AA6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,009A6F28,?,?,?), ref: 009A6AB0
CloseServiceHandle.ADVAPI32(00000000), ref: 009A6B67
CloseServiceHandle.ADVAPI32(?), ref: 009A6B71

Strings

Failed to query status of WU service., xrefs: 009A6ADE
Failed to open WU service., xrefs: 009A6A9A
wuauserv, xrefs: 009A6A5A
msuengine.cpp, xrefs: 009A6A3C, 009A6A90, 009A6AD4
Failed to read configuration for WU service., xrefs: 009A6B17
Failed to open service control manager., xrefs: 009A6A46
Failed to mark WU service to start on demand., xrefs: 009A6B38

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
API String ID: 971853308-301359130
Opcode ID: 53740895a58478a402358be2617c728fced914a958181ac695281da06743db8d
Instruction ID: e55ea9340db0b9a880d9e7ce09a25e4247599de119ac1666327eba6a5f93df08
Opcode Fuzzy Hash: 53740895a58478a402358be2617c728fced914a958181ac695281da06743db8d
Instruction Fuzzy Hash: F141C676E85329ABD721DFA58C45EAEB7A8AB45710F198425FD01FB241D774DC0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 0098A28B Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0098A2B3
_MREFOpen@16.MSPDB140-MSVCRT ref: 0098A30E
RegQueryValueExW.ADVAPI32(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 0098A32F
RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 0098A405

Strings

Failed to open registry key. Key = '%ls', xrefs: 0098A3C7
Failed to query registry key value., xrefs: 0098A36A
Failed to format value string., xrefs: 0098A319
Failed to format key string., xrefs: 0098A2BE
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 0098A3DD
Failed to set variable., xrefs: 0098A3BD
Registry key not found. Key = '%ls', xrefs: 0098A396
search.cpp, xrefs: 0098A360
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0098A37A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: f89f49314ef856fc05863e0da725386b423f3c6d03b740943fdfeaadb445d029
Instruction ID: 40501b0545ad6528f418b96ee6d3685b97be39eb05da02eefc21d7c7a3a84767
Opcode Fuzzy Hash: f89f49314ef856fc05863e0da725386b423f3c6d03b740943fdfeaadb445d029
Instruction Fuzzy Hash: 4841D732D40128FBEB227B94CC06FAEBA69EB84710F104267F915B6252D7759E10A792

Uniqueness

Uniqueness Score: -1.00%

Function 0098B208 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 137COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,0098BAFB,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B210
GetLastError.KERNEL32(?,0098BAFB,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0098B21C

Strings

Failed to find valid DOS image header in buffer., xrefs: 0098B27D
.wixburn, xrefs: 0098B2BE
Failed to find Burn section., xrefs: 0098B332
.wix, xrefs: 0098B2E3
Bundle guid didn't match the guid in the PE Header in memory., xrefs: 0098B39B
Failed to read section info, data to short: %u, xrefs: 0098B314
Failed to get module handle to process., xrefs: 0098B24A
Failed to find valid NT image header in buffer., xrefs: 0098B2A8
Failed to read section info, unsupported version: %08x, xrefs: 0098B35E
section.cpp, xrefs: 0098B240, 0098B271, 0098B29C, 0098B305, 0098B326, 0098B34F, 0098B38F
burn, xrefs: 0098B2EB

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
API String ID: 4242514867-926796631
Opcode ID: bc3dca3223d5c8082f6508517a4a675b27d03b3bc5d1f6f1b263a36dd4317ddf
Instruction ID: 1f78394912cb4eb16ad4a26f91b9deae9514a9d815ca6ac226e8d021b0c9fd21
Opcode Fuzzy Hash: bc3dca3223d5c8082f6508517a4a675b27d03b3bc5d1f6f1b263a36dd4317ddf
Instruction Fuzzy Hash: BE415B32680710E7CB2075419C46F6E2255EBD5F70F69842EF9125F382D769CC0293E6

Uniqueness

Uniqueness Score: -1.00%

Function 0098694B Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 0098699B
GetLastError.KERNEL32 ref: 009869A5
GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 009869E8
GetLastError.KERNEL32 ref: 009869F2
FreeLibrary.KERNEL32(00000000,00000000,?), ref: 00986B03

Strings

Failed to set variant value., xrefs: 00986AE7
Failed to get OS info., xrefs: 00986A43
Failed to locate RtlGetVersion., xrefs: 00986A20
ntdll, xrefs: 00986995
variable.cpp, xrefs: 009869C9, 00986A16
RtlGetVersion, xrefs: 009869DD
Failed to locate NTDLL., xrefs: 009869D3

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$ntdll$variable.cpp
API String ID: 3057421322-109962352
Opcode ID: 4fb380b71fc91ed9fed2560f3bf12f84870f24ff05d8a60bce2ea2591a1c97ec
Instruction ID: 883271c94ff5b6f7aa3bf728f7831e0d3da0ecf80b50245d396eeb22e1d50250
Opcode Fuzzy Hash: 4fb380b71fc91ed9fed2560f3bf12f84870f24ff05d8a60bce2ea2591a1c97ec
Instruction Fuzzy Hash: F941C572D412399BDB25AF658C05FEA7BA8EB48710F004599E948FB280E775CE40CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 009848EF Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130memorysynchronizationCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,00985466,?,?,?,?), ref: 00984920
GetLastError.KERNEL32(?,?,?,00985466,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00984931
ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00984A6E
CloseHandle.KERNEL32(?,?,?,?,00985466,?,?,?,?,?,?,?,?,?,?,?), ref: 00984A77

Strings

Failed to allocate thread local storage for logging., xrefs: 0098495F
Failed to create the message window., xrefs: 009849CC
Failed to set elevated pipe into thread local storage for logging., xrefs: 009849A8
Failed to pump messages from parent process., xrefs: 00984A42
engine.cpp, xrefs: 00984955, 0098499E
comres.dll, xrefs: 009849DD
Failed to connect to unelevated process., xrefs: 00984916

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AllocCloseErrorHandleLastMutexRelease
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$comres.dll$engine.cpp
API String ID: 687263955-1790235126
Opcode ID: 0803b0d89fe0e069c689f7cdfa05142af2e1f83090531d6fca7fde07e04750ae
Instruction ID: a176fe376ac5fc365f974334e863858d82f6508f6db52bf9dadc72571dc7b98d
Opcode Fuzzy Hash: 0803b0d89fe0e069c689f7cdfa05142af2e1f83090531d6fca7fde07e04750ae
Instruction Fuzzy Hash: 3741C673D40626BBCB15ABA4CC46FDFBA6CBF44B50F01022AFA15A7240DB31A91097E5

Uniqueness

Uniqueness Score: -1.00%

Function 00993B4E Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 130COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 00993BA2
GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 00993BAC
GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 00993C15
ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 00993C1C
CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 00993CA6

Strings

crypt32.dll, xrefs: 00993B61
logging.cpp, xrefs: 00993BD0
Failed to get length of session id string., xrefs: 00993C71
Failed to copy temp folder., xrefs: 00993CCF
Failed to format session id as a string., xrefs: 00993C4A
Failed to get length of temp folder., xrefs: 00993C06
Failed to get temp folder., xrefs: 00993BDA
%u\, xrefs: 00993C36

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$crypt32.dll$logging.cpp
API String ID: 2407829081-3274134579
Opcode ID: 1c8f0b523243a9cce4e8dc55df1d51ebb7977b3022af05dae17edaa9e2a4598a
Instruction ID: 5c898fc152b4baa673a5eebe0b6e9147ff6d81ef1b6ad743fd054f99f2875733
Opcode Fuzzy Hash: 1c8f0b523243a9cce4e8dc55df1d51ebb7977b3022af05dae17edaa9e2a4598a
Instruction Fuzzy Hash: 5F41B072D8523DABCF209B688C49FEA777CAB54710F1085A1FD18B7240EA709F808BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00987FA5 Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 216COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,000000B9,00000002,?,00000000,00000000,00000000,00000000,00000001,00000000,00000002,000000B9), ref: 00987FC2
LeaveCriticalSection.KERNEL32(?), ref: 009881EA

Strings

Failed to get version., xrefs: 0098819B
Failed to write variable value as string., xrefs: 009881AE
Failed to write variable value as number., xrefs: 00988194
Unsupported variable type., xrefs: 009881A7
Failed to write variable value type., xrefs: 009881CA
Failed to get numeric., xrefs: 009881BC
Failed to write variable count., xrefs: 00987FDD
feclient.dll, xrefs: 0098809D, 009880F3, 00988134
Failed to write literal flag., xrefs: 009881C3
Failed to write included flag., xrefs: 009881D8
Failed to get string., xrefs: 009881B5
Failed to write variable name., xrefs: 009881D1

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
API String ID: 3168844106-2118673349
Opcode ID: 46c4c24399caf6208228ca8427c28af89e03164046a5303b57696e0f121e49d0
Instruction ID: ee6a4af6db6b5393df9fe4a6a910039ac5014be4b244c279dcf4a8fa6b0d1199
Opcode Fuzzy Hash: 46c4c24399caf6208228ca8427c28af89e03164046a5303b57696e0f121e49d0
Instruction Fuzzy Hash: 3D71B172D0821AAFCB12EEA4CD49FAFBBA8BB44354F504525E90167351CF34DD129BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009865C0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 009865FC

Part of subcall function 009C0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00985EB2,00000000), ref: 009C0AE0
Part of subcall function 009C0ACC: GetProcAddress.KERNEL32(00000000), ref: 009C0AE7
Part of subcall function 009C0ACC: GetLastError.KERNEL32(?,?,?,00985EB2,00000000), ref: 009C0AFE

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00986628
GetLastError.KERNEL32 ref: 00986636
GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 0098666E
GetLastError.KERNEL32 ref: 00986678
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 009866BB
GetLastError.KERNEL32 ref: 009866C5

Strings

Failed to backslash terminate system folder., xrefs: 00986708
Failed to get 32-bit system folder., xrefs: 009866A6
Failed to get 64-bit system folder., xrefs: 00986664
Failed to set system folder variant value., xrefs: 00986724
variable.cpp, xrefs: 0098665A, 0098669C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
API String ID: 325818893-1590374846
Opcode ID: cf8e10fd19a1581fbab81e6a1c1b30a704bfa9b9e4312bb3aa055517748a1f60
Instruction ID: 889cb155fb9bde1980ce5fec0dda0d60808699838b55e32cf65fbebd320726a8
Opcode Fuzzy Hash: cf8e10fd19a1581fbab81e6a1c1b30a704bfa9b9e4312bb3aa055517748a1f60
Instruction Fuzzy Hash: 4D31F372D46239A7DB20B7618C4AF9A776CAF00750F154569BD04BF380EB78DD408BE2

Uniqueness

Uniqueness Score: -1.00%

Function 00993F9B Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00993AA6: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00993FB5,feclient.dll,?,00000000,?,?,?,00984B12), ref: 00993B42

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00984B12,?,?,009CB488,?,00000001,00000000,00000000), ref: 0099404C

Strings

crypt32.dll, xrefs: 00993FF2, 00994057, 0099405F, 009940C6, 00994100, 00994141, 00994160, 0099419E, 009941C8
Failed to copy log path to prefix., xrefs: 0099416E
Failed to get non-session specific TEMP folder., xrefs: 009940F6
msasn1.dll, xrefs: 00994162, 009941A3
log, xrefs: 00993FF3
feclient.dll, xrefs: 00993FAF, 0099405C
Failed to get current directory., xrefs: 0099402E
Failed to copy full log path to prefix., xrefs: 009941AF
clbcatq.dll, xrefs: 00994185
Failed to open log: %ls, xrefs: 009940C8
Setup, xrefs: 00993FF9
Failed to copy log extension to extension., xrefs: 00994191

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: 3b16dbb3da3e1881076116cfa3ed8e666b88281dd1be7a4df3ff39fc2ae7d201
Instruction ID: 1a70898524c168edd6a3058d8663393e8d637c60f8adce971c02406fb5f1b3fa
Opcode Fuzzy Hash: 3b16dbb3da3e1881076116cfa3ed8e666b88281dd1be7a4df3ff39fc2ae7d201
Instruction Fuzzy Hash: 5461C371A08216ABDF279F68CC46F7A77ACEF64340F058569F900DB240E771ED9187A1

Uniqueness

Uniqueness Score: -1.00%

Function 00986DB9 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000001,?,00000000,00985445,00000006,?,009882B9,?,?,?,00000000,00000000,00000001), ref: 00986DC8

Part of subcall function 009856A9: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00986595,00986595,?,0098563D,?,?,00000000), ref: 009856E5
Part of subcall function 009856A9: GetLastError.KERNEL32(?,0098563D,?,?,00000000,?,?,00986595,?,00987F02,?,?,?,?,?), ref: 00985714

LeaveCriticalSection.KERNEL32(00000001,?,00000000,00000001,00000000,00000000,?,009882B9), ref: 00986F59

Strings

Setting numeric variable '%ls' to value %lld, xrefs: 00986EFA
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00986ED0
Failed to insert variable '%ls'., xrefs: 00986E0D
Failed to set value of variable: %ls, xrefs: 00986F41
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00986F6B
Failed to find variable value '%ls'., xrefs: 00986DE3
Attempt to set built-in variable value: %ls, xrefs: 00986E56
Unsetting variable '%ls', xrefs: 00986F15
Setting hidden variable '%ls', xrefs: 00986E86
variable.cpp, xrefs: 00986E4B
Setting string variable '%ls' to value '%ls', xrefs: 00986EED

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$variable.cpp
API String ID: 2716280545-445000439
Opcode ID: 9fd611c0e04d92e10f6d0f8740d302d8a645c40d3c08ea8816566ba28e3a5cf2
Instruction ID: 2e6e31d73022a57f52602c6fbfad2d89d8da7f692f5a3fe8551be903112b7418
Opcode Fuzzy Hash: 9fd611c0e04d92e10f6d0f8740d302d8a645c40d3c08ea8816566ba28e3a5cf2
Instruction Fuzzy Hash: F151D271E40225EBDB30AE19CD4AF6B3AACEB95714F10042DF9496F382C275D951CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00992C1C Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 299COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,002C002B,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00992C8A

Strings

Failed to add registration action for self dependent., xrefs: 00992F57
crypt32.dll, xrefs: 00992CD5, 00992DCF, 00992EC4, 00992F39
Failed to add self-dependent to ignore dependents., xrefs: 00992D0E
Failed to add dependents ignored from command-line., xrefs: 00992D3F
Failed to add registration action for dependent related bundle., xrefs: 00992F8E
wininet.dll, xrefs: 00992ED7
Failed to create the string dictionary., xrefs: 00992CC3
Failed to check for remaining dependents during planning., xrefs: 00992E30
Failed to add dependent bundle provider key to ignore dependents., xrefs: 00992DF4
Failed to allocate registration action., xrefs: 00992CF3

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: 81e87b56abe6f81d4165042d7e64fcca98ae6822431344e0cd33cba44d18036d
Instruction ID: dbb1575fb339d0fb8a0b2d719f6d5fd4744e180081456c3e322e150cdd74645a
Opcode Fuzzy Hash: 81e87b56abe6f81d4165042d7e64fcca98ae6822431344e0cd33cba44d18036d
Instruction Fuzzy Hash: F8B16B70A0421AFBDF299F68C881BAEBBB9FF54710F10816AF815AB251D734D950CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0099F90B Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 187COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0099F947
UuidCreate.RPCRT4(?), ref: 0099FA2A
StringFromGUID2.OLE32(?,?,00000027), ref: 0099FA4B
LeaveCriticalSection.KERNEL32(?,?), ref: 0099FAF4

Strings

update\%ls, xrefs: 0099F9A3
Failed to recreate command-line for update bundle., xrefs: 0099FA12
EngineForApplication.cpp, xrefs: 0099FA60
Failed to convert bundle update guid into string., xrefs: 0099FA6A
Failed to default local update source, xrefs: 0099F9B7
Failed to create bundle update guid., xrefs: 0099FA37
Failed to set update bundle., xrefs: 0099FACE

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$CreateEnterFromLeaveStringUuid
String ID: EngineForApplication.cpp$Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
API String ID: 171215650-2594647487
Opcode ID: 59a75d9c914fd7fda39d8c0ceca74b1635373f9c271e76de3784e6a74c6a30f8
Instruction ID: 5f5309dd85cd7bbb07db122e58a7b317ba9d9f31bb8fc0d49c5fbeb179077261
Opcode Fuzzy Hash: 59a75d9c914fd7fda39d8c0ceca74b1635373f9c271e76de3784e6a74c6a30f8
Instruction Fuzzy Hash: 86618E31941219AFCF219FA8C855FAEBBB8EF48714F15417AF808EB251E7719C50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00984AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00984C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00984C75

Strings

Failed to set layout directory variable to value provided from command-line., xrefs: 00984C06
Failed to query registration., xrefs: 00984BAE
Failed to open log., xrefs: 00984B18
Failed to check global conditions, xrefs: 00984B49
Failed to set registration variables., xrefs: 00984BDE
Failed to create the message window., xrefs: 00984B98
WixBundleLayoutDirectory, xrefs: 00984BF5
Failed to set action variables., xrefs: 00984BC4
Failed while running , xrefs: 00984C2A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 0ac569c9ac71688c4570f44a217ab2cb38b80c01d5a4de67cd27090b56bcdf8c
Instruction ID: 47164840a01725d3365b2ae8c64d647fdc3ae72468eae0b250730dc1a1523786
Opcode Fuzzy Hash: 0ac569c9ac71688c4570f44a217ab2cb38b80c01d5a4de67cd27090b56bcdf8c
Instruction Fuzzy Hash: 42412471A02A2BBBCB267A64CC46FFAB66CFF40754F004629F841A7350EB60ED1097D1

Uniqueness

Uniqueness Score: -1.00%

Function 0099F051 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 0099F06E
LeaveCriticalSection.KERNEL32(?), ref: 0099F19B

Strings

EngineForApplication.cpp, xrefs: 0099F17C
Failed to copy the id., xrefs: 0099F100
Failed to copy the arguments., xrefs: 0099F12D
Engine is active, cannot change engine state., xrefs: 0099F089
Failed to post launch approved exe message., xrefs: 0099F186
UX requested unknown approved exe with id: %ls, xrefs: 0099F0CE

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: Engine is active, cannot change engine state.$EngineForApplication.cpp$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls
API String ID: 1367039788-528931743
Opcode ID: eabab391be646da35b3fa3f4e1e591c87a083ef038e459ba0bcdf34261ecf3a0
Instruction ID: 55fbacf42d50f7c22a33f2b2224de22c2b9199aa0882acd463f1e1de94585651
Opcode Fuzzy Hash: eabab391be646da35b3fa3f4e1e591c87a083ef038e459ba0bcdf34261ecf3a0
Instruction Fuzzy Hash: 8931BF32A48225EBCF21AF68DC16F6AB7ACAF44720B158565FD04EB351EB31DD0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 0099969D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,0099A7D4,00000000,00000000,00000000,?,00000000), ref: 009996B8
GetLastError.KERNEL32(?,0099A7D4,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 009996C6

Part of subcall function 009C4102: Sleep.KERNEL32(?,00000000,?,009985EE,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00984DBC), ref: 009C4119

CloseHandle.KERNEL32(00000000,00000000,00000001,00000003,000007D0,?,00000000,00000000,00000000), ref: 009997A4

Strings

Failed to verify container hash: %ls, xrefs: 00999727
Failed to move %ls to %ls, xrefs: 0099977C
Failed to copy %ls to %ls, xrefs: 00999792
cache.cpp, xrefs: 009996EA
Moving, xrefs: 0099973A
Copying, xrefs: 00999743, 0099974E
%ls container from working path '%ls' to path '%ls', xrefs: 0099974F
Failed to open container in working path: %ls, xrefs: 009996F5

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
API String ID: 1275171361-1187406825
Opcode ID: a3fe362374571244464d4836f7835ec7c558f29efd3a4a456a253fd8ae44fea6
Instruction ID: 0c4534430e0b45cc9e9bba128b9b28d3caeff0fb3972af385d5d4521df848125
Opcode Fuzzy Hash: a3fe362374571244464d4836f7835ec7c558f29efd3a4a456a253fd8ae44fea6
Instruction Fuzzy Hash: 5B210432E81224BBEA321A9D8C47F6B761C9FC1B64F104119FE14BB281EA619D0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 00986F85 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 227COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00986FB2
LeaveCriticalSection.KERNEL32(?), ref: 009871BE

Strings

Unsupported variable type., xrefs: 00987184
Failed to read variable literal flag., xrefs: 00987199
Failed to read variable included flag., xrefs: 009871AE
Failed to read variable value as number., xrefs: 00987178
Failed to read variable count., xrefs: 00986FD2
Failed to set variable., xrefs: 00987192
Failed to read variable value as string., xrefs: 0098718B
Failed to read variable value type., xrefs: 009871A0
Failed to read variable name., xrefs: 009871A7
Failed to set variable value., xrefs: 00987171

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-528957463
Opcode ID: ee8d14b1c9cbf6f58a227825aee38b1435399e92dd96c913ee94daad5cdbe4d3
Instruction ID: f2eaca7d6b13e78318f5d2ef6e9a7997286049744a853801d2e58ab861c00791
Opcode Fuzzy Hash: ee8d14b1c9cbf6f58a227825aee38b1435399e92dd96c913ee94daad5cdbe4d3
Instruction Fuzzy Hash: 5E717E72C0921EBADF11EEA4CD49FAEFBB9EB84754F204525F900A6650D734DE109BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C44D1 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 009C4550
GetLastError.KERNEL32 ref: 009C4566
GetFileSizeEx.KERNEL32(00000000,?), ref: 009C45BF
GetLastError.KERNEL32 ref: 009C45C9
SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 009C461D
GetLastError.KERNEL32 ref: 009C4628
ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 009C4717
CloseHandle.KERNEL32(?), ref: 009C478A

Strings

fileutil.cpp, xrefs: 009C44F1, 009C45A8, 009C45E9, 009C476D

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
String ID: fileutil.cpp
API String ID: 3286166115-2967768451
Opcode ID: 86dca24eb7c299e65ba0600d94edb40b7f31da083037a5a136316695f9a1528b
Instruction ID: 8b19ef0903d8f772b0ca50ac3955515e85c2064aaec0fa5d2cbd7c80ce1fa0fe
Opcode Fuzzy Hash: 86dca24eb7c299e65ba0600d94edb40b7f31da083037a5a136316695f9a1528b
Instruction Fuzzy Hash: F6813532F00266EBDB218E698C65F6E36ACAB41760F21452DFD05EB280D778CD009BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00983076 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 210COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 009830C1
GetLastError.KERNEL32 ref: 009830C7
ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 00983121
GetLastError.KERNEL32 ref: 00983127
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009831DB
GetLastError.KERNEL32 ref: 009831E5
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0098323B
GetLastError.KERNEL32 ref: 00983245

Strings

@, xrefs: 0098309B
pathutil.cpp, xrefs: 009830EB

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: @$pathutil.cpp
API String ID: 1547313835-3022285739
Opcode ID: a1996f898f52848c46f20681089d5652eb00101d39d61932727d719a84a014bb
Instruction ID: 545eea797eb843b58480ba4a07512479dd6b1df995e6c37aa9d8274160c04d7b
Opcode Fuzzy Hash: a1996f898f52848c46f20681089d5652eb00101d39d61932727d719a84a014bb
Instruction Fuzzy Hash: A661A473D04229ABDB21AAE58845B9EBBA8AF04F50F11C165EE10BB350E775DF009BD0

Uniqueness

Uniqueness Score: -1.00%

Function 009C6D50 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 165COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,74DEDFD0,?,009C72C8,?,?), ref: 009C6DA6
SysFreeString.OLEAUT32(00000000), ref: 009C6E11
SysFreeString.OLEAUT32(00000000), ref: 009C6E89
SysFreeString.OLEAUT32(00000000), ref: 009C6EC8

Strings

scheme, xrefs: 009C6DB9
term, xrefs: 009C6DD9
`<u, xrefs: 009C6E11, 009C6E89, 009C6EC8
label, xrefs: 009C6D98

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$Free$Compare
String ID: `<u$label$scheme$term
API String ID: 1324494773-4028212031
Opcode ID: ebd5cc7a565ea130d91cbd95964d8165d59261ed426e2209079846f0e3e5f819
Instruction ID: 40b701eec99ff9b6b7f72c1067660c6ed2096f599b2d27ec1b0007280a40f0ef
Opcode Fuzzy Hash: ebd5cc7a565ea130d91cbd95964d8165d59261ed426e2209079846f0e3e5f819
Instruction Fuzzy Hash: 83516B39D01219FBCB15DB94CC45FAEBBB8EF44721F2442ADE511AB1A0DB30AE10DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00994D8D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 00994DC0
StringFromGUID2.OLE32(?,?,00000027), ref: 00994DEF
UuidCreate.RPCRT4(?), ref: 00994E3A
StringFromGUID2.OLE32(?,?,00000027), ref: 00994E66

Strings

Failed to convert pipe guid into string., xrefs: 00994E0C
Failed to allocate pipe name., xrefs: 00994E2F
Failed to allocate pipe secret., xrefs: 00994E8F
BurnPipe.%s, xrefs: 00994E1B
Failed to create pipe guid., xrefs: 00994DCD
pipe.cpp, xrefs: 00994E00, 00994E4D

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
API String ID: 4041566446-2510341293
Opcode ID: 2525f02fe12257c1e0be1bd8b4e6a18e11bfbc59e7ceffaf5ba1f728b6327972
Instruction ID: 27fe9bd3637ceeff8732db2d3a5a295da40d77bcc76a0975feb76ed74f81d843
Opcode Fuzzy Hash: 2525f02fe12257c1e0be1bd8b4e6a18e11bfbc59e7ceffaf5ba1f728b6327972
Instruction Fuzzy Hash: 1C418F72D44308ABDF11EBE8CD45F9EB7FCAB84710F204526E905BB240D6749946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0099EA7D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,0098548E,?,?), ref: 0099EA9D
GetLastError.KERNEL32(?,0098548E,?,?), ref: 0099EAAA
CreateThread.KERNEL32(00000000,00000000,0099E7B4,?,00000000,00000000), ref: 0099EB03
GetLastError.KERNEL32(?,0098548E,?,?), ref: 0099EB10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,0098548E,?,?), ref: 0099EB4B
CloseHandle.KERNEL32(00000000,?,0098548E,?,?), ref: 0099EB6A
CloseHandle.KERNEL32(?,?,0098548E,?,?), ref: 0099EB77

Strings

Failed to create initialization event., xrefs: 0099EAD5
Failed to create the UI thread., xrefs: 0099EB3B
uithread.cpp, xrefs: 0099EACB, 0099EB31

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
API String ID: 2351989216-3599963359
Opcode ID: 1a4b83deb07be33ab570d0b40c46ce55a92d46082861ecd8f8daa674739195be
Instruction ID: b338825bb919e508824fa087e9dc5840dc07eff7346b82f36552a05f1fb255f5
Opcode Fuzzy Hash: 1a4b83deb07be33ab570d0b40c46ce55a92d46082861ecd8f8daa674739195be
Instruction Fuzzy Hash: F1317476D41229BBDB10DF9D8D85A9EBBACFF04750F114165B915F7240E6309E0096A1

Uniqueness

Uniqueness Score: -1.00%

Function 0099E645 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 97threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,0098548E,?,?), ref: 0099E666
GetLastError.KERNEL32(?,?,0098548E,?,?), ref: 0099E673
CreateThread.KERNEL32(00000000,00000000,0099E3C8,00000000,00000000,00000000), ref: 0099E6D2
GetLastError.KERNEL32(?,?,0098548E,?,?), ref: 0099E6DF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,0098548E,?,?), ref: 0099E71A
CloseHandle.KERNEL32(?,?,?,0098548E,?,?), ref: 0099E72E
CloseHandle.KERNEL32(?,?,?,0098548E,?,?), ref: 0099E73B

Strings

Failed to create UI thread., xrefs: 0099E70A
Failed to create modal event., xrefs: 0099E69E
splashscreen.cpp, xrefs: 0099E694, 0099E700

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 2351989216-1977201954
Opcode ID: 17d0358174e6b7f678a4c64647deb997ed7167ae4df8bccbd5ed9a743f8547cb
Instruction ID: 07341eb0400b3e2dcb751aaacdf8b22c5f13c08242001996e19774c1509cc034
Opcode Fuzzy Hash: 17d0358174e6b7f678a4c64647deb997ed7167ae4df8bccbd5ed9a743f8547cb
Instruction Fuzzy Hash: 07318176D40229BBDB21DB9DDC05EAFBBB8AB94710F114166FD14F7240E7305A008AA1

Uniqueness

Uniqueness Score: -1.00%

Function 009A14E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74DF2F60,?,?,00985405,009853BD,00000000,00985445), ref: 009A1506
GetLastError.KERNEL32 ref: 009A1519
GetExitCodeThread.KERNEL32(009CB488,?), ref: 009A155B
GetLastError.KERNEL32 ref: 009A1569
ResetEvent.KERNEL32(009CB460), ref: 009A15A4
GetLastError.KERNEL32 ref: 009A15AE

Strings

Failed to get extraction thread exit code., xrefs: 009A159A
cabextract.cpp, xrefs: 009A1540, 009A1590, 009A15D5
Failed to wait for operation complete event., xrefs: 009A154A
Failed to reset operation complete event., xrefs: 009A15DF

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: 95d340d4564e4d9150d531cebe79131ffee9478fd02f38268e1e12a5ad4a10b0
Instruction ID: 0de2db6249768097abd21ca47a884a1f09d4fe43cfce4f42a2b390b5c8da53b1
Opcode Fuzzy Hash: 95d340d4564e4d9150d531cebe79131ffee9478fd02f38268e1e12a5ad4a10b0
Instruction Fuzzy Hash: E2318471E40205EBDB10DFA68D05BAE77FCEB85710F10855AF906D6260E730DA00ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 009A15FE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(009CB478,?,00000000,?,0098C1D3,?,009853BD,00000000,?,0099784D,?,0098566D,00985479,00985479,00000000,?), ref: 009A161B
GetLastError.KERNEL32(?,0098C1D3,?,009853BD,00000000,?,0099784D,?,0098566D,00985479,00985479,00000000,?,00985489,FFF9E89D,00985489), ref: 009A1625
WaitForSingleObject.KERNEL32(009CB488,000000FF,?,0098C1D3,?,009853BD,00000000,?,0099784D,?,0098566D,00985479,00985479,00000000,?,00985489), ref: 009A165F
GetLastError.KERNEL32(?,0098C1D3,?,009853BD,00000000,?,0099784D,?,0098566D,00985479,00985479,00000000,?,00985489,FFF9E89D,00985489), ref: 009A1669
CloseHandle.KERNEL32(00000000,00985489,?,00000000,?,0098C1D3,?,009853BD,00000000,?,0099784D,?,0098566D,00985479,00985479,00000000), ref: 009A16B4
CloseHandle.KERNEL32(00000000,00985489,?,00000000,?,0098C1D3,?,009853BD,00000000,?,0099784D,?,0098566D,00985479,00985479,00000000), ref: 009A16C3
CloseHandle.KERNEL32(00000000,00985489,?,00000000,?,0098C1D3,?,009853BD,00000000,?,0099784D,?,0098566D,00985479,00985479,00000000), ref: 009A16D2

Strings

Failed to wait for thread to terminate., xrefs: 009A1697
cabextract.cpp, xrefs: 009A1649, 009A168D
Failed to set begin operation event., xrefs: 009A1653

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
API String ID: 1206859064-226982402
Opcode ID: b08db7205c4e2561ebd5615edc417ecdc00b1ebd646556c998e909a4a81f6cae
Instruction ID: 888858ef58a2b98c01a68b9da52e9629fc260f710406115954a0f037e015177f
Opcode Fuzzy Hash: b08db7205c4e2561ebd5615edc417ecdc00b1ebd646556c998e909a4a81f6cae
Instruction Fuzzy Hash: 37217833940A32BBC7215B61CC09B56B6A8FF09735F090225F908A2AA0D374EC60DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 009941EC Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 009C0523: EnterCriticalSection.KERNEL32(009EB5FC,00000000,?,?,?,00994207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009854FA,?), ref: 009C0533
Part of subcall function 009C0523: LeaveCriticalSection.KERNEL32(009EB5FC,?,?,009EB5F4,?,00994207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009854FA,?), ref: 009C067A

OpenEventLogW.ADVAPI32(00000000,Application), ref: 00994212
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 0099421E
ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,009D39D4,00000000), ref: 0099426B
CloseEventLog.ADVAPI32(00000000), ref: 00994272

Strings

Failed to open Application event log, xrefs: 0099424C
txt, xrefs: 009941F2
logging.cpp, xrefs: 00994242
_Failed, xrefs: 009941F7
Application, xrefs: 0099420C
Setup, xrefs: 009941FC

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
String ID: Application$Failed to open Application event log$Setup$_Failed$logging.cpp$txt
API String ID: 1844635321-1389066741
Opcode ID: fb0ce99edb8aeefb152b7e7511bbed978561a31d2925e6b2a73822f78311ae50
Instruction ID: 969e636841daed21710e53a95af59add5b5e01a8a40397744dcca0d44743a3be
Opcode Fuzzy Hash: fb0ce99edb8aeefb152b7e7511bbed978561a31d2925e6b2a73822f78311ae50
Instruction Fuzzy Hash: 11F0F933EC5271765B3223661C0AE7F2D2CEAC2F36B01801BBD20F6241D744890240F7

Uniqueness

Uniqueness Score: -1.00%

Function 009993FE Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 226COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 0099949E
GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 009994C6

Strings

Failed to encode file hash., xrefs: 00999551
Could not verify file %ls., xrefs: 00999607
Failed to allocate string., xrefs: 00999534
Failed to allocate memory, xrefs: 0099946F
Failed to get file hash., xrefs: 009994F0
cache.cpp, xrefs: 009994E6, 009995FA, 0099964B
0, xrefs: 0099955E
Could not close verify handle., xrefs: 00999655
$, xrefs: 0099959D

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
API String ID: 1452528299-4263581490
Opcode ID: b686521508b7ad3b6bc929eb08b5bdfa41d0afc27697122fef1b0b43c9a97e67
Instruction ID: 5b4c17fc45222af1ba3101512a37ed057ec5473112c5b7752aadb56fa7f8f437
Opcode Fuzzy Hash: b686521508b7ad3b6bc929eb08b5bdfa41d0afc27697122fef1b0b43c9a97e67
Instruction Fuzzy Hash: F3715472D00229ABDF11DFDCC845BEEB7B8AB48720F11412AF915BB251E7749D418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0099E56C Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0099E577
DefWindowProcW.USER32(?,00000082,?,?), ref: 0099E5B5
SetWindowLongW.USER32(?,000000EB,00000000), ref: 0099E5C2
SetWindowLongW.USER32(?,000000EB,?), ref: 0099E5D1
DefWindowProcW.USER32(?,?,?,?), ref: 0099E5DF
CreateCompatibleDC.GDI32(?), ref: 0099E5EB
SelectObject.GDI32(00000000,00000000), ref: 0099E5FC
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0099E61E
SelectObject.GDI32(00000000,00000000), ref: 0099E626
DeleteDC.GDI32(00000000), ref: 0099E629
PostQuitMessage.USER32(00000000), ref: 0099E637

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: d926345eee5591cf616b21168bae165e1d47ad10f2ebb197a96945cad9ba7588
Instruction ID: 58e8e8ede324ca2612e5550fdbdc633f072cddbf82d7dc01145a35db676b6805
Opcode Fuzzy Hash: d926345eee5591cf616b21168bae165e1d47ad10f2ebb197a96945cad9ba7588
Instruction Fuzzy Hash: 99217832518248BFDF159F68DC1ED7B3BA8FB49361F064518FA16971B4D7318810EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00982DBF Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 203sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00982E5F
GetLastError.KERNEL32 ref: 00982E69
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00982F09
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00982F96
GetLastError.KERNEL32 ref: 00982FA3
Sleep.KERNEL32(00000064), ref: 00982FB7
CloseHandle.KERNEL32(?), ref: 0098301F

Strings

%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00982F66
pathutil.cpp, xrefs: 00982E8D

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
API String ID: 3480017824-1101990113
Opcode ID: 1800613efc11cf23b2785a1b3a66944a497392db575453e6ff9de247ddfadad6
Instruction ID: f104979958273623c16e0cd90ac2787c32d5517158bc514bc140dc66c3ddf861
Opcode Fuzzy Hash: 1800613efc11cf23b2785a1b3a66944a497392db575453e6ff9de247ddfadad6
Instruction Fuzzy Hash: 9C716372D01229ABDB31AFA5DC49BAEB7B8AB08710F1041D5FA04E7291D7349E80DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0098CBC5 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,009853BD,00000000,00985489,00985445,WixBundleUILevel,840F01E8,?,00000001), ref: 0098CC1C

Strings

Failed to ensure directory exists, xrefs: 0098CCEE
Payload was not found in container: %ls, xrefs: 0098CD29
Failed to concat file paths., xrefs: 0098CCFC
Failed to find embedded payload: %ls, xrefs: 0098CC48
payload.cpp, xrefs: 0098CD1D
Failed to get directory portion of local file path, xrefs: 0098CCF5
Failed to get next stream., xrefs: 0098CD03
Failed to extract file., xrefs: 0098CCE7

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$payload.cpp
API String ID: 1825529933-1711239286
Opcode ID: f06c18097d1ba038e40ceedd6a95db805d542e13c0ee8f903c8c36e47eedf754
Instruction ID: 815c912d1d59a16e45a6aca41aa7cfa2fe73cbeef0996f702836e554b10e8752
Opcode Fuzzy Hash: f06c18097d1ba038e40ceedd6a95db805d542e13c0ee8f903c8c36e47eedf754
Instruction Fuzzy Hash: B841E4B1D00219EBCF25BF54CC81E6EBBA9BF80710F10856AE855AB391D7709D40DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00984796 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 009847BB
GetCurrentThreadId.KERNEL32 ref: 009847C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0098484F

Strings

wininet.dll, xrefs: 009847EE
Unexpected return value from message pump., xrefs: 009848A5
engine.cpp, xrefs: 0098489B
Failed to create engine for UX., xrefs: 009847DB
Failed to load UX., xrefs: 00984804
Failed to start bootstrapper application., xrefs: 0098481D

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 680bde0523907a06f0e7de80f74e1e2e885e869fd668c58238fd551bbbe26c76
Instruction ID: b555fd1da9b771fd168d98bae7726392904c95959b0e314a96c54537d479fdcb
Opcode Fuzzy Hash: 680bde0523907a06f0e7de80f74e1e2e885e869fd668c58238fd551bbbe26c76
Instruction Fuzzy Hash: F6418071A0055ABFEB14EBA4CC86FBAB7ACEF48314F100529F904E7390DB35AD0597A1

Uniqueness

Uniqueness Score: -1.00%

Function 009A9C84 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,009AB03E,?,00000001,00000000), ref: 009A9D0F
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,009AB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 009A9D19
CopyFileExW.KERNEL32(00000000,00000000,009A9B69,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 009A9D67
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,009AB03E,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 009A9D96

Strings

Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 009A9DC8
copy, xrefs: 009A9CDD
Failed to clear readonly bit on payload destination path: %ls, xrefs: 009A9D48
apply.cpp, xrefs: 009A9D3D, 009A9D81, 009A9DBA
BA aborted copy of payload from: '%ls' to: %ls., xrefs: 009A9D8F

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
API String ID: 1969131206-836986073
Opcode ID: 09f0d45f39497def13e9742797d99de9a8f9fa5d68390fc1ebf6fe884d6da122
Instruction ID: 4b4ecb80ed9a724aaa1f308084df265b6895cabd943a1d00e46858103e519009
Opcode Fuzzy Hash: 09f0d45f39497def13e9742797d99de9a8f9fa5d68390fc1ebf6fe884d6da122
Instruction Fuzzy Hash: 71310432A41625BBDB209A568C46F6B77ACFF82B20F148119BD09EF381E624DD00C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00998EBC Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 00999007

Strings

Failed to allocate access for Users group to path: %ls, xrefs: 00998F72
Failed to allocate access for Administrators group to path: %ls, xrefs: 00998F0F
cache.cpp, xrefs: 00998FB0
Failed to secure cache path: %ls, xrefs: 00998FEA
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00998F30
Failed to create ACL to secure cache path: %ls, xrefs: 00998FBB
Failed to allocate access for Everyone group to path: %ls, xrefs: 00998F51

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
API String ID: 2826327444-4113288589
Opcode ID: b1d5c91bd37d01b6ca3bdb4343fca211d4c39dea05580424f72d4d27593e2e5e
Instruction ID: 348d4c711a5d78fc2b0c363227a8b0e3c03b1b810054d793ab069f16e736cec1
Opcode Fuzzy Hash: b1d5c91bd37d01b6ca3bdb4343fca211d4c39dea05580424f72d4d27593e2e5e
Instruction Fuzzy Hash: DA412E32E44329B7DF315658CC02FAB766CDB96B10F1140A9FA04B7281EF719E4487E1

Uniqueness

Uniqueness Score: -1.00%

Function 0099492F Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 117fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,crypt32.dll,00000008,?,00000000,?,00000000,00000000,crypt32.dll,00000000,?,?,?,00000000,?,00000000), ref: 0099495A
GetLastError.KERNEL32 ref: 00994967
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 00994A12
GetLastError.KERNEL32 ref: 00994A1C

Strings

crypt32.dll, xrefs: 00994956
Failed to read message from pipe., xrefs: 009949E7
Failed to allocate data for message., xrefs: 009949D0
Failed to read data for message., xrefs: 00994A4A
pipe.cpp, xrefs: 009949C6, 009949DD, 00994A40

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$crypt32.dll$pipe.cpp
API String ID: 1948546556-773887359
Opcode ID: ff8317dce94a12bc0a29b9885607b881079cb537a1c4e22c999683112b4ffb3d
Instruction ID: 197fd0c181b0c4574f9b03a9f8d38ede658374da5fd88e0a95a305e126b06dbd
Opcode Fuzzy Hash: ff8317dce94a12bc0a29b9885607b881079cb537a1c4e22c999683112b4ffb3d
Instruction Fuzzy Hash: F531E732D84229BBDF129B99CC46F6FB76CBB04B65F108125FD50A7280D7749D019BD4

Uniqueness

Uniqueness Score: -1.00%

Function 009C6C29 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 114COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,74DEDFD0), ref: 009C6C88
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 009C6CA5
SysFreeString.OLEAUT32(00000000), ref: 009C6CE3
SysFreeString.OLEAUT32(00000000), ref: 009C6D27

Strings

name, xrefs: 009C6C7A
uri, xrefs: 009C6CB3
`<u, xrefs: 009C6CE3, 009C6D27
email, xrefs: 009C6C97

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$CompareFree
String ID: `<u$email$name$uri
API String ID: 3589242889-1197142144
Opcode ID: 4bb9f0a8bf96b59305909b3410cf9024b81acba6e2dca8103ee593e02d64bdeb
Instruction ID: 8dfec6904dc9af31c0bc7003b3cf76046439d6cfbb332114fbb32dc0889eb5b5
Opcode Fuzzy Hash: 4bb9f0a8bf96b59305909b3410cf9024b81acba6e2dca8103ee593e02d64bdeb
Instruction Fuzzy Hash: D7418F31E45219BBCB119B94CD45FADB778EF44725F2042A8FA61AB1E0C7319E00DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0099E2AF Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 104windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 0099E2E5
GetLastError.KERNEL32 ref: 0099E2F1
GetObjectW.GDI32(00000000,00000018,?), ref: 0099E338
GetCursorPos.USER32(?), ref: 0099E359
MonitorFromPoint.USER32(?,?,00000002), ref: 0099E36B
GetMonitorInfoW.USER32(00000000,?), ref: 0099E381

Strings

Failed to load splash screen bitmap., xrefs: 0099E31F
(, xrefs: 0099E378
splashscreen.cpp, xrefs: 0099E315

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
API String ID: 2342928100-598475503
Opcode ID: 1c42411b026098f4781b9f483226490a7779a8d05bd1e91cce02f8719d249893
Instruction ID: 3df23f2d2f1161a6e98a3a1321302c607566eae544a91289243e98b45f05a6a0
Opcode Fuzzy Hash: 1c42411b026098f4781b9f483226490a7779a8d05bd1e91cce02f8719d249893
Instruction Fuzzy Hash: D2314175E11219AFDB10DFA8D94AA9EBBF4FF08711F148115F904EB285DB70E9008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009950CA Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,009CB500), ref: 009950D3
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00995171
CloseHandle.KERNEL32(00000000), ref: 0099518A

Strings

open, xrefs: 0099513B, 00995149
burn.elevated, xrefs: 009950F3
Failed to allocate parameters for elevated process., xrefs: 0099510C
Failed to launch elevated child process: %ls, xrefs: 0099515E
runas, xrefs: 00995131
-q -%ls %ls %ls %u, xrefs: 009950F8

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: 125253fdd8fa0a159d6e8bdd48441b10f48bd580f95a8f81b135fc1f3120ed16
Instruction ID: 7165f52ec2bc7411ade9aae1f5abc551e0f5373c1fa152ebcf6e35a4e9b03dc9
Opcode Fuzzy Hash: 125253fdd8fa0a159d6e8bdd48441b10f48bd580f95a8f81b135fc1f3120ed16
Instruction Fuzzy Hash: 5F218B71D4460CFFCF22AF98CC41EAEBBB8EF48354B01816AF814A2211D7319F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 00986882 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 009868AC
GetProcAddress.KERNEL32(00000000), ref: 009868B3
GetLastError.KERNEL32 ref: 009868BD

Strings

Failed to set variant value., xrefs: 00986929
DllGetVersion, xrefs: 0098689E
Failed to get msi.dll version info., xrefs: 00986905
msi, xrefs: 009868A3
Failed to find DllGetVersion entry point in msi.dll., xrefs: 009868EB
variable.cpp, xrefs: 009868E1

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
API String ID: 4275029093-842451892
Opcode ID: 250847dd6129aacf45ba3f24e0a462112aaa98e4c57ee5f464e5bc08263bfd8b
Instruction ID: d050bcad4c324e9adc9dca5f467aeb7d24ac24998b4b939c1c136fc80ad0eea3
Opcode Fuzzy Hash: 250847dd6129aacf45ba3f24e0a462112aaa98e4c57ee5f464e5bc08263bfd8b
Instruction Fuzzy Hash: 2011B772E41639B6D720BBA89C42F6FBB549B44B50F010529FE05FB281D6759D0083E2

Uniqueness

Uniqueness Score: -1.00%

Function 0098D6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,009847FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0098548E,?), ref: 0098D6DA
GetLastError.KERNEL32(?,009847FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0098548E,?,?), ref: 0098D6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 0098D71F
GetLastError.KERNEL32(?,009847FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,0098548E,?,?), ref: 0098D72B

Strings

userexperience.cpp, xrefs: 0098D708, 0098D74C
Failed to load UX DLL., xrefs: 0098D712
BootstrapperApplicationCreate, xrefs: 0098D719
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 0098D756
Failed to create UX., xrefs: 0098D76F

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 08f555391b4bec7a490ccfd17f8af839f0e9bc889901b262e503a90e83933eb2
Instruction ID: 623fe1d24254df2cc58d2ff68e7a69258fd526ec9c0b9e901a715142e5358671
Opcode Fuzzy Hash: 08f555391b4bec7a490ccfd17f8af839f0e9bc889901b262e503a90e83933eb2
Instruction Fuzzy Hash: AD11EF77E82B36A7CB2166958C16F1B7B98AB04B21F01092DBE51EB3C0EA20DC0087D1

Uniqueness

Uniqueness Score: -1.00%

Function 00981175 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0098111A,cabinet.dll,00000009,?,?,00000000), ref: 00981186
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0098111A,cabinet.dll,00000009,?,?,00000000), ref: 00981191
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0098119F
GetLastError.KERNEL32(?,?,?,?,?,0098111A,cabinet.dll,00000009,?,?,00000000), ref: 009811BA
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009811C2
GetLastError.KERNEL32(?,?,?,?,?,0098111A,cabinet.dll,00000009,?,?,00000000), ref: 009811D7

Strings

SetDllDirectoryW, xrefs: 009811BC
kernel32, xrefs: 0098118C
SetDefaultDllDirectories, xrefs: 00981199

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: 95123f9da263d252fded60e7be8c2487479f9332c9aabf29e0709df7f4114dc5
Instruction ID: 4c0a78a06f1bf779cb9969bc984b7e834d469d098bd03249a58b7f05e730e4f8
Opcode Fuzzy Hash: 95123f9da263d252fded60e7be8c2487479f9332c9aabf29e0709df7f4114dc5
Instruction Fuzzy Hash: 0401B131A0821ABBD710BBA69C4AE6F7B5CFB807A1F004015FA5592200EB70DA42DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0099F639 Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0099F64E
LeaveCriticalSection.KERNEL32(?), ref: 0099F7C9

Strings

Failed to set download user., xrefs: 0099F751
UX denied while trying to set download URL on embedded payload: %ls, xrefs: 0099F6B9
UX requested unknown container with id: %ls, xrefs: 0099F6F3
UX did not provide container or payload id., xrefs: 0099F7B8
Engine is active, cannot change engine state., xrefs: 0099F668
UX requested unknown payload with id: %ls, xrefs: 0099F6A3
Failed to set download URL., xrefs: 0099F728
Failed to set download password., xrefs: 0099F777

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: 884a913cb779be1825dd23709c09f0ffc9edf80e111b9b6156936a23881eb001
Instruction ID: ad3543d99751169c59b63c88eda85942d8590aa4f0c147657c97194b5f31ff5b
Opcode Fuzzy Hash: 884a913cb779be1825dd23709c09f0ffc9edf80e111b9b6156936a23881eb001
Instruction Fuzzy Hash: 77411532900615ABCF219FA8C855F6AF3ACAF44720F158536F804E7390EB35ED50C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 009C5A5E Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 009C5A9B
GetLastError.KERNEL32 ref: 009C5AA9
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 009C5AEA
GetLastError.KERNEL32 ref: 009C5AF7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009C5C6A
CloseHandle.KERNEL32(?), ref: 009C5C79

Strings

dlutil.cpp, xrefs: 009C5ACD
GET, xrefs: 009C5B9E

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
String ID: GET$dlutil.cpp
API String ID: 2028584396-3303425918
Opcode ID: 4690fc4e8e7d25711d3e06883864f6c29099baa57854ce5295bb7fe0b825848c
Instruction ID: 748144cf1c506a3c26a383cffcc3c61e0b3f09b666be2a45f80e7adb43f8690a
Opcode Fuzzy Hash: 4690fc4e8e7d25711d3e06883864f6c29099baa57854ce5295bb7fe0b825848c
Instruction Fuzzy Hash: 2E615972E00619ABDB11CFA5CC85FEEBBB8AF48750F120119FD15A7250E734AD809B91

Uniqueness

Uniqueness Score: -1.00%

Function 00990C50 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00991020: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,00990C6F,?,00000000,?,00000000,00000000), ref: 0099104F

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 00990DF3
GetLastError.KERNEL32 ref: 00990E00

Strings

Failed to append cache action., xrefs: 00990D4A
plan.cpp, xrefs: 00990E24
Failed to create syncpoint event., xrefs: 00990E2E
Failed to append package start action., xrefs: 00990C95
Failed to append payload cache action., xrefs: 00990DAA
Failed to append rollback cache action., xrefs: 00990CCF

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
API String ID: 801187047-2489563283
Opcode ID: 3db4f3f22ffb971d6df65f0750adebbd33fe386ccbf0e607551a184d270cbf3d
Instruction ID: f125406043d62799fa77056fcf3e34a2ed2117cfe60fce429dbf589095332a7a
Opcode Fuzzy Hash: 3db4f3f22ffb971d6df65f0750adebbd33fe386ccbf0e607551a184d270cbf3d
Instruction Fuzzy Hash: 4F619E75900609EFCB05DF58C980A6ABBF9FFC8314F21845AE8599B311EB31EE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009C6EFF Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,74DEDFD0,000000FF,type,000000FF,?,74DEDFD0,74DEDFD0,74DEDFD0), ref: 009C6F55
SysFreeString.OLEAUT32(00000000), ref: 009C6FA0
SysFreeString.OLEAUT32(00000000), ref: 009C701C
SysFreeString.OLEAUT32(00000000), ref: 009C7068

Strings

type, xrefs: 009C6F47
url, xrefs: 009C6F68
`<u, xrefs: 009C6FA0, 009C701C, 009C7068

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$Free$Compare
String ID: `<u$type$url
API String ID: 1324494773-1686489133
Opcode ID: 39e1263b17280549cd5f6bba267e928f707424edd8408aa1eaf071fcdd73b9f5
Instruction ID: aec8789c7a464d9542438ff251a7e81dd0c80239767000833dc66f76f1d9818b
Opcode Fuzzy Hash: 39e1263b17280549cd5f6bba267e928f707424edd8408aa1eaf071fcdd73b9f5
Instruction Fuzzy Hash: 2A515A36D05219EFCB25DFA4C845FAEBBB8AF04311F2442ADE911EB1A1D7319E00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 009905A2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,009CB500,00000000,?), ref: 009906D3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,009CB500,00000000,?), ref: 009906E2

Part of subcall function 009C0BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,0099061A,?,00000000,00020006), ref: 009C0C0E

Strings

crypt32.dll, xrefs: 009905AC
%ls.RebootRequired, xrefs: 009905F0
Failed to delete registration key: %ls, xrefs: 00990681
Failed to write volatile reboot required registry key., xrefs: 0099061E
Failed to open registration key., xrefs: 0099071A
Failed to update resume mode., xrefs: 009906B7

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.$crypt32.dll
API String ID: 359002179-3398658923
Opcode ID: 180a6361213e3096497ffa39b3221d9a35b9e047eae73d611cafd11fe7da8384
Instruction ID: 71e912b973a9d2196419b239ac4455b469b9a9c55d7d878c8187fb3ef3bd7f06
Opcode Fuzzy Hash: 180a6361213e3096497ffa39b3221d9a35b9e047eae73d611cafd11fe7da8384
Instruction Fuzzy Hash: F7419E32800618FFDF22AEA4DC06FAF7BBAAFC4314F104519F565A2161D7719A60DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0098F451 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 109stringCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0098F48A

Part of subcall function 00984115: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,0099A0E8,00000000,00000000,?,00000000,009853BD,00000000,?,?,0098D5B5,?), ref: 00984123
Part of subcall function 00984115: GetLastError.KERNEL32(?,0099A0E8,00000000,00000000,?,00000000,009853BD,00000000,?,?,0098D5B5,?,00000000,00000000), ref: 00984131

lstrlenA.KERNEL32(009CB500,00000000,00000094,00000000,00000094,?,?,009904BF,swidtag,00000094,?,009CB518,009904BF,00000000,?,00000000), ref: 0098F4DD

Part of subcall function 009C4DB3: CreateFileW.KERNEL32(009CB500,40000000,00000001,00000000,00000002,00000080,00000000,009904BF,00000000,?,0098F4F4,?,00000080,009CB500,00000000), ref: 009C4DCB
Part of subcall function 009C4DB3: GetLastError.KERNEL32(?,0098F4F4,?,00000080,009CB500,00000000,?,009904BF,?,00000094,?,?,?,?,?,00000000), ref: 009C4DD8

Strings

Failed to allocate regid folder path., xrefs: 0098F53C
Failed to allocate regid file path., xrefs: 0098F535
swidtag, xrefs: 0098F49D
Failed to write tag xml to file: %ls, xrefs: 0098F51B
Failed to create regid folder: %ls, xrefs: 0098F525
Failed to format tag folder path., xrefs: 0098F543

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
API String ID: 904508749-1201533908
Opcode ID: 786747236589ab4e29ecb01fcbd98ad74e685e721a77209a0f5f844edb218e78
Instruction ID: 6ae4cadea777a707f7bf18ad063d3306c207086d4af88c810bc4ab7d59b6e417
Opcode Fuzzy Hash: 786747236589ab4e29ecb01fcbd98ad74e685e721a77209a0f5f844edb218e78
Instruction Fuzzy Hash: 7D318D32D40219FBCF11AFA4CC51BADBBB9EF48710F108166F910BA361D7719E509B90

Uniqueness

Uniqueness Score: -1.00%

Function 009953E2 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 91synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,0098548E,00000000,00000000,?,00000000), ref: 0099548B
GetLastError.KERNEL32(?,?,?,00984C61,?,?,00000000,?,?,?,?,?,?,009CB4A0,?,?), ref: 00995496

Strings

Failed to post terminate message to child process., xrefs: 00995476
Failed to write exit code to message buffer., xrefs: 00995406
Failed to wait for child process exit., xrefs: 009954C4
Failed to post terminate message to child process cache thread., xrefs: 0099545A
Failed to write restart to message buffer., xrefs: 0099542E
pipe.cpp, xrefs: 009954BA

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
API String ID: 1211598281-2161881128
Opcode ID: 5aef179fc46235c509b5d48e413dbcbdb85b6c21101aca036e4ce8de2279975c
Instruction ID: 93a1b608715d71048692074a5498d9716d5d3913a64cb255e0176b843aa724a7
Opcode Fuzzy Hash: 5aef179fc46235c509b5d48e413dbcbdb85b6c21101aca036e4ce8de2279975c
Instruction Fuzzy Hash: DB21D532941A29BBCF135B58DC06F9F776CAB40735F124212F910B62A0D734AE9097E0

Uniqueness

Uniqueness Score: -1.00%

Function 00999098 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,00999F04,00000003,000007D0,00000003,?,000007D0), ref: 009990B2
GetLastError.KERNEL32(?,00999F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 009990BF
CloseHandle.KERNEL32(00000000,?,00999F04,00000003,000007D0,00000003,?,000007D0,00000000,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 00999187

Strings

Failed to verify catalog signature of payload: %ls, xrefs: 0099914E
cache.cpp, xrefs: 009990F6
Failed to verify signature of payload: %ls, xrefs: 0099912F
Failed to verify hash of payload: %ls, xrefs: 00999172
Failed to open payload at path: %ls, xrefs: 00999103

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
API String ID: 2528220319-2757871984
Opcode ID: 8bb09af4711cfc7a31075d04687194e1ee9d7499efbee740be62eea77fe0a08f
Instruction ID: 987791398c4d495688ebf6f2f1f621dca119a44293611b4410af28c4e992f501
Opcode Fuzzy Hash: 8bb09af4711cfc7a31075d04687194e1ee9d7499efbee740be62eea77fe0a08f
Instruction Fuzzy Hash: 3221E732948637B7DF331A5D8C4EFAA7A1DBF847A4F10821AFD14662A093319C51EAD1

Uniqueness

Uniqueness Score: -1.00%

Function 00986B1E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00986B69
GetLastError.KERNEL32 ref: 00986B73
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00986BB7
GetLastError.KERNEL32 ref: 00986BC1

Strings

Failed to set variant value., xrefs: 00986C0B
Failed to get windows directory., xrefs: 00986BA1
Failed to get volume path name., xrefs: 00986BEF
variable.cpp, xrefs: 00986B97, 00986BE5

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
API String ID: 124030351-4026719079
Opcode ID: cc41c91a27303c2c82febf243cbe31996827724725bd581ccbeea0e2f4611dd6
Instruction ID: d75317862aac6278cb6bea09af454d1e44b6ce4f7ae429a9e03fa563759e75a9
Opcode Fuzzy Hash: cc41c91a27303c2c82febf243cbe31996827724725bd581ccbeea0e2f4611dd6
Instruction Fuzzy Hash: F2210873E4523867D720A6958D06F9B77AC9B81B24F010565BE44FF341EA34EE4087E6

Uniqueness

Uniqueness Score: -1.00%

Function 00989C6D Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00989C88
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,000002C0,?,0098A895,00000100,000002C0,000002C0,?,000002C0), ref: 00989CA0
GetLastError.KERNEL32(?,0098A895,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00989CAB

Strings

File search: %ls, did not find path: %ls, xrefs: 00989CFD
Failed to format variable string., xrefs: 00989C93
Failed get to file attributes. '%ls', xrefs: 00989CE8
Failed to set variable., xrefs: 00989D2B
search.cpp, xrefs: 00989CDB

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
API String ID: 1811509786-2053429945
Opcode ID: 4211bc6eca04a7181b64c698206cb93f638a9732b01852598b70bf799b56ea3f
Instruction ID: c68eaff8dfba0bb304af46b2784621f17b075bcc1a1faa95602b133718abc9ee
Opcode Fuzzy Hash: 4211bc6eca04a7181b64c698206cb93f638a9732b01852598b70bf799b56ea3f
Instruction Fuzzy Hash: D4216533D41124BAEB213A948C42FBEF66CEF51765F280229FD19763D0E7226D10A3D6

Uniqueness

Uniqueness Score: -1.00%

Function 0099AD40 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 0099AD57
GetLastError.KERNEL32 ref: 0099AD61
CoInitializeEx.OLE32(00000000,00000000), ref: 0099ADA0
CoUninitialize.OLE32(?,0099C721,?,?), ref: 0099ADDD

Strings

elevation.cpp, xrefs: 0099AD85
Failed to pump messages in child process., xrefs: 0099ADCB
Failed to initialize COM., xrefs: 0099ADAC
Failed to set elevated cache pipe into thread local storage for logging., xrefs: 0099AD8F

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
API String ID: 876858697-113251691
Opcode ID: c9d35902fee5a4a7af8e30e46673a760cf4c956855c38540076eb0fcdd9d6c6c
Instruction ID: 751b0701619ccecce1ddbc217b3947837bec920c493a81ea1000144eedcb0bc6
Opcode Fuzzy Hash: c9d35902fee5a4a7af8e30e46673a760cf4c956855c38540076eb0fcdd9d6c6c
Instruction Fuzzy Hash: 65113672D46635BB8F211789CC0AE9FBA6CEF84B62B114116FC00B7690EB309D0096D2

Uniqueness

Uniqueness Score: -1.00%

Function 00985CE2 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00985D68

Part of subcall function 009C10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 009C112B
Part of subcall function 009C10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 009C1163

Strings

CommonFilesDir, xrefs: 00985CF0, 00985D24, 00985D33
ProgramFilesDir, xrefs: 00985CF7
+, xrefs: 00985CEA
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00985D05
Failed to ensure path was backslash terminated., xrefs: 00985D52
Failed to open Windows folder key., xrefs: 00985D1A
Failed to read folder path for '%ls'., xrefs: 00985D34

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: QueryValue$Close
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 1979452859-3209209246
Opcode ID: 482f4ecdbac77f4352d906640176b5211e6e0fe6958c231d14b67025858cc8fb
Instruction ID: 43c0d5636778885afc3c880c164cef60b6a2a422fe2b9a6f82a499178d06ef50
Opcode Fuzzy Hash: 482f4ecdbac77f4352d906640176b5211e6e0fe6958c231d14b67025858cc8fb
Instruction Fuzzy Hash: 2801F532D45628F7CB2266549C0AF9EB7A8CB81720F16426DFC00BB3A1D7718E04D7D2

Uniqueness

Uniqueness Score: -1.00%

Function 009AA271 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000000), ref: 009AA33E
GetLastError.KERNEL32 ref: 009AA348

Strings

download, xrefs: 009AA308
Failed attempt to download URL: '%ls' to: '%ls', xrefs: 009AA425
Failed to clear readonly bit on payload destination path: %ls, xrefs: 009AA377
apply.cpp, xrefs: 009AA36C
:, xrefs: 009AA3C1

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
API String ID: 1799206407-1905830404
Opcode ID: f76888a5fa70b02c592ef0514116caaa3afcd3f03b16c8f4a2757a662b3db8ad
Instruction ID: eb22279f28a18f17f3be9208624ef9f54842e84590909133a8dfb4e8bb57b23a
Opcode Fuzzy Hash: f76888a5fa70b02c592ef0514116caaa3afcd3f03b16c8f4a2757a662b3db8ad
Instruction Fuzzy Hash: F3519D71E00219ABDF21DFA9C841BAEB7B8FF59710F10805AE915EB250E775DA40CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 009C84C7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,009A9063,000002C0,00000100), ref: 009C84F5
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,009A9063,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 009C8510

Strings

type, xrefs: 009C8537
http://appsyndication.org/2006/appsyn, xrefs: 009C84E8
apuputil.cpp, xrefs: 009C85AB
application, xrefs: 009C8502

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 2664528157-4206478990
Opcode ID: 9b463691a605a1d5c21e420debae219ef3baf1d8cbb1f2b163c45c6e1f906927
Instruction ID: 686266151e4d3e83c7050219d626d4742ca3c9a473ac1096bc5cc1942cbdef3c
Opcode Fuzzy Hash: 9b463691a605a1d5c21e420debae219ef3baf1d8cbb1f2b163c45c6e1f906927
Instruction Fuzzy Hash: 4551D171E44301BFDB219F15CD82F1B7BA9AB44760F20865CFA65AB2D1DBB0ED408B52

Uniqueness

Uniqueness Score: -1.00%

Function 009C64B7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 009C6513
DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 009C660A
CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 009C6619

Strings

WiX\Burn, xrefs: 009C6551
DownloadTimeout, xrefs: 009C654C
Burn, xrefs: 009C6502
dlutil.cpp, xrefs: 009C6537

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseDeleteErrorFileHandleLast
String ID: Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
API String ID: 3522763407-1704223933
Opcode ID: 1e53fca59750264517f3fe42cc518e099cfb98e217809f37ab219c41ec5b6a36
Instruction ID: eba277e42c43ea1d28938ca82b97299e51bbee82dc9fa0ea0fa33bbb2a399864
Opcode Fuzzy Hash: 1e53fca59750264517f3fe42cc518e099cfb98e217809f37ab219c41ec5b6a36
Instruction Fuzzy Hash: 58514672D00219BBCF12DFA4CD45FAEBBBDEB48710F014169FA14E6190E7319A119BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00989EC7 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 147COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00989EED
_MREFOpen@16.MSPDB140-MSVCRT ref: 00989F12

Strings

Failed to format product code string., xrefs: 00989F1D
Failed to get component path: %d, xrefs: 00989F76
Failed to set variable., xrefs: 00989FF6
Failed to format component id string., xrefs: 00989EF8
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 0098A006

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: ed5b68a0ca08c5fbaf41ed863c7fcfd0b5094ea255e85b9552f4b40c6e228473
Instruction ID: 134de9f804fc41c3a574499e02ce529d1a33df40bb61205f03120abf432e72ae
Opcode Fuzzy Hash: ed5b68a0ca08c5fbaf41ed863c7fcfd0b5094ea255e85b9552f4b40c6e228473
Instruction Fuzzy Hash: C841D532900115BACF39BAA88C46FBEB76CEF85310F2C4616F615E6391D7319E50D792

Uniqueness

Uniqueness Score: -1.00%

Function 0098F812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0098F942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 0098F94F

Strings

%ls.RebootRequired, xrefs: 0098F82F
Failed to format pending restart registry key to read., xrefs: 0098F846
Resume, xrefs: 0098F8B6
Failed to read Resume value., xrefs: 0098F8D8
Failed to open registration key., xrefs: 0098F8AB

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 03d0465779e5cc49294945bc143cf0251388216114fca6f1fdec2145b403e539
Instruction ID: 30bad2494c2eaf24f62885251f547f761e620a7a42e46911d8ebce69b9220aae
Opcode Fuzzy Hash: 03d0465779e5cc49294945bc143cf0251388216114fca6f1fdec2145b403e539
Instruction Fuzzy Hash: 31415C72940119FFCF11AF98C891BADBBB8FB44310F55917AE811AB310C376AE51DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0099AA00 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to trim source folder., xrefs: 0099AA95
WixBundleLastUsedSource, xrefs: 0099AA9F, 0099AAA5, 0099AAE1
Failed to determine length of relative path., xrefs: 0099AA4D
Failed to set last source., xrefs: 0099AAF0
Failed to determine length of source path., xrefs: 0099AA30

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 0-660234312
Opcode ID: 16e2fe1fcc2a7c18df7142874f5d4ded623fff8a5fc82a86bf7db998afac53f3
Instruction ID: de108d380c28bece668404ac43583b8e8b269fc395453707a4ae43f6c1fe56f4
Opcode Fuzzy Hash: 16e2fe1fcc2a7c18df7142874f5d4ded623fff8a5fc82a86bf7db998afac53f3
Instruction Fuzzy Hash: 3731C632D45129BBCF229A98CD45F9EBB7AEB44720F214256F820B72D0DB719E40D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 009AD8B0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 106comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(009E0C4C,00000000,00000017,009E0C5C,?,?,00000000,00000000,?,?,?,?,?,009ADEE7,00000000,00000000), ref: 009AD8E8

Strings

Failed to create BITS job., xrefs: 009AD922
Failed to set BITS job to foreground., xrefs: 009AD969
WixBurn, xrefs: 009AD913
Failed to create IBackgroundCopyManager., xrefs: 009AD8F4
Failed to set notification flags for BITS job., xrefs: 009AD93A
Failed to set progress timeout., xrefs: 009AD952

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-468763447
Opcode ID: e72a83d3338d8c267bd17a0c3404d3e3043778a365e72a65361b3f9172cbdd0e
Instruction ID: 5e8b773a1e93410e8a62823ac29d25fa298c09051bdac35aab936ba64143ba9b
Opcode Fuzzy Hash: e72a83d3338d8c267bd17a0c3404d3e3043778a365e72a65361b3f9172cbdd0e
Instruction Fuzzy Hash: 7131A331F42359AF9B15DFA9C845E6FBBB4AFC9710B100259E902EB350CA74EC458BD1

Uniqueness

Uniqueness Score: -1.00%

Function 009C5DAE Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 009C5DF8
GetLastError.KERNEL32 ref: 009C5E05
ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 009C5E4C
GetLastError.KERNEL32 ref: 009C5E80
CloseHandle.KERNEL32(00000000,dlutil.cpp,000000C8,00000000), ref: 009C5EB4

Strings

dlutil.cpp, xrefs: 009C5E29, 009C5EA4
%ls.R, xrefs: 009C5DCC

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: %ls.R$dlutil.cpp
API String ID: 3160720760-657863730
Opcode ID: f3f3df7b27528570944c66319eb9bca426039019a31abbf1f22bcd0146bc2f7e
Instruction ID: 9f5e23ec6c3e623508a75b2f7266f383690cad35d70f3ea6e82140619577f175
Opcode Fuzzy Hash: f3f3df7b27528570944c66319eb9bca426039019a31abbf1f22bcd0146bc2f7e
Instruction Fuzzy Hash: 1431E472D41624BBD7208B55CC45FAE7BA8EB44761F124219FE01EB2C0D770AE4097A6

Uniqueness

Uniqueness Score: -1.00%

Function 0098C8E6 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0098CD5E: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,0098E444,000000FF,00000000,00000000,0098E444,?,?,0098DBEB,?,?,?,?), ref: 0098CD89

CreateFileW.KERNEL32(E9009CBA,80000000,00000005,00000000,00000003,08000000,00000000,009853C5,?,00000000,840F01E8,14680A79,00000001,009853BD,00000000,00985489), ref: 0098C956
GetLastError.KERNEL32(?,?,?,00997809,0098566D,00985479,00985479,00000000,?,00985489,FFF9E89D,00985489,009854BD,00985445,?,00985445), ref: 0098C99B

Strings

Failed to verify catalog signature: %ls, xrefs: 0098C994
catalog.cpp, xrefs: 0098C9BC
Failed to find payload for catalog file., xrefs: 0098C9E0
Failed to open catalog in working path: %ls, xrefs: 0098C9C9
Failed to get catalog local file path, xrefs: 0098C9D9

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareCreateErrorFileLastString
String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
API String ID: 1774366664-48089280
Opcode ID: 28f3700d2fe76c4bcf078702002f7e0d690755fa0f470d9f2be35369830ee88d
Instruction ID: 1c9af87bad03e9c896bb116e8109eb9c0df4f68c4fa1769d4e9de7ecebced942
Opcode Fuzzy Hash: 28f3700d2fe76c4bcf078702002f7e0d690755fa0f470d9f2be35369830ee88d
Instruction Fuzzy Hash: 4B31E7B2D00625BBCB21AB54CC02F59BBA4EF04720F2145A9F904EB340E772ED109BE1

Uniqueness

Uniqueness Score: -1.00%

Function 009AD33E Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,?,009AD642,?), ref: 009AD357
ReleaseMutex.KERNEL32(?,?,?,?,009AD642,?), ref: 009AD375
WaitForSingleObject.KERNEL32(?,000000FF), ref: 009AD3B6
ReleaseMutex.KERNEL32(?), ref: 009AD3CD
SetEvent.KERNEL32(?), ref: 009AD3D6

Strings

Failed to get message from netfx chainer., xrefs: 009AD3F7
Failed to send files in use message from netfx chainer., xrefs: 009AD41C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: 8a0dba0d8ea6668166b67b9fbf3821e95a10a67c6dc75dc20a627ce9e7135773
Instruction ID: 19746e8bd88192777cc972a28bbb88ced1c07afe1182e2487bc6c316f2b592d8
Opcode Fuzzy Hash: 8a0dba0d8ea6668166b67b9fbf3821e95a10a67c6dc75dc20a627ce9e7135773
Instruction Fuzzy Hash: 30312B31904609BFCB129F94DC09FAEBBF8EF89320F108255F965E32A0C7709940DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009C093B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 009C09AB
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 009C09B5
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 009C09FE
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 009C0A0B

Strings

"%ls" %ls, xrefs: 009C0974
procutil.cpp, xrefs: 009C09D9
D, xrefs: 009C0993

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$D$procutil.cpp
API String ID: 161867955-2732225242
Opcode ID: a4458f1ebdd2ea6d27ac5dfe7245e696ac45cd2c754d89d46d1313be964b4900
Instruction ID: 0f19b7ec01c9c57e4dc48be33238456481533e2adb14467de3a49eff80418c83
Opcode Fuzzy Hash: a4458f1ebdd2ea6d27ac5dfe7245e696ac45cd2c754d89d46d1313be964b4900
Instruction Fuzzy Hash: 7D214A72D0025EEBDB11DFE9C941FAEBBBCAF44754F100429EA00B7211D3709E009AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00989B9A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00989BB3
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,0098A8AB,00000100,000002C0,000002C0,00000100), ref: 00989BD3
GetLastError.KERNEL32(?,0098A8AB,00000100,000002C0,000002C0,00000100), ref: 00989BDE

Strings

Failed to set directory search path variable., xrefs: 00989C0F
Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00989C4A
Failed to format variable string., xrefs: 00989BBE
Failed while searching directory search: %ls, for path: %ls, xrefs: 00989C34

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: b78d489890d2101e450d36ae5d032f36762a65931dc1949496e48a0d822acf0d
Instruction ID: f8d0294ba389c6a974ed608037e2756e3cbfc5628089fe18e69f45272d2d8f60
Opcode Fuzzy Hash: b78d489890d2101e450d36ae5d032f36762a65931dc1949496e48a0d822acf0d
Instruction Fuzzy Hash: A621F633D40025F7CB227A988D02F6DBF6CAF80360F240215FD5577251D7265E50A7DA

Uniqueness

Uniqueness Score: -1.00%

Function 00989D4B Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00989D64
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,0098A883,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00989D84
GetLastError.KERNEL32(?,0098A883,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00989D8F

Strings

Failed while searching file search: %ls, for path: %ls, xrefs: 00989DBD
File search: %ls, did not find path: %ls, xrefs: 00989DF3
Failed to format variable string., xrefs: 00989D6F
Failed to set variable to file search path., xrefs: 00989DE7

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: 22aa84ed4e78a423423c7fa6d9621348d0d7be1948164e392f51c85fbd970a3d
Instruction ID: 1f7588a1234adcde3048a2fea530656fe64024915ca45055781b579c325e7763
Opcode Fuzzy Hash: 22aa84ed4e78a423423c7fa6d9621348d0d7be1948164e392f51c85fbd970a3d
Instruction Fuzzy Hash: 7A11D233D40125F7DF227698CD02FADBA69AF40724F250205F910B62A2E7269E10A7D6

Uniqueness

Uniqueness Score: -1.00%

Function 0099CF25 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 55synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,0099D365,00000000,?,?,0099C7C9,00000001,?,?,?,?,?), ref: 0099CF37
GetLastError.KERNEL32(?,?,0099D365,00000000,?,?,0099C7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0099CF41
GetExitCodeThread.KERNEL32(00000001,?,?,?,0099D365,00000000,?,?,0099C7C9,00000001,?,?,?,?,?,00000000), ref: 0099CF7D
GetLastError.KERNEL32(?,?,0099D365,00000000,?,?,0099C7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0099CF87

Strings

Failed to wait for cache thread to terminate., xrefs: 0099CF6F
elevation.cpp, xrefs: 0099CF65, 0099CFAB
Failed to get cache thread exit code., xrefs: 0099CFB5

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
API String ID: 3686190907-1954264426
Opcode ID: 1276952e6c3ec524a0013fc669cf4a46013856420acdad7100c0f4519fcc78f8
Instruction ID: b4c02329eda6de12e59089d38253ab1d58c3a6b1ae912558d09269f6bab7753d
Opcode Fuzzy Hash: 1276952e6c3ec524a0013fc669cf4a46013856420acdad7100c0f4519fcc78f8
Instruction Fuzzy Hash: 9F0149B3E85635638B3057C98C06E5FBA4CDF04B71F014166BE04BB280E754CD0092E4

Uniqueness

Uniqueness Score: -1.00%

Function 009969AE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00996EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 009969BB
GetLastError.KERNEL32(?,00996EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 009969C5
GetExitCodeThread.KERNEL32(00000001,00000000,?,00996EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 00996A04
GetLastError.KERNEL32(?,00996EED,crypt32.dll,?,00000000,?,00000000,00000001), ref: 00996A0E

Strings

Failed to wait for cache thread to terminate., xrefs: 009969F6
core.cpp, xrefs: 009969EC, 00996A35
Failed to get cache thread exit code., xrefs: 00996A3F

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
API String ID: 3686190907-2546940223
Opcode ID: 9eb6af5b4c8dbe4f977473033b6a1244ab59b14ef6478f7d62cca221fb64715c
Instruction ID: 6a008b1a9a87815f005ad137aff77b27d103a21ff7880187a316773f94442ece
Opcode Fuzzy Hash: 9eb6af5b4c8dbe4f977473033b6a1244ab59b14ef6478f7d62cca221fb64715c
Instruction Fuzzy Hash: 99118C70785206FBDF10DFA9DE02F6E76ACEB44751F108165B914EA260DB35CE00A754

Uniqueness

Uniqueness Score: -1.00%

Function 0099F7D9 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0099F7EE
LeaveCriticalSection.KERNEL32(?), ref: 0099F8FB

Strings

Failed to set source path for container., xrefs: 0099F8E0
UX denied while trying to set source on embedded payload: %ls, xrefs: 0099F870
Failed to set source path for payload., xrefs: 0099F88A
UX requested unknown container with id: %ls, xrefs: 0099F8BA
Engine is active, cannot change engine state., xrefs: 0099F808
UX requested unknown payload with id: %ls, xrefs: 0099F85A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-4121889706
Opcode ID: 0c3b4da93680909259b6376292d351591fbeda5ed32e6f91e038dbcfdc52bc0e
Instruction ID: 13258b9ff027fd5d8b570d90b7d7dfcf7a8d593b0ed77630e1c568f8f902251f
Opcode Fuzzy Hash: 0c3b4da93680909259b6376292d351591fbeda5ed32e6f91e038dbcfdc52bc0e
Instruction Fuzzy Hash: DB313932E44215AF8F51AB5ECC56E6AF3ACAF94720B258077F801E7340DB74ED008791

Uniqueness

Uniqueness Score: -1.00%

Function 009871FD Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 99stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 00987210

Strings

Failed to append escape sequence., xrefs: 009872A3
Failed to copy string., xrefs: 009872C4
Failed to append characters., xrefs: 0098729C
Failed to format escape sequence., xrefs: 009872AA
[]{}, xrefs: 0098723A
[\%c], xrefs: 0098726F
Failed to allocate buffer for escaped string., xrefs: 00987227

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: 99c503634a9f13d14baccee0f919822f3a47c2897f5ab8b945d1c9a0ff064b6f
Instruction ID: 8214d34cf531eac47ec28c95e5da1ab6631c7f8a3b5049e76cedf54a62ad3d93
Opcode Fuzzy Hash: 99c503634a9f13d14baccee0f919822f3a47c2897f5ab8b945d1c9a0ff064b6f
Instruction Fuzzy Hash: 4621C172D08219BADB21B7D08C42FAEBBAD9B94724F300059F910B6251DA74EE419391

Uniqueness

Uniqueness Score: -1.00%

Function 009A5BDC Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 207COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,009CB500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,009A67DE,?,00000001,?,009CB4A0), ref: 009A5C45

Strings

Failed grow array of ordered patches., xrefs: 009A5CDE
feclient.dll, xrefs: 009A5C3B, 009A5D65
Failed to copy target product code., xrefs: 009A5D78
Failed to insert execute action., xrefs: 009A5C9A
Failed to plan action for target product., xrefs: 009A5CF0

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
API String ID: 1825529933-3477540455
Opcode ID: d5e3d91c411f57d0decacbb544ac71e0168b44ca9609f7f532e7c11ca7bc4e2d
Instruction ID: 3a0e6f9e99289f94c3eba3fccf5203aaafd0f34f83ec6e26f194b0024725bff0
Opcode Fuzzy Hash: d5e3d91c411f57d0decacbb544ac71e0168b44ca9609f7f532e7c11ca7bc4e2d
Instruction Fuzzy Hash: D98122B560474ADFCB14CF58C880AAA77B9BF49324B12896AFC599B356D730E811CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009BCAED Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,009BD262,00000000,00000000,00000000,00000000,00000000,009B2F1D), ref: 009BCB2F
__fassign.LIBCMT ref: 009BCBAA
__fassign.LIBCMT ref: 009BCBC5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 009BCBEB
WriteFile.KERNEL32(?,00000000,00000000,009BD262,00000000,?,?,?,?,?,?,?,?,?,009BD262,00000000), ref: 009BCC0A
WriteFile.KERNEL32(?,00000000,00000001,009BD262,00000000,?,?,?,?,?,?,?,?,?,009BD262,00000000), ref: 009BCC43

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4956288ef4122d31ac7f715298d8cc7850fa7fbac6c5ddda1d8075821674d7e2
Instruction ID: 921b7c57a44ce739487b2da1339e5be2bc0367ebffb2380bf5fd1f8181251823
Opcode Fuzzy Hash: 4956288ef4122d31ac7f715298d8cc7850fa7fbac6c5ddda1d8075821674d7e2
Instruction Fuzzy Hash: 6551B3B1E042499FDB10CFA8DD85AEEBBF8EF19320F14451AE955F7251E730A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009A9279 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,00997113,000000B8,0000001C,00000100), ref: 009A92A4
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,009CB4B8,000000FF,?,?,?,00997113,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 009A932E

Strings

detect.cpp, xrefs: 009A938E
comres.dll, xrefs: 009A93B0
BA aborted detect forward compatible bundle., xrefs: 009A9398
Failed to initialize update bundle., xrefs: 009A93D1

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
API String ID: 1825529933-439563586
Opcode ID: 07fae74d9a1c1eced42041a2cedc6ac35324d102c2fc440079ace53d70113677
Instruction ID: f1b8b7b3ea9163fbe0ef291fa340ec30a646925d3245d1deca46f1deb9b385c3
Opcode Fuzzy Hash: 07fae74d9a1c1eced42041a2cedc6ac35324d102c2fc440079ace53d70113677
Instruction Fuzzy Hash: 0F519E71600215BFDF159F64CC81FAABBBAFF06310F144269F9249A2A5C771E860DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0099AB9E Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00985479,000000FF,00AAC56B,E9009CBA,009853BD,00000000,?,E9009CBA,00000000), ref: 0099AC94
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00985479,000000FF,00AAC56B,E9009CBA,009853BD,00000000,?,E9009CBA,00000000), ref: 0099ACD8

Strings

Failed to verify expected payload against actual certificate chain., xrefs: 0099AD1E
Failed authenticode verification of payload: %ls, xrefs: 0099AC75
cache.cpp, xrefs: 0099AC6A, 0099ACB8, 0099ACFC
Failed to get signer chain from authenticode certificate., xrefs: 0099AD06
Failed to get provider state from authenticode certificate., xrefs: 0099ACC2

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast
String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$cache.cpp
API String ID: 1452528299-2590768268
Opcode ID: e26c82ed90f9aee0c709663bcd6a79b02fe3a950ebcb29d5cabc4ce92e96ca7c
Instruction ID: 8b60d3a13cd8f6738195707276fd4d5128abbcede02be4694adbf6a267b066e3
Opcode Fuzzy Hash: e26c82ed90f9aee0c709663bcd6a79b02fe3a950ebcb29d5cabc4ce92e96ca7c
Instruction Fuzzy Hash: D541A672D41229ABDB11DB98CD45BDEBBB8EF44720F114529FD40BB280E7709D008BE1

Uniqueness

Uniqueness Score: -1.00%

Function 009C02F8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 009C033C
GetComputerNameW.KERNEL32(?,?), ref: 009C0394

Strings

=== Logging started: %ls ===, xrefs: 009C03BF
--- logging level: %hs ---, xrefs: 009C0454
Computer : %ls, xrefs: 009C0402
Executable: %ls v%d.%d.%d.%d, xrefs: 009C03F0

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Name$ComputerFileModule
String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
API String ID: 2577110986-3153207428
Opcode ID: 7b0336f41f1113af565c18a43abba1afa5da924de8adc02039d94f389d009731
Instruction ID: f4daa0e50fc58eae7512cc19ab3c6a63d0a21c9128429be7e495a89a650ace63
Opcode Fuzzy Hash: 7b0336f41f1113af565c18a43abba1afa5da924de8adc02039d94f389d009731
Instruction Fuzzy Hash: 864174B2D0411CEBCB14DB64DD85FAA77BCEBC4304F0041AAF609A7152E631AE849F66

Uniqueness

Uniqueness Score: -1.00%

Function 0099D437 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,009CB500,?,00000001,000000FF,?,?,75C0B390,00000000,00000001,00000000,?,009974E6), ref: 0099D560

Strings

Failed to create pipe and cache pipe., xrefs: 0099D4BD
elevation.cpp, xrefs: 0099D46B
Failed to elevate., xrefs: 0099D542
Failed to create pipe name and client token., xrefs: 0099D4A1
UX aborted elevation requirement., xrefs: 0099D475
Failed to connect to elevated child process., xrefs: 0099D549

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
API String ID: 2962429428-3003415917
Opcode ID: 506200126e56b8f7fd8c02c949ea120e635040914d656a9afefb532197a40d35
Instruction ID: 18532cb5e4c82079f74a233354c8608421b22e4f041a030cf52383569618f40c
Opcode Fuzzy Hash: 506200126e56b8f7fd8c02c949ea120e635040914d656a9afefb532197a40d35
Instruction Fuzzy Hash: D1313072646625BBEF15A66CCC83FBAB35C9F40734F114516F904B72D1DB61AD0083D6

Uniqueness

Uniqueness Score: -1.00%

Function 0099D24B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 118threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0099AD40,?,00000000,00000000), ref: 0099D2E9
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0099D2F5

Part of subcall function 0099CF25: WaitForSingleObject.KERNEL32(00000001,000493E0,00000000,?,?,0099D365,00000000,?,?,0099C7C9,00000001,?,?,?,?,?), ref: 0099CF37
Part of subcall function 0099CF25: GetLastError.KERNEL32(?,?,0099D365,00000000,?,?,0099C7C9,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0099CF41

CloseHandle.KERNEL32(00000000,00000000,?,?,0099C7C9,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 0099D376

Strings

Failed to create elevated cache thread., xrefs: 0099D323
elevation.cpp, xrefs: 0099D319
Failed to pump messages in child process., xrefs: 0099D34D

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
API String ID: 3606931770-4134175193
Opcode ID: 1c12381794e97aa74a0c108b9a97804db496da5eedac375799afee92668db0dc
Instruction ID: ce0b92b98ae6ebff3940eb6f1135a1e6849ea484f981e50c1359c9b70919ced9
Opcode Fuzzy Hash: 1c12381794e97aa74a0c108b9a97804db496da5eedac375799afee92668db0dc
Instruction Fuzzy Hash: 944106B6D01219AF8F00DFA9D885ADEBBF8EF48314F10412AF918A7340E73099008B95

Uniqueness

Uniqueness Score: -1.00%

Function 009C159E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 117stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 009C15DA
lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 009C163C
lstrlenW.KERNEL32(?), ref: 009C1648
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 009C168B

Strings

regutil.cpp, xrefs: 009C16B3
BundleUpgradeCode, xrefs: 009C15A7

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: lstrlen$Value
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 198323757-1648651458
Opcode ID: e9d1ea4be60491d7d472f0098b88c4fe004b4efda1882001989ae34d3ac14f04
Instruction ID: 2e180ccd029a0f7268b53e6bde696975c87b5ff6a6544eccbe35a2aa8e8127cc
Opcode Fuzzy Hash: e9d1ea4be60491d7d472f0098b88c4fe004b4efda1882001989ae34d3ac14f04
Instruction Fuzzy Hash: EF419172D00629ABCB11DF98CD81FAEBBB8BB45750F050159FD10AB211C730ED119BA5

Uniqueness

Uniqueness Score: -1.00%

Function 009C0523 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(009EB5FC,00000000,?,?,?,00994207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009854FA,?), ref: 009C0533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,009EB5F4,?,00994207,00000000,Setup), ref: 009C05D7
GetLastError.KERNEL32(?,00994207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009854FA,?,?,?), ref: 009C05E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00994207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009854FA,?), ref: 009C0621

Part of subcall function 00982DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00982F09

LeaveCriticalSection.KERNEL32(009EB5FC,?,?,009EB5F4,?,00994207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,009854FA,?), ref: 009C067A

Strings

logutil.cpp, xrefs: 009C0606

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp
API String ID: 4111229724-3545173039
Opcode ID: ccfcd6fa6bf4b06b65e09054885bf89f73aa17f69415f9757c5b8720eb1aa082
Instruction ID: 40667ac36144db677b834341142c34a9e9c5e00fdcd759ae7ceb5d2000586905
Opcode Fuzzy Hash: ccfcd6fa6bf4b06b65e09054885bf89f73aa17f69415f9757c5b8720eb1aa082
Instruction Fuzzy Hash: 6D31A631D04269FFDB219F65DE86F6E766CEBC0754F010229FA00AB160DB71DD60ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 009A398D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 009A39F4

Strings

Failed to escape string., xrefs: 009A3A76
Failed to format property string part., xrefs: 009A3A6F
Failed to append property string part., xrefs: 009A3A68
%s%="%s", xrefs: 009A3A27
Failed to format property value., xrefs: 009A3A7D

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
API String ID: 3613110473-515423128
Opcode ID: e117bf388529855d82e9efa28124bae06910d93dcc3aba63bc8bb97249396332
Instruction ID: 3779f70620a4ed8b51ee10f6271ea964e2a8b56bfb74b8992175823c92854078
Opcode Fuzzy Hash: e117bf388529855d82e9efa28124bae06910d93dcc3aba63bc8bb97249396332
Instruction Fuzzy Hash: C631AD72D0522AFFDB15AF98CC42AAEB768EF41714F10826AF811A6250D7719F10DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 009C41E5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,009C432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0099A063,00000001), ref: 009C4203
GetLastError.KERNEL32(00000002,?,009C432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0099A063,00000001,000007D0,00000001,00000001,00000003), ref: 009C4212
MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,009C432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0099A063,00000001), ref: 009C42A6
GetLastError.KERNEL32(?,009C432E,00000003,00000001,00000001,000007D0,00000003,00000000,?,0099A063,00000001,000007D0,00000001), ref: 009C42B0

Part of subcall function 009C4440: FindFirstFileW.KERNEL32(009A923A,?,00000100,00000000,00000000), ref: 009C447B
Part of subcall function 009C4440: FindClose.KERNEL32(00000000), ref: 009C4487

Strings

fileutil.cpp, xrefs: 009C42CF
\, xrefs: 009C4265

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: File$ErrorFindLastMove$CloseFirst
String ID: \$fileutil.cpp
API String ID: 3479031965-1689471480
Opcode ID: d3ec7b13f12836f0ca427a3e9928e19905d5c824f5ba708898c52fe153906eee
Instruction ID: f5e267b63b3201b6f457eceb17121bcce0aa4ceae47eb93c2ae42ca80d5d08d4
Opcode Fuzzy Hash: d3ec7b13f12836f0ca427a3e9928e19905d5c824f5ba708898c52fe153906eee
Instruction Fuzzy Hash: D131CE36F05236ABEB215E99CC22F6E7A6DBFA17A1F15402DFC249B210D3708C4097D2

Uniqueness

Uniqueness Score: -1.00%

Function 0098732C Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00985932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 0098733E
LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,00985932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 0098741D

Strings

Failed to get variable: %ls, xrefs: 0098737F
Failed to format value '%ls' of variable: %ls, xrefs: 009873E7
Failed to get unformatted string., xrefs: 009873AE
Failed to get value as string for variable: %ls, xrefs: 0098740C
*****, xrefs: 009873D9, 009873E6

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 581db1d46d9d58003d1d3286cba05b8c473691902300cf59349df7f290b6d9f8
Instruction ID: d851ddb51f4e6057083ae7d0834bde81beec82a25dd0b74b43c3ecfd03f27b72
Opcode Fuzzy Hash: 581db1d46d9d58003d1d3286cba05b8c473691902300cf59349df7f290b6d9f8
Instruction Fuzzy Hash: 81318F32D0851AFBCF217E90CC05F9EBA69EF54321F20452AFC1466260D775EA50ABD6

Uniqueness

Uniqueness Score: -1.00%

Function 00998DEC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 00998E37
GetLastError.KERNEL32 ref: 00998E41
SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 00998EA1

Strings

cache.cpp, xrefs: 00998E65
Failed to allocate administrator SID., xrefs: 00998E1D
Failed to initialize ACL., xrefs: 00998E6F

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
API String ID: 669721577-1117388985
Opcode ID: 7aaa80f99880da6d6691900756d16530ca3be13fc78cc25df378d799195d3bec
Instruction ID: dcca91decd4dbf36709865b40a902537b2694e6bd4dda6f783cdc0ad53b91baf
Opcode Fuzzy Hash: 7aaa80f99880da6d6691900756d16530ca3be13fc78cc25df378d799195d3bec
Instruction Fuzzy Hash: 5D21DB33E44218B7DF21AAD95C46F9FB76DAB45B10F51412DF904F7280DA709D009790

Uniqueness

Uniqueness Score: -1.00%

Function 00984212 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,00994028,00000001,feclient.dll,?,00000000,?,?,?,00984B12), ref: 0098424D
GetLastError.KERNEL32(?,?,00994028,00000001,feclient.dll,?,00000000,?,?,?,00984B12,?,?,009CB488,?,00000001), ref: 00984259
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,00994028,00000001,feclient.dll,?,00000000,?,?,?,00984B12,?), ref: 00984294
GetLastError.KERNEL32(?,?,00994028,00000001,feclient.dll,?,00000000,?,?,?,00984B12,?,?,009CB488,?,00000001), ref: 0098429E

Strings

crypt32.dll, xrefs: 00984216
dirutil.cpp, xrefs: 009842C2

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: crypt32.dll$dirutil.cpp
API String ID: 152501406-1104880720
Opcode ID: fe5d8cb0d3e59b0b12f2cec553d81fccaeae5cc8960e2a844e0305ddaade9cec
Instruction ID: 2ce75775b2a8e75cb021ff876b0e87b4c1f5f21919ced08be6c52ecd4082c88e
Opcode Fuzzy Hash: fe5d8cb0d3e59b0b12f2cec553d81fccaeae5cc8960e2a844e0305ddaade9cec
Instruction Fuzzy Hash: 4111DA77E49637AB9721BBDA4C45B5BBA5CEF15760B150125FE10E7300E720DC0097E0

Uniqueness

Uniqueness Score: -1.00%

Function 009A0B8E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 009A0BDE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 009A0BFD
GetLastError.KERNEL32 ref: 009A0C07

Strings

Unexpected call to CabWrite()., xrefs: 009A0BC1
cabextract.cpp, xrefs: 009A0C2B
Failed to write during cabinet extraction., xrefs: 009A0C35

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
API String ID: 1970631241-3111339858
Opcode ID: 4272f518496330647a70c4e5630a823f888ecc0a6433a23b219e1b62b2b4e882
Instruction ID: 48c7afd11a15e37dd844e43d576631a6b9c908c17611ed78d478e8f220d1bbe1
Opcode Fuzzy Hash: 4272f518496330647a70c4e5630a823f888ecc0a6433a23b219e1b62b2b4e882
Instruction Fuzzy Hash: B721DE7A944204ABCB10DF58C985E5A37B9EFC9724B214159FA04C7341E632E9109BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00989AE0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00989AFB
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,00000000,?,0098A8B4,00000100,000002C0,000002C0,00000100), ref: 00989B10
GetLastError.KERNEL32(?,0098A8B4,00000100,000002C0,000002C0,00000100), ref: 00989B1B

Strings

Failed to format variable string., xrefs: 00989B06
Failed while searching directory search: %ls, for path: %ls, xrefs: 00989B54
Failed to set variable., xrefs: 00989B7A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: 14072f687faf77896acb8b485d81abb8c4054604be4483490b1b5b3ca9b0afd4
Instruction ID: f4c40cfab7449739acb24ae2a22234a7fa06e36635f4ef5ec246c6b52ecded13
Opcode Fuzzy Hash: 14072f687faf77896acb8b485d81abb8c4054604be4483490b1b5b3ca9b0afd4
Instruction Fuzzy Hash: DA11D332D40529BBDB227AA8AD82F7EF65CDF80374F240325F921B6390C7219D10A7D5

Uniqueness

Uniqueness Score: -1.00%

Function 009A0C57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 009A0CC4
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009A0CD6
SetFileTime.KERNEL32(?,?,?,?), ref: 009A0CE9
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,009A08B1,?,?), ref: 009A0CF8

Strings

Invalid operation for this state., xrefs: 009A0C9D
cabextract.cpp, xrefs: 009A0C93

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$cabextract.cpp
API String ID: 609741386-1751360545
Opcode ID: f456235b466a81d7362e8d68376c6415f7801643babf99da9ef880e94f5148bb
Instruction ID: 5b1004dbed94df892f3a8862c0b8f4ed7caaadc299b83bd6b6d846d653f31e83
Opcode Fuzzy Hash: f456235b466a81d7362e8d68376c6415f7801643babf99da9ef880e94f5148bb
Instruction Fuzzy Hash: FA21D572810219AB87109FA8CD099BA7BBCFF85720B108216F865D75D0D374E921DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00994A77 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,crypt32.dll,00000000,00000000,00000000,?,0099539D), ref: 00994AC3

Strings

crypt32.dll, xrefs: 00994A7D
Failed to allocate message to write., xrefs: 00994AA2
Failed to write message type to pipe., xrefs: 00994B05
pipe.cpp, xrefs: 00994AFB

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$crypt32.dll$pipe.cpp
API String ID: 3934441357-606776022
Opcode ID: b3cedae3337d222f0ac678647e251e8df595a6ba4561d1fc4b8c141f2899dbd4
Instruction ID: a5e438f2b0bf4783e82ef4d127cc81e8b3fed29ff93be366ea9a6027f9ab920e
Opcode Fuzzy Hash: b3cedae3337d222f0ac678647e251e8df595a6ba4561d1fc4b8c141f2899dbd4
Instruction Fuzzy Hash: 42119A72981129BBCF22DF89DD05F9E7BA8EB84750F114166F900B6240E7309E51EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00994642 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

_memcpy_s.LIBCMT ref: 00994693
_memcpy_s.LIBCMT ref: 009946A6
_memcpy_s.LIBCMT ref: 009946C1

Strings

Failed to allocate memory for message., xrefs: 0099467C
feclient.dll, xrefs: 0099465B, 00994691
pipe.cpp, xrefs: 00994672

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: Failed to allocate memory for message.$feclient.dll$pipe.cpp
API String ID: 886498622-766083570
Opcode ID: eaac0170086597b87f15facae0eb7ee10b242f95b9c2e1b7387e4010ee001a3c
Instruction ID: 7c65b8378ce718ad3aa7205d1a0f15d85a634126384dbfff107fa3f584705152
Opcode Fuzzy Hash: eaac0170086597b87f15facae0eb7ee10b242f95b9c2e1b7387e4010ee001a3c
Instruction Fuzzy Hash: BB11A3B254030AABDB01EF94CC82DEB73ACEF85B14B00852AFA10DB241D771DA54C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 009C3C72 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 009C3CC0
GetLastError.KERNEL32(?,?,00000000), ref: 009C3CCA
CloseHandle.KERNEL32(?,?,?,00000000), ref: 009C3CFD

Strings

shelutil.cpp, xrefs: 009C3CEB
<, xrefs: 009C3CB2
PDu, xrefs: 009C3CC0

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$PDu$shelutil.cpp
API String ID: 3023784893-2418939910
Opcode ID: 30489859195b730290f390cbb177c4e4ea0be9d04071120f1e86947b8d16425f
Instruction ID: 262a92b22d9c1dcfb906fba504386f5ef7ceef442065c667dee2694e747d5c8b
Opcode Fuzzy Hash: 30489859195b730290f390cbb177c4e4ea0be9d04071120f1e86947b8d16425f
Instruction Fuzzy Hash: 7C11D875E01219ABCB10DFA9D845A8E7BF8AB08750F108119FD45F7340E7349A00DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00989A4D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 57COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00989AC4

Strings

Failed to get Condition inner text., xrefs: 00989A94
Failed to copy condition string from BSTR, xrefs: 00989AAE
Failed to select condition node., xrefs: 00989A7B
Condition, xrefs: 00989A5F
`<u, xrefs: 00989AC4

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FreeString
String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`<u
API String ID: 3341692771-266405526
Opcode ID: f20b7648fade4844f5ff881ce956964975118fb1e06fb47f9f6bc31d903a4317
Instruction ID: 84f93e9bed7e43a010f8a3ab2f5658f8780d56b2de3c159f1ed70c86d86d867c
Opcode Fuzzy Hash: f20b7648fade4844f5ff881ce956964975118fb1e06fb47f9f6bc31d903a4317
Instruction Fuzzy Hash: 6711A531D46228BBCB19BB54CD06FBDB768AF84715F158168FC01B6250D7759E00D791

Uniqueness

Uniqueness Score: -1.00%

Function 009C96CD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

KERNEL32.DLL, xrefs: 009C96E7
ReleaseSRWLockExclusive, xrefs: 009C970C
AcquireSRWLockExclusive, xrefs: 009C96FC

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: fa635f871a05d79d564d3f91dad9e28801b15caacf487f60b941068bd5a62d07
Instruction ID: b2067dcc670a627f99f11526a7d42e34868e665d79cf68670f055d66d88f3258
Opcode Fuzzy Hash: fa635f871a05d79d564d3f91dad9e28801b15caacf487f60b941068bd5a62d07
Instruction Fuzzy Hash: CE01F971E673A25B0F314F665CC9F97338C67067E631004BED561D7140DB11CC44A692

Uniqueness

Uniqueness Score: -1.00%

Function 009C0ACC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00985EB2,00000000), ref: 009C0AE0
GetProcAddress.KERNEL32(00000000), ref: 009C0AE7
GetLastError.KERNEL32(?,?,?,00985EB2,00000000), ref: 009C0AFE

Strings

kernel32, xrefs: 009C0AD8
procutil.cpp, xrefs: 009C0B1F
IsWow64Process, xrefs: 009C0AD1

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$kernel32$procutil.cpp
API String ID: 4275029093-1586155540
Opcode ID: 29145beeed5e44677f9c45d3281e1991c9c1c9af5d5d4c21e489377490e04473
Instruction ID: a13869e5990dc466d4b577e9f395f30c0aa0a4931ffc060d637376eacbfdbb52
Opcode Fuzzy Hash: 29145beeed5e44677f9c45d3281e1991c9c1c9af5d5d4c21e489377490e04473
Instruction Fuzzy Hash: 59F0A472E1422AE78B21DB959C0AF5BBB68AF44B95F014159BD04A7240EB70DD00D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 009BA20B Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009B3479,009B3479,?,?,?,009BA45C,00000001,00000001,ECE85006), ref: 009BA265
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009BA45C,00000001,00000001,ECE85006,?,?,?), ref: 009BA2EB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,ECE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009BA3E5
__freea.LIBCMT ref: 009BA3F2

Part of subcall function 009B521A: HeapAlloc.KERNEL32(00000000,?,?,?,009B1F87,?,0000015D,?,?,?,?,009B33E0,000000FF,00000000,?,?), ref: 009B524C

__freea.LIBCMT ref: 009BA3FB
__freea.LIBCMT ref: 009BA420

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: 756c8caa09a5001074310e043697501eeb4283e321a566eeb75d922cba391bc8
Instruction ID: de9acf74553406e372320f528160dad5ae41340045434eaad6efbfa78bb60cec
Opcode Fuzzy Hash: 756c8caa09a5001074310e043697501eeb4283e321a566eeb75d922cba391bc8
Instruction Fuzzy Hash: E651FE72620216AFEB258F64CE81FEF37EAEB84760F154629FD14D6140EB35DC80C651

Uniqueness

Uniqueness Score: -1.00%

Function 00998CAC Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 122sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,00000000,00000000), ref: 00998D18

Strings

per-user, xrefs: 00998D72, 00998D77, 00998DB2, 00998DB7
per-machine, xrefs: 00998D69, 00998DA9
Failed to calculate cache path., xrefs: 00998CD5
Failed to get %hs package cache root directory., xrefs: 00998D78
Failed to get old %hs package cache root directory., xrefs: 00998DB8

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 3472027048-398165853
Opcode ID: b19795bf5ef50356d9850497e1c2db162fedf2586db58f275f71fa6fdd86bbca
Instruction ID: 9abc29c8102d0253ac951a94d4033d6e8354a6315b4aac84c60a060ca1903b35
Opcode Fuzzy Hash: b19795bf5ef50356d9850497e1c2db162fedf2586db58f275f71fa6fdd86bbca
Instruction Fuzzy Hash: B531D472940218BBEF2266688D46FBF626C9F62754F11402EFD00F62D1DB359D0057A1

Uniqueness

Uniqueness Score: -1.00%

Function 0099E956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 0099E985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 0099E994
SetWindowLongW.USER32(?,000000EB,?), ref: 0099E9A8
DefWindowProcW.USER32(?,?,?,?), ref: 0099E9B8
GetWindowLongW.USER32(?,000000EB), ref: 0099E9D2
PostQuitMessage.USER32(00000000), ref: 0099EA31

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 75cdf7486d54d1d6bbfecc4a6dd8d69040c1b629b12fbc7b71507f0000b717f3
Instruction ID: abcdb43ff9644cf3cc1cdff9dd02e7206f463b4cc5a56ee5631f8b3c6ec17304
Opcode Fuzzy Hash: 75cdf7486d54d1d6bbfecc4a6dd8d69040c1b629b12fbc7b71507f0000b717f3
Instruction Fuzzy Hash: 3421D436505108BFDF119FACDC59E6A3B69FF85311F148618FA0AAA2B4C731DD10EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0099C7C9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 164synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 0099C811
CloseHandle.KERNEL32(?), ref: 0099C819

Strings

elevation.cpp, xrefs: 0099C9B8
Failed to save state., xrefs: 0099C891
Unexpected elevated message sent to child process, msg: %u, xrefs: 0099C9C4

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
API String ID: 4207627910-1576875097
Opcode ID: 9bd63d086d0054ef094cda6d63c53b1c2a180c0534062c86e5b3ab8a32c6babc
Instruction ID: 25fb75bb1b1f0bbb0da9db1d4bbfa388fda1fe61e90c07077d39a8f77db5cc25
Opcode Fuzzy Hash: 9bd63d086d0054ef094cda6d63c53b1c2a180c0534062c86e5b3ab8a32c6babc
Instruction Fuzzy Hash: 7761C37A100514EFCF129F88CE01D65BBB2FF48314715C959FAA95A632C736E820EB51

Uniqueness

Uniqueness Score: -1.00%

Function 009C7B16 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

SysFreeString.OLEAUT32(00000000), ref: 009C7C74
SysFreeString.OLEAUT32(00000000), ref: 009C7C7F
SysFreeString.OLEAUT32(00000000), ref: 009C7C8A

Strings

atomutil.cpp, xrefs: 009C7B49
`<u, xrefs: 009C7C69

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `<u$atomutil.cpp
API String ID: 2724874077-4051019476
Opcode ID: 6eb170f90d4988d85e017c6ce43acc669dbe8a2e759e3b449a004002c7ce95d4
Instruction ID: 0c4c93f6313cd08005fe37edadadca5a0fbb516543855903ec4e9ee7e4eadacd
Opcode Fuzzy Hash: 6eb170f90d4988d85e017c6ce43acc669dbe8a2e759e3b449a004002c7ce95d4
Instruction Fuzzy Hash: 84516F71D4922AAFCB21DBA4C844FAEF7BCAF44710F154198E945AB250DB71EE00DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009C1217 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 009C123F
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,009970E8,00000100,000000B0,00000088,00000410,000002C0), ref: 009C1276
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 009C136E

Strings

regutil.cpp, xrefs: 009C12BF
BundleUpgradeCode, xrefs: 009C121E

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: b7493a1c1f322c1510b50b62f653b59f2be8fd0a42172be8b0fb23f72abe3117
Instruction ID: 9e96c8564e660db9241bfa6dbe244463f4b306aedca79596e5e85134b6877f55
Opcode Fuzzy Hash: b7493a1c1f322c1510b50b62f653b59f2be8fd0a42172be8b0fb23f72abe3117
Instruction Fuzzy Hash: 99410335E0015AEFDB219F95C884FAEB7ADEF46714F15406EEC01EB602C6309D00DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 009C6357 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C490D: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00998770,00000000,00000000,00000000,00000000,00000000), ref: 009C4925
Part of subcall function 009C490D: GetLastError.KERNEL32(?,?,?,00998770,00000000,00000000,00000000,00000000,00000000), ref: 009C492F

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,009C5C09,?,?,?,?,?,?,?,00010000,?), ref: 009C63C0
WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,009C5C09,?,?,?,?), ref: 009C6412
GetLastError.KERNEL32(?,009C5C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 009C6458
GetLastError.KERNEL32(?,009C5C09,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 009C647E

Strings

dlutil.cpp, xrefs: 009C64A2

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLast$Write$Pointer
String ID: dlutil.cpp
API String ID: 133221148-2067379296
Opcode ID: 2ea0e90e57b925629041ebc4a8eec6b741dd5b0e8083ec86f910ff819f8010ca
Instruction ID: 36bf4b76bf4888a54196d1cdf899da6173b8d3c03fb6880dc050c6ac11299ade
Opcode Fuzzy Hash: 2ea0e90e57b925629041ebc4a8eec6b741dd5b0e8083ec86f910ff819f8010ca
Instruction Fuzzy Hash: 5C41A072D0022ABFDB258E94CD45FAA7B6DEF04760F154129FD00A61A0D331DD20DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00982428 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,009BFFEF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,009BFFEF,009A12CF,?,00000000), ref: 0098246E
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,009BFFEF,009A12CF,?,00000000,0000FDE9,?,009A12CF), ref: 0098247A

Part of subcall function 00983BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,009821CC,000001C7,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983BDB
Part of subcall function 00983BD3: HeapSize.KERNEL32(00000000,?,009821CC,000001C7,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983BE2

Strings

strutil.cpp, xrefs: 0098249E

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 0394fe1b2182f774595ad648404f7a2d90e929c713a05af871dae62e412d553f
Instruction ID: 48949ef69089a80551cab8a84dc30141dbf253ad53b71856e760112f5365f47e
Opcode Fuzzy Hash: 0394fe1b2182f774595ad648404f7a2d90e929c713a05af871dae62e412d553f
Instruction Fuzzy Hash: 9131E17134421AAFEB10BF798CC4A76339DAB45768B208629FE119B3B0E775CC019760

Uniqueness

Uniqueness Score: -1.00%

Function 009AAD44 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 009AADB3

Strings

Failed to extract all payloads from container: %ls, xrefs: 009AADF7
Failed to extract payload: %ls from container: %ls, xrefs: 009AAE3E
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 009AAE4A
Failed to open container: %ls., xrefs: 009AAD85

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareString
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1825529933-3891707333
Opcode ID: 00d58268166c5f1c9ea7c23fcaa99f16d88c24f42bb6e5faa7ebece92b717c26
Instruction ID: e64d8a883bf055bef0c57e5e278cd0b8ad816cb1bb75a1002441d47986c208f8
Opcode Fuzzy Hash: 00d58268166c5f1c9ea7c23fcaa99f16d88c24f42bb6e5faa7ebece92b717c26
Instruction Fuzzy Hash: 0731E172C00219EBCF21AAE4CC46F9E777CAF45720F204611F920A72D1E735AA54DBE2

Uniqueness

Uniqueness Score: -1.00%

Function 009C7A10 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

SysFreeString.OLEAUT32(00000000), ref: 009C7AF4
SysFreeString.OLEAUT32(?), ref: 009C7AFF
SysFreeString.OLEAUT32(00000000), ref: 009C7B0A

Strings

atomutil.cpp, xrefs: 009C7A3D
`<u, xrefs: 009C7AE9

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `<u$atomutil.cpp
API String ID: 2724874077-4051019476
Opcode ID: 074dcf156c7b37c18a913c6dbf1db8fc5f877563e51dc54fad17e840736426fb
Instruction ID: 2176e3206d6d3757aa2719017148e04d749770ef197608831218666280596c6b
Opcode Fuzzy Hash: 074dcf156c7b37c18a913c6dbf1db8fc5f877563e51dc54fad17e840736426fb
Instruction Fuzzy Hash: 26316232D09529BBDB12ABD5CC45F9EFBACEF54750F1141A9E900AB210D7719E009B91

Uniqueness

Uniqueness Score: -1.00%

Function 0098F005 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,00990654,00000001,00000001,00000001,00990654,00000000), ref: 0098F07D
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,00990654,00000001,00000001,00000001,00990654,00000000,00000001,00000000,?,00990654,00000001), ref: 0098F09A

Strings

PackageVersion, xrefs: 0098F05E
Failed to format key for update registration., xrefs: 0098F033
Failed to remove update registration key: %ls, xrefs: 0098F0C7

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: 1fd53ff725fdf373c314b625aad42f85e3a59f6ae5ac40610609714cbf6a0120
Instruction ID: dfc63eff52ee2b437c6b3b06c40b5de7b75556a1ab64fe436fddcc09d74b98be
Opcode Fuzzy Hash: 1fd53ff725fdf373c314b625aad42f85e3a59f6ae5ac40610609714cbf6a0120
Instruction Fuzzy Hash: 2F218131D41229FECB21BFA5CD09FAEBEB8DF45720F104265F914A6251E7319A40D791

Uniqueness

Uniqueness Score: -1.00%

Function 009C433D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C4440: FindFirstFileW.KERNEL32(009A923A,?,00000100,00000000,00000000), ref: 009C447B
Part of subcall function 009C4440: FindClose.KERNEL32(00000000), ref: 009C4487

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 009C4430

Part of subcall function 009C0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009EAAA0,00000000,?,009C57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009C0F80

Part of subcall function 009C1217: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 009C123F
Part of subcall function 009C1217: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,009970E8,00000100,000000B0,00000088,00000410,000002C0), ref: 009C1276

Strings

crypt32.dll, xrefs: 009C4368
PendingFileRenameOperations, xrefs: 009C439B
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 009C436F
\, xrefs: 009C43B9

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: 3313fc32e285803e9afa656140b5a6bdfd2227a136b7f66c93386d8255b9fa96
Instruction ID: fac05ee16a756f5b39aa2e26313387ffc466ded6a75e8c2e1129586d9de89d2d
Opcode Fuzzy Hash: 3313fc32e285803e9afa656140b5a6bdfd2227a136b7f66c93386d8255b9fa96
Instruction Fuzzy Hash: 7D316F31F00219AADF25AF95CC51FBEB7B9EB40750F6481BEE904A6161E3319E40DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009C4019 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00984DBC,00000000,?,?,00000000,?,009C412D,00000000,00984DBC,00000000,00000000,?,009985EE,?,?), ref: 009C4033
GetLastError.KERNEL32(?,009C412D,00000000,00984DBC,00000000,00000000,?,009985EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 009C4041
CopyFileW.KERNEL32(00000000,00984DBC,00000000,00984DBC,00000000,?,009C412D,00000000,00984DBC,00000000,00000000,?,009985EE,?,?,00000001), ref: 009C40AC
GetLastError.KERNEL32(?,009C412D,00000000,00984DBC,00000000,00000000,?,009985EE,?,?,00000001,00000003,000007D0,?,?,?), ref: 009C40B6

Strings

fileutil.cpp, xrefs: 009C40D5

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: fileutil.cpp
API String ID: 374144340-2967768451
Opcode ID: 4bb93eb579e121606d6c72076d1b1655c09086f3c4c219bf05724cb1126943ac
Instruction ID: 676d6b8d79507fe43388e45b2e6d650eaabe9387220d47a0381d1ca6765035d3
Opcode Fuzzy Hash: 4bb93eb579e121606d6c72076d1b1655c09086f3c4c219bf05724cb1126943ac
Instruction Fuzzy Hash: 5621CF26F8063697AB308AA64C60F3B669CEF10BA0B14053EEF04DB151E7548C4092E2

Uniqueness

Uniqueness Score: -1.00%

Function 0098EF1B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 0098EF56

Part of subcall function 009C4153: SetFileAttributesW.KERNEL32(009A923A,00000080,00000000,009A923A,000000FF,00000000,?,?,009A923A), ref: 009C4182
Part of subcall function 009C4153: GetLastError.KERNEL32(?,?,009A923A), ref: 009C418C

Part of subcall function 00983C6B: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,0098EFA1,00000001,00000000,00000095,00000001,00990663,00000095,00000000,swidtag,00000001), ref: 00983C88

Strings

Failed to allocate regid folder path., xrefs: 0098EFBC
Failed to allocate regid file path., xrefs: 0098EFB5
swidtag, xrefs: 0098EF65
Failed to format tag folder path., xrefs: 0098EFC3

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AttributesDirectoryErrorFileLastOpen@16Remove
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
API String ID: 1428973842-4170906717
Opcode ID: c3ad4910731218dc218986ef021edce644ebb3bfc1161c4d5dfd70604b886703
Instruction ID: 361844cf0c44905272b4d81986c63cf501492f858964d6c83270d4add58996e7
Opcode Fuzzy Hash: c3ad4910731218dc218986ef021edce644ebb3bfc1161c4d5dfd70604b886703
Instruction Fuzzy Hash: F6217A32D00528BBCB15EB99CD51B9DFBB9EF84710F10C0A6F514A63A1D731AA40AB90

Uniqueness

Uniqueness Score: -1.00%

Function 009A8DB6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009EAAA0,00000000,?,009C57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009C0F80

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 009A8E3A
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,0098F7E0,00000001,00000100,000001B4,00000000), ref: 009A8E88

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 009A8DD7
Failed to open uninstall registry key., xrefs: 009A8DFD
Failed to enumerate uninstall key for related bundles., xrefs: 009A8E99

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: 84282f9c924d73585433a033c2cfb0060c7055e52a8f4d3456537dce3a31c34d
Instruction ID: 30c64070c24904a12d73d0d7a8434642e4f4d5e2088a936bb539824bdf522670
Opcode Fuzzy Hash: 84282f9c924d73585433a033c2cfb0060c7055e52a8f4d3456537dce3a31c34d
Instruction Fuzzy Hash: D121B532D40228FFDB11BB94CC4AFAFBA7DEB45720F244669F41066060DB350E90E6D0

Uniqueness

Uniqueness Score: -1.00%

Function 009AD259 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009AD2EE
ReleaseMutex.KERNEL32(?), ref: 009AD31C
SetEvent.KERNEL32(?), ref: 009AD325

Strings

NetFxChainer.cpp, xrefs: 009AD293
Failed to allocate buffer., xrefs: 009AD29D

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$NetFxChainer.cpp
API String ID: 944053411-3611226795
Opcode ID: a2034203e22369981519d16a3771a823710c1cc0365a2b8be768103fb332f65d
Instruction ID: 851025ac5f053f15d8865784e411e04a54a3f2eb41108414e3a662260b880a55
Opcode Fuzzy Hash: a2034203e22369981519d16a3771a823710c1cc0365a2b8be768103fb332f65d
Instruction Fuzzy Hash: 1321D3B0A00206FFDB10AF68C845B99B7F9FF48324F108629F965A7351C771AD50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009C5907 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,009A6B11,00000000,?), ref: 009C591D
GetLastError.KERNEL32(?,?,009A6B11,00000000,?,?,?,?,?,?,?,?,?,009A6F28,?,?), ref: 009C592B

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,009A6B11,00000000,?), ref: 009C5965
GetLastError.KERNEL32(?,?,009A6B11,00000000,?,?,?,?,?,?,?,?,?,009A6F28,?,?), ref: 009C596F

Strings

svcutil.cpp, xrefs: 009C594E, 009C5990

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: svcutil.cpp
API String ID: 355237494-1746323212
Opcode ID: d585170716c748ff847d25a564b22b7ad6f8cf2f5ac1058cc3d2a1c8e1a0118b
Instruction ID: 8b57441709606363a4c804b3f4d37fed0e0f0e5e1c809e2d68bf3ca2780f6c78
Opcode Fuzzy Hash: d585170716c748ff847d25a564b22b7ad6f8cf2f5ac1058cc3d2a1c8e1a0118b
Instruction Fuzzy Hash: D0212636D41635F7D731AA918D05F9FBA6D9B80B70F534098FD05AB250E730AE4093E2

Uniqueness

Uniqueness Score: -1.00%

Function 009C3245 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 009C3258
VariantInit.OLEAUT32(?), ref: 009C3264
VariantClear.OLEAUT32(?), ref: 009C32D8
SysFreeString.OLEAUT32(00000000), ref: 009C32E3

Part of subcall function 009C3498: SysAllocString.OLEAUT32(?), ref: 009C34AD

Strings

`<u, xrefs: 009C32E3

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID: `<u
API String ID: 347726874-3367579956
Opcode ID: 152f108c7250e0d7f93185ae590d47190a825ef26f5c3ea69a6a3530f28814bd
Instruction ID: baba0742f9530a17b6f5698e938be301b6f817903a4283285c5dd49efbab3ff1
Opcode Fuzzy Hash: 152f108c7250e0d7f93185ae590d47190a825ef26f5c3ea69a6a3530f28814bd
Instruction Fuzzy Hash: 9F213A31E0121AAFCF14DBA4C858FAEBBB9EF48715F10815CE8129B260D7319E05DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00989839 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 009898C8

Strings

Failed to find variable., xrefs: 009898B5
Failed to read next symbol., xrefs: 009898E4
condition.cpp, xrefs: 0098986A, 009898AB
Failed to parse condition '%ls' at position: %u, xrefs: 0098987A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
API String ID: 2001391462-1605196437
Opcode ID: b022bc3d4b7a3775849a9f8536861c96f6bde5fff1b2c684a816832b6a548cf4
Instruction ID: b077a90697927adba6635147c69500f340990e7713e813856bb3c1b66509b8ce
Opcode Fuzzy Hash: b022bc3d4b7a3775849a9f8536861c96f6bde5fff1b2c684a816832b6a548cf4
Instruction Fuzzy Hash: E711EB33A81215BBEF153D6C9C86FA63A58EF96720F084465FD016A3D6C662CA1087E1

Uniqueness

Uniqueness Score: -1.00%

Function 00989E16 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00989E38

Strings

Failed to format path string., xrefs: 00989E43
Failed get file version., xrefs: 00989E78
File search: %ls, did not find path: %ls, xrefs: 00989EA3
Failed to set variable., xrefs: 00989E97

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: e58b2fe584a1a190fd397156032900579e3aee0f7a93aeffca1ce53e0db432af
Instruction ID: 5f68b44c92b84754d4a5629d19a87017d176a4e00c786835f16efdf72a4ac10d
Opcode Fuzzy Hash: e58b2fe584a1a190fd397156032900579e3aee0f7a93aeffca1ce53e0db432af
Instruction Fuzzy Hash: B9118E32D40128FACB12BA94CC82EAEFF68EF94754F14416AF915A6212D6319E109B91

Uniqueness

Uniqueness Score: -1.00%

Function 0099820F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,00998E17,0000001A,00000000,?,00000000,00000000), ref: 00998258
GetLastError.KERNEL32(?,?,00998E17,0000001A,00000000,?,00000000,00000000,?,?,00000000), ref: 00998262

Strings

cache.cpp, xrefs: 00998236, 00998286
Failed to allocate memory for well known SID., xrefs: 00998240
Failed to create well known SID., xrefs: 00998290

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
API String ID: 2186923214-2110050797
Opcode ID: a7fab074dfc8f7c85e4b3b2f44df3cd5137fc8362928f371a4e7481512e09b2f
Instruction ID: 134fad01a03c3473c0794d174311faca858006b5f22210d019d50e7497abc3fa
Opcode Fuzzy Hash: a7fab074dfc8f7c85e4b3b2f44df3cd5137fc8362928f371a4e7481512e09b2f
Instruction Fuzzy Hash: B101E933555A25B7DA21679D4C06F5F6A5D9FC2FB0F11401EFD24BB240EE748D0082E0

Uniqueness

Uniqueness Score: -1.00%

Function 009ADDA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 009ADDCE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009ADDF8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,009ADFC8,00000000), ref: 009ADE00

Strings

Failed while waiting for download., xrefs: 009ADE2E
bitsengine.cpp, xrefs: 009ADE24

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$bitsengine.cpp
API String ID: 435350009-228655868
Opcode ID: a5b06be97331c8e567ca00984e0ae78fbcf7de7b28b01f586362919bf9de6562
Instruction ID: 14e3440cc3b6e493ecf69f57515801450c839fb6f3cdea1768fd471fad943d4a
Opcode Fuzzy Hash: a5b06be97331c8e567ca00984e0ae78fbcf7de7b28b01f586362919bf9de6562
Instruction Fuzzy Hash: 61114C73B4623577D7205AA99C09EDBBB6CDF5AB20F100125FE06FB5C0D6649D00C2E4

Uniqueness

Uniqueness Score: -1.00%

Function 00985F2E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000010), ref: 00985F5C
GetLastError.KERNEL32 ref: 00985F66

Strings

Failed to set variant value., xrefs: 00985FAD
Failed to get computer name., xrefs: 00985F94
variable.cpp, xrefs: 00985F8A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
API String ID: 3560734967-484636765
Opcode ID: a28150d0dc154bcf11a5d51c25b3acc32192bb88cca40cc003866f20e3ffc3f9
Instruction ID: b4a58549c1593d9b8b42ab42327d5a87dbac087cd6c04bfcd6945828bd4ff261
Opcode Fuzzy Hash: a28150d0dc154bcf11a5d51c25b3acc32192bb88cca40cc003866f20e3ffc3f9
Instruction Fuzzy Hash: D911CC33E45528ABD710EAA59C06FDEB7E8AB48720F510455FE00FB380DA74AE0487E6

Uniqueness

Uniqueness Score: -1.00%

Function 009867AA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 009867E3
GetLastError.KERNEL32 ref: 009867ED

Strings

Failed to set variant value., xrefs: 00986837
Failed to get temp path., xrefs: 0098681B
variable.cpp, xrefs: 00986811

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastPathTemp
String ID: Failed to get temp path.$Failed to set variant value.$variable.cpp
API String ID: 1238063741-2915113195
Opcode ID: d66121294015868cccd5530d58e59b27a99c98195fe050fc1326273c0ed5383d
Instruction ID: 08408b8d7e6400fa546b0628fbd4930f5146f55a7aa24d7f4eeccabe6831acba
Opcode Fuzzy Hash: d66121294015868cccd5530d58e59b27a99c98195fe050fc1326273c0ed5383d
Instruction Fuzzy Hash: 5001D672E45239A7D720B7949C07FAA779C9B44B10F100569FE18FB382EA64AD008BD6

Uniqueness

Uniqueness Score: -1.00%

Function 009C0A28 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,?,00984F1C,?,000000FF,?,?,?,?,?,00000000,?,?), ref: 009C0A38
GetLastError.KERNEL32(?,?,00984F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 009C0A46
GetExitCodeProcess.KERNEL32(000000FF,?), ref: 009C0A8B
GetLastError.KERNEL32(?,?,00984F1C,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?), ref: 009C0A95

Strings

procutil.cpp, xrefs: 009C0A6A

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectProcessSingleWait
String ID: procutil.cpp
API String ID: 590199018-1178289305
Opcode ID: 9ad89119fe48b8fd1a02e705f9eb8c99c4fc2b77175690126bb494fd3be0ddcc
Instruction ID: 9a5e31b6a063cd4849b2b9bf82b69dda32140b53a20f3eba43cb909a3c45bc4f
Opcode Fuzzy Hash: 9ad89119fe48b8fd1a02e705f9eb8c99c4fc2b77175690126bb494fd3be0ddcc
Instruction Fuzzy Hash: 8911E537D55335EBCB208B95890DF9E7BA8EF44760F124259FD54AB280D2348D009AD2

Uniqueness

Uniqueness Score: -1.00%

Function 00985E94 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00985EA6

Part of subcall function 009C0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00985EB2,00000000), ref: 009C0AE0
Part of subcall function 009C0ACC: GetProcAddress.KERNEL32(00000000), ref: 009C0AE7
Part of subcall function 009C0ACC: GetLastError.KERNEL32(?,?,?,00985EB2,00000000), ref: 009C0AFE

Part of subcall function 009C3D1F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 009C3D4C

Strings

Failed to set variant value., xrefs: 00985F0A
Failed to get 64-bit folder., xrefs: 00985EF0
Failed to get shell folder., xrefs: 00985EDA
variable.cpp, xrefs: 00985ED0

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
API String ID: 2084161155-3906113122
Opcode ID: 364bd2464499d63ee88cd489ecfb92a48f202e99c35c8474cba93be64a95b8b6
Instruction ID: 32dd83c61c28f8016cf4c08eeedd391d41ba52d913dcea75771a0c072192e9f7
Opcode Fuzzy Hash: 364bd2464499d63ee88cd489ecfb92a48f202e99c35c8474cba93be64a95b8b6
Instruction Fuzzy Hash: E501C832D45A18B7CF12B790CC06F9E7A6CAF40720F114155F904B6241DB749F4897D2

Uniqueness

Uniqueness Score: -1.00%

Function 009C4153 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C4440: FindFirstFileW.KERNEL32(009A923A,?,00000100,00000000,00000000), ref: 009C447B
Part of subcall function 009C4440: FindClose.KERNEL32(00000000), ref: 009C4487

SetFileAttributesW.KERNEL32(009A923A,00000080,00000000,009A923A,000000FF,00000000,?,?,009A923A), ref: 009C4182
GetLastError.KERNEL32(?,?,009A923A), ref: 009C418C
DeleteFileW.KERNEL32(009A923A,00000000,009A923A,000000FF,00000000,?,?,009A923A), ref: 009C41AC
GetLastError.KERNEL32(?,?,009A923A), ref: 009C41B6

Strings

fileutil.cpp, xrefs: 009C41D1

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: fileutil.cpp
API String ID: 3967264933-2967768451
Opcode ID: 0d59b1f0a41885535efabf1a7e5d3e864fa1331536419d0a58268c13c4ec7cd2
Instruction ID: 8416857c5fa1ebaf8a85584302de39937730186ec5329685aff7e8854de34677
Opcode Fuzzy Hash: 0d59b1f0a41885535efabf1a7e5d3e864fa1331536419d0a58268c13c4ec7cd2
Instruction Fuzzy Hash: 04012632F49635A7E73246A68C25F5B7E9CAF30760F050618FD84E7190D3208E4093D2

Uniqueness

Uniqueness Score: -1.00%

Function 009ADA05 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 009ADA1A
LeaveCriticalSection.KERNEL32(?), ref: 009ADA5F
SetEvent.KERNEL32(?,?,?,?), ref: 009ADA73

Strings

Failure while sending progress during BITS job modification., xrefs: 009ADA4E
Failed to get state during job modification., xrefs: 009ADA33

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: 52e9d1d20375ec4ee124560ac010324859be377a3978ceecb6870c489d045090
Instruction ID: 2a323eca11cf12af3ba436599748c94f4b680708e6b7baf50df11e9a2d8d009e
Opcode Fuzzy Hash: 52e9d1d20375ec4ee124560ac010324859be377a3978ceecb6870c489d045090
Instruction Fuzzy Hash: 39019272A0A629BFCB11DF55C849E6EB7ACFF59321B004245E806D7A00D774EE04C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 009ADC7E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,009ADDEE), ref: 009ADC92
LeaveCriticalSection.KERNEL32(00000008,?,009ADDEE), ref: 009ADCD7
SetEvent.KERNEL32(?,?,009ADDEE), ref: 009ADCEB

Strings

Failure while sending progress., xrefs: 009ADCC6
Failed to get BITS job state., xrefs: 009ADCAB

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: 31cc3ad808c44aea7a7c1b0d054f8aa0737465dda399005abaa7ddde156c80f5
Instruction ID: 24987118cb3287aefe56db8e5a2545f38518700ab6ad929dbc2d7ccfa5b4f937
Opcode Fuzzy Hash: 31cc3ad808c44aea7a7c1b0d054f8aa0737465dda399005abaa7ddde156c80f5
Instruction Fuzzy Hash: 9901F132A06729ABCB129B46D849E9AB7BCFF49330B404155F90693A40DBB0EE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 009AD7E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,009ADF52,?,?), ref: 009AD802
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,009ADF52,?,?), ref: 009AD80D
GetLastError.KERNEL32(?,009ADF52,?,?), ref: 009AD81A

Strings

bitsengine.cpp, xrefs: 009AD83E
Failed to create BITS job complete event., xrefs: 009AD848

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$bitsengine.cpp
API String ID: 3069647169-3441864216
Opcode ID: f9ac2ceb5e0419cd82d0abd8c49b196f486b76099c8a5b0ddd69bf209b2a37f3
Instruction ID: ad2b18c040ad5b2c6fad621c26551d347c976ed693413756b633ac203cc4fc72
Opcode Fuzzy Hash: f9ac2ceb5e0419cd82d0abd8c49b196f486b76099c8a5b0ddd69bf209b2a37f3
Instruction Fuzzy Hash: 5E018876955636ABC3119F5AD805A86BFACFF49B60F014116FD09E7640D7B4D800CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0098D4A8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00997040,000000B8,00000000,?,00000000,75C0B390), ref: 0098D4B7
InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 0098D4C6
LeaveCriticalSection.KERNEL32(000000D0,?,00997040,000000B8,00000000,?,00000000,75C0B390), ref: 0098D4DB

Strings

userexperience.cpp, xrefs: 0098D4F4
Engine active cannot be changed because it was already in that state., xrefs: 0098D4FE

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
API String ID: 3376869089-1544469594
Opcode ID: a5b48e182fea9766ed28019a2f5b0c095338ea5ddad905bb44c629a62095c95a
Instruction ID: 3c2982520566364d9dbda233bf40b248bf46330299695f28f4226135f8c0e0a1
Opcode Fuzzy Hash: a5b48e182fea9766ed28019a2f5b0c095338ea5ddad905bb44c629a62095c95a
Instruction Fuzzy Hash: 89F0AF32744208AF97206EA6EC95E9777ACFBD5765B04442AF511C3290DB70E9058760

Uniqueness

Uniqueness Score: -1.00%

Function 009C1C88 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 009C1CB3
GetLastError.KERNEL32(?,009849DA,00000001,?,?,00984551,?,?,?,?,00985466,?,?,?,?), ref: 009C1CC2

Strings

SRSetRestorePointW, xrefs: 009C1CA8
srputil.cpp, xrefs: 009C1CE3
srclient.dll, xrefs: 009C1C91

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
API String ID: 199729137-398595594
Opcode ID: 862b7e55a00948a64b916f8aa8495f12b8ab8721bbf29018835994a0a27c37a7
Instruction ID: b02ddccca7806314351899f9867bf4d2e38716c1a277230ca0ed61523d85501a
Opcode Fuzzy Hash: 862b7e55a00948a64b916f8aa8495f12b8ab8721bbf29018835994a0a27c37a7
Instruction Fuzzy Hash: 7301D137ED527693C32327A69C0AF1A39485B52FE1F11012AFD41AB2A2D720DC40D6DF

Uniqueness

Uniqueness Score: -1.00%

Function 009B495D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009B490E,00000000,?,009B48AE,00000000,009E7F08,0000000C,009B4A05,00000000,00000002), ref: 009B497D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009B4990
FreeLibrary.KERNEL32(00000000,?,?,?,009B490E,00000000,?,009B48AE,00000000,009E7F08,0000000C,009B4A05,00000000,00000002), ref: 009B49B3

Strings

mscoree.dll, xrefs: 009B4976
CorExitProcess, xrefs: 009B4988

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6bc8b7fced221827152e2ffb114ffc73a98b739001894d29fd34b767a2471dcb
Instruction ID: 4f96290a13bddd0a45813fd1b91619e3d057688a1479c7ed1d633254d3b8d2a8
Opcode Fuzzy Hash: 6bc8b7fced221827152e2ffb114ffc73a98b739001894d29fd34b767a2471dcb
Instruction Fuzzy Hash: 2CF0A43491420CBFCB019F50DC5ABDEBFB8EB44761F004055F805A2151CB704D40DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00999287 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 009993C9

Part of subcall function 009C56CF: GetLastError.KERNEL32(?,?,0099933A,?,00000003,00000000,?), ref: 009C56EE

Strings

Failed to find expected public key in certificate chain., xrefs: 0099938A
cache.cpp, xrefs: 009993ED
Failed to get certificate public key identifier., xrefs: 009993F7
Failed to read certificate thumbprint., xrefs: 009993BD

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
API String ID: 1452528299-3408201827
Opcode ID: 4623be1f9aae753233c2f3de2bd50cd50672122d62765b523cc5de1d217db5c7
Instruction ID: 98f01fab115b37558d2a3dde56a543cfa45920df4d4adca24a2fac5c5648722a
Opcode Fuzzy Hash: 4623be1f9aae753233c2f3de2bd50cd50672122d62765b523cc5de1d217db5c7
Instruction Fuzzy Hash: C3415072E00619AFDF10DFADC842AAEB7B8AB48710F05402AF905E7291D675ED00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 009821AC Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 009821F2
GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 009821FE

Part of subcall function 00983BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,009821CC,000001C7,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983BDB
Part of subcall function 00983BD3: HeapSize.KERNEL32(00000000,?,009821CC,000001C7,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983BE2

Strings

strutil.cpp, xrefs: 00982222

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: strutil.cpp
API String ID: 3662877508-3612885251
Opcode ID: 7992650a3db1492456a0313e72b8cc1f2371308b34828030a67a60094ea3642f
Instruction ID: 23a4dc5a3bd7a9deca448742ab561ebe3179584975f471e7c24d2a648ca4dad0
Opcode Fuzzy Hash: 7992650a3db1492456a0313e72b8cc1f2371308b34828030a67a60094ea3642f
Instruction Fuzzy Hash: E1311A3260422AABDB28AFA5CC44F6A3B99AF55774B214325FD359F390EB31DC0097D0

Uniqueness

Uniqueness Score: -1.00%

Function 009C94FD Relevance: 7.6, APIs: 5, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009EAAA0,00000000,?,009C57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009C0F80

RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 009C95D5
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 009C9610
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 009C962C
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 009C9639
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,?), ref: 009C9646

Part of subcall function 009C0FD5: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,009C95C2,00000001), ref: 009C0FED

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID:
API String ID: 796878624-0
Opcode ID: df22e0309d3cefad14f588e4379cea262b54c7c3d9f61d2de2b7c000721f4045
Instruction ID: 89352f5c46cdc00fcb568272fc90e599604352fa21335f28fbc7976890dd2752
Opcode Fuzzy Hash: df22e0309d3cefad14f588e4379cea262b54c7c3d9f61d2de2b7c000721f4045
Instruction Fuzzy Hash: 25414D72C0162DFFDF22AF948E85EADFAB9EF54750F11416DE91076121C3314E50AA92

Uniqueness

Uniqueness Score: -1.00%

Function 00988A07 Relevance: 7.6, APIs: 5, Instructions: 118stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00988BC8,0098972D,?,0098972D,?,?,0098972D,?,?), ref: 00988A27
lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00988BC8,0098972D,?,0098972D,?,?,0098972D,?,?), ref: 00988A2F
CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,00988BC8,0098972D,?,0098972D,?), ref: 00988A7E
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00988BC8,0098972D,?,0098972D,?), ref: 00988AE0
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00988BC8,0098972D,?,0098972D,?), ref: 00988B0D

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareString$lstrlen
String ID:
API String ID: 1657112622-0
Opcode ID: 523255290234b86e31de1a22659f5bdb39760bdb5c4c3b19538c3cad4dfe5535
Instruction ID: acfff2ff147fcd185614817e725d3e4324b3fbd23b95f82665a3c0b0da613544
Opcode Fuzzy Hash: 523255290234b86e31de1a22659f5bdb39760bdb5c4c3b19538c3cad4dfe5535
Instruction Fuzzy Hash: E4314F72A04108BFCB259E59CD89AAF3F6EEB88390F544416F91987350CA759D90DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 009874B7 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(009853BD,WixBundleOriginalSource,?,?,0099A623,840F01E8,WixBundleOriginalSource,?,0G,?,00000000,00985445,00000001,?,?,00985445), ref: 009874C3
LeaveCriticalSection.KERNEL32(009853BD,009853BD,00000000,00000000,?,?,0099A623,840F01E8,WixBundleOriginalSource,?,0G,?,00000000,00985445,00000001,?), ref: 0098752A

Strings

Failed to get value of variable: %ls, xrefs: 009874FD
Failed to get value as string for variable: %ls, xrefs: 00987519
WixBundleOriginalSource, xrefs: 009874BF

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 4591fe272e85a0b411eaf2c15087953759bcf21e64813fe6079cd5d992884055
Instruction ID: b69614bd7b92aa7ef20e3180f11f3342b6fe904f085c13c45b5658eba84472d4
Opcode Fuzzy Hash: 4591fe272e85a0b411eaf2c15087953759bcf21e64813fe6079cd5d992884055
Instruction Fuzzy Hash: 5E019A32958128EBCF22AE90CC05F9EBE69EF00725F248165FD04AB220C736DA10A7D1

Uniqueness

Uniqueness Score: -1.00%

Function 009AD152 Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,009AD148,00000000), ref: 009AD16D
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,009AD148,00000000), ref: 009AD179
CloseHandle.KERNEL32(009CB518,00000000,?,00000000,?,009AD148,00000000), ref: 009AD186
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,009AD148,00000000), ref: 009AD193
UnmapViewOfFile.KERNEL32(009CB4E8,00000000,?,009AD148,00000000), ref: 009AD1A2

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 957af5a7af58bf3820469846a7f1ca54cc3df1cfefa2c2c0d2f80a6e9a2fd209
Instruction ID: 1fad19e478189f3f3f04df6212b7c55de3242d3145c057c1c91c0ab1225f2b38
Opcode Fuzzy Hash: 957af5a7af58bf3820469846a7f1ca54cc3df1cfefa2c2c0d2f80a6e9a2fd209
Instruction Fuzzy Hash: 7801E476406B15DFCB31AF66D88081AF7E9EF51711315893EE1A752930C371A880DF80

Uniqueness

Uniqueness Score: -1.00%

Function 009C8713 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 009C8820
GetLastError.KERNEL32 ref: 009C882A

Strings

clbcatq.dll, xrefs: 009C8731, 009C873C
timeutil.cpp, xrefs: 009C884E

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: clbcatq.dll$timeutil.cpp
API String ID: 2781989572-961924111
Opcode ID: 6062c43ffcbcf28f4628157a76545560a1782af8d4f933e831596724f64bacdf
Instruction ID: c8552bc332072daa59a9690c00c3d9752be51d50d4d7aeeb106e2757f0c6db6d
Opcode Fuzzy Hash: 6062c43ffcbcf28f4628157a76545560a1782af8d4f933e831596724f64bacdf
Instruction Fuzzy Hash: 11411876E1021566D7209BB88D45FBF7778AF91710FA4492DB511B7280EE75DE0083B2

Uniqueness

Uniqueness Score: -1.00%

Function 009C36CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000002C0), ref: 009C36E6
SysAllocString.OLEAUT32(?), ref: 009C36F6
VariantClear.OLEAUT32(?), ref: 009C37D5

Strings

xmlutil.cpp, xrefs: 009C370E

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: xmlutil.cpp
API String ID: 2213243845-1270936966
Opcode ID: 5e2673b81020a874a9ad86f6b050a6d84fc139fb52afbde731a3f584dcc39fb8
Instruction ID: 3dc1896c14991cd0c4c40e27c9f8caffaff5bd6277a263be7f2dc62b35b739fa
Opcode Fuzzy Hash: 5e2673b81020a874a9ad86f6b050a6d84fc139fb52afbde731a3f584dcc39fb8
Instruction Fuzzy Hash: 1F4146B5D00229ABDB119FA5C888FAABBACAF45710F1585A8FC05EB211D635DE008B91

Uniqueness

Uniqueness Score: -1.00%

Function 009C0E4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,009A8E1B), ref: 009C0EAA
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,009A8E1B,00000000), ref: 009C0EC8
RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,009A8E1B,00000000,00000000,00000000), ref: 009C0F1E

Strings

regutil.cpp, xrefs: 009C0EEE

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: regutil.cpp
API String ID: 73471667-955085611
Opcode ID: 77ea0d7bf0281773b3a24811af79cb53e18130bf825055e6a51af72c0c3d2edd
Instruction ID: 73e1679fd9810088b9f3ab7346de48c5c2e53f64a2e1c9d6215861127fbedf49
Opcode Fuzzy Hash: 77ea0d7bf0281773b3a24811af79cb53e18130bf825055e6a51af72c0c3d2edd
Instruction Fuzzy Hash: 1831C476D01529FBDB218B858C80FAFBB6DEF84B60F15446DBD04AB210D7718E4097A1

Uniqueness

Uniqueness Score: -1.00%

Function 009A8B17 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009EAAA0,00000000,?,009C57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009C0F80

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,009A8E57,00000000,00000000), ref: 009A8BD4

Strings

Failed to ensure there is space for related bundles., xrefs: 009A8B87
Failed to open uninstall key for potential related bundle: %ls, xrefs: 009A8B43
Failed to initialize package from related bundle id: %ls, xrefs: 009A8BBA

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: 7c46eff09088e99423cb688fb37f6f3ce0012de8aa2fb3c62df9f0045fc563b3
Instruction ID: 610b208d1b0e62302fc23c6590a11500401fb078bf547533d8f9ec0bc594c5c8
Opcode Fuzzy Hash: 7c46eff09088e99423cb688fb37f6f3ce0012de8aa2fb3c62df9f0045fc563b3
Instruction Fuzzy Hash: 2121B3B2940119FBDF129E40CC46FAFBB78EF4A711F104155F910A6150DB719E20EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00983B15 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,00981474,00000000,80004005,00000000,80004005,00000000,000001C7,?,009813B8), ref: 00983B33
HeapReAlloc.KERNEL32(00000000,?,00981474,00000000,80004005,00000000,80004005,00000000,000001C7,?,009813B8,000001C7,00000100,?,80004005,00000000), ref: 00983B3A

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

Part of subcall function 00983BD3: GetProcessHeap.KERNEL32(00000000,000001C7,?,009821CC,000001C7,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983BDB
Part of subcall function 00983BD3: HeapSize.KERNEL32(00000000,?,009821CC,000001C7,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983BE2

_memcpy_s.LIBCMT ref: 00983B86

Strings

memutil.cpp, xrefs: 00983BC7

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$Process$AllocAllocateSize_memcpy_s
String ID: memutil.cpp
API String ID: 3406509257-2429405624
Opcode ID: 0566b74fd08c8716e6ebad091e79860a2d7836239f5c586d73fb74a683362be8
Instruction ID: 53ddcca0bf0b4b800fd8d29a123695b1c5654ec4c6e2c94bd912be9a945bca14
Opcode Fuzzy Hash: 0566b74fd08c8716e6ebad091e79860a2d7836239f5c586d73fb74a683362be8
Instruction Fuzzy Hash: 1211D2B1905118AFDB227E68CC49E7E3A5DDB80F60B05C624FC159B362E679CF1093D0

Uniqueness

Uniqueness Score: -1.00%

Function 009C894D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 009C8991
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009C89B9
GetLastError.KERNEL32 ref: 009C89C3

Strings

inetutil.cpp, xrefs: 009C89E4

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: inetutil.cpp
API String ID: 1528435940-2900720265
Opcode ID: 3f97519213625e3dec7418bb08e6cbd6d76aaeec11bc0087d680ce8c826f000a
Instruction ID: d3e98f5ddcaa04a8b7a5700205cddf68f2b6bf8c9773db7f30b7b2d4d800fd9f
Opcode Fuzzy Hash: 3f97519213625e3dec7418bb08e6cbd6d76aaeec11bc0087d680ce8c826f000a
Instruction Fuzzy Hash: E611D337E11139B7D320DAA9CC45FBFBBACAB44790F110529AE41FB240EA349D0086E3

Uniqueness

Uniqueness Score: -1.00%

Function 00993AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009EAAA0,00000000,?,009C57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009C0F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00993FB5,feclient.dll,?,00000000,?,?,?,00984B12), ref: 00993B42

Part of subcall function 009C10B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 009C112B
Part of subcall function 009C10B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 009C1163

Strings

SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00993AB7
feclient.dll, xrefs: 00993AAB
Logging, xrefs: 00993AD4

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: 1d244f8c8e5c7f6d13f1c61e3b03f1670a7262230187e49d4a276635c23e591a
Instruction ID: 309619fe42bb3613eca7593f98db29f188bafd31a3eafadf5bcc5b41e14e1610
Opcode Fuzzy Hash: 1d244f8c8e5c7f6d13f1c61e3b03f1670a7262230187e49d4a276635c23e591a
Instruction Fuzzy Hash: C3119036A40208BBDF21DF99DC86EBABBBCEB54710F408066E600AB191D6719F81D710

Uniqueness

Uniqueness Score: -1.00%

Function 009C0764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(009A12CF,00000000,00000000,?,?,?,009C0013,009A12CF,009A12CF,?,00000000,0000FDE9,?,009A12CF,8007139F,Invalid operation for this state.), ref: 009C0776
WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,009C0013,009A12CF,009A12CF,?,00000000,0000FDE9,?,009A12CF,8007139F), ref: 009C07B2
GetLastError.KERNEL32(?,?,009C0013,009A12CF,009A12CF,?,00000000,0000FDE9,?,009A12CF,8007139F,Invalid operation for this state.,cabextract.cpp,000001C7,8007139F), ref: 009C07BC

Strings

logutil.cpp, xrefs: 009C07ED

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: f4c15e961c9430230d069adcd6593f68ee501a8cb8af26649bd862a79a5799ff
Instruction ID: f0e728f059badd786f166627e2ce039e06011d96dddb866738d662fb5b645114
Opcode Fuzzy Hash: f4c15e961c9430230d069adcd6593f68ee501a8cb8af26649bd862a79a5799ff
Instruction Fuzzy Hash: 5111A772D44225EB83149AA68C85FABBA6CEBC4761F010228FD01D7240E734AE00DAE1

Uniqueness

Uniqueness Score: -1.00%

Function 0098120A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,0098523F,00000000,?), ref: 00981248
GetLastError.KERNEL32(?,?,?,0098523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00981252

Strings

apputil.cpp, xrefs: 00981273
ignored , xrefs: 00981217

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: apputil.cpp$ignored
API String ID: 3459693003-568828354
Opcode ID: f5dce521359a7e2136f24f39ef58b806af4e14c7500e6d8af34809352b64140a
Instruction ID: 0bd498888a4c12abe568f140b42c6a84e2f9aba2cc880686ca850b4723b0138b
Opcode Fuzzy Hash: f5dce521359a7e2136f24f39ef58b806af4e14c7500e6d8af34809352b64140a
Instruction Fuzzy Hash: 6D118F76D0122DEB8B21EB99C805E9EBBACAF84B60F010159FD14E7310E730DE01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009AD1B3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000002,00000000,?,?,009AD3EE,00000000,00000000,00000000,?), ref: 009AD1C3
ReleaseMutex.KERNEL32(?,?,009AD3EE,00000000,00000000,00000000,?), ref: 009AD24A

Part of subcall function 0098394F: GetProcessHeap.KERNEL32(?,000001C7,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983960
Part of subcall function 0098394F: RtlAllocateHeap.NTDLL(00000000,?,00982274,000001C7,00000001,80004005,8007139F,?,?,009C0267,8007139F,?,00000000,00000000,8007139F), ref: 00983967

Strings

NetFxChainer.cpp, xrefs: 009AD208
Failed to allocate memory for message data, xrefs: 009AD212

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$NetFxChainer.cpp
API String ID: 2993511968-1624333943
Opcode ID: f6c14f43d8453daf0e147fa97f975d43def36e8f7c14f1ad086da1af13e7c92d
Instruction ID: b920faa470343b241f774fcf66d29648a909d04e7895585f1cd0a171f3b364d3
Opcode Fuzzy Hash: f6c14f43d8453daf0e147fa97f975d43def36e8f7c14f1ad086da1af13e7c92d
Instruction Fuzzy Hash: FE115BB1200215AFCB159F64D885E5AB7A8FF89724F104164F9259B7A1C771A810CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00981F69 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(0098428F,0098548E,?,00000000,00000000,00000000,?,80070656,?,?,?,0099E75C,00000000,0098548E,00000000,80070656), ref: 00981F9A
GetLastError.KERNEL32(?,?,?,0099E75C,00000000,0098548E,00000000,80070656,?,?,009940BF,0098548E,?,80070656,00000001,crypt32.dll), ref: 00981FA7
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,0099E75C,00000000,0098548E,00000000,80070656,?,?,009940BF,0098548E), ref: 00981FEE

Strings

strutil.cpp, xrefs: 00981FCB

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: strutil.cpp
API String ID: 1365068426-3612885251
Opcode ID: 681bb7d38e31e8016c61ced796bd0e1383006678b244eca2c70467edae99050f
Instruction ID: 779b12ae3060253cd60648e789d5855152c633e77920eaba41d6e628a6051e94
Opcode Fuzzy Hash: 681bb7d38e31e8016c61ced796bd0e1383006678b244eca2c70467edae99050f
Instruction Fuzzy Hash: 0D015BB6D15129BBDB20AF95CC0AEEEBAACEB04750F114165BE05E7250E7349E009BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00990721 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009EAAA0,00000000,?,009C57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009C0F80

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 00990791

Strings

Failed to update name and publisher., xrefs: 0099077B
Failed to open registration key., xrefs: 00990748
Failed to update resume mode., xrefs: 00990762

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
API String ID: 47109696-1865096027
Opcode ID: 3e0c246bca0e286c8356c28d0b197b77615617f369598edfcc6ab8e29c89f245
Instruction ID: 0a8ea0761294350d6e53ae3ff6d1c5ebf833a5064349f2fc8d18a13e000af467
Opcode Fuzzy Hash: 3e0c246bca0e286c8356c28d0b197b77615617f369598edfcc6ab8e29c89f245
Instruction Fuzzy Hash: B801D833980228FBDF1296C8DC42FAE7669AB80B30F100155F910B6250C771BE50ABD1

Uniqueness

Uniqueness Score: -1.00%

Function 009C4DB3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(009CB500,40000000,00000001,00000000,00000002,00000080,00000000,009904BF,00000000,?,0098F4F4,?,00000080,009CB500,00000000), ref: 009C4DCB
GetLastError.KERNEL32(?,0098F4F4,?,00000080,009CB500,00000000,?,009904BF,?,00000094,?,?,?,?,?,00000000), ref: 009C4DD8
CloseHandle.KERNEL32(00000000,00000000,?,0098F4F4,?,0098F4F4,?,00000080,009CB500,00000000,?,009904BF,?,00000094), ref: 009C4E2C

Strings

fileutil.cpp, xrefs: 009C4DFC

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: fileutil.cpp
API String ID: 2528220319-2967768451
Opcode ID: 6e2254778c24147337613c655d15ab4782d5245b0b9bf74412cea8633ec41569
Instruction ID: ea21665451b1b0e05a76f909965286535e75cd8736ec30af4b2146fe7c0b955c
Opcode Fuzzy Hash: 6e2254778c24147337613c655d15ab4782d5245b0b9bf74412cea8633ec41569
Instruction Fuzzy Hash: 0B01D433F41125A7D7329A699C16F5F3A58AB85BB0F024318FF21AB1D1D7709C01A6E2

Uniqueness

Uniqueness Score: -1.00%

Function 009C497A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,009A8C76,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 009C49AE
GetLastError.KERNEL32(?,009A8C76,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 009C49BB

Strings

fileutil.cpp, xrefs: 009C498F, 009C49DF

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: fileutil.cpp
API String ID: 1214770103-2967768451
Opcode ID: c627ec1ad4273cf4a864724ee5384390c4cdae59c0e1a2ac6c6b83eda2ffd248
Instruction ID: 9ac1e1a12cba2ba4d5c4dd26ad744cd28908118a6b1f5e4084fc427d373c5e1e
Opcode Fuzzy Hash: c627ec1ad4273cf4a864724ee5384390c4cdae59c0e1a2ac6c6b83eda2ffd248
Instruction Fuzzy Hash: 5301D633F80134B7E72166965C1AF6B2A5CAB41FB0F114215FF85AB2D0C7755D0052E6

Uniqueness

Uniqueness Score: -1.00%

Function 009A6BEB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(009A6AFD,00000001,?,00000001,00000000,?,?,?,?,?,?,009A6AFD,00000000), ref: 009A6C13
GetLastError.KERNEL32(?,?,?,?,?,?,009A6AFD,00000000), ref: 009A6C1D

Strings

Failed to stop wusa service., xrefs: 009A6C4B
msuengine.cpp, xrefs: 009A6C41

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$msuengine.cpp
API String ID: 4114567744-2259829683
Opcode ID: ea7ef678cac04bf5198b5f8f70b135d74388daa68200272b9b35c6760f9ec510
Instruction ID: 11786df18b7a4203b41f53ca6cb970139d51cf0813eb5bc1473f99ef5aa063ce
Opcode Fuzzy Hash: ea7ef678cac04bf5198b5f8f70b135d74388daa68200272b9b35c6760f9ec510
Instruction Fuzzy Hash: C0012033E4523867D720DB659C46FAFB7A8DB49B30F014029FE40BB280DA249D0046E4

Uniqueness

Uniqueness Score: -1.00%

Function 009C39AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 009C39F4
SysFreeString.OLEAUT32(00000000), ref: 009C3A27

Strings

`<u, xrefs: 009C3A27
xmlutil.cpp, xrefs: 009C39C5, 009C3A0B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$AllocFree
String ID: `<u$xmlutil.cpp
API String ID: 344208780-3482516102
Opcode ID: 18993d346e2da6683a61fd14e7f12295c70c7d72651c2474455e86291e0c788d
Instruction ID: cb0789f577b85262029728c2bf5a142fa202d9251343f2535c51fbf753601ad2
Opcode Fuzzy Hash: 18993d346e2da6683a61fd14e7f12295c70c7d72651c2474455e86291e0c788d
Instruction Fuzzy Hash: F001F231E44255B7D7201A969C09F6B36DCDF85BA0F10C429FC44A7340C6B5CE009392

Uniqueness

Uniqueness Score: -1.00%

Function 009C3929 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 009C396E
SysFreeString.OLEAUT32(00000000), ref: 009C39A1

Strings

`<u, xrefs: 009C39A1
xmlutil.cpp, xrefs: 009C393F, 009C3985

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$AllocFree
String ID: `<u$xmlutil.cpp
API String ID: 344208780-3482516102
Opcode ID: 52d2eaea082dbe31be23ae6f26475882654bbdcc5ecd68251fe66b23f02b4341
Instruction ID: 551e765607a18057067c589bce4da073cdd9c8fb437cadef40165d866eb0b46b
Opcode Fuzzy Hash: 52d2eaea082dbe31be23ae6f26475882654bbdcc5ecd68251fe66b23f02b4341
Instruction Fuzzy Hash: 6401F231A49356EBD7201A598C05F7B36ECAF91BA0F10C839FD44E7340C6B4CE009392

Uniqueness

Uniqueness Score: -1.00%

Function 009C68B0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 009C690F

Part of subcall function 009C8713: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 009C8820
Part of subcall function 009C8713: GetLastError.KERNEL32 ref: 009C882A

Strings

atomutil.cpp, xrefs: 009C68FD
clbcatq.dll, xrefs: 009C68DC
`<u, xrefs: 009C690F

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Time$ErrorFileFreeLastStringSystem
String ID: `<u$atomutil.cpp$clbcatq.dll
API String ID: 211557998-1658759192
Opcode ID: 68943418290e68f3b248ff65c61c261924b5c29157a87ceb6e3f37c3583dc7b2
Instruction ID: ecde5af635c1cb14a9f6bfc1bcb1aaf4211adefb827d2515642535a068c0be9f
Opcode Fuzzy Hash: 68943418290e68f3b248ff65c61c261924b5c29157a87ceb6e3f37c3583dc7b2
Instruction Fuzzy Hash: A10186B1D0522AFB8B209F85C841E5AFBA8FF58764B64817EF504A7110D3715E10D7D2

Uniqueness

Uniqueness Score: -1.00%

Function 0099ECC5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 0099ECED
GetLastError.KERNEL32 ref: 0099ECF7

Strings

EngineForApplication.cpp, xrefs: 0099ED1B
Failed to post elevate message., xrefs: 0099ED25

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post elevate message.
API String ID: 2609174426-4098423239
Opcode ID: e27f43657f1ec8ff951ede7799e69877214c1f14a8428cc630530f537c5bd205
Instruction ID: 3093aa94ad7c796e27050e96a817bd17e9bc17285838882c5eaf41edb7c4d26a
Opcode Fuzzy Hash: e27f43657f1ec8ff951ede7799e69877214c1f14a8428cc630530f537c5bd205
Instruction Fuzzy Hash: 66F02B33A80231ABCB209A9C9C09F467788BF44B74F218229FE54BF2D1D725CC0183D4

Uniqueness

Uniqueness Score: -1.00%

Function 0098D8DC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 0098D903
FreeLibrary.KERNEL32(?,?,009848D7,00000000,?,?,0098548E,?,?), ref: 0098D912
GetLastError.KERNEL32(?,009848D7,00000000,?,?,0098548E,?,?), ref: 0098D91C

Strings

BootstrapperApplicationDestroy, xrefs: 0098D8FB

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: 4e8d4dd4846e3d8b8c0d5f7cb76a80e12fd67977ad0c62199ce8a57b06b852de
Instruction ID: 425bc043c3563f8de44691c750334c7e30052a5774af4bc919e744a89dd15d9a
Opcode Fuzzy Hash: 4e8d4dd4846e3d8b8c0d5f7cb76a80e12fd67977ad0c62199ce8a57b06b852de
Instruction Fuzzy Hash: D7F09C32712626ABC3145F65D805F1AF7A8FF44762B05C229E815D7660D771EC10DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 009C31EB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 009C3200
SysFreeString.OLEAUT32(00000000), ref: 009C3230

Strings

`<u, xrefs: 009C3230
xmlutil.cpp, xrefs: 009C3214

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$AllocFree
String ID: `<u$xmlutil.cpp
API String ID: 344208780-3482516102
Opcode ID: 9e3157e5f9982f0eddf9c2e11bd62708cf1cf681d378e3c7a15afdab146a4669
Instruction ID: 7bb3e89b19d2f9aa51f8936f3e76e8bc85cd975f7bed3dd63f8cb38b3b9c6b54
Opcode Fuzzy Hash: 9e3157e5f9982f0eddf9c2e11bd62708cf1cf681d378e3c7a15afdab146a4669
Instruction Fuzzy Hash: A7F0B431942695A7CB311F849C08FABB7ACAB84B70F15C42DFC1457210C7758E1196E1

Uniqueness

Uniqueness Score: -1.00%

Function 009C3498 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 009C34AD
SysFreeString.OLEAUT32(00000000), ref: 009C34DD

Strings

`<u, xrefs: 009C34DD
xmlutil.cpp, xrefs: 009C34C4

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$AllocFree
String ID: `<u$xmlutil.cpp
API String ID: 344208780-3482516102
Opcode ID: 0dfc398d0cf39879bf5689f137c9d90fd243d18c4081b2476a91159359e8efea
Instruction ID: 5be4968745ad823036149ccbba07d977c70d89967abed5f02a1cc55efaae7832
Opcode Fuzzy Hash: 0dfc398d0cf39879bf5689f137c9d90fd243d18c4081b2476a91159359e8efea
Instruction Fuzzy Hash: 07F0B431A41255A7C7371F459C08F5BB7A8AB85BA1F11C11AFC0457220C775DE0096E1

Uniqueness

Uniqueness Score: -1.00%

Function 0099F2D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 0099F2EE
GetLastError.KERNEL32 ref: 0099F2F8

Strings

EngineForApplication.cpp, xrefs: 0099F31C
Failed to post plan message., xrefs: 0099F326

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: d038f3f8b6a482a7c58de6e253f085ea6b8828c8ed174a4edb332a7898133931
Instruction ID: ee545346200509c3e2cf5f0cabc50da197ed6b36322f46c8d59edb2073163fef
Opcode Fuzzy Hash: d038f3f8b6a482a7c58de6e253f085ea6b8828c8ed174a4edb332a7898133931
Instruction Fuzzy Hash: 3EF0AE33A5523567D62066995C0BE4BBF88EF44BB0F018021BD54EB251D6549C0081D5

Uniqueness

Uniqueness Score: -1.00%

Function 0099F3E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 0099F3FC
GetLastError.KERNEL32 ref: 0099F406

Strings

EngineForApplication.cpp, xrefs: 0099F42A
Failed to post shutdown message., xrefs: 0099F434

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post shutdown message.
API String ID: 2609174426-188808143
Opcode ID: 745929df414859bbb4b1da77a4221cf10d097b66e471e18a0753d3e9a1fd6301
Instruction ID: fd970083d97e9b18eef34ce4b920834840bd59d3791a34b81fdc839f1b342fbf
Opcode Fuzzy Hash: 745929df414859bbb4b1da77a4221cf10d097b66e471e18a0753d3e9a1fd6301
Instruction Fuzzy Hash: 20F0EC33B5523567CB3166996C0EF87BB98AF44B70F024035BE14FB2A1E650DC0087D5

Uniqueness

Uniqueness Score: -1.00%

Function 009A07B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(009CB478,00000000,?,009A1717,?,00000000,?,0098C287,?,00985405,?,009975A5,?,?,00985405,?), ref: 009A07BF
GetLastError.KERNEL32(?,009A1717,?,00000000,?,0098C287,?,00985405,?,009975A5,?,?,00985405,?,00985445,00000001), ref: 009A07C9

Strings

cabextract.cpp, xrefs: 009A07ED
Failed to set begin operation event., xrefs: 009A07F7

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 6f904b62547d8985b170b9b8b70e2b458223295cf4594c6d08c161df7f5bd444
Instruction ID: 00db792d87454bbd8ae23f17b27272ae16c39f8bf8873433090cbe872fcc20ca
Opcode Fuzzy Hash: 6f904b62547d8985b170b9b8b70e2b458223295cf4594c6d08c161df7f5bd444
Instruction Fuzzy Hash: 09F0EC37A8263567822066995D06F8F7A8C9F86B74F114125FE01B7240E625AC10C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 0099EBCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 0099EBE0
GetLastError.KERNEL32 ref: 0099EBEA

Strings

EngineForApplication.cpp, xrefs: 0099EC0E
Failed to post apply message., xrefs: 0099EC18

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post apply message.
API String ID: 2609174426-1304321051
Opcode ID: d722cfd7a47ca0a567bdd9f460406a9838bf68de4d9debafe878d4fa562326a3
Instruction ID: 2f04439d991b26a63c2c6be9f16b3272391a0b01db1940c755597c920479dd2e
Opcode Fuzzy Hash: d722cfd7a47ca0a567bdd9f460406a9838bf68de4d9debafe878d4fa562326a3
Instruction Fuzzy Hash: 89F0A733A5123577DA2166995C0EE4BBF88AF45B71F028015FE98BB291E660DC0092D5

Uniqueness

Uniqueness Score: -1.00%

Function 0099EC5C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 0099EC71
GetLastError.KERNEL32 ref: 0099EC7B

Strings

EngineForApplication.cpp, xrefs: 0099EC9F
Failed to post detect message., xrefs: 0099ECA9

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post detect message.
API String ID: 2609174426-598219917
Opcode ID: 7208f20c65a331587bb0a8f36f7f20428cb799adc9b9fed9ccf6a3bbe22b2715
Instruction ID: a6f86568eba0243530385b38944d827a3e99d8f7b8fd21203a1b8598c15ea80a
Opcode Fuzzy Hash: 7208f20c65a331587bb0a8f36f7f20428cb799adc9b9fed9ccf6a3bbe22b2715
Instruction Fuzzy Hash: 5BF0A733A4123567DB30A79A5C0AF877F98AF45BB1F028011BE94BB291E660DC00D2D4

Uniqueness

Uniqueness Score: -1.00%

Function 009B6B76 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 009B6C01
__alldvrm.LIBCMT ref: 009B6E02
__alldvrm.LIBCMT ref: 009B6E24

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction ID: be5d53e061cde07b468333e731f0873d6892bae68efc2cc0f29353e293ad64e1
Opcode Fuzzy Hash: a43b07c52b3a46684783b2fbffe6c2b3820df8a855d7f8bf8198392ab5bcf62a
Instruction Fuzzy Hash: CAA14676A003869FDB21CF28CA917EEBFE9EF91320F18416DE5859B281C63CAD41C751

Uniqueness

Uniqueness Score: -1.00%

Function 009C5EC5 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 163stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 009C5F92
lstrlenW.KERNEL32(00000000), ref: 009C5FAA

Strings

dlutil.cpp, xrefs: 009C6033

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: lstrlen
String ID: dlutil.cpp
API String ID: 1659193697-2067379296
Opcode ID: 87d1c1d928ec39f90568a76af2c527ab4551d57b5350aae7f80766c4ee5a7df1
Instruction ID: dd4cdedec58f9f9aae48add64fca61ac2073443c4ae1aa66e75d8ab173bc031f
Opcode Fuzzy Hash: 87d1c1d928ec39f90568a76af2c527ab4551d57b5350aae7f80766c4ee5a7df1
Instruction Fuzzy Hash: 1F519E72D01619ABDB119FA58C84FAFBBBDAF88750F16402CF900B7250D771ED409BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009B922B Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,ECE85006,009B2444,00000000,00000000,009B3479,?,009B3479,?,00000001,009B2444,ECE85006,00000001,009B3479,009B3479), ref: 009B9278
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009B9301
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 009B9313
__freea.LIBCMT ref: 009B931C

Part of subcall function 009B521A: HeapAlloc.KERNEL32(00000000,?,?,?,009B1F87,?,0000015D,?,?,?,?,009B33E0,000000FF,00000000,?,?), ref: 009B524C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: ef0f9aff9846f5618be615c855636f1c396b8a2fa828c456a24211b6e9630c3e
Instruction ID: 2ebecd07c5b9ad7a10bcb0492afea673caf87bafa10e32efcff79767f3c492f4
Opcode Fuzzy Hash: ef0f9aff9846f5618be615c855636f1c396b8a2fa828c456a24211b6e9630c3e
Instruction Fuzzy Hash: 0731E132A2421AABDF248F64CC81EEE7BA9EF40720F040128FD14D7194E735DC50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00984FA4 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,?,00985552,?,?,?,?,?,?), ref: 00984FFE
DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,00985552,?,?,?,?,?,?), ref: 00985012
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00985552,?,?), ref: 00985101
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00985552,?,?), ref: 00985108

Part of subcall function 00981161: LocalFree.KERNEL32(?,?,00984FBB,?,00000000,?,00985552,?,?,?,?,?,?), ref: 0098116B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalDeleteFreeSection$CloseHandleLocal
String ID:
API String ID: 3671900028-0
Opcode ID: e1c7623883530ce8a799432c55d2a38bddf3c9dc75127e340a60977de4cc56b2
Instruction ID: 6ab9b447dd977e2a04626e39700261ceeba3f995407ced3996d29f4c83f403d5
Opcode Fuzzy Hash: e1c7623883530ce8a799432c55d2a38bddf3c9dc75127e340a60977de4cc56b2
Instruction Fuzzy Hash: 6241FAB1900B05ABDA30FBB4C949F9B73ECAF44350F45082DB2AAD3251EB34F5498B65

Uniqueness

Uniqueness Score: -1.00%

Function 00984C86 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0098F96C: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,00984CA5,?,?,00000001), ref: 0098F9BC

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 00984D0C

Strings

Unable to get resume command line from the registry, xrefs: 00984CAB
Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00984CF6
Failed to get current process path., xrefs: 00984CCA

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Close$Handle
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 187904097-642631345
Opcode ID: a6ebc4a6a1d8ba2158795baf4617558d185c8885d7d49a2825725df807229b2c
Instruction ID: c28d565008d129c74cde8c6b3e565061a474d7f8877d08324c5cd874ca6a7586
Opcode Fuzzy Hash: a6ebc4a6a1d8ba2158795baf4617558d185c8885d7d49a2825725df807229b2c
Instruction Fuzzy Hash: BB113D31D01619FB8F22BB95DC02E9EBBBCAF84710F10819AF850A7311E7319A509B81

Uniqueness

Uniqueness Score: -1.00%

Function 009B88B2 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009B8A56,00000000,00000000,?,009B8859,009B8A56,00000000,00000000,00000000,?,009B8A56,00000006,FlsSetValue), ref: 009B88E4
GetLastError.KERNEL32(?,009B8859,009B8A56,00000000,00000000,00000000,?,009B8A56,00000006,FlsSetValue,009E2404,009E240C,00000000,00000364,?,009B6230), ref: 009B88F0
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009B8859,009B8A56,00000000,00000000,00000000,?,009B8A56,00000006,FlsSetValue,009E2404,009E240C,00000000), ref: 009B88FE

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 0e476d49956f54edb10cc98f5d89e0ecfa2292db32445bc492cab0fba49d66af
Instruction ID: 5fa5643f514b7be4d0e8a351fb0bab55066f51b846c10d8dc2cfdcc3f83e1a09
Opcode Fuzzy Hash: 0e476d49956f54edb10cc98f5d89e0ecfa2292db32445bc492cab0fba49d66af
Instruction Fuzzy Hash: 9A01F732669226ABCF214E69DD45EAB779CEF09BB1B100A20F916E7180DB30DC00D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 009B615E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,009B1AEC,00000000,80004004,?,009B1DF0,00000000,80004004,00000000,00000000), ref: 009B6162
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 009B61CA
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 009B61D6
_abort.LIBCMT ref: 009B61DC

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: c6c93e19ce9cc74c1c2522f015126c358046e55ea2ce104dd77544ec05eb9506
Instruction ID: 5cd5b2f98b58ab6631b402061443d646bfc1e3cb69e69db08b861a27bceb04d3
Opcode Fuzzy Hash: c6c93e19ce9cc74c1c2522f015126c358046e55ea2ce104dd77544ec05eb9506
Instruction Fuzzy Hash: FFF0443550CA11A6C622372D6E4AFEF265D8BC2772F260115F925961E2FF28EC026165

Uniqueness

Uniqueness Score: -1.00%

Function 00987435 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00987441
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 009874A8

Strings

Failed to get value as numeric for variable: %ls, xrefs: 00987497
Failed to get value of variable: %ls, xrefs: 0098747B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: d79204bac50d922988e0064174b69af6c6bf6faf41b05f70b8106afd8a55870a
Instruction ID: 039481306b030b071e7b9fc0e0ec59f50a45a52824f077d3a7c895400803e9e7
Opcode Fuzzy Hash: d79204bac50d922988e0064174b69af6c6bf6faf41b05f70b8106afd8a55870a
Instruction Fuzzy Hash: 63014C32949128ABCF116EA4CC05F9EBF6AAF40761F218165FC04AA261C736DE1097D1

Uniqueness

Uniqueness Score: -1.00%

Function 009875AA Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 009875B6
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0098761D

Strings

Failed to get value of variable: %ls, xrefs: 009875F0
Failed to get value as version for variable: %ls, xrefs: 0098760C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: 84d891b3ef8d104eee4c366b4121a54964d1fc5ead681a167f60a4be3060ff3d
Instruction ID: b9eb4e9a0bb09cfa0ff0377688286d894af3e55f3e4eb3e3ab5877a00632d960
Opcode Fuzzy Hash: 84d891b3ef8d104eee4c366b4121a54964d1fc5ead681a167f60a4be3060ff3d
Instruction Fuzzy Hash: 5701B132908528FBCF116E84CC09F9EBB68AF10721F204124FC04AA221E336DE10A7E5

Uniqueness

Uniqueness Score: -1.00%

Function 00987539 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00989897,00000000,?,00000000,00000000,00000000,?,009896D6,00000000,?,00000000,00000000), ref: 00987545
LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00989897,00000000,?,00000000,00000000,00000000,?,009896D6,00000000,?,00000000), ref: 0098759B

Strings

Failed to copy value of variable: %ls, xrefs: 0098758A
Failed to get value of variable: %ls, xrefs: 0098756B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: ef4b7c5788ce2246b6c3ed85713ba187ad0147f54fd0d6ccf1b050169d8196dc
Instruction ID: 92e0923f3eb3e44ee9674f1ff00814e32bd6860e897ed4c462072c8853ad88e0
Opcode Fuzzy Hash: ef4b7c5788ce2246b6c3ed85713ba187ad0147f54fd0d6ccf1b050169d8196dc
Instruction Fuzzy Hash: 19F08C72944228BBCF126F94DC0AEAE7F68EF44361F108124FC04A7260C736DE20ABD0

Uniqueness

Uniqueness Score: -1.00%

Function 009AE776 Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 009AE788
GetCurrentThreadId.KERNEL32 ref: 009AE797
GetCurrentProcessId.KERNEL32 ref: 009AE7A0
QueryPerformanceCounter.KERNEL32(?), ref: 009AE7AD

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 3d9f5addf81dbe94d8b6acd8e4df82e7ece2c0db39fd7a1b7b6142898efc6992
Instruction ID: eb735cca1d66f16309f88538870bfb9f280fb8b58f52747c1ed1913352d017ea
Opcode Fuzzy Hash: 3d9f5addf81dbe94d8b6acd8e4df82e7ece2c0db39fd7a1b7b6142898efc6992
Instruction Fuzzy Hash: 4BF04D71C2520DEBCB00DBB4D94AA9EBBF8EF18316F514895A416E7110E734AB04AB61

Uniqueness

Uniqueness Score: -1.00%

Function 009C0C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 009C0DD7

Strings

regutil.cpp, xrefs: 009C0DC4

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Close
String ID: regutil.cpp
API String ID: 3535843008-955085611
Opcode ID: 4977be59cb9f6fb54907de121460d82dd09e7a05ab6ccbaddb85cfd36564d6f2
Instruction ID: c2b571aa01469ff9320d5321f9f678d44025883e9f6f4830c346cc6aa73ffc33
Opcode Fuzzy Hash: 4977be59cb9f6fb54907de121460d82dd09e7a05ab6ccbaddb85cfd36564d6f2
Instruction Fuzzy Hash: DB41C832D4132AEBDF318AD4CC04FAE7765ABC0720F25856CF956AA190D7349D409BD2

Uniqueness

Uniqueness Score: -1.00%

Function 009C479B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009EAAA0,00000000,?,009C57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009C0F80

RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 009C48FC

Strings

PendingFileRenameOperations, xrefs: 009C47EC, 009C48D4
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 009C47AC

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-3023217399
Opcode ID: d3e5f764a9ec5d67ea7c0c8101f7f1e9dcc581b39449275ecddd176c5cc9f178
Instruction ID: 2c76f19418163b060a9d38a36032ce048cd868c3e653b18369aeaefff87743e9
Opcode Fuzzy Hash: d3e5f764a9ec5d67ea7c0c8101f7f1e9dcc581b39449275ecddd176c5cc9f178
Instruction Fuzzy Hash: 6A418C35F00259EBCF20DF98C891FAEBBB9EB84B50F2140ADE600A7211D7309E40DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009C10B5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 009C112B
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 009C1163

Strings

regutil.cpp, xrefs: 009C11A9

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: QueryValue
String ID: regutil.cpp
API String ID: 3660427363-955085611
Opcode ID: 1c14b9476805701d539384190a255797f22c1a9a0b4dd5f059ab48a6d53565dd
Instruction ID: 03eb84357286c92504f4b6752807af20acde648f32b6227a7495faf86ffb1640
Opcode Fuzzy Hash: 1c14b9476805701d539384190a255797f22c1a9a0b4dd5f059ab48a6d53565dd
Instruction Fuzzy Hash: 4241D532D0412AEBDB209F94CC41FAEBBBDEF41750F14456DEA00A7212D7359E109B95

Uniqueness

Uniqueness Score: -1.00%

Function 009B66D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(009CB518,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 009B67A3
GetLastError.KERNEL32 ref: 009B67BF

Strings

comres.dll, xrefs: 009B674A, 009B6798, 009B67D4

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: comres.dll
API String ID: 203985260-246242247
Opcode ID: d6d383a80fc45ccc4b72efdc073f6bd8559631b8e5a49f55580261da6dea9131
Instruction ID: 0a52f9934bc66ae88dc94bda134d8841fd6b10fa2b11ebc8fdc0e393538c51f1
Opcode Fuzzy Hash: d6d383a80fc45ccc4b72efdc073f6bd8559631b8e5a49f55580261da6dea9131
Instruction Fuzzy Hash: F531AF31600315ABCB21AE59CAC5FEB7BA8DF81778F144069B8148A191DF78ED0087A1

Uniqueness

Uniqueness Score: -1.00%

Function 009C8F7A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C8E44: lstrlenW.KERNEL32(00000100,?,?,?,009C9217,000002C0,00000100,00000100,00000100,?,?,?,009A7D87,?,?,000001BC), ref: 009C8E69

RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,009CB500,wininet.dll,?), ref: 009C907A
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,009CB500,wininet.dll,?), ref: 009C9087

Part of subcall function 009C0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009EAAA0,00000000,?,009C57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009C0F80

Part of subcall function 009C0E4F: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,009A8E1B), ref: 009C0EAA
Part of subcall function 009C0E4F: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,009A8E1B,00000000), ref: 009C0EC8

Strings

wininet.dll, xrefs: 009C8FEF, 009C903C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Close$EnumInfoOpenQuerylstrlen
String ID: wininet.dll
API String ID: 2680864210-3354682871
Opcode ID: 7b1620af690df6874f740fb52d467e38faef7654287305100e9b56f2b739af37
Instruction ID: 57aaa57b1a38b71061bce81519fff8199aa13b5507c69c6a940b49c9ecd3bfcf
Opcode Fuzzy Hash: 7b1620af690df6874f740fb52d467e38faef7654287305100e9b56f2b739af37
Instruction Fuzzy Hash: F6310632C0116DEB8F21EFA4C984EAEBB79EF44710F51416DEA017A121C7319E50AB92

Uniqueness

Uniqueness Score: -1.00%

Function 009C939E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C8E44: lstrlenW.KERNEL32(00000100,?,?,?,009C9217,000002C0,00000100,00000100,00000100,?,?,?,009A7D87,?,?,000001BC), ref: 009C8E69

RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000000,?), ref: 009C9483
RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000,00000000,?), ref: 009C949D

Part of subcall function 009C0BE9: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,0099061A,?,00000000,00020006), ref: 009C0C0E

Part of subcall function 009C14F4: RegSetValueExW.ADVAPI32(00020006,009D0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0098F335,00000000,?,00020006), ref: 009C1527

Part of subcall function 009C14F4: RegDeleteValueW.ADVAPI32(00020006,009D0D10,00000000,?,?,0098F335,00000000,?,00020006,?,009D0D10,00020006,00000000,?,?,?), ref: 009C1557

Part of subcall function 009C14A6: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,0098F28D,009D0D10,Resume,00000005,?,00000000,00000000,00000000), ref: 009C14BB

Strings

%ls\%ls, xrefs: 009C93FF

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls
API String ID: 3924016894-2125769799
Opcode ID: ee9e26a6607bb19375795cd3322146fdca174bb9382102b0ca3ece7cee929a83
Instruction ID: 85eea1c44de5473039d52111086ab48462625dcd9f452a1c10c2ecb26d192ce5
Opcode Fuzzy Hash: ee9e26a6607bb19375795cd3322146fdca174bb9382102b0ca3ece7cee929a83
Instruction Fuzzy Hash: 37313972C0016DBF8F12AFD4CC85E9EBBB9EB44350B01416AE904A6221D7319E51EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00983A4D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00983AB0

Strings

crypt32.dll, xrefs: 00983A6D, 00983AAC, 00983AAE
wininet.dll, xrefs: 00983A6E

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: _memcpy_s
String ID: crypt32.dll$wininet.dll
API String ID: 2001391462-82500532
Opcode ID: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction ID: 3173fef1cb3f2b94dacd112889f0022efd60590b333f98323ead5436dce04e2c
Opcode Fuzzy Hash: 0011009348c22b5e832ea82858c93897483b8e9d66932b506b87b8fd8fea0445
Instruction Fuzzy Hash: 3C115E71600219AFCB08EE59CDD59ABBF6DEF95794B14802AFC058B311D271EA10CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 009C14F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,009D0D10,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,0098F335,00000000,?,00020006), ref: 009C1527
RegDeleteValueW.ADVAPI32(00020006,009D0D10,00000000,?,?,0098F335,00000000,?,00020006,?,009D0D10,00020006,00000000,?,?,?), ref: 009C1557

Strings

regutil.cpp, xrefs: 009C158B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Value$Delete
String ID: regutil.cpp
API String ID: 1738766685-955085611
Opcode ID: c743fb36f3a6aab78a6067781354fe46866ccd18e6b93c4791790839601a590c
Instruction ID: a916b10d0ed688685a276a331a180a1a9a0c6ac2aa74df7fde63700fdc249450
Opcode Fuzzy Hash: c743fb36f3a6aab78a6067781354fe46866ccd18e6b93c4791790839601a590c
Instruction Fuzzy Hash: EA110A36D511BAFBDB218A944C05FAB7618AB46B70F110529BD02AE151D730CD1097EA

Uniqueness

Uniqueness Score: -1.00%

Function 0098DDB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,009A7691,00000000,IGNOREDEPENDENCIES,00000000,?,009CB518), ref: 0098DE04

Strings

Failed to copy the property value., xrefs: 0098DE38
IGNOREDEPENDENCIES, xrefs: 0098DDBB

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: fe98bf040cccfaa904062d37678d4014f3beb6f733e3f1c67b6146ef27d09d30
Instruction ID: f2cc5ee3800c23cfc3e93c3b4e6f04b348e224463485475c454ad77aa5fdc394
Opcode Fuzzy Hash: fe98bf040cccfaa904062d37678d4014f3beb6f733e3f1c67b6146ef27d09d30
Instruction Fuzzy Hash: CC11E932605215AFDB116F54DC85FAA77AAAF94320F354179FA18AF3D2C7709850C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 009C563F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,00998E97,?,00000001,20000004,00000000,00000000,?,00000000), ref: 009C566E
SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00998E97,?), ref: 009C5689

Strings

aclutil.cpp, xrefs: 009C56AD

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: aclutil.cpp
API String ID: 2352087905-2159165307
Opcode ID: 1db9c37a3e56b4cfac2399929b166001f95b99d5e437262751c2cc60ad90b625
Instruction ID: 160aea072a1a8f8bf4cdf87c549b650aafcc79b2ea4224e88a0605d29a4475c0
Opcode Fuzzy Hash: 1db9c37a3e56b4cfac2399929b166001f95b99d5e437262751c2cc60ad90b625
Instruction Fuzzy Hash: F5015E33C01929BBCF229F85CE05F9EBF69EF84760F160159FD0466220C632AD60ABD1

Uniqueness

Uniqueness Score: -1.00%

Function 0098158C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,00000000,009970E8,00000000,009970E8,00000000,00000000,009970E8,00000000,00000000,00000000,?,00982318,00000000,00000000), ref: 009815D0
GetLastError.KERNEL32(?,00982318,00000000,00000000,009970E8,00000200,?,009C52B2,00000000,009970E8,00000000,009970E8,00000000,00000000,00000000), ref: 009815DA

Strings

strutil.cpp, xrefs: 009815FE

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastString
String ID: strutil.cpp
API String ID: 3728238275-3612885251
Opcode ID: aaf12089404f24e86cbaf5ebe5d7c5c5924545e3952acbfd50a734824af36e44
Instruction ID: f170f7fe4c15765366a74fd89557f76070e1578e9274c322ad001cbe9886a6a5
Opcode Fuzzy Hash: aaf12089404f24e86cbaf5ebe5d7c5c5924545e3952acbfd50a734824af36e44
Instruction Fuzzy Hash: 4701B13394123A778B21AE998C45E5B7BACEF85B60F050224FE50BB350E620DC1197E0

Uniqueness

Uniqueness Score: -1.00%

Function 009957BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 009957D9
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00995833

Strings

Failed to initialize COM on cache thread., xrefs: 009957E5

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 50b576b0b7bd5a9719f8d8f2a75737196d0fac646967431660fd1eaf2e0bfa06
Instruction ID: ac9ef5b2334eea3e121ea46c5b345b03f72c2a965fbd30dd2bf4b38ddd36e2fd
Opcode Fuzzy Hash: 50b576b0b7bd5a9719f8d8f2a75737196d0fac646967431660fd1eaf2e0bfa06
Instruction Fuzzy Hash: D9016D72601619BFCB059FA9D884EDAFBADFF48354B018126FA09C7221DB30AD14DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 009C3BF1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C0F6C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,009EAAA0,00000000,?,009C57E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 009C0F80

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,009C3A8E,?), ref: 009C3C62

Strings

EnableLUA, xrefs: 009C3C34
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 009C3C0C

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseOpen
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 47109696-3551287084
Opcode ID: 8f781c2308cacf000a7d29951cc8bf17ab10433b9dcc1a375e54e169c55c783d
Instruction ID: b1e310995b7d85db15e861287bd865011d5fab36009874c932d1fd3368578011
Opcode Fuzzy Hash: 8f781c2308cacf000a7d29951cc8bf17ab10433b9dcc1a375e54e169c55c783d
Instruction Fuzzy Hash: D3018432D50228FBD7119AA4D846FEEF6BCDB54721F20C1A9AC40B3011D3755F50E6D5

Uniqueness

Uniqueness Score: -1.00%

Function 00985123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00981104,?,?,00000000), ref: 00985142
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00981104,?,?,00000000), ref: 00985172

Strings

burn.clean.room, xrefs: 0098512F, 0098513C, 00985169

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 5c1d91307d41d466bed04b0545e892cb126e4fbdb686877dbaa022974a8245e7
Instruction ID: e36ae14579717528d262d138c75f9b19083cfa80dc3f9bcb2b6ae95f40ef6878
Opcode Fuzzy Hash: 5c1d91307d41d466bed04b0545e892cb126e4fbdb686877dbaa022974a8245e7
Instruction Fuzzy Hash: 9801A27291C6206FC3305B49ACC8E33BBADE715760B114126F805C7720D330EC44D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 009C6920 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 009C6985

Strings

atomutil.cpp, xrefs: 009C6941
`<u, xrefs: 009C6985

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FreeString
String ID: `<u$atomutil.cpp
API String ID: 3341692771-4051019476
Opcode ID: 37898eda6d22cf5103f79ab4c1164137d8bcb32cfe73beb309cc22ab342e9643
Instruction ID: 037319dd289cbc75eeec6d3ed65efb2f2e9af0d12ad8e8071709cdf17f680b0a
Opcode Fuzzy Hash: 37898eda6d22cf5103f79ab4c1164137d8bcb32cfe73beb309cc22ab342e9643
Instruction Fuzzy Hash: CA018132D04118FBC7226A959C06FAEF6BDAB89B60F25415DB90466150C7769E00E7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00986522 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00986534

Part of subcall function 009C0ACC: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00985EB2,00000000), ref: 009C0AE0
Part of subcall function 009C0ACC: GetProcAddress.KERNEL32(00000000), ref: 009C0AE7
Part of subcall function 009C0ACC: GetLastError.KERNEL32(?,?,?,00985EB2,00000000), ref: 009C0AFE

Part of subcall function 00985CE2: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00985D68

Strings

Failed to set variant value., xrefs: 00986571
Failed to get 64-bit folder., xrefs: 00986557

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: 1a21d7b8b37626dc0cf78c57fa2ccfed0ed046d28f1b49ef40ad24180b69c19f
Instruction ID: 08a704c30aca90d2f5bfeb298926bcd82a7c32ff4fec25cb6e7ef4d58018b5df
Opcode Fuzzy Hash: 1a21d7b8b37626dc0cf78c57fa2ccfed0ed046d28f1b49ef40ad24180b69c19f
Instruction Fuzzy Hash: 5A014B32D01228BBCB21AAA4DD06F9EBA78AB44721F11415AF800AA255DA319F50DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 009833C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,009810DD,?,00000000), ref: 009833E8
GetLastError.KERNEL32(?,?,?,?,009810DD,?,00000000), ref: 009833FF

Strings

pathutil.cpp, xrefs: 00983423

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: pathutil.cpp
API String ID: 2776309574-741606033
Opcode ID: d3b1dcf53e16fa5583432bb7e94acc743d933ecd68f61693cb7d95248ad81dd8
Instruction ID: 3fe817ca2eda7daf885da00bd375889d7280712a64b7d96c47097b75a4fb37db
Opcode Fuzzy Hash: d3b1dcf53e16fa5583432bb7e94acc743d933ecd68f61693cb7d95248ad81dd8
Instruction Fuzzy Hash: BCF0F673A4953567C33276A65C45E9BFA5CEB81F70B568122FE04BB310DBA5DD0083E0

Uniqueness

Uniqueness Score: -1.00%

Function 009AE30F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 009AEBD2

Part of subcall function 009B1380: RaiseException.KERNEL32(?,?,?,009AEBF4,?,00000000,00000000,?,?,?,?,?,009AEBF4,?,009E7EC8), ref: 009B13DF

__CxxThrowException@8.LIBVCRUNTIME ref: 009AEBEF

Strings

Unknown exception, xrefs: 009AEBFC

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 2fccf12595b5f5dcc0c78b008da6b105bccc156fb29efa42776223be2b9eef5b
Instruction ID: 41b8eaeab5529eae0189eda02dd941629bb0c0e44a30ecdb7224eafdd44d15ab
Opcode Fuzzy Hash: 2fccf12595b5f5dcc0c78b008da6b105bccc156fb29efa42776223be2b9eef5b
Instruction Fuzzy Hash: 3BF0223480030DBACF00BAA6DD5AEAC776C8A82360B904575F914924D1EF30EE5586D1

Uniqueness

Uniqueness Score: -1.00%

Function 009C4A05 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,74DF34C0,?,?,?,0098BA1D,?,?,?,00000000,00000000), ref: 009C4A1D
GetLastError.KERNEL32(?,?,?,0098BA1D,?,?,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 009C4A27

Strings

fileutil.cpp, xrefs: 009C4A4B

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: fileutil.cpp
API String ID: 464720113-2967768451
Opcode ID: 56550fc2cc916de65b1f5c61b2886a3db455e4e911a78e15eacaf592d5458c58
Instruction ID: d50f5d6c9aaba61aafe691e51f0fce8540febfa2c137f72739489f468f597311
Opcode Fuzzy Hash: 56550fc2cc916de65b1f5c61b2886a3db455e4e911a78e15eacaf592d5458c58
Instruction Fuzzy Hash: 23F0AF72E5423AAB97209F898905E9AFBACEF54B60F01411AFD44A7300E770AD008BE5

Uniqueness

Uniqueness Score: -1.00%

Function 009C3D80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,00985466,?,00000000,00985466,?,?,?), ref: 009C3DA7
CoCreateInstance.OLE32(00000000,00000000,00000001,009E716C,?), ref: 009C3DBF

Strings

Microsoft.Update.AutoUpdate, xrefs: 009C3DA2

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate
API String ID: 2151042543-675569418
Opcode ID: 5fedfb2d3415f0fe44735ddc34de032d3e6f93dde6e6e2ba8d4d0df50d4cc5f9
Instruction ID: afeb58cfb885120c0541986b3bb20728cbbff930f3c571e3b25d98a1c8c6cd49
Opcode Fuzzy Hash: 5fedfb2d3415f0fe44735ddc34de032d3e6f93dde6e6e2ba8d4d0df50d4cc5f9
Instruction Fuzzy Hash: EBF05471A15248BBD700EFF9DD46EEFB7BCDB49710F404465EA01E7150D671AE0487A2

Uniqueness

Uniqueness Score: -1.00%

Function 009BFDBD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(75A70000,00000001,0098558A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009BFDCA
FreeLibrary.KERNEL32(00000000,00000001,0098558A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009BFDEC

Strings

`+?s, xrefs: 009BFDDC

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: FreeLibrary
String ID: `+?s
API String ID: 3664257935-3215494052
Opcode ID: 5c6e59ce950924f9a80a89cb4de65f15a7ffb158a72fd56b2935984670c5875e
Instruction ID: 128d0e5dd1a483c7b24a6943e20685382f4f95a6a78929224d1e19991df9bea5
Opcode Fuzzy Hash: 5c6e59ce950924f9a80a89cb4de65f15a7ffb158a72fd56b2935984670c5875e
Instruction Fuzzy Hash: A5E052B19382818F8700CF2BBD95A57FAECBAD4751304421BB400CA270DFB08C40BF60

Uniqueness

Uniqueness Score: -1.00%

Function 009C0E07 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 009C0E28

Strings

AdvApi32.dll, xrefs: 009C0E0D
RegDeleteKeyExW, xrefs: 009C0E1D

Memory Dump Source

Source File: 00000000.00000002.2937368505.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.2937316697.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937482489.00000000009CB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937562363.00000000009EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.00000000009FA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937613561.0000000000B36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressProc
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 190572456-850864035
Opcode ID: a5fd8e97184dd07cf4046ffc8c6adeec15aff1f016f40209e399e8d0ff0e675d
Instruction ID: d53d09970a2e1a1c75e9fa08c6ddcdccdc9f3fd9cc0410237d6ae56b1e231d3d
Opcode Fuzzy Hash: a5fd8e97184dd07cf4046ffc8c6adeec15aff1f016f40209e399e8d0ff0e675d
Instruction Fuzzy Hash: 87E0EC7096A2E5DACB129B56BC89B437E90A7A0FA9F004524E4089B2B5D3B24C40EF90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Y5JXqbeNdS.exePID: 7028, Parent PID: 6864COMMON

Executed Functions

Function 00A4A8F1 Relevance: 172.2, APIs: 29, Strings: 69, Instructions: 688COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00A4B11C

Part of subcall function 00A4394F: GetProcessHeap.KERNEL32(?,?,?,00A42274,?,00000001,75C0B390,8000FFFF,?,?,00A80267,?,?,00000000,00000000,8000FFFF), ref: 00A43960
Part of subcall function 00A4394F: RtlAllocateHeap.NTDLL(00000000,?,00A42274,?,00000001,75C0B390,8000FFFF,?,?,00A80267,?,?,00000000,00000000,8000FFFF), ref: 00A43967

CompareStringW.KERNEL32(0000007F,00000000,00A8CA9C,000000FF,DirectorySearch,000000FF,00A8CA9C,Condition,feclient.dll,00A8CA9C,Variable,?,00A8CA9C,00A8CA9C,?,?), ref: 00A4AA29
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 00A4AA7E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,path,000000FF), ref: 00A4AA9A
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,FileSearch,000000FF), ref: 00A4AABE
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Type,?,?,Path,clbcatq.dll), ref: 00A4AB11
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00A4AB2B
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,RegistrySearch,000000FF), ref: 00A4AB53
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCR,000000FF,?,Root,?), ref: 00A4AB91
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKCU,000000FF), ref: 00A4ABB0
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,HKLM,000000FF), ref: 00A4ABCF
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exists,000000FF,?,Win64,msi.dll,?,Type,?,?,Value,version.dll,?), ref: 00A4AC8D
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,value,000000FF), ref: 00A4ACA7

Part of subcall function 00A832F3: VariantInit.OLEAUT32(?), ref: 00A83309
Part of subcall function 00A832F3: SysAllocString.OLEAUT32(?), ref: 00A83325
Part of subcall function 00A832F3: VariantClear.OLEAUT32(?), ref: 00A833AC
Part of subcall function 00A832F3: SysFreeString.OLEAUT32(00000000), ref: 00A833B7

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,numeric,000000FF,?,VariableType,?,?,ExpandEnvironment,cabinet.dll), ref: 00A4AD06
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,string,000000FF), ref: 00A4AD28
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00A4AD48
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,directory,000000FF), ref: 00A4AE20
SysFreeString.OLEAUT32(?), ref: 00A4AFFE

Strings

Failed to get @Variable., xrefs: 00A4B0DD
ExpandEnvironment, xrefs: 00A4ACBB
search.cpp, xrefs: 00A4A973
Key, xrefs: 00A4AC04
Failed to get @ComponentId., xrefs: 00A4B086
keyPath, xrefs: 00A4ADDB
VariableType, xrefs: 00A4ACDE
RegistrySearch, xrefs: 00A4AB46
Failed to get @Condition., xrefs: 00A4B028
HKCU, xrefs: 00A4ABA3
clbcatq.dll, xrefs: 00A4AA3A, 00A4AACD, 00A4AD83, 00A4AF75
DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch, xrefs: 00A4A90D
Failed to get @FeatureId., xrefs: 00A4B0B7
HKLM, xrefs: 00A4ABC2
Value, xrefs: 00A4AC1F
value, xrefs: 00A4AC9A
Failed to get @UpgradeCode., xrefs: 00A4B08D
Failed to get @Id., xrefs: 00A4B0E4
Failed to get @ProductCode or @UpgradeCode., xrefs: 00A4B094
Win64, xrefs: 00A4AC5D
Invalid value for @Type: %ls, xrefs: 00A4B0A1
comres.dll, xrefs: 00A4ADA6, 00A4AE5B, 00A4AE8B, 00A4AF90
MsiProductSearch, xrefs: 00A4AE39
path, xrefs: 00A4AA8D, 00A4AB3A
MsiFeatureSearch, xrefs: 00A4AF53
HKCR, xrefs: 00A4AB82
language, xrefs: 00A4AEF7
state, xrefs: 00A4ADF7, 00A4AF13, 00A4AFC5
MsiComponentSearch, xrefs: 00A4AD61
Unexpected element name: %ls, xrefs: 00A4B0CD
Failed to allocate memory for search structs., xrefs: 00A4A97D
Failed to get search node count., xrefs: 00A4A945
Failed to get @Root., xrefs: 00A4B07F
HKU, xrefs: 00A4ABE1
version, xrefs: 00A4AB1E, 00A4AD3B, 00A4AEDB
Failed to get Key attribute., xrefs: 00A4B06E
Failed to get Win64 attribute., xrefs: 00A4B046
Failed to get @Path., xrefs: 00A4B032
numeric, xrefs: 00A4ACF7
ProductCode, xrefs: 00A4AD84, 00A4AE5C, 00A4AF76
directory, xrefs: 00A4AE13
cabinet.dll, xrefs: 00A4ACBA
Root, xrefs: 00A4AB69
Failed to get @Type., xrefs: 00A4B0B0
Failed to get @ProductCode., xrefs: 00A4B0BE
UpgradeCode, xrefs: 00A4AE8C
FileSearch, xrefs: 00A4AAB1
Condition, xrefs: 00A4A9F9
Failed to get next node., xrefs: 00A4B0EB
exists, xrefs: 00A4AA6F, 00A4AB02, 00A4AC7E
`<u, xrefs: 00A4AFFE, 00A4B11C
ComponentId, xrefs: 00A4ADA7
Invalid value for @Root: %ls, xrefs: 00A4B078
assignment, xrefs: 00A4AF2D
Type, xrefs: 00A4AA56, 00A4AAE9, 00A4AC42, 00A4ADC2, 00A4AEC2, 00A4AFAC
DirectorySearch, xrefs: 00A4AA1A
wininet.dll, xrefs: 00A4AC03
msi.dll, xrefs: 00A4AC5C
Variable, xrefs: 00A4A9DE
Failed to get @ExpandEnvironment., xrefs: 00A4B050
Invalid value for @VariableType: %ls, xrefs: 00A4B05D
Path, xrefs: 00A4AA3B, 00A4AACE
feclient.dll, xrefs: 00A4A9F8
FeatureId, xrefs: 00A4AF91
Failed to get Value attribute., xrefs: 00A4B03C
string, xrefs: 00A4AD1B
Failed to get @VariableType., xrefs: 00A4B064
version.dll, xrefs: 00A4AC1E
Failed to select search nodes., xrefs: 00A4A920

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: String$Compare$Free$HeapVariant$AllocAllocateClearInitProcess
String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch$ExpandEnvironment$Failed to allocate memory for search structs.$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @FeatureId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FeatureId$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiFeatureSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$`<u$assignment$cabinet.dll$clbcatq.dll$comres.dll$directory$exists$feclient.dll$keyPath$language$msi.dll$numeric$path$search.cpp$state$string$value$version$version.dll$wininet.dll
API String ID: 2748437055-56916464
Opcode ID: 9226ab7cb9b19fc84ba14aada3c41020df3bb656eec1771e70d26e61846458f2
Instruction ID: 594c7e31962b037aca256722900f4cf2915a638723bdba6f8aa75ec070400ac2
Opcode Fuzzy Hash: 9226ab7cb9b19fc84ba14aada3c41020df3bb656eec1771e70d26e61846458f2
Instruction Fuzzy Hash: 3322A635E88226FADF20EB948C46EAE7A64BB55B34F204710F534B61D0D7B0DE50DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A41070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 78fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A433C7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00A410DD,?,00000000), ref: 00A433E8

CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00A410F6

Part of subcall function 00A41175: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00A4111A,cabinet.dll,00000009,?,?,00000000), ref: 00A41186
Part of subcall function 00A41175: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00A4111A,cabinet.dll,00000009,?,?,00000000), ref: 00A41191
Part of subcall function 00A41175: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A4119F
Part of subcall function 00A41175: GetLastError.KERNEL32(?,?,?,?,?,00A4111A,cabinet.dll,00000009,?,?,00000000), ref: 00A411BA
Part of subcall function 00A41175: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A411C2
Part of subcall function 00A41175: GetLastError.KERNEL32(?,?,?,?,?,00A4111A,cabinet.dll,00000009,?,?,00000000), ref: 00A411D7

CloseHandle.KERNEL32(?,?,?,?,00A8B4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00A41131

Strings

crypt32.dll, xrefs: 00A410CA
clbcatq.dll, xrefs: 00A410BC
wininet.dll, xrefs: 00A410AE
msi.dll, xrefs: 00A410A0
cabinet.dll, xrefs: 00A41099, 00A41114
comres.dll, xrefs: 00A410B5
version.dll, xrefs: 00A410A7
msasn1.dll, xrefs: 00A410C3
feclient.dll, xrefs: 00A410D1

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 3a670729503227c361f89ec11d5f1a35a0b95650272f58a857ff9aecef921614
Instruction ID: 48ec75dadac84398a1bb5543fedf769d3b5d7013dbfae135db4f0feb4b71fa33
Opcode Fuzzy Hash: 3a670729503227c361f89ec11d5f1a35a0b95650272f58a857ff9aecef921614
Instruction Fuzzy Hash: 89219F75E1021CABDB10EFA8DD06BEEBBB8EB49710F504219FA11B7292D7705944CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5A0BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

Failed create working folder., xrefs: 00A5A0EE
Failed to copy working folder., xrefs: 00A5A116
Failed to calculate working folder to ensure it exists., xrefs: 00A5A0D8

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: 2c41346b9dd47e9d38a8bdd1e1904432a975e0876b0079636f826197f7f94f56
Instruction ID: cd4dd70b3b1b2b4053eea041b7d8a22680d403010b80274d26b58134ca9f3e70
Opcode Fuzzy Hash: 2c41346b9dd47e9d38a8bdd1e1904432a975e0876b0079636f826197f7f94f56
Instruction Fuzzy Hash: 62017132E01928FA8F22AB59DE06C9EBAB9FFA4761B104355FC0076210DB319E04E691

Uniqueness

Uniqueness Score: -1.00%

Function 00A84440 Relevance: 3.0, APIs: 2, Instructions: 44fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00A6923A,?,00000100,00000000,00000000), ref: 00A8447B
FindClose.KERNEL32(00000000), ref: 00A84487

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: abcf4d596b5f377aaac61719afb3a8abbd02662357c58778be0a77c412c54eeb
Instruction ID: fde91d84a8778d152a2e55b83be7f42719df5a4b142eab1d605db0fab04c7a1e
Opcode Fuzzy Hash: abcf4d596b5f377aaac61719afb3a8abbd02662357c58778be0a77c412c54eeb
Instruction Fuzzy Hash: 6101F93160020D6BCB10EFA5ED8DEABB7BCEBC5315F0001A5F914C7181D7345D498764

Uniqueness

Uniqueness Score: -1.00%

Function 00A4F9E3 Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get @ProviderKey., xrefs: 00A4FAE6
Comments, xrefs: 00A4FCA9
Failed to get @Tag., xrefs: 00A4FA6A
Register, xrefs: 00A4FB5D
Failed to get @HelpTelephone., xrefs: 00A4FC29
button, xrefs: 00A4FD15
ProductFamily, xrefs: 00A4FE9C
DisableRemove, xrefs: 00A4FDC9
Failed to get @Name., xrefs: 00A4FED4
Failed to get @Id., xrefs: 00A4FA49
Failed to get @AboutUrl., xrefs: 00A4FC4E
Manufacturer, xrefs: 00A4FE53
DisplayName, xrefs: 00A4FB7E
Failed to get @Register., xrefs: 00A4FB70
Failed to get @Classification., xrefs: 00A4FEF5
HelpTelephone, xrefs: 00A4FC12
Update, xrefs: 00A4FE1E
Failed to get @Manufacturer., xrefs: 00A4FE66
ExecutableName, xrefs: 00A4FAF4
Registration, xrefs: 00A4F9FD
Classification, xrefs: 00A4FEE2
ProviderKey, xrefs: 00A4FAD3
Failed to get @Publisher., xrefs: 00A4FBDF
PerMachine, xrefs: 00A4FB12
Failed to get @Comments., xrefs: 00A4FCC0
Failed to get @ExecutableName., xrefs: 00A4FB07
Failed to get @Contact., xrefs: 00A4FCE8
yes, xrefs: 00A4FD36
Failed to get @Version., xrefs: 00A4FAA4
Failed to select ARP node., xrefs: 00A4FB4F
AboutUrl, xrefs: 00A4FC37
Failed to parse related bundles, xrefs: 00A4FA83
UpdateUrl, xrefs: 00A4FC5C
Name, xrefs: 00A4FEC1
Contact, xrefs: 00A4FCD1
Failed to parse software tag., xrefs: 00A4FE10
Failed to get @DisplayVersion., xrefs: 00A4FBBA
Failed to get @ParentDisplayName., xrefs: 00A4FC98
Failed to get @UpdateUrl., xrefs: 00A4FC73
Invalid modify disabled type: %ls, xrefs: 00A4FD94
Failed to set registration paths., xrefs: 00A4FF08
Failed to get @DisableRemove., xrefs: 00A4FDE0
DisplayVersion, xrefs: 00A4FBA3
Failed to select registration node., xrefs: 00A4FA1C
Failed to get @ProductFamily., xrefs: 00A4FEB3
Failed to select Update node., xrefs: 00A4FE3C
Version, xrefs: 00A4FA91
Tag, xrefs: 00A4FA57
Failed to get @DisableModify., xrefs: 00A4FDB8
Failed to get @PerMachine., xrefs: 00A4FB25
Failed to get @DisplayName., xrefs: 00A4FB95
Arp, xrefs: 00A4FB33
Failed to get @HelpLink., xrefs: 00A4FC04
Department, xrefs: 00A4FE77
HelpLink, xrefs: 00A4FBED
Failed to parse @Version: %ls, xrefs: 00A4FAC5
Failed to get @Department., xrefs: 00A4FE8E
DisableModify, xrefs: 00A4FCF6
Publisher, xrefs: 00A4FBC8
ParentDisplayName, xrefs: 00A4FC81
registration.cpp, xrefs: 00A4FD87

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
API String ID: 760788290-2956246334
Opcode ID: 3e12d75981c22756af4d127473a1d9ef56b6cadd1a7890a586f49d74865ec39d
Instruction ID: b0d7da2e17548a8f64e87a0c79a8b6711eee1d6d0e5cf7c6da6ce911a66e4ff1
Opcode Fuzzy Hash: 3e12d75981c22756af4d127473a1d9ef56b6cadd1a7890a586f49d74865ec39d
Instruction Fuzzy Hash: 29E1033AF44266BFCF22A6A4CD42EAEB6E4BB41B10F111631FD11F7290D761AD1097C0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B48B Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B502
SetFilePointerEx.KERNEL32(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B550
GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B556
ReadFile.KERNEL32(00000000,00A44461,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B59E
GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B5A4
SetFilePointerEx.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B601
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B607
ReadFile.KERNEL32(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B650
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B656
SetFilePointerEx.KERNEL32(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B6C7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B6CD
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B716
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B71C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B765
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B76B
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B7B7
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B7BD

Part of subcall function 00A4394F: GetProcessHeap.KERNEL32(?,?,?,00A42274,?,00000001,75C0B390,8000FFFF,?,?,00A80267,?,?,00000000,00000000,8000FFFF), ref: 00A43960
Part of subcall function 00A4394F: RtlAllocateHeap.NTDLL(00000000,?,00A42274,?,00000001,75C0B390,8000FFFF,?,?,00A80267,?,?,00000000,00000000,8000FFFF), ref: 00A43967

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B810
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B872
SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B8FC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A4B906

Strings

section.cpp, xrefs: 00A4B523, 00A4B577, 00A4B5C5, 00A4B628, 00A4B677, 00A4B6EE, 00A4B73D, 00A4B78C, 00A4B7E1, 00A4B898, 00A4B8D8, 00A4B92A, 00A4B98F, 00A4B9B9, 00A4B9E0, 00A4BAC7, 00A4BB07, 00A4BB26, 00A4BB63, 00A4BBA1, 00A4BBC4, 00A4BBDF
Failed to read section info., xrefs: 00A4B999
PE, xrefs: 00A4B698
Failed to find Burn section., xrefs: 00A4BB32
PE Header from file didn't match PE Header in memory., xrefs: 00A4BB11
Failed to seek to NT header., xrefs: 00A4B632
Failed to read image section header, index: %u, xrefs: 00A4BBAC
Failed to read section info, data to short: %u, xrefs: 00A4B8AA
(, xrefs: 00A4B81D
Failed to find valid NT image header in buffer., xrefs: 00A4BBD0
Failed to read signature size., xrefs: 00A4B796
Failed to read complete section info., xrefs: 00A4B9C5
Failed to read signature offset., xrefs: 00A4B747
4, xrefs: 00A4B884
Failed to read DOS header., xrefs: 00A4B5CF
Failed to seek to section info., xrefs: 00A4B6F8, 00A4B934
.wix, xrefs: 00A4B830
Failed to seek past optional headers., xrefs: 00A4B7EB
Failed to seek to start of file., xrefs: 00A4B581
Failed to read section info, unsupported version: %08x, xrefs: 00A4B9F5
Failed to allocate buffer for section info., xrefs: 00A4B8E4
Failed to allocate memory for container sizes., xrefs: 00A4BAD3
Failed to read complete image section header, index: %u, xrefs: 00A4BB75
Failed to open handle to engine process path., xrefs: 00A4B52D
burn, xrefs: 00A4B838
Failed to read NT header., xrefs: 00A4B681
Failed to get total size of bundle., xrefs: 00A4BA23
Failed to find valid DOS image header in buffer., xrefs: 00A4BBEB

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$section.cpp
API String ID: 3411815225-695169583
Opcode ID: 661d6de0f90ecff70215afbbf06fdf66ae979fa2d3acb15da062603580cec19f
Instruction ID: 5b98bf5d1ebba062876b035dfb2452addaa055348b9a15d4e900b6570e04078e
Opcode Fuzzy Hash: 661d6de0f90ecff70215afbbf06fdf66ae979fa2d3acb15da062603580cec19f
Instruction Fuzzy Hash: 0512D17AA50225FBDB20EB548D45FAAB6B4FB84B10F1141A5FE04BB281E770DD418BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00A48476 Relevance: 59.8, APIs: 5, Strings: 29, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00A45445,?,00000000,80070490,?,?,?,?,?,?,?,?,00A6C1BF,?,00A45445,?), ref: 00A484A7
LeaveCriticalSection.KERNEL32(00A45445,?,?,?,?,?,?,?,?,00A6C1BF,?,00A45445,?,00A45445,00A45445,Chain), ref: 00A48804

Strings

numeric, xrefs: 00A485BC
Persisted, xrefs: 00A4854A
Hidden, xrefs: 00A4852F
Failed to select variable nodes., xrefs: 00A484C4
Failed to get @Type., xrefs: 00A48788
Failed to change variant type., xrefs: 00A487DA
Failed to insert variable '%ls'., xrefs: 00A486C6
Failed to get next node., xrefs: 00A487F6
Failed to get @Hidden., xrefs: 00A487E8
Initializing string variable '%ls' to value '%ls', xrefs: 00A4861A
Failed to get variable node count., xrefs: 00A484E1
Initializing hidden variable '%ls', xrefs: 00A48671
Initializing version variable '%ls' to value '%ls', xrefs: 00A48653
Failed to set value of variable: %ls, xrefs: 00A487A7
Value, xrefs: 00A48565
Failed to get @Value., xrefs: 00A48796
Type, xrefs: 00A485A3
Failed to get @Id., xrefs: 00A487EF
Initializing numeric variable '%ls' to value '%ls', xrefs: 00A485E2
Invalid value for @Type: %ls, xrefs: 00A48778
Variable, xrefs: 00A484B1
Failed to set variant value., xrefs: 00A4878F
variable.cpp, xrefs: 00A487B9
Failed to find variable value '%ls'., xrefs: 00A487D2
Failed to set variant encryption, xrefs: 00A4879D
Attempt to set built-in variable value: %ls, xrefs: 00A487C8
string, xrefs: 00A485F7
Failed to get @Persisted., xrefs: 00A487E1
version, xrefs: 00A4862C

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
API String ID: 3168844106-1614826165
Opcode ID: 969409a8462bde632749ff70dd807f03e2d8e15d4cf56e684bcc9b99b2ec3765
Instruction ID: c5650d7ba2aef78b5438330d64281c5b528b23fb6e58d21228752969f49328ca
Opcode Fuzzy Hash: 969409a8462bde632749ff70dd807f03e2d8e15d4cf56e684bcc9b99b2ec3765
Instruction Fuzzy Hash: 1FB1027AD00219FBCF11EB94EC55EAEBB75BF84720F210651F910B6190DB789A40DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A416 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 299
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00A4A45A
_MREFOpen@16.MSPDB140-MSVCRT ref: 00A4A480
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 00A4A768

Strings

Failed to query registry key value., xrefs: 00A4A5DA
Unsupported registry key value type. Type = '%u', xrefs: 00A4A608
search.cpp, xrefs: 00A4A54A, 00A4A57D, 00A4A5D0, 00A4A6D3
Failed to allocate string buffer., xrefs: 00A4A667
Failed to change value type., xrefs: 00A4A70F
Failed to allocate memory registry value., xrefs: 00A4A587
Registry key not found. Key = '%ls', xrefs: 00A4A4B4
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00A4A740
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00A4A51C
Failed to format key string., xrefs: 00A4A465
Failed to get expand environment string., xrefs: 00A4A6DD
Failed to set variable., xrefs: 00A4A72B
Failed to format value string., xrefs: 00A4A48B
Failed to query registry key value size., xrefs: 00A4A554
Failed to read registry value., xrefs: 00A4A6F6
Failed to clear variable., xrefs: 00A4A4D8
Failed to open registry key., xrefs: 00A4A4ED

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
API String ID: 2348241696-3124384294
Opcode ID: d7b6eea0c8ab1ce48b6d7ef17c165663997a90c6c9c7cc0d214cd32394cdfaf9
Instruction ID: a7c0d5063e80c4ee6fb68c16a87e8fcce3e2af53f913b12d605a59ea7d0bfaf7
Opcode Fuzzy Hash: d7b6eea0c8ab1ce48b6d7ef17c165663997a90c6c9c7cc0d214cd32394cdfaf9
Instruction Fuzzy Hash: 1EA1E57AD80229FBDF22ABE4CD45EAEBA78BF64710F158511F900FA150D7719D009BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A45770 Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 479
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000000,00000000,?,00A4A8B4,00000100,000002C0,000002C0,00000100), ref: 00A45795
lstrlenW.KERNEL32(000002C0,?,00A4A8B4,00000100,000002C0,000002C0,00000100), ref: 00A4579F
_wcschr.LIBVCRUNTIME ref: 00A459A7
LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,00A4A8B4,00000100,000002C0,000002C0,00000100), ref: 00A45C4A

Strings

Failed to allocate buffer for format string., xrefs: 00A457BD
Failed to allocate record., xrefs: 00A45A0B
Failed to format placeholder string., xrefs: 00A45A57
Failed to set variable value., xrefs: 00A45A61
variable.cpp, xrefs: 00A459FE, 00A45A1F, 00A45A78, 00A45ACA, 00A45B56, 00A45B88, 00A45C04
[%d], xrefs: 00A45962
Failed to allocate variable array., xrefs: 00A45A85
Failed to format record., xrefs: 00A45C0E
Failed to determine variable visibility: '%ls'., xrefs: 00A45A3A
Failed to copy string., xrefs: 00A45C2E
Failed to set record string., xrefs: 00A45B60
Failed to set record format string., xrefs: 00A45AD4
Failed to reallocate variable array., xrefs: 00A45A2C
Failed to append placeholder., xrefs: 00A45A4D
*****, xrefs: 00A45913
Failed to get formatted length., xrefs: 00A45B92
Failed to allocate string., xrefs: 00A45BC1
Failed to get variable name., xrefs: 00A45A8C
Failed to append string., xrefs: 00A4581B

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
API String ID: 1026845265-2050445661
Opcode ID: 803f9d9da73de7ae9955ae1d6c88c7bf6b1b8e0cee91b17d6c3de9ddaa7a65ed
Instruction ID: dd54e4794affb22ba2cf73de8e678413b1cfc4a65444fdd725247930bc59252b
Opcode Fuzzy Hash: 803f9d9da73de7ae9955ae1d6c88c7bf6b1b8e0cee91b17d6c3de9ddaa7a65ed
Instruction Fuzzy Hash: B1F1937AD00619FFCB11DFB48945EAF7BB4EB84B60F158529FD04AB242D7749E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A45195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A45217

Part of subcall function 00A804F8: InitializeCriticalSection.KERNEL32(00AAB5FC,?,00A45223,00000000,?,?,?,?,?,?), ref: 00A8050F

Part of subcall function 00A4120A: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00A4523F,00000000,?), ref: 00A41248
Part of subcall function 00A4120A: GetLastError.KERNEL32(?,?,?,00A4523F,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00A41252

CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00A45285

Part of subcall function 00A80E07: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00A80E28

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00A45317
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00A45321
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A4558E

Strings

Failed to run RunOnce mode., xrefs: 00A4541C
Failed to initialize COM., xrefs: 00A45291
Failed to initialize XML util., xrefs: 00A452F9
Failed to run embedded mode., xrefs: 00A45444
Failed to initialize core., xrefs: 00A453C3
Failed to run untrusted mode., xrefs: 00A454B6
Failed to run per-user mode., xrefs: 00A45494
Failed to initialize Cryputil., xrefs: 00A452A6
Failed to initialize Regutil., xrefs: 00A452C9
engine.cpp, xrefs: 00A45345
Failed to initialize engine state., xrefs: 00A4526C
3.11.1.2318, xrefs: 00A45384
Failed to run per-machine mode., xrefs: 00A4546C
Invalid run mode., xrefs: 00A453F9
Failed to initialize Wiutil., xrefs: 00A452E1
Failed to get OS info., xrefs: 00A4534F
Failed to parse command line., xrefs: 00A45245

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.1.2318$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$engine.cpp
API String ID: 3262001429-510904028
Opcode ID: 212e1c0d80b735f1819be533b2d1cec9f3b16625403f272e73c38fe49bb1c9d9
Instruction ID: 63141e14df7e978142a191ab295e4b5f82314b7765efae732a7ddd2b398f0099
Opcode Fuzzy Hash: 212e1c0d80b735f1819be533b2d1cec9f3b16625403f272e73c38fe49bb1c9d9
Instruction Fuzzy Hash: 4BB1B276D40A29ABDB32AF74CD46BED76B5BF84710F0401D6F908A6242DB709E84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A5752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WixBundleOriginalSource, xrefs: 00A57759
Failed to get unique temporary folder for bootstrapper application., xrefs: 00A577CE
Failed to get source process folder from path., xrefs: 00A57725
Failed to open attached UX container., xrefs: 00A5758E
WixBundleUILevel, xrefs: 00A576D6, 00A576E7
Failed to load manifest., xrefs: 00A575E8
Failed to open manifest stream., xrefs: 00A575AB
Failed to get manifest stream from container., xrefs: 00A575CC
WixBundleElevated, xrefs: 00A576A5, 00A576B6
Failed to load catalog files., xrefs: 00A5780F
Failed to initialize internal cache functionality., xrefs: 00A5779F
Failed to extract bootstrapper application payloads., xrefs: 00A577EF
Failed to initialize variables., xrefs: 00A57571
WixBundleSourceProcessPath, xrefs: 00A576F8
Failed to set original source variable., xrefs: 00A5776A
Failed to set source process folder variable., xrefs: 00A57745
Failed to parse command line., xrefs: 00A57667
WixBundleSourceProcessFolder, xrefs: 00A57734
Failed to overwrite the %ls built-in variable., xrefs: 00A576BB
Failed to set source process path variable., xrefs: 00A57709

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: 205d69fa353e441386eebaf69a31dcafc9fa6934efdc58838ebbfbfcd7f5092d
Instruction ID: a304208fedcac4da96b68ea393e8a5d925ec85a04eee9b51cb6c29dbb6f77087
Opcode Fuzzy Hash: 205d69fa353e441386eebaf69a31dcafc9fa6934efdc58838ebbfbfcd7f5092d
Instruction Fuzzy Hash: BAA17372E44616BBDB129AA4EC45EEEB7BCBB04711F000666F915F7141E770E948CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A627FC Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

burn, xrefs: 00A628E0
Failed to parse command lines., xrefs: 00A62988
Protocol, xrefs: 00A628C3
RepairArguments, xrefs: 00A6287A
Failed to get @DetectCondition., xrefs: 00A62825
Failed to get @RepairArguments., xrefs: 00A6288B
InstallArguments, xrefs: 00A62836
Failed to get @InstallArguments., xrefs: 00A62847
Failed to parse exit codes., xrefs: 00A6290C
Failed to get @Protocol., xrefs: 00A62974
DetectCondition, xrefs: 00A62814
UninstallArguments, xrefs: 00A62858
netfx4, xrefs: 00A62915
Invalid protocol type: %ls, xrefs: 00A6295C
Failed to get @UninstallArguments., xrefs: 00A62869
Repairable, xrefs: 00A6289C
Failed to get @Repairable., xrefs: 00A628B5
none, xrefs: 00A62936

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: 3307f97e997557a9eb82fc6005321883709cac105e2c75b36126bccdf972759b
Instruction ID: 8292ad906092251a77fa07842b55508122f34453c01af599543522301c05e5fb
Opcode Fuzzy Hash: 3307f97e997557a9eb82fc6005321883709cac105e2c75b36126bccdf972759b
Instruction Fuzzy Hash: BC41DA73F94B22B6CF2156648D42FAAB6B87B20B30F240722FD24B72C1D7649D0097E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00A5756B,00A453BD,00000000,00A45445), ref: 00A4764C

Strings

0, xrefs: 00A47663
WixBundleInstalled, xrefs: 00A47E2A
WixBundleActiveParent, xrefs: 00A47E62
LogonUser, xrefs: 00A47882
WixBundleAction, xrefs: 00A47D76
#, xrefs: 00A476CB
WixBundleProviderKey, xrefs: 00A47E7E
WixBundleVersion, xrefs: 00A47ECE
WixBundleExecutePackageCacheFolder, xrefs: 00A47D98
Date, xrefs: 00A47770
WixBundleUILevel, xrefs: 00A47EBE
WixBundleExecutePackageAction, xrefs: 00A47DF8
WixBundleForcedRestartPackage, xrefs: 00A47E14
WixBundleTag, xrefs: 00A47EAE
InstallerVersion, xrefs: 00A47833
Failed to add built-in variable: %ls., xrefs: 00A47F19
InstallerName, xrefs: 00A47812
$, xrefs: 00A47D49
WixBundleElevated, xrefs: 00A47E46
', xrefs: 00A478EB
WixBundleSourceProcessPath, xrefs: 00A47E8E
WixBundleSourceProcessFolder, xrefs: 00A47E9E

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: 74172c64c9dfa3c3a17d80d16435e50b3954429dbce2799b14b880cf41fb776b
Instruction ID: 59d3ebffbb6b60022cd90a7f7ce7380a32386d2c63a108d4b558535a5079ee4b
Opcode Fuzzy Hash: 74172c64c9dfa3c3a17d80d16435e50b3954429dbce2799b14b880cf41fb776b
Instruction Fuzzy Hash: 783257B4C116299FDB65DF5AC9887CDFBB4BB49314F9081EED20CAA211D7B00B888F55

Uniqueness

Uniqueness Score: -1.00%

Function 00A582BA Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00A45489), ref: 00A58310

Part of subcall function 00A80879: OpenProcessToken.ADVAPI32(?,00000008,?,00A453BD,00000000,?,?,?,?,?,?,?,00A5769D,00000000), ref: 00A80897
Part of subcall function 00A80879: GetLastError.KERNEL32(?,?,?,?,?,?,?,00A5769D,00000000), ref: 00A808A1
Part of subcall function 00A80879: FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?,?,?,00A5769D,00000000), ref: 00A8092B

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00A58336
GetLastError.KERNEL32 ref: 00A58340
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00A583BD
GetLastError.KERNEL32 ref: 00A583C7
UuidCreate.RPCRT4(?), ref: 00A58406

Strings

Failed to convert working folder guid into string., xrefs: 00A58446
Failed to copy working folder path., xrefs: 00A5848B
Failed to append bundle id on to temp path for working folder., xrefs: 00A58470
Failed to ensure windows path for working folder ended in backslash., xrefs: 00A5838B
Failed to get temp path for working folder., xrefs: 00A583F5
Failed to get windows path for working folder., xrefs: 00A5836E
cache.cpp, xrefs: 00A58364, 00A583EB, 00A5843C
Temp\, xrefs: 00A58395
Failed to concat Temp directory on windows path for working folder., xrefs: 00A583AD
%ls%ls\, xrefs: 00A58458
Failed to create working folder guid., xrefs: 00A58413

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$Process$ChangeCloseCreateCurrentDirectoryFindNotificationOpenPathTempTokenUuidWindows
String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
API String ID: 2898636500-819636856
Opcode ID: 4432b0c1515ec7ab5c96820281810b40bebb35f2e4c41b9b2b72fa965c20d723
Instruction ID: 28b51660aec74730e4e12f0d696f04ced60caf531786cf60fa2712592971c8c5
Opcode Fuzzy Hash: 4432b0c1515ec7ab5c96820281810b40bebb35f2e4c41b9b2b72fa965c20d723
Instruction Fuzzy Hash: 9041D676B41726B7DB20D6E4CD4AFAA77B8BF00B51F114561BE04FB180EB789D0886E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E3C8 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 146
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A5E2AF: LoadBitmapW.USER32(?,00000001), ref: 00A5E2E5
Part of subcall function 00A5E2AF: GetLastError.KERNEL32 ref: 00A5E2F1

LoadCursorW.USER32(00000000,00007F00), ref: 00A5E429
RegisterClassW.USER32(?), ref: 00A5E43D
GetLastError.KERNEL32(?,?,?), ref: 00A5E448
UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 00A5E54D
DeleteObject.GDI32(00000000), ref: 00A5E55C

Strings

WixBurnSplashScreen, xrefs: 00A5E436, 00A5E548
Failed to create window., xrefs: 00A5E4DF
Failed to register window., xrefs: 00A5E476
splashscreen.cpp, xrefs: 00A5E46C, 00A5E4D5
Unexpected return value from message pump., xrefs: 00A5E537
Failed to load splash screen., xrefs: 00A5E401

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
API String ID: 164797020-2188509422
Opcode ID: 610a87cadcc90d660d690f6f4ab4c004efdacf2d9d8bc16c96c7ce861b3db940
Instruction ID: ea5116d884ce05a09c05fce6e37cc77ba5c5a72df95be1bab986ad204d670684
Opcode Fuzzy Hash: 610a87cadcc90d660d690f6f4ab4c004efdacf2d9d8bc16c96c7ce861b3db940
Instruction Fuzzy Hash: EB41C476900619BFEB15DBE4DD48EAEB7B8FF04711F100125FE01A6150E7719E08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A610FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00A6111D
CoUninitialize.OLE32 ref: 00A61398

Strings

Failed to wait for begin operation event., xrefs: 00A61311
Failed to set operation complete event., xrefs: 00A612C4
Failed to initialize COM., xrefs: 00A61129
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 00A61279
Failed to initialize cabinet.dll., xrefs: 00A6119F
Invalid operation for this state., xrefs: 00A6137C
Failed to reset begin operation event., xrefs: 00A61350
cabextract.cpp, xrefs: 00A61193, 00A612BA, 00A61307, 00A61346, 00A61372
<the>.cab, xrefs: 00A611BD

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
API String ID: 3442037557-1168358783
Opcode ID: 6a51dbb3d4e17df5216b08229f2d209684bcc865b9bb133c9b44f2680b21282f
Instruction ID: 92e85e09c58328044841acf3f17d83549785c54dc7e5ee2baee59efa540f3034
Opcode Fuzzy Hash: 6a51dbb3d4e17df5216b08229f2d209684bcc865b9bb133c9b44f2680b21282f
Instruction Fuzzy Hash: 73514977A40261E7CF2197E48D15DEB7EB4BB51760B2A4736BD12FF390D6258C0092E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A63AAD Relevance: 28.6, APIs: 1, Strings: 15, Instructions: 571COMMON

Download Yara Rule

Strings

Failed to get product information for ProductCode: %ls, xrefs: 00A63C5E
UX aborted detect., xrefs: 00A6418A
Language, xrefs: 00A63EFC
Failed to query feature state., xrefs: 00A64157
UX aborted detect related MSI package., xrefs: 00A63C3E
Failed to enum related products., xrefs: 00A640FA
Failed to copy the installed ProductCode to the package., xrefs: 00A63D62
msiengine.cpp, xrefs: 00A63C34, 00A63D38, 00A64169, 00A64180
Failed to get version for product in user unmanaged context: %ls, xrefs: 00A640CE
Failed to convert version: %ls to DWORD64 for ProductCode: %ls, xrefs: 00A63B4D
Invalid state value., xrefs: 00A64173
Failed to get version for product in machine context: %ls, xrefs: 00A640F0
msasn1.dll, xrefs: 00A63C15, 00A63D1F, 00A63FEF, 00A6412A
UX aborted detect compatible MSI package., xrefs: 00A63D42
VersionString, xrefs: 00A63B08, 00A63C93, 00A63DEE, 00A63E25

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: lstrlen
String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to copy the installed ProductCode to the package.$Failed to enum related products.$Failed to get product information for ProductCode: %ls$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$Failed to query feature state.$Invalid state value.$Language$UX aborted detect compatible MSI package.$UX aborted detect related MSI package.$UX aborted detect.$VersionString$msasn1.dll$msiengine.cpp
API String ID: 1659193697-2574767977
Opcode ID: 2bbd902a9b31f1a09041f09f7eba11de018b119d92b8e9e06abbf3e6ddb2fecc
Instruction ID: 6b480dce817ca1c9dda639142d55daa97e7e43a5e600427f65e4df6802eda517
Opcode Fuzzy Hash: 2bbd902a9b31f1a09041f09f7eba11de018b119d92b8e9e06abbf3e6ddb2fecc
Instruction Fuzzy Hash: 3722AD72D00214EFDF21DFA4CD85EAEBBB9FF48700F104569E906AB256D7319985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A03E Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 215COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00A4A0B6

Strings

Unsupported product search type: %u, xrefs: 00A4A07E
Failed to enumerate related products for upgrade code., xrefs: 00A4A0F1
Failed to get product info., xrefs: 00A4A1E3
Language, xrefs: 00A4A09F
Failed to change value type., xrefs: 00A4A21D
Failed to copy upgrade code., xrefs: 00A4A116
State, xrefs: 00A4A098
Product or related product not found: %ls, xrefs: 00A4A1A1
Failed to set variable., xrefs: 00A4A23C
Failed to format GUID string., xrefs: 00A4A0C1
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 00A4A148
AssignmentType, xrefs: 00A4A091
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 00A4A175
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00A4A24F
VersionString, xrefs: 00A4A0A6, 00A4A131, 00A4A147, 00A4A15B, 00A4A174, 00A4A188

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: ca431c5aecef4a4f8eac1f7c3e482c4bf61f7c4406d3eac1205f7c3f39068e7f
Instruction ID: 8a3673a493cdd63400e425b919f5737f182f32cff493d7e56cb0f1610b9a82f9
Opcode Fuzzy Hash: ca431c5aecef4a4f8eac1f7c3e482c4bf61f7c4406d3eac1205f7c3f39068e7f
Instruction Fuzzy Hash: DF61D776D80118FBCB11EF98CD45EEE7B78EBA5710F204155F905BB251D272DE009792

Uniqueness

Uniqueness Score: -1.00%

Function 00A442D7 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00A45266,?,?,00000000,?,?), ref: 00A44303
InitializeCriticalSection.KERNEL32(000000D0,?,?,00A45266,?,?,00000000,?,?), ref: 00A4430C
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00A45266,?,?,00000000,?,?), ref: 00A44352
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00A45266,?,?,00000000,?,?), ref: 00A4435C
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00A45266,?,?,00000000,?,?), ref: 00A44370
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00A45266,?,?,00000000,?,?), ref: 00A44380
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00A45266,?,?,00000000,?,?), ref: 00A443D0
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00A45266,?,?,00000000,?,?), ref: 00A443DA
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00A45266,?,?,00000000,?,?), ref: 00A443EE
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00A45266,?,?,00000000,?,?), ref: 00A443FE

Strings

burn.filehandle.self, xrefs: 00A443CB, 00A443D3, 00A443D8, 00A443D9, 00A443F9, 00A444CB
burn.filehandle.attached, xrefs: 00A4434D, 00A44355, 00A4435A, 00A4435B, 00A4437B, 00A4449F
engine.cpp, xrefs: 00A44495, 00A444C1
Failed to parse file handle: '%ls', xrefs: 00A44482
Missing required parameter for switch: %ls, xrefs: 00A444A4
Failed to initialize engine section., xrefs: 00A44467

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$engine.cpp
API String ID: 3039292287-3209860532
Opcode ID: 3c071ff70c4f049f422ee20dbfe67c5d7854f0235d1da9d6177b56cb5eb30c7b
Instruction ID: e6de6ed91993554b8f2a8508a7e9a8b47a3a3bdff3f632ababd343588cded77f
Opcode Fuzzy Hash: 3c071ff70c4f049f422ee20dbfe67c5d7854f0235d1da9d6177b56cb5eb30c7b
Instruction Fuzzy Hash: 54518375A50216BFCB24EFA8CC86F9AB76CFF48760F104115F615AB290D7B0A950CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E7B4 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 137registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 00A5E7FF
RegisterClassW.USER32(?), ref: 00A5E82B
GetLastError.KERNEL32 ref: 00A5E836
CreateWindowExW.USER32(00000080,00A99E54,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00A5E89D
GetLastError.KERNEL32 ref: 00A5E8A7
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00A5E945

Strings

uithread.cpp, xrefs: 00A5E85A, 00A5E8CB
Failed to create window., xrefs: 00A5E8D5
Failed to register window., xrefs: 00A5E864
Unexpected return value from message pump., xrefs: 00A5E930
WixBurnMessageWindow, xrefs: 00A5E824, 00A5E940

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
API String ID: 213125376-288575659
Opcode ID: 1ceb97f9639c46a207fb8ee8a431315014a0e1ea03fe31fcd307fc8ef2cdc7b3
Instruction ID: f7242456fa3c651a395bc1c4ee082e44a90d562d009b35d301d45332bde2b1fa
Opcode Fuzzy Hash: 1ceb97f9639c46a207fb8ee8a431315014a0e1ea03fe31fcd307fc8ef2cdc7b3
Instruction Fuzzy Hash: BD418272A00225FBDB24DBE5DC44ADEBFB8FF08751F104125FD14AA290D7309A05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4C28F Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00A4C47F,00A45405,?,?,00A45445), ref: 00A4C2D6
GetLastError.KERNEL32(?,00A4C47F,00A45405,?,?,00A45445,00A45445,00000000,?,00000000), ref: 00A4C2E7
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00A4C47F,00A45405,?,?,00A45445,00A45445,00000000,?), ref: 00A4C336
GetCurrentProcess.KERNEL32(000000FF,00000000,?,00A4C47F,00A45405,?,?,00A45445,00A45445,00000000,?,00000000), ref: 00A4C33C
DuplicateHandle.KERNELBASE(00000000,?,00A4C47F,00A45405,?,?,00A45445,00A45445,00000000,?,00000000), ref: 00A4C33F
GetLastError.KERNEL32(?,00A4C47F,00A45405,?,?,00A45445,00A45445,00000000,?,00000000), ref: 00A4C349
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,?,00A4C47F,00A45405,?,?,00A45445,00A45445,00000000,?,00000000), ref: 00A4C39B
GetLastError.KERNEL32(?,00A4C47F,00A45405,?,?,00A45445,00A45445,00000000,?,00000000), ref: 00A4C3A5

Strings

crypt32.dll, xrefs: 00A4C397
Failed to open file: %ls, xrefs: 00A4C318
Failed to duplicate handle to container: %ls, xrefs: 00A4C37A
container.cpp, xrefs: 00A4C30B, 00A4C36D, 00A4C3C9
Failed to open container., xrefs: 00A4C3F1
feclient.dll, xrefs: 00A4C398
Failed to move file pointer to container offset., xrefs: 00A4C3D3

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-373955632
Opcode ID: 0cfba775a32aa56cb021b3a7ccc5b4b329613a14381d3f8256ca8c0ef557a7f3
Instruction ID: dff651518ae55896884a3f0ac5e178cd3d2b4f4d393c43defd87e41ba34b944b
Opcode Fuzzy Hash: 0cfba775a32aa56cb021b3a7ccc5b4b329613a14381d3f8256ca8c0ef557a7f3
Instruction Fuzzy Hash: B941B93A640202ABDB609F598D45E5BBBB5EBC4730F218529FD18EF291E771D801DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A8304F Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 153libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00A83609,00000000,?,00000000), ref: 00A83069
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00A6C025,?,00A45405,?,00000000,?), ref: 00A83075
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00A830B5
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A830C1
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00A830CC
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A830D6
CoCreateInstance.OLE32(00AAB6B8,00000000,00000001,00A8B818,?,?,?,?,?,?,?,?,?,?,?,00A6C025), ref: 00A83111
ExitProcess.KERNEL32 ref: 00A831C0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A830BB
kernel32.dll, xrefs: 00A83059
IsWow64Process, xrefs: 00A830AF
Wow64RevertWow64FsRedirection, xrefs: 00A830CE
Wow64EnableWow64FsRedirection, xrefs: 00A830C3
xmlutil.cpp, xrefs: 00A83099

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
API String ID: 2124981135-499589564
Opcode ID: b75e1a7fa8ebd8a168fb2450d6bf368770fd26ceee3157de0ea552483a72b475
Instruction ID: 58a7466ced611827b97503f352a254c9ac1df807ed5484a1ff43f6a91247869f
Opcode Fuzzy Hash: b75e1a7fa8ebd8a168fb2450d6bf368770fd26ceee3157de0ea552483a72b475
Instruction Fuzzy Hash: E341A232A11215ABDF24EBA8CC49FAEB7B4EF45F10F154568E901EB281D771DE418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A28B Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 138registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00A4A2B3
_MREFOpen@16.MSPDB140-MSVCRT ref: 00A4A30E
RegQueryValueExW.ADVAPI32(000002C0,00000100,00000000,000002C0,00000000,00000000,000002C0,?,00000100,00000000,?,00000000,?,000002C0,000002C0,?), ref: 00A4A32F
RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,00000100,00000000,000002C0), ref: 00A4A405

Strings

Failed to format key string., xrefs: 00A4A2BE
Failed to query registry key value., xrefs: 00A4A36A
Failed to set variable., xrefs: 00A4A3BD
Failed to format value string., xrefs: 00A4A319
search.cpp, xrefs: 00A4A360
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 00A4A3DD
Failed to open registry key. Key = '%ls', xrefs: 00A4A3C7
Registry key not found. Key = '%ls', xrefs: 00A4A396
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00A4A37A

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Open@16$CloseQueryValue
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
API String ID: 2702208347-46557908
Opcode ID: f84863fea748a180f5d38f41babd982e248dd5b2502d1bedbda8b703fa8ebe71
Instruction ID: 0c6bd5eb0b5233746dcec2f2d966fd98b8df956c26a8228d842e98da39e8befe
Opcode Fuzzy Hash: f84863fea748a180f5d38f41babd982e248dd5b2502d1bedbda8b703fa8ebe71
Instruction Fuzzy Hash: 4A41097AD80124FBDB21AF94CD06FEEBB74EB94710F104250F914BA161E771AE10A792

Uniqueness

Uniqueness Score: -1.00%

Function 00A61741 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00A4C3EB,?,00000000,?,00A4C47F), ref: 00A61778
GetLastError.KERNEL32(?,00A4C3EB,?,00000000,?,00A4C47F,00A45405,?,?,00A45445,00A45445,00000000,?,00000000), ref: 00A61781

Strings

Failed to create operation complete event., xrefs: 00A617F5
wininet.dll, xrefs: 00A61757
Failed to copy file name., xrefs: 00A61763
Failed to wait for operation complete., xrefs: 00A61854
Failed to create extraction thread., xrefs: 00A61841
Failed to create begin operation event., xrefs: 00A617AF
cabextract.cpp, xrefs: 00A617A5, 00A617EB, 00A61837

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
API String ID: 545576003-938279966
Opcode ID: b489996a13afc86bed9c04d3f3d519387092a11728758942bcc5dcccdb997e1e
Instruction ID: c560a98f65ce8dd5954b7fb48b5c596d5f5175b34c32a9f85bd0c7f76a3089a0
Opcode Fuzzy Hash: b489996a13afc86bed9c04d3f3d519387092a11728758942bcc5dcccdb997e1e
Instruction Fuzzy Hash: 3F21D977E4163777D72156A94D45F2B6DBCFB10BA0F164626BE00BB680EB60DC0086F1

Uniqueness

Uniqueness Score: -1.00%

Function 00A608C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNEL32(00000000,00000000,<the>.cab,?,?), ref: 00A608F2
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00A6090A
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00A6090F
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00A60912
GetLastError.KERNEL32(?,?), ref: 00A6091C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00A6098B
GetLastError.KERNEL32(?,?), ref: 00A60998

Strings

Failed to add virtual file pointer for cab container., xrefs: 00A60971
Failed to open cabinet file: %hs, xrefs: 00A609C9
Failed to duplicate handle to cab container., xrefs: 00A6094A
cabextract.cpp, xrefs: 00A60940, 00A609BC
<the>.cab, xrefs: 00A608EB

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
API String ID: 3030546534-3446344238
Opcode ID: 1d13f255868d0bf982aa26087dfaa39f56df51c91daa64a85f6e3033f9950d7c
Instruction ID: 6240a3eedac5b70759347caca7b2b77b13e946590820e880c3432c7fd6627cb8
Opcode Fuzzy Hash: 1d13f255868d0bf982aa26087dfaa39f56df51c91daa64a85f6e3033f9950d7c
Instruction Fuzzy Hash: E531C173A41636BBEB219B958D49F9BBEB9FF04760F110112FE04BB290E7609D0187E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A44AE5 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 144windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00A44C64
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A44C75

Strings

WixBundleLayoutDirectory, xrefs: 00A44BF5
Failed to set registration variables., xrefs: 00A44BDE
Failed to open log., xrefs: 00A44B18
Failed to set layout directory variable to value provided from command-line., xrefs: 00A44C06
Failed while running , xrefs: 00A44C2A
Failed to check global conditions, xrefs: 00A44B49
Failed to query registration., xrefs: 00A44BAE
Failed to set action variables., xrefs: 00A44BC4
Failed to create the message window., xrefs: 00A44B98

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 3acea2c10053112bfa76e574a5b7ea06260cf19ed5cf0ffdd15388dab4b7d318
Instruction ID: 2968ad26679685d67826f96cd0d9cf0b6f809706ad8b73920e1cae3d4c1af8fe
Opcode Fuzzy Hash: 3acea2c10053112bfa76e574a5b7ea06260cf19ed5cf0ffdd15388dab4b7d318
Instruction Fuzzy Hash: 12415B75A0161BBBCB16AB70CD85FBBB66CFF88751F044615F800A6150EBB0ED1597E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E645 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 97threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00A4548E,?,?), ref: 00A5E666
GetLastError.KERNEL32(?,?,00A4548E,?,?), ref: 00A5E673
CreateThread.KERNEL32(00000000,00000000,Function_0001E3C8,00000000,00000000,00000000), ref: 00A5E6D2
GetLastError.KERNEL32(?,?,00A4548E,?,?), ref: 00A5E6DF
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00A4548E,?,?), ref: 00A5E71A
FindCloseChangeNotification.KERNEL32(?,?,?,00A4548E,?,?), ref: 00A5E72E
CloseHandle.KERNEL32(?,?,?,00A4548E,?,?), ref: 00A5E73B

Strings

Failed to create modal event., xrefs: 00A5E69E
Failed to create UI thread., xrefs: 00A5E70A
splashscreen.cpp, xrefs: 00A5E694, 00A5E700

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseCreateErrorLast$ChangeEventFindHandleMultipleNotificationObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
API String ID: 1372344712-1977201954
Opcode ID: 3062e0a81781784a001e2e40109999971de65f1c8afba6b57a4b365bb176515c
Instruction ID: 0bfc7fdfa03761b1d6c38f4f68ee8ef65c07527c44b9a4b78ce7c99bd4957fa2
Opcode Fuzzy Hash: 3062e0a81781784a001e2e40109999971de65f1c8afba6b57a4b365bb176515c
Instruction Fuzzy Hash: 0B319E76D0022ABBDB20DBD9DC059AFBBF8BB48751F11416AFD10F6250E7309A00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A614E1 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,74DF2F60,?,?,00A45405,00A453BD,00000000,00A45445), ref: 00A61506
GetLastError.KERNEL32 ref: 00A61519
GetExitCodeThread.KERNEL32(00A8B488,?), ref: 00A6155B
GetLastError.KERNEL32 ref: 00A61569
ResetEvent.KERNEL32(00A8B460), ref: 00A615A4
GetLastError.KERNEL32 ref: 00A615AE

Strings

Failed to wait for operation complete event., xrefs: 00A6154A
Failed to reset operation complete event., xrefs: 00A615DF
Failed to get extraction thread exit code., xrefs: 00A6159A
cabextract.cpp, xrefs: 00A61540, 00A61590, 00A615D5

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
API String ID: 2979751695-3400260300
Opcode ID: f786426b817aefdbb3d4b8f47104dd17ce5b13fb5fea1be4495d9d534adb5438
Instruction ID: 81b8f8cc4098170517c832fe593f490ac323afcd557c232727184df99fefae86
Opcode Fuzzy Hash: f786426b817aefdbb3d4b8f47104dd17ce5b13fb5fea1be4495d9d534adb5438
Instruction Fuzzy Hash: 88319571B40205FBDB10DFA98D05AAEBBF8FB44710F10855BF907DA1A0E770DA019BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E56C Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00A5E577
DefWindowProcW.USER32(?,00000082,?,?), ref: 00A5E5B5
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00A5E5C2
SetWindowLongW.USER32(?,000000EB,?), ref: 00A5E5D1
DefWindowProcW.USER32(?,?,?,?), ref: 00A5E5DF
CreateCompatibleDC.GDI32(?), ref: 00A5E5EB
SelectObject.GDI32(00000000,00000000), ref: 00A5E5FC
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00A5E61E
SelectObject.GDI32(00000000,00000000), ref: 00A5E626
DeleteDC.GDI32(00000000), ref: 00A5E629
PostQuitMessage.USER32(00000000), ref: 00A5E637

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: e6d3775fb2d0e1ae4835da6464ffee4e7311b3e1f11c7aaecdd743b2e828b8a1
Instruction ID: 98b6889f746f008ce684a59786b18cf580147cfd3307bd3c43468af528d64193
Opcode Fuzzy Hash: e6d3775fb2d0e1ae4835da6464ffee4e7311b3e1f11c7aaecdd743b2e828b8a1
Instruction Fuzzy Hash: A6219832110214BFCB189FA8EC18D7B3AB8FB49362B014518FA169B1B0D7318911EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A44796 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 128windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00A447BB
GetCurrentThreadId.KERNEL32 ref: 00A447C1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A4484F

Strings

wininet.dll, xrefs: 00A447EE
Failed to create engine for UX., xrefs: 00A447DB
Failed to start bootstrapper application., xrefs: 00A4481D
engine.cpp, xrefs: 00A4489B
Failed to load UX., xrefs: 00A44804
Unexpected return value from message pump., xrefs: 00A448A5

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp$wininet.dll
API String ID: 673430819-2573580774
Opcode ID: 698b8ad46dd44e64eb1d01d33123becd41c806fc3237db0c0a2d5bfa90d28752
Instruction ID: de8ffc08691226e0d4cd74aa6b6ef6a01b38f388976e2c207e82c504bb1a11dc
Opcode Fuzzy Hash: 698b8ad46dd44e64eb1d01d33123becd41c806fc3237db0c0a2d5bfa90d28752
Instruction Fuzzy Hash: FB419276A00655BFEB14EBA4CC85FBAB7ACFF88714F200525F904E7291DB71AD0587A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E2AF Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 104windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 00A5E2E5
GetLastError.KERNEL32 ref: 00A5E2F1
GetObjectW.GDI32(00000000,00000018,?), ref: 00A5E338
GetCursorPos.USER32(?), ref: 00A5E359
MonitorFromPoint.USER32(?,?,00000002), ref: 00A5E36B
GetMonitorInfoW.USER32(00000000,?), ref: 00A5E381

Strings

Failed to load splash screen bitmap., xrefs: 00A5E31F
(, xrefs: 00A5E378
splashscreen.cpp, xrefs: 00A5E315

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$splashscreen.cpp
API String ID: 2342928100-598475503
Opcode ID: 431b213c9bcbb77dfe222e3c536f2bb46a8e86b4d0fbf0a8a73de2a351d920c0
Instruction ID: c34e6dca14c1164273ff9fa842114ab5efc1b03556d524c296f800e8f2c26f9d
Opcode Fuzzy Hash: 431b213c9bcbb77dfe222e3c536f2bb46a8e86b4d0fbf0a8a73de2a351d920c0
Instruction Fuzzy Hash: FB312F75A00219AFDB14DFA8D949A9EBBF4FF08711F148119ED04EB285EB70E905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D6C9 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,00A447FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00A4548E,?), ref: 00A4D6DA
GetLastError.KERNEL32(?,00A447FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00A4548E,?,?), ref: 00A4D6E7
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00A4D71F
GetLastError.KERNEL32(?,00A447FE,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00A4548E,?,?), ref: 00A4D72B

Strings

Failed to create UX., xrefs: 00A4D76F
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00A4D756
BootstrapperApplicationCreate, xrefs: 00A4D719
userexperience.cpp, xrefs: 00A4D708, 00A4D74C
Failed to load UX DLL., xrefs: 00A4D712

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
API String ID: 1866314245-2276003667
Opcode ID: 0846e2e22b329272ec572ff9b85fa530108d29636e4a135874df610026f937f5
Instruction ID: eaf36f8c3364d29cb7437df792dc65baf45c26099e7a5902ed654d8bc4e72329
Opcode Fuzzy Hash: 0846e2e22b329272ec572ff9b85fa530108d29636e4a135874df610026f937f5
Instruction Fuzzy Hash: 5711B63BA80732ABCB2166949C05F5B6A54BB45721F114925BF50BB290EB20EC0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A80523 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00AAB5FC,00000000,?,?,?,00A54207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00A454FA,?), ref: 00A80533
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,xi,?,00A54207,00000000,Setup), ref: 00A805D7
GetLastError.KERNEL32(?,00A54207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00A454FA,?,?,?), ref: 00A805E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00A54207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00A454FA,?), ref: 00A80621

Part of subcall function 00A42DBF: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00A42F09

LeaveCriticalSection.KERNEL32(00AAB5FC,?,?,xi,?,00A54207,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00A454FA,?), ref: 00A8067A

Strings

logutil.cpp, xrefs: 00A80606
xi, xrefs: 00A8054A, 00A8056D

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: logutil.cpp$xi
API String ID: 4111229724-2851243583
Opcode ID: 5db71016ccf01cfc2c73ead3d1a383cc61a49bd8fa23379cff7c1e4d6eae47e6
Instruction ID: 5b73be01a7d2bc0a28480d103251165c3a4a3e93d0ded0ead274f087e5b31c5b
Opcode Fuzzy Hash: 5db71016ccf01cfc2c73ead3d1a383cc61a49bd8fa23379cff7c1e4d6eae47e6
Instruction Fuzzy Hash: 5E31C431D1022BFFDB21AFB4DE45E6A7A69EB41750F404234F911AB1A1E7B0CD609BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4F812 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00A4F942
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00A4F94F

Strings

Failed to open registration key., xrefs: 00A4F8AB
Resume, xrefs: 00A4F8B6
Failed to format pending restart registry key to read., xrefs: 00A4F846
Failed to read Resume value., xrefs: 00A4F8D8
%ls.RebootRequired, xrefs: 00A4F82F

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: efc095502e727fd2058052026ab31c23f158000d3ed49a8b64857c1042f6b8f9
Instruction ID: 074cbe328ef08de0b57cc640eb891b0fc536babe2ddd0aa7f61fe8c3c3a0f86b
Opcode Fuzzy Hash: efc095502e727fd2058052026ab31c23f158000d3ed49a8b64857c1042f6b8f9
Instruction Fuzzy Hash: 9D415B7A900119FFDF129FA8CD81BADBBB4FB84310F259176E910AB251C371AE41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A4732C Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00A45932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 00A4733E
LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,00A45932,00000100,00000100,00000000,00000000,00000001,00000000,00000100), ref: 00A4741D

Strings

Failed to format value '%ls' of variable: %ls, xrefs: 00A473E7
*****, xrefs: 00A473D9, 00A473E6
Failed to get variable: %ls, xrefs: 00A4737F
Failed to get unformatted string., xrefs: 00A473AE
Failed to get value as string for variable: %ls, xrefs: 00A4740C

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 6530872c0cee25c00b92bf760503baaf61818f8a28120a8b52f1c428cac8a768
Instruction ID: 21f66cbf891d7316fb7ec2a7f6bbbf534b5f815c0ebc996336819e9e1a4d5b4d
Opcode Fuzzy Hash: 6530872c0cee25c00b92bf760503baaf61818f8a28120a8b52f1c428cac8a768
Instruction Fuzzy Hash: 9731C03A94495AFBCF226F54CC09FAE7B64FF50321F004625FD046A161D771EA509BD4

Uniqueness

Uniqueness Score: -1.00%

Function 00A832F3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A83309
SysAllocString.OLEAUT32(?), ref: 00A83325
VariantClear.OLEAUT32(?), ref: 00A833AC
SysFreeString.OLEAUT32(00000000), ref: 00A833B7

Strings

`<u, xrefs: 00A833B7
xmlutil.cpp, xrefs: 00A8333C

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `<u$xmlutil.cpp
API String ID: 760788290-3482516102
Opcode ID: b6bda14a3cea8827f5fd8330daf8fd155cbea267cf95370947a2a8f5352c6fc1
Instruction ID: df41328e4b5b7ec6a2a1045206fd57eb0e69e84c9fe7234970500dfae4108f2c
Opcode Fuzzy Hash: b6bda14a3cea8827f5fd8330daf8fd155cbea267cf95370947a2a8f5352c6fc1
Instruction Fuzzy Hash: 4C219136901219AFCF11EF98C848EAEBBB9EF85B11F154158F901AF260DB719E018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A80879 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,00A453BD,00000000,?,?,?,?,?,?,?,00A5769D,00000000), ref: 00A80897
GetLastError.KERNEL32(?,?,?,?,?,?,?,00A5769D,00000000), ref: 00A808A1
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00A5769D,00000000), ref: 00A808D3
GetLastError.KERNEL32(?,?,?,?,?,?,?,00A5769D,00000000), ref: 00A808EC
FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?,?,?,00A5769D,00000000), ref: 00A8092B

Strings

procutil.cpp, xrefs: 00A80919

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastToken$ChangeCloseFindInformationNotificationOpenProcess
String ID: procutil.cpp
API String ID: 3650908616-1178289305
Opcode ID: 569a6ffce4f3eaea7413c9685648ca921c58cdafb82371a90ad1de96ea499db5
Instruction ID: 0888f20eab92ae964b26b07b67bcd9739ad7d6d9ca0e51cdb0b08eb1e1f75bac
Opcode Fuzzy Hash: 569a6ffce4f3eaea7413c9685648ca921c58cdafb82371a90ad1de96ea499db5
Instruction Fuzzy Hash: 3D21C632D40229EFDB61EB958805E9EBBB8EF10710F114156ED55FB291E3708E04DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00A83565 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A83574
InterlockedIncrement.KERNEL32(00AAB6C8), ref: 00A83591
CLSIDFromProgID.OLE32(Msxml2.DOMDocument,00AAB6B8,?,?,?,?,?,?), ref: 00A835AC
CLSIDFromProgID.OLE32(MSXML.DOMDocument,00AAB6B8,?,?,?,?,?,?), ref: 00A835B8

Strings

MSXML.DOMDocument, xrefs: 00A835B3
Msxml2.DOMDocument, xrefs: 00A835A7

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 7377e5c4b5cea673a2560a5f347961973790eb0874725bdcad7433864817fa36
Instruction ID: be359ccc4bbe566a0c8b2b0d32695e4745611a69c0dec5bb41a7796b3312f6b2
Opcode Fuzzy Hash: 7377e5c4b5cea673a2560a5f347961973790eb0874725bdcad7433864817fa36
Instruction Fuzzy Hash: 76F065327611366FDB25ABE6BD09B572E65EB82F55F080829E800D71D4D3B0CA438BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5E956 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 00A5E985
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00A5E994
SetWindowLongW.USER32(?,000000EB,?), ref: 00A5E9A8
DefWindowProcW.USER32(?,?,?,?), ref: 00A5E9B8
GetWindowLongW.USER32(?,000000EB), ref: 00A5E9D2
PostQuitMessage.USER32(00000000), ref: 00A5EA31

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: a9cb0566c2c840ce5ec33a3be70244fa5cedc9318679a815a2504935afb4d98a
Instruction ID: 60b28c4ec9e8b5a7dbc9e7dc75f5a6529dbe259ca2ac0c8d17c5e052e7ef8c27
Opcode Fuzzy Hash: a9cb0566c2c840ce5ec33a3be70244fa5cedc9318679a815a2504935afb4d98a
Instruction Fuzzy Hash: AE21AE32104204BFDF15DFA8DC08E6A7B75FF49392F144618FE0AAA1A4C7319E249B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A81217 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00A8123F
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,00A570E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00A81276
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 00A8136E

Strings

regutil.cpp, xrefs: 00A812BF
BundleUpgradeCode, xrefs: 00A8121E

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$regutil.cpp
API String ID: 3790715954-1648651458
Opcode ID: cc16027efba080d71a5a35304ea04851b1473ce24ba998e8b670e3a38eed611d
Instruction ID: 40d60173ed15e1c978d0b690da1653cea587658e74f6054067fdabe8571af5c5
Opcode Fuzzy Hash: cc16027efba080d71a5a35304ea04851b1473ce24ba998e8b670e3a38eed611d
Instruction Fuzzy Hash: F141827AA0021AEFDB21EF95C884AAEB7BDEB44710F154169FD01EF640D7309D129BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A60A81 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A60B27
GetLastError.KERNEL32(?,?,?), ref: 00A60B31

Strings

Failed to move file pointer 0x%x bytes., xrefs: 00A60B62
Invalid seek type., xrefs: 00A60ABD
cabextract.cpp, xrefs: 00A60B55

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
API String ID: 2976181284-417918914
Opcode ID: d7382c7226e777f93360be88b27c9d5acee2d2011182c559a757b096a40b7fd2
Instruction ID: 946b4131e67b0ecc3cc2fd6f006ea3074599e0cf8c56beb8b58bb18f6cc67f2e
Opcode Fuzzy Hash: d7382c7226e777f93360be88b27c9d5acee2d2011182c559a757b096a40b7fd2
Instruction Fuzzy Hash: B731AF32A4021AFFCB11DFA8D884DAEBBB9FB04764B148215F914A7250E770ED50CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00A8433D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A84440: FindFirstFileW.KERNEL32(00A6923A,?,00000100,00000000,00000000), ref: 00A8447B
Part of subcall function 00A84440: FindClose.KERNEL32(00000000), ref: 00A84487

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00A84430

Part of subcall function 00A80F6C: RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00AAAAA0,00000000,?,00A857E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A80F80

Part of subcall function 00A81217: RegQueryValueExW.KERNELBASE(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00A8123F
Part of subcall function 00A81217: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,00A570E8,00000100,000000B0,00000088,00000410,000002C0), ref: 00A81276

Strings

crypt32.dll, xrefs: 00A84368
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00A8436F
PendingFileRenameOperations, xrefs: 00A8439B
\, xrefs: 00A843B9

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: ea1c7aa15edda953d7ba9a864476dca74825bc712186733380081926101b3d15
Instruction ID: d59c43cc0bf42d5543785d4fa33bbb25e610fb3f440e29081fcd242ac3e37a0b
Opcode Fuzzy Hash: ea1c7aa15edda953d7ba9a864476dca74825bc712186733380081926101b3d15
Instruction Fuzzy Hash: 57319F3194021AABDF21BF95CC41AAEBB75EB08750F64817AF904AA151E3319E40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A44115 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,840F01E8,00000000,00000000,?,00A5A0E8,00000000,00000000,?,00000000,00A453BD,00000000,?,?,00A4D5B5,?), ref: 00A44123
GetLastError.KERNEL32(?,00A5A0E8,00000000,00000000,?,00000000,00A453BD,00000000,?,?,00A4D5B5,?,00000000,00000000), ref: 00A44131
CreateDirectoryW.KERNEL32(?,840F01E8,00A45489,?,00A5A0E8,00000000,00000000,?,00000000,00A453BD,00000000,?,?,00A4D5B5,?,00000000), ref: 00A4419A
GetLastError.KERNEL32(?,00A5A0E8,00000000,00000000,?,00000000,00A453BD,00000000,?,?,00A4D5B5,?,00000000,00000000), ref: 00A441A4

Strings

dirutil.cpp, xrefs: 00A441D4

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: dirutil.cpp
API String ID: 1375471231-2193988115
Opcode ID: 1327667cf880c16cfaf6cf826ec8bba4f8ca07b8a1abbbe17c2c73a4610187d8
Instruction ID: 9093836aa1594424055c4763965e8061fb712ce7dde0c890899ef3a8b67f4c7f
Opcode Fuzzy Hash: 1327667cf880c16cfaf6cf826ec8bba4f8ca07b8a1abbbe17c2c73a4610187d8
Instruction Fuzzy Hash: F111D57E60073597E7315BAD4C84B7BA664EFFDB61F114321FD05EB240E3609C819291

Uniqueness

Uniqueness Score: -1.00%

Function 00A461DF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A4620F
GetLastError.KERNEL32 ref: 00A46219

Strings

Failed to get the user name., xrefs: 00A46242
Failed to set variant value., xrefs: 00A4625E
variable.cpp, xrefs: 00A46238

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
API String ID: 2054405381-1522884404
Opcode ID: d23929bf8f7703eadca9e5627d0b14616bb145a67deb13f11fdcb784132873fc
Instruction ID: 265425fb557e06f05fd7e87b3166ba8335203dd6a832abc57bb6969b90ade849
Opcode Fuzzy Hash: d23929bf8f7703eadca9e5627d0b14616bb145a67deb13f11fdcb784132873fc
Instruction Fuzzy Hash: 3601D636E0123977C720EBA4DD05AEBB7B8AB51720F110255FC14E7281EBB09D458BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A474B7 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00A453BD,WixBundleOriginalSource,?,?,00A5A623,840F01E8,WixBundleOriginalSource,?,00AAAA90,?,00000000,00A45445,00000001,?,?,00A45445), ref: 00A474C3
LeaveCriticalSection.KERNEL32(00A453BD,00A453BD,00000000,00000000,?,?,00A5A623,840F01E8,WixBundleOriginalSource,?,00AAAA90,?,00000000,00A45445,00000001,?), ref: 00A4752A

Strings

WixBundleOriginalSource, xrefs: 00A474BF
Failed to get value of variable: %ls, xrefs: 00A474FD
Failed to get value as string for variable: %ls, xrefs: 00A47519

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 05ab1eea966b791ea1ad7aed76aafc4d954179c0145174e0ad6aefffb8f419ac
Instruction ID: a2e86b4b377e66188ea6ae5c211ed65ea2b177a77f7ee3d815cf0fb789220540
Opcode Fuzzy Hash: 05ab1eea966b791ea1ad7aed76aafc4d954179c0145174e0ad6aefffb8f419ac
Instruction Fuzzy Hash: 3301BC3A954169FBCF22AF94CC09AAE3F68EF40321F104160FD04AA221C3369E109BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A53AA6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A80F6C: RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00AAAAA0,00000000,?,00A857E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A80F80

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000001,feclient.dll,?,?,?,00A53FB5,feclient.dll,?,00000000,?,?,?,00A44B12), ref: 00A53B42

Part of subcall function 00A810B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A8112B
Part of subcall function 00A810B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00A81163

Strings

SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00A53AB7
Logging, xrefs: 00A53AD4
feclient.dll, xrefs: 00A53AAB

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$feclient.dll
API String ID: 1586453840-3596319545
Opcode ID: df18837d4fcc488e987196e48ac6725e06d00485f7ac369a86abc48d7cd767f0
Instruction ID: c203f1c05c8c8107da28c3e6b7a1dba4fce0bb609c59ee6305cfd6f869acf0b4
Opcode Fuzzy Hash: df18837d4fcc488e987196e48ac6725e06d00485f7ac369a86abc48d7cd767f0
Instruction Fuzzy Hash: F911B637B40208BBDF21DB95DD86EAEB7B8FB80782F514065FA019B051D6719F85D710

Uniqueness

Uniqueness Score: -1.00%

Function 00A80764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(00A5E93B,00000000,00000000,?,?,?,00A80013,00A5E93B,00A5E93B,?,00000000,0000FDE9,?,00A5E93B,8000FFFF,Unexpected return value from message pump.), ref: 00A80776
WriteFile.KERNEL32(00000200,00000000,00000000,?,00000000,?,?,00A80013,00A5E93B,00A5E93B,?,00000000,0000FDE9,?,00A5E93B,8000FFFF), ref: 00A807B2
GetLastError.KERNEL32(?,?,00A80013,00A5E93B,00A5E93B,?,00000000,0000FDE9,?,00A5E93B,8000FFFF,Unexpected return value from message pump.), ref: 00A807BC

Strings

logutil.cpp, xrefs: 00A807ED

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: logutil.cpp
API String ID: 606256338-3545173039
Opcode ID: 8b40a97d61d4ed55650bb54d8350bff9d3829be85c98a450c1128b013066424a
Instruction ID: bd800ba4ac0b340e9842b901347820933d350f9e1e45771fc1ca6c2afdcc7265
Opcode Fuzzy Hash: 8b40a97d61d4ed55650bb54d8350bff9d3829be85c98a450c1128b013066424a
Instruction Fuzzy Hash: 57118A76A41925AB8710EBB9CD44EABBA6CEB85760B114214FD01EB280D770AD04CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A609EA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6140C: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,?,00A60A19,?,?,?), ref: 00A61434
Part of subcall function 00A6140C: GetLastError.KERNEL32(?,00A60A19,?,?,?), ref: 00A6143E

ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?), ref: 00A60A27
GetLastError.KERNEL32 ref: 00A60A31

Strings

Failed to read during cabinet extraction., xrefs: 00A60A5F
cabextract.cpp, xrefs: 00A60A55

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$cabextract.cpp
API String ID: 2170121939-2426083571
Opcode ID: 7d01eb332fb9d1081a0594eac4d985addbaa536a0534b80091f646255012c319
Instruction ID: a0b85ecd6d13853e50e6724f7a458d4240bd0262c02c5d93897bfe315b6788e1
Opcode Fuzzy Hash: 7d01eb332fb9d1081a0594eac4d985addbaa536a0534b80091f646255012c319
Instruction Fuzzy Hash: AA118E76A40229BBCB219FD5DD08E9B7FB8FB157A0B114155FD14A7290D7309911C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A6140C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,?,00A60A19,?,?,?), ref: 00A61434
GetLastError.KERNEL32(?,00A60A19,?,?,?), ref: 00A6143E

Strings

Failed to move to virtual file pointer., xrefs: 00A6146C
cabextract.cpp, xrefs: 00A61462

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$cabextract.cpp
API String ID: 2976181284-3005670968
Opcode ID: b092f961a6bd50df3404fbbd630aecff3ec9ba1a921529cc00cc2fbf0d2c70d3
Instruction ID: 731f686c60f134b8d8083e9216cdf7f0684ab3786717cffb6a7ae710ce6fa763
Opcode Fuzzy Hash: b092f961a6bd50df3404fbbd630aecff3ec9ba1a921529cc00cc2fbf0d2c70d3
Instruction Fuzzy Hash: 57018477A40636778B215A968C08E8BBF78FF407B07158126FD285B251DB31D810C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5F2D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 00A5F2EE
GetLastError.KERNEL32 ref: 00A5F2F8

Strings

EngineForApplication.cpp, xrefs: 00A5F31C
Failed to post plan message., xrefs: 00A5F326

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: EngineForApplication.cpp$Failed to post plan message.
API String ID: 2609174426-2952114608
Opcode ID: d4005fe20b8abcc07a5f87a44a50f717675dbdd0ae9ccd59393799bdb4f0add4
Instruction ID: 337030492fca18e7dbe0453ec8ddd935a83e58f4ba4420eef574f3616fc5ddd0
Opcode Fuzzy Hash: d4005fe20b8abcc07a5f87a44a50f717675dbdd0ae9ccd59393799bdb4f0add4
Instruction Fuzzy Hash: DDF0A7337512317BEA2067D9AC09E8BBF94FF04B71B024021BE64AF191E6709C0082E4

Uniqueness

Uniqueness Score: -1.00%

Function 00A607B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00A8B478,00000000,?,00A61717,?,00000000,?,00A4C287,?,00A45405,?,00A575A5,?,?,00A45405,?), ref: 00A607BF
GetLastError.KERNEL32(?,00A61717,?,00000000,?,00A4C287,?,00A45405,?,00A575A5,?,?,00A45405,?,00A45445,00000001), ref: 00A607C9

Strings

Failed to set begin operation event., xrefs: 00A607F7
cabextract.cpp, xrefs: 00A607ED

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$cabextract.cpp
API String ID: 3848097054-4159625223
Opcode ID: 603af4909e62587bc525c00b1cf60e272e9dde2fe743221ab292025bd1ba479c
Instruction ID: ca8bd6d8207012b7b50ba304e49b11fe5fa307778055e63f37c97d0770803153
Opcode Fuzzy Hash: 603af4909e62587bc525c00b1cf60e272e9dde2fe743221ab292025bd1ba479c
Instruction Fuzzy Hash: E2F0EC37642631678620A3D95D05E8F76B4AF04BB0B120125FE01BB240FA20AC40C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 00A47435 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00A47441
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00A474A8

Strings

Failed to get value as numeric for variable: %ls, xrefs: 00A47497
Failed to get value of variable: %ls, xrefs: 00A4747B

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: 08cfcad91d40d00fc2ee6f338e5fad240b59b998815260e495e393a3dfbdd60c
Instruction ID: 23abfaa1e00c4eed259c5e7a869f8785e6a9e7a4abd58bc212f8690209e50586
Opcode Fuzzy Hash: 08cfcad91d40d00fc2ee6f338e5fad240b59b998815260e495e393a3dfbdd60c
Instruction Fuzzy Hash: A2018F3A954168FBCF11AF98CD09EAE7F74AF40721F018161FD04AA221D3769E549BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A45123 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00A41104,?,?,00000000), ref: 00A45142
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00A41104,?,?,00000000), ref: 00A45172

Strings

burn.clean.room, xrefs: 00A4512F, 00A4513C, 00A45169

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 4009564a47e5476307ab1afd90e4552bc7d9d68903ec8c7be9a74091ceb0d335
Instruction ID: 6f9539cb5cbcc1870ef0da43358c068ee4e30fab20c334eea6883fb7b9c2f81c
Opcode Fuzzy Hash: 4009564a47e5476307ab1afd90e4552bc7d9d68903ec8c7be9a74091ceb0d335
Instruction Fuzzy Hash: 9E016276A105266F8734DBAC9D88A73F7ECEB667A0B104316F505C7651D3709C42C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A43838 Relevance: 4.6, APIs: 3, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A43877
GetLastError.KERNEL32 ref: 00A43881
LoadLibraryW.KERNEL32(?,?,00000104,?), ref: 00A438EA

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 0029d2a5c08d71aea0cb19f2d88ccd31e93643e9abe0ce27cc2548451cb82ce7
Instruction ID: 852be961e9d241adeeacc0f4321e53a287a97c0fd4a984c754a4ea05d6dd29c6
Opcode Fuzzy Hash: 0029d2a5c08d71aea0cb19f2d88ccd31e93643e9abe0ce27cc2548451cb82ce7
Instruction Fuzzy Hash: 7F21D8BBD0123E67DF20DB949C45F9AB7789B80710F1101A1BD14EB241D770DE4087E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A464B7 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A464C5
CoUninitialize.OLE32(?,?,?,?), ref: 00A46512

Strings

Failed to set reboot pending variant value., xrefs: 00A46501

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to set reboot pending variant value.
API String ID: 3442037557-1870475249
Opcode ID: a666b921c5bf01a2443a98622ef66af20ef99574bf3adbe6230d21992ebb2811
Instruction ID: 87a1a7957ed444da1374d7c6873503af0d34a9a86e5274efb7cae836cb1be980
Opcode Fuzzy Hash: a666b921c5bf01a2443a98622ef66af20ef99574bf3adbe6230d21992ebb2811
Instruction Fuzzy Hash: 48F06876A00535A75F61AB99DE058AFB7ACEFD6B20721415AF804D7100E770DE0197D2

Uniqueness

Uniqueness Score: -1.00%

Function 00A46745 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00A46762

Strings

Failed to set variant value., xrefs: 00A46794

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: InfoNativeSystem
String ID: Failed to set variant value.
API String ID: 1721193555-2610885892
Opcode ID: 8c0eeb0ded79a7923b39f0a246821922594ede6043be73dd11ef375207399edd
Instruction ID: d4bfd2792a599f02822007b72dabe784277367bbb9619dd2c22a6c0f855dbf07
Opcode Fuzzy Hash: 8c0eeb0ded79a7923b39f0a246821922594ede6043be73dd11ef375207399edd
Instruction Fuzzy Hash: CEF0C832D0021DBADF11AB98E8069DEBBF9EF44324F204016FA10EA250EB719988C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4F755 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A80F6C: RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00AAAAA0,00000000,?,00A857E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A80F80

RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00A57D59,?,?,?), ref: 00A4F7B9

Part of subcall function 00A81026: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,?,00000000,?,?,?,00A4F78E,00000000,Installed,00000000,?), ref: 00A8104B

Strings

Installed, xrefs: 00A4F781

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Installed
API String ID: 3677997916-3662710971
Opcode ID: cec9e53a7b7acc0eae11f7fbb282aa0307e0f82f6533429e75102f6d4692ece6
Instruction ID: 0086988c618d02e10987bf7a62aead8dfb2a5d3f8f13a850be3c31e423592918
Opcode Fuzzy Hash: cec9e53a7b7acc0eae11f7fbb282aa0307e0f82f6533429e75102f6d4692ece6
Instruction Fuzzy Hash: D0014F36921118FFCB11DB94CD46FDEBBB8EF04751F1141A5E900A7110D7799E509790

Uniqueness

Uniqueness Score: -1.00%

Function 00A7F4AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A7F491

Part of subcall function 00A8998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00A899A1
Part of subcall function 00A8998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A89A09
Part of subcall function 00A8998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A89A1A

Strings

PA`n, xrefs: 00A7F48B

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: PA`n
API String ID: 697777088-1424363697
Opcode ID: d243fafa69f5fd3ae9926ff70efad50eef7b38aacdb7a6fe3af65556a3df38ea
Instruction ID: 8241c409beb03c0b16ccb1ef26a0dc62f70115f08dd548c24591c1865e492f25
Opcode Fuzzy Hash: d243fafa69f5fd3ae9926ff70efad50eef7b38aacdb7a6fe3af65556a3df38ea
Instruction Fuzzy Hash: E4B012B13695017E724461145D02D37125CD1D7F21330C66EF024C30D0EA501D444133

Uniqueness

Uniqueness Score: -1.00%

Function 00A7F49A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A7F491

Part of subcall function 00A8998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00A899A1
Part of subcall function 00A8998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A89A09
Part of subcall function 00A8998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A89A1A

Strings

PA`n, xrefs: 00A7F48B

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: PA`n
API String ID: 697777088-1424363697
Opcode ID: d848e4e73e6d79d26de25e1197d395a60a80346b30e7e858090e00507b80c234
Instruction ID: 3caa56c0b249b1c6223c09643906742da09749b4e72ee88de4316c7c39926439
Opcode Fuzzy Hash: d848e4e73e6d79d26de25e1197d395a60a80346b30e7e858090e00507b80c234
Instruction Fuzzy Hash: 85B012B13694017F724461149E03D37125CD1D7F21330C56EF015C30D0EA441D054133

Uniqueness

Uniqueness Score: -1.00%

Function 00A7F479 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A7F491

Part of subcall function 00A8998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00A899A1
Part of subcall function 00A8998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A89A09
Part of subcall function 00A8998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A89A1A

Strings

PA`n, xrefs: 00A7F479, 00A7F48B

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: PA`n
API String ID: 697777088-1424363697
Opcode ID: e84d01c2ed59f762b8d7a1b61197a81064d90dc405ddac1c822ffabf0d134188
Instruction ID: e25ce74a5cc5827b37156842e8b071e3f8455a30f18b7c365283774d4480236e
Opcode Fuzzy Hash: e84d01c2ed59f762b8d7a1b61197a81064d90dc405ddac1c822ffabf0d134188
Instruction Fuzzy Hash: 21B012B53694017E720421105D02C37121CD1D3F21330C66EF410D20D0AA401D044073

Uniqueness

Uniqueness Score: -1.00%

Function 00A4394F Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00A42274,?,00000001,75C0B390,8000FFFF,?,?,00A80267,?,?,00000000,00000000,8000FFFF), ref: 00A43960
RtlAllocateHeap.NTDLL(00000000,?,00A42274,?,00000001,75C0B390,8000FFFF,?,?,00A80267,?,?,00000000,00000000,8000FFFF), ref: 00A43967

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: dcb6710c74bc99123459ed6067fef0be92c3171e4af145645f2b51a9d3cdd07e
Instruction ID: fa1a2354d072486bf63e4d73de99cf7ac766ee0769304bb78c5cc0ecfd909655
Opcode Fuzzy Hash: dcb6710c74bc99123459ed6067fef0be92c3171e4af145645f2b51a9d3cdd07e
Instruction Fuzzy Hash: 97C012321A420CA7CB009FF4DC0DC56379CB714A027048500B505C6120C738E0108770

Uniqueness

Uniqueness Score: -1.00%

Function 00A835C3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A835F8

Part of subcall function 00A8304F: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00A83609,00000000,?,00000000), ref: 00A83069
Part of subcall function 00A8304F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00A6C025,?,00A45405,?,00000000,?), ref: 00A83075

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: 356c0435715a8d4103a542ddc5d59a180f1dc254f35ee714fa32bd0c3ae1a849
Instruction ID: 3aa48c9a374f2d42748f59ac9b138e99daf6b62d243f732efef7fa4206dfcd42
Opcode Fuzzy Hash: 356c0435715a8d4103a542ddc5d59a180f1dc254f35ee714fa32bd0c3ae1a849
Instruction Fuzzy Hash: 44310D76E01229ABCB11DFA9D884ADFB7F8EF08710F01457AED15AB311E6759D008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A891FC Relevance: 1.6, APIs: 1, Instructions: 82registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A88E44: lstrlenW.KERNEL32(00000100,?,?,?,00A89217,000002C0,00000100,00000100,00000100,?,?,?,00A67D87,?,?,000001BC), ref: 00A88E69

RegCloseKey.ADVAPI32(000002C0,000002C0,00000100,00000100,00000100,?,?,?,00A67D87,?,?,000001BC,00000000,00000000,00000000,00000100), ref: 00A892B4

Part of subcall function 00A80F6C: RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00AAAAA0,00000000,?,00A857E1,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A80F80

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: CloseOpenlstrlen
String ID:
API String ID: 514153755-0
Opcode ID: d794eb33b532347efbf55ab8fcd51353d5d93f77a3e1c2a5a48f16a7db5dd402
Instruction ID: 47a00e658367cffaba0fb8faca73a3e006e1b60ee14b15b4939f65b39324adda
Opcode Fuzzy Hash: d794eb33b532347efbf55ab8fcd51353d5d93f77a3e1c2a5a48f16a7db5dd402
Instruction Fuzzy Hash: 46212C33C00129BB8F22AFA4CD418EEBAB9EB44750F194366FD41B6125E7324E51EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00A85870 Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,00AAAAA0,00000000,80070490,?,?,00A58B19,WiX\Burn,PackageCache,00000000,00AAAAA0,00000000,00000000,80070490), ref: 00A858CA

Part of subcall function 00A810B5: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A8112B
Part of subcall function 00A810B5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00A81163

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: f8bcfb38345654d017cb440b98571ce0101dc344305c594a0db66425cdaa6049
Instruction ID: 2717ac0378c7df66ef47ea46e989bfecec71b1a471b1e996d1cc996875fef1b9
Opcode Fuzzy Hash: f8bcfb38345654d017cb440b98571ce0101dc344305c594a0db66425cdaa6049
Instruction Fuzzy Hash: AA117336C00629EFCB21BFB4C9415AEBB68EF04360B15417AED4267111D7314E50E7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A434B5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00A58BD3,0000001C,80070490,00000000,00000000,80070490), ref: 00A434D5

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: f1c4b07794dd4a7930d47716acac784e38e191ba171d3cb08cd4e3d6ca64e713
Instruction ID: bd506f4791f3b8dbc3b8aa3380439e4ea9e4597c4b32b752faf51b5b5784e7e8
Opcode Fuzzy Hash: f1c4b07794dd4a7930d47716acac784e38e191ba171d3cb08cd4e3d6ca64e713
Instruction Fuzzy Hash: 16E05B7B2011247BEB436FA59C06EFB7B5CDF457557008451FE40D6010D772D55187B4

Uniqueness

Uniqueness Score: -1.00%

Function 00A441E7 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,?,00A5A42F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,80070490), ref: 00A441F0

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4062da8517251e233d490c13a40f8b1219a7ba2294825d6b274ad08f888de5ec
Instruction ID: a32653130bf12230ae4241319d2ee8917619dc73ae3f848c36f35b756579c344
Opcode Fuzzy Hash: 4062da8517251e233d490c13a40f8b1219a7ba2294825d6b274ad08f888de5ec
Instruction Fuzzy Hash: 76D02E32201128578B288FFA88086EABF88EF4A7B03814315FE25CB1A0E3708C12C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00A89684 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A8966B

Part of subcall function 00A8998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00A899A1
Part of subcall function 00A8998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A89A09
Part of subcall function 00A8998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A89A1A

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: cf6ba4cd89dce7c0d056543ff0f746b5c25fc9cd1176e5e27a43852f9032b876
Instruction ID: cf14fcc5a3409e89b1210bb574a1b9efbcb3f8322b9353e973b1b428ac868b80
Opcode Fuzzy Hash: cf6ba4cd89dce7c0d056543ff0f746b5c25fc9cd1176e5e27a43852f9032b876
Instruction Fuzzy Hash: B4B012B12683027C3A4471446F43D37425CD5C2B11334452FF014E30D0FA480C054333

Uniqueness

Uniqueness Score: -1.00%

Function 00A89674 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A8966B

Part of subcall function 00A8998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00A899A1
Part of subcall function 00A8998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A89A09
Part of subcall function 00A8998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A89A1A

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: f4f40724764504d278c8abd0f24974689146ef96bc95e849d5e894949836898e
Instruction ID: 95a2b1c2fbbc57b1e51cfb09c61f447e15f16720c0fea7d95b4b4aba4492e837
Opcode Fuzzy Hash: f4f40724764504d278c8abd0f24974689146ef96bc95e849d5e894949836898e
Instruction Fuzzy Hash: 29B012B12685037C364571041D03D37025CD1C2B11334C52FF400D30D0FA440C0C4333

Uniqueness

Uniqueness Score: -1.00%

Function 00A89653 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A8966B

Part of subcall function 00A8998C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00A899A1
Part of subcall function 00A8998C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A89A09
Part of subcall function 00A8998C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A89A1A

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 27ff7de49f58a5d44ebf2a59526e9ff520c38de91a0fa171cae750101928bf12
Instruction ID: e4dd958d49cb1a5cfb1d37d33ba505c4fac214c0d11f833f6351b08701c4df84
Opcode Fuzzy Hash: 27ff7de49f58a5d44ebf2a59526e9ff520c38de91a0fa171cae750101928bf12
Instruction Fuzzy Hash: 46B012B12682027C3A4431006D82C37421CE5C2B11334852FF010F20D0BA440C044333

Uniqueness

Uniqueness Score: -1.00%

Function 00A41361 Relevance: 1.3, APIs: 1, Instructions: 88stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A43BD3: GetProcessHeap.KERNEL32(00000000,?,?,00A421CC,?,75C0B390,8000FFFF,?,?,00A80267,?,?,00000000,00000000,8000FFFF), ref: 00A43BDB
Part of subcall function 00A43BD3: HeapSize.KERNEL32(00000000,?,00A421CC,?,75C0B390,8000FFFF,?,?,00A80267,?,?,00000000,00000000,8000FFFF), ref: 00A43BE2

lstrlenW.KERNEL32(?,?,75C0B390,00000000,?), ref: 00A4139C

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: ad0b2360ab774a1ec571439270656cb3774403fd1acba9a7c4ace3691e5def49
Instruction ID: cad5d22ad297c7b0ad61ba8a105640e016713b11fc14157ddb063cc1134df15e
Opcode Fuzzy Hash: ad0b2360ab774a1ec571439270656cb3774403fd1acba9a7c4ace3691e5def49
Instruction Fuzzy Hash: E621E27EE00218AFCF128FA9C8407ADBBB9EFC4360F158165ED50AB250D7359D929BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00A414B6 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00A421A8,?,00000000,?,00000000,?,00A4390C,00000000,?,00000104), ref: 00A414E8

Part of subcall function 00A43BD3: GetProcessHeap.KERNEL32(00000000,?,?,00A421CC,?,75C0B390,8000FFFF,?,?,00A80267,?,?,00000000,00000000,8000FFFF), ref: 00A43BDB
Part of subcall function 00A43BD3: HeapSize.KERNEL32(00000000,?,00A421CC,?,75C0B390,8000FFFF,?,?,00A80267,?,?,00000000,00000000,8000FFFF), ref: 00A43BE2

Memory Dump Source

Source File: 00000002.00000002.2937806652.0000000000A41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000002.00000002.2937763154.0000000000A40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2937927958.0000000000A8B000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938031493.0000000000AAA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000AAD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000ABA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2938106404.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a40000_Y5JXqbeNdS.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 8891d0a985052e17dc8175cc438f748d9d22f4ad7a07a4bee035a9425b552395
Instruction ID: 27f034ce2723e13aff915d5c0fc0b17700c9e4645061c5ad54cb7c9b18882eff
Opcode Fuzzy Hash: 8891d0a985052e17dc8175cc438f748d9d22f4ad7a07a4bee035a9425b552395
Instruction Fuzzy Hash: 1F016D7B20021CABCF215F55DCC0FDA77659FC4750F104215FA165B151D7319C8087E1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Y5JXqbeNdS.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Thermo_Chromeleon_7.2.10_ES_MUa_20240403070104.log

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperApplicationData.xml

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.config

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Eula.rtf

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Installation Guide - Chromeleon 7.2.10.pdf

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.png

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.thm

C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.wxl

C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Windows Analysis Report
Y5JXqbeNdS.exe

Function 00985195 Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 315
COMMON

Function 0098F9E3 Relevance: 112.4, APIs: 3, Strings: 61, Instructions: 446
COMMON

Function 0098B48B Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 578
fileCOMMON

Function 0098CDBD Relevance: 73.9, APIs: 3, Strings: 39, Instructions: 366
COMMON

Function 00988476 Relevance: 59.8, APIs: 5, Strings: 29, Instructions: 331
COMMON

Function 009A0D16 Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Function 00984D39 Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 220
COMMON

Function 0099752A Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 291
COMMON

Function 009A27FC Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 145
COMMON

Function 009986D0 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 209
fileCOMMON

Function 0098762C Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 420
COMMON

Function 009982BA Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 153
COMMON

Function 009A10FB Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 217
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre