Edit tour

Windows Analysis Report
bitrecover-eml-to-pdf-wizard.exe

Overview

General Information

Sample name:	bitrecover-eml-to-pdf-wizard.exe
Analysis ID:	1432195
MD5:	359250c1f24628516457451768236637
SHA1:	677cb6de1caaadada28f4f6d3a1d9914b0487c42
SHA256:	e43f392314b4f0ba5597e325cd9593c734711112cf58475d910f06c350440b35
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	51
Range:	0 - 100

Signatures

Installs new ROOT certificates

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

bitrecover-eml-to-pdf-wizard.exe (PID: 2128 cmdline: "C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe" MD5: 359250C1F24628516457451768236637)

bitrecover-eml-to-pdf-wizard.tmp (PID: 2132 cmdline: "C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp" /SL5="$10440,74753301,739328,C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe" MD5: 9DC81EA31610361FCFE670EA7EE92C56)

vcredist2010.exe (PID: 7060 cmdline: "C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe" /passive /norestart MD5: F45ADE105F9C4FE754976C820230A9E5)

Setup.exe (PID: 2300 cmdline: c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart MD5: 2AF2C1A78542975B12282ACA4300D515)

EMLTOPDFWizard.exe (PID: 5628 cmdline: "C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe" MD5: 2184C492140EC7B8E84C048B080566A4)

msiexec.exe (PID: 5432 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-P2U1O.tmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-V1LTT.tmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_01004F6B InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,FindCloseChangeNotification,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,	5_2_01004F6B
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_010045EB GetFileAttributesA,LoadLibraryA,GetProcAddress,DecryptFileA,GetLastError,	5_2_010045EB
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCB189E __EH_prolog3,CryptQueryObject,GetLastError,CertCloseStore,CryptMsgClose,GetLastError,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,	6_2_6BCB189E
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC97EBB CryptDecodeObject,SetLastError,	6_2_6BC97EBB
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC97E4C CryptHashPublicKeyInfo,SetLastError,	6_2_6BC97E4C
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC97E7C CryptMsgGetParam,SetLastError,	6_2_6BC97E7C
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC97E2A CryptQueryObject,	6_2_6BC97E2A
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC97E3B CryptMsgGetAndVerifySigner,	6_2_6BC97E3B

Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_164a3a70-1

Compliance

Uses 32bit PE files

Source: bitrecover-eml-to-pdf-wizard.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Found installer window with terms and condition text

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Window detected: BitRecover License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.BITRECOVER LICENSE AGREEMENTIMPORTANT: READ THESE TERMS BEFORE COMPLETING INSTALLATION AND USING OF THE BITRECOVER. The BitRecover (the "Software") is not freeware. The Software is sold through the shareware market. The Software you are installing is a trial version you may evaluate the Software for a maximum period of thirty (30) days after installation. If after that time you decide to continue using it you must register it by paying a registration fee to BitRecover. The Software will no longer be fully functional after the above described thirty (30) day evaluation period. For more details concerning the Software and the license fees associated with registration of Software please see the BitRecover Documentation from this package or visit the BitRecover online web site at: http://www.bitrecover.comThis BitRecover License Agreement ("Agreement") is between you (either an individual or an entity) and BitRecover. By installing and/or using the Software you agree to be bound by the terms of this agreement.DEFINITIONS."Registered Users" are users of the Software who have received Registration Details including a user license from BitRecover."Registration Details" are a registered name and license number provided by BitRecover in return for your payment to BitRecover of the applicable Software license fees."Registered Software" is that Software for which BitRecover has supplied Registration Details to the user of the Unregistered Software."Unregistered Software" is the evaluation only copy of the Software that has no Registration Details.LICENSE TERMS.Under the terms of this license you may:1.1.Use the Unregistered Software on any number of computers at any one time; and1.2.This software may be distributed freely on online services bulletin boards or other electronic media as long as the files are distributed in their entirety keep intact all the notices that refer to this License and to the absence of any warranty and do not pass on any User Registration Details which you have received. This software may not be distributed on CD-ROM disk or other physical media for a fee without the permission of BitRecover Solutions.1.3.Registered Users are granted a non-exclusive nontransferable license to use one copy of the Registered Software personally on one or more computers. The Registered Software is "in use" when it is loaded into random access memory or installed on a hard disk or other storage device (other than a network server). Installing the Registered Software on a network server solely for the purpose of internally distributing the Registered Software shall not constitute "in use" provided that you have a personal license for each user to whom the Registered Software is distributed. You shall ensure that the number of
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Window detected: BitRecover License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.BITRECOVER LICENSE AGREEMENTIMPORTANT: READ THESE TERMS BEFORE COMPLETING INSTALLATION AND USING OF THE BITRECOVER. The BitRecover (the "Software") is not freeware. The Software is sold through the shareware market. The Software you are installing is a trial version you may evaluate the Software for a maximum period of thirty (30) days after installation. If after that time you decide to continue using it you must register it by paying a registration fee to BitRecover. The Software will no longer be fully functional after the above described thirty (30) day evaluation period. For more details concerning the Software and the license fees associated with registration of Software please see the BitRecover Documentation from this package or visit the BitRecover online web site at: http://www.bitrecover.comThis BitRecover License Agreement ("Agreement") is between you (either an individual or an entity) and BitRecover. By installing and/or using the Software you agree to be bound by the terms of this agreement.DEFINITIONS."Registered Users" are users of the Software who have received Registration Details including a user license from BitRecover."Registration Details" are a registered name and license number provided by BitRecover in return for your payment to BitRecover of the applicable Software license fees."Registered Software" is that Software for which BitRecover has supplied Registration Details to the user of the Unregistered Software."Unregistered Software" is the evaluation only copy of the Software that has no Registration Details.LICENSE TERMS.Under the terms of this license you may:1.1.Use the Unregistered Software on any number of computers at any one time; and1.2.This software may be distributed freely on online services bulletin boards or other electronic media as long as the files are distributed in their entirety keep intact all the notices that refer to this License and to the absence of any warranty and do not pass on any User Registration Details which you have received. This software may not be distributed on CD-ROM disk or other physical media for a fee without the permission of BitRecover Solutions.1.3.Registered Users are granted a non-exclusive nontransferable license to use one copy of the Registered Software personally on one or more computers. The Registered Software is "in use" when it is loaded into random access memory or installed on a hard disk or other storage device (other than a network server). Installing the Registered Software on a network server solely for the purpose of internally distributing the Registered Software shall not constitute "in use" provided that you have a personal license for each user to whom the Registered Software is distributed. You shall ensure that the number of

Creates install or setup log file

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20240426_170127348-MSI_vc_red.msi.txt

Jump to behavior

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1049\eula.rtf	Jump to behavior

PE / OLE file has a valid certificate

Source: bitrecover-eml-to-pdf-wizard.exe

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Windows\System32\msiexec.exe

File opened: c:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: bitrecover-eml-to-pdf-wizard.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: sfxcab.pdb source: vcredist2010.exe, vcredist2010.exe, 00000005.00000000.2613511116.0000000001002000.00000020.00000001.01000000.00000009.sdmp, vcredist2010.exe, 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: sqmapi.pdb source: Setup.exe, Setup.exe, 00000006.00000002.2772419557.000000006BC21000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: SetupEngine.pdb source: Setup.exe, Setup.exe, 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: Setup.pdb source: Setup.exe, Setup.exe, 00000006.00000000.2641063728.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Setup.exe, 00000006.00000002.2765895024.0000000000041000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: .pdb source: EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_010046B9 SendDlgItemMessageA,strstr,SetFileAttributesA,GetLastError,CopyFileA,SendDlgItemMessageA,strstr,SetFileAttributesA,CopyFileA,GetLastError,CopyFileA,SetFileAttributesA,SendDlgItemMessageA,_strlwr,GetLastError,MoveFileA,MoveFileA,_strlwr,strstr,FindFirstFileA,strrchr,SendDlgItemMessageA,DeleteFileA,Sleep,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,strchr,strrchr,SendDlgItemMessageA,	5_2_010046B9
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC24281 memset,EnterCriticalSection,FindFirstFileW,LeaveCriticalSection,ctype,FindNextFileW,FindClose,ResetEvent,CreateThread,CloseHandle,GetLastError,	6_2_6BC24281
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC38097 memset,memset,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose,	6_2_6BC38097
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC85BC0 __EH_prolog3_GS,_memset,FindFirstFileW,FindNextFileW,FindClose,	6_2_6BC85BC0
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC84120 FindFirstFileW,GetFullPathNameW,SetLastError,_wcsrchr,_wcsrchr,	6_2_6BC84120

Software Vulnerabilities

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 4x nop then mov edi, edi

6_2_6BC35DA3

Networking

Yara detected Generic Downloader

Source: Yara match	File source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-P2U1O.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-V1LTT.tmp, type: DROPPED

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_6BCC4EB6 URLDownloadToFileW,

6_2_6BCC4EB6

Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: QTcpSocket04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA1184640176120000525DigiNotar Cyber CA12000050512000051520015536DigiNotar PKIoverheid CA Overheid en Bedrijven20001983DigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202511846401751184644297120001705Digisign Server ID (Enrich)1276011370Digisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)2087*.EGO.GOV.TR2148e-islem.kktcmerkezbankasi.org204199AC DG Tr equals www.yahoo.com (Yahoo)

Source: EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://...)
Source: EMLTOPDFWizard.exe, 00000009.00000002.3364060091.000000000AD42000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: http://.css
Source: EMLTOPDFWizard.exe, 00000009.00000002.3364060091.000000000AD42000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: http://.jpg
Source: EMLTOPDFWizard.exe, 00000009.00000002.3479728370.000000000D3E5000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://besariongugushvili.spaces.live.com/http://besariongugushvili.spaces.live.com/NOTIFICATION
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bugreports.qt-project.org/
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bugreports.qt-project.org/ServerMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.exe, 00000006.00000002.2767438900.0000000002C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro4
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fsf.org/
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geekz.co.uk/lovesraymond/archive/eler-highlights-2008
Source: Setup.exe, 00000006.00000003.2652040790.0000000002770000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000006.00000003.2654751813.00000000027B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: Setup.exe, 00000006.00000003.2653294138.000000000099F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c/fwlink/?LinkId=146008
Source: EMLTOPDFWizard.exe, 00000009.00000002.3364060091.000000000AD42000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://qt-project.org/doc/qt-4.8/qapplication.html
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://qt-project.org/doc/qt-4.8/qprinter.html#PaperSize-enum
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://qt-project.org/doc/qt-4.8/qprinter.html#PaperSize-enum.For
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://qt-project.org/doc/qt-4.8/qstring.html
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://qt.nokia.com/
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://qt.nokia.com/0.1333333
Source: EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://schemas.android.com/apk/res/android
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wkhtmltopdf.org/downloads.html
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wkhtmltopdf.org/downloads.html.
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wkhtmltopdf.org/outline
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2048347776.0000000002500000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000002.3089483676.000000000081A000.00000004.00000020.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002426000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2774647723.000000000088C000.00000004.00000020.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3084955148.000000000369A000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2053111432.0000000003450000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000002.3089505261.000000000088D000.00000004.00000020.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2950146886.0000000006B40000.00000004.00000020.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002368000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3087319298.000000000088B000.00000004.00000020.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3087319298.0000000000817000.00000004.00000020.00020000.00000000.sdmp, EMLTOPDFWizard.exe, 00000009.00000002.3296165320.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.bitrecover.com
Source: EMLTOPDFWizard.exe, 00000009.00000002.3296165320.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, EMLTOPDFWizard.exe, 00000009.00000002.3296165320.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.bitrecover.com/eml-converter/pdf/
Source: EMLTOPDFWizard.exe, 00000009.00000002.3296165320.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.bitrecover.com/eml-converter/pdf/buy.htmlvhttp://www.bitrecover.com/help/convert-pdf/blac
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2048347776.0000000002500000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002334000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3084955148.000000000369A000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2053111432.0000000003450000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002368000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bitrecover.com/uninstall.html?p=bitrecover-eml-to-pdf-wizard
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2048347776.0000000002500000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2053111432.0000000003450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bitrecover.com2http://www.bitrecover.com2http://www.bitrecover.comJ
Source: EMLTOPDFWizard.exe, 00000009.00000002.3296165320.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.bitrecover.comT1
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002426000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bitrecover.comaiB
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.3091375132.0000000002203000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2048347776.0000000002500000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2053111432.0000000003450000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002368000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004FC7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004FC7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3C//DTD
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000000.2051162038.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000000.2047845566.0000000000401000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005169000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.pdftoword.ru/purchase.htmlKhttp://www.pdftoword.us/purchase.html
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phreedom.org/md5)2087
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000000.2051162038.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.sautinsoft.com/products/document/order.php=Get
Source: EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.sautinsoft.com/products/pdf-focus/order.php
Source: EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.sautinsoft.com/products/pdf-focus/tips-about-pdf-to-html-conversion.php
Source: EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.sautinsoft.com/products/pdf-focus/tips-about-pdf-to-word-conversion.php
Source: EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3304154154.0000000005E60000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://www.sautinsoft.com/products/pdf-vision/index.php
Source: EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://xamarin.com/schemas/2014/forms
Source: EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://xamarin.com/schemas/2014/forms/design
Source: EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://aka.ms/material-colors
Source: EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://aka.ms/xamarinforms-previewer
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/wkhtmltopdf/wkhtmltopdf/issues
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/wkhtmltopdf/wkhtmltopdf/issueswkhtmltopdf
Source: EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3327739970.0000000007C3D000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://help.syncfusion.com/es/licensing/)
Source: EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3327739970.0000000007C3D000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://help.syncfusion.com/es/licensing/expired/)
Source: EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3327739970.0000000007C3D000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://help.syncfusion.com/es/licensing/invalid/)
Source: EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3327739970.0000000007C3D000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://help.syncfusion.com/es/licensing/platform-mismatch/)
Source: EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3327739970.0000000007C3D000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://help.syncfusion.com/es/licensing/version-mismatch/)
Source: EMLTOPDFWizard.exe, 00000009.00000002.3296165320.0000000003244000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://purchase.aspose.com/policies/use-license

System Summary

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_01003972 OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary,	5_2_01003972
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_0100358B NtOpenProcessToken,NtAdjustPrivilegesToken,NtClose,NtClose,	5_2_0100358B
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_010034F4 NtOpenProcessToken,NtAdjustPrivilegesToken,NtClose,NtClose,	5_2_010034F4

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

Code function: 5_2_01002B13: GetDriveTypeA,CreateFileA,DeviceIoControl,CloseHandle,

5_2_01002B13

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_01003972 OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary,		5_2_01003972
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCA4B5B ExitWindowsEx,		6_2_6BCA4B5B

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\66a72c.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\66a72d.msp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAA1A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\atl100.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100chs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100cht.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100deu.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100enu.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100esn.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100fra.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100ita.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100jpn.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100kor.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100rus.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfc100u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfcm100.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\mfcm100u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\SysWOW64\vcomp100.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100chs_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100cht_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100deu_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100enu_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100esn_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100ita_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100jpn_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100kor_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100rus_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcp100_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\66a730.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\66a730.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\66a731.msp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: c:\Windows\Installer\66a731.msp	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\66a730.msi

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_01008906	5_2_01008906
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_0100911E	5_2_0100911E
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_01009558	5_2_01009558
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_01008286	5_2_01008286
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_0100859D	5_2_0100859D
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_01008CC5	5_2_01008CC5
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC29A50	6_2_6BC29A50
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC3D064	6_2_6BC3D064
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC3D81C	6_2_6BC3D81C
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCBE7C2	6_2_6BCBE7C2
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCDC9DE	6_2_6BCDC9DE
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCDAD3E	6_2_6BCDAD3E
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCDC38B	6_2_6BCDC38B
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCDA292	6_2_6BCDA292
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCDA7E8	6_2_6BCDA7E8
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC7F75A	6_2_6BC7F75A
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCDB41F	6_2_6BCDB41F

Found potential string decryption / allocating functions

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: String function: 6BCA80F9 appears 578 times
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: String function: 6BCD71AA appears 551 times
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: String function: 6BC73A0D appears 43 times
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: String function: 6BCA8377 appears 56 times
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: String function: 6BCC8EA6 appears 109 times

PE file contains executable resources (Code or Archives)

Source: bitrecover-eml-to-pdf-wizard.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: bitrecover-eml-to-pdf-wizard.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-M4TSJ.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-M4TSJ.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Sample file is different than original file name gathered from version info

Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs bitrecover-eml-to-pdf-wizard.exe
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs bitrecover-eml-to-pdf-wizard.exe
Source: bitrecover-eml-to-pdf-wizard.exe, 00000000.00000000.2048007019.00000000004B8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs bitrecover-eml-to-pdf-wizard.exe

Uses 32bit PE files

Source: bitrecover-eml-to-pdf-wizard.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: Project("{ProjectTypeGuidString}") = "{ProjectName}", "{ProjectName}\{ProjectName}.csproj", "{ProjectGuid}"
Source: EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: Project("{ProjectTypeGuidString}") = "{ProjectName}", "{ProjectName}\{ProjectName}\{ProjectName}.csproj", "{BaseProjectGuid}"
Source: EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: //<UICulture>CultureYouAreCodingWith</UICulture> in your .csproj file
Source: EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: Project("{ProjectTypeGuidString}") = "{ProjectName}.Android", "{ProjectName}\{ProjectName}.Android\{ProjectName}.Android.csproj", "{AndroidProjectGuid}"
Source: EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: *.sLN
Source: EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: <ProjectReference Include="..\{ProjectName}\{ProjectName}.csproj">

Source: classification engine

Classification label: sus24.troj.winEXE@10/205@0/0

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_6BCBCF6E __EH_prolog3,GetLastError,GetLastError,SetLastError,SetLastError,FormatMessageW,GetLastError,SetLastError,LocalFree,

6_2_6BCBCF6E

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_6BCA4B28 AdjustTokenPrivileges,

6_2_6BCA4B28

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

Code function: 5_2_01004F6B InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,FindCloseChangeNotification,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,

5_2_01004F6B

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_6BC94F48 CreateToolhelp32Snapshot,_memset,Process32FirstW,Process32NextW,FindCloseChangeNotification,

6_2_6BC94F48

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_6BCB6BEF __EH_prolog3,CoInitialize,CoCreateInstance,__CxxThrowException@8,CoUninitialize,#6,

6_2_6BCB6BEF

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_6BCC7C0B LoadResource,LockResource,SizeofResource,

6_2_6BCC7C0B

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_6BC9E813 StartServiceW,

6_2_6BC9E813

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp

File created: C:\Program Files (x86)\BitRecover

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Mutant created: NULL
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\VC_Redist_SetupMutex

Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe

File created: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp

Jump to behavior

Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT IconInfo.iconID FROM IconInfo WHERE IconInfo.url = (?);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT IconDatabaseInfo.value FROM IconDatabaseInfo WHERE IconDatabaseInfo.key = "ImportedSafari2Icons";
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO IconData (iconID, data) VALUES (?, ?);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IconData (iconID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE ON CONFLICT REPLACE, data BLOB);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IconDatabaseInfo (key TEXT NOT NULL ON CONFLICT FAIL UNIQUE ON CONFLICT REPLACE,value TEXT NOT NULL ON CONFLICT FAIL);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004FC7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT seq FROM sqlite_sequence WHERE name='Databases';
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT guid FROM Databases WHERE origin=? AND name=?;
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE PageURL (url TEXT NOT NULL ON CONFLICT FAIL UNIQUE ON CONFLICT REPLACE,iconID INTEGER NOT NULL ON CONFLICT FAIL);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT name FROM Databases where origin=?;
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO Databases (origin, name, path) VALUES (?, ?, ?);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT PageURL.url, IconInfo.url, IconInfo.stamp FROM PageURL INNER JOIN IconInfo ON PageURL.iconID=IconInfo.iconID;
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO PageURL (url, iconID) VALUES ((?), ?);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT value FROM IconDatabaseInfo WHERE key = 'Version';
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT IconData.data FROM IconData WHERE IconData.iconID IN (SELECT iconID FROM IconInfo WHERE IconInfo.url = (?));
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE Origins (origin TEXT UNIQUE ON CONFLICT REPLACE, path TEXT);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE IconInfo SET stamp = ?, url = ? WHERE iconID = ?;
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IconInfo (iconID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE ON CONFLICT REPLACE, url TEXT NOT NULL ON CONFLICT FAIL UNIQUE ON CONFLICT FAIL, stamp INTEGER);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE Origins (origin TEXT UNIQUE ON CONFLICT REPLACE, quota INTEGER NOT NULL ON CONFLICT FAIL);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004FC7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT name FROM sqlite_master WHERE type='table';
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO IconInfo (url,stamp) VALUES (?, ?);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO IconInfo (url, stamp) VALUES (?, 0);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE Databases (guid INTEGER PRIMARY KEY AUTOINCREMENT, origin TEXT, name TEXT, displayName TEXT, estimatedSize INTEGER, path TEXT);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT url FROM PageURL WHERE PageURL.iconID NOT IN (SELECT iconID FROM IconInfo) LIMIT 1;
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT rowid, url FROM PageURL;
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004FC7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT seq FROM sqlite_sequence WHERE name='Databases';%016llx.db
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT path FROM Databases WHERE origin=? AND name=?;
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE IconData SET data = ? WHERE iconID = ?;
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT value FROM IconDatabaseInfo WHERE key = 'ExcludedFromBackup';
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO IconDatabaseInfo (key, value) VALUES ("ImportedSafari2Icons", 0);
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO IconDatabaseInfo (key, value) VALUES ("ImportedSafari2Icons", 1);

Source: Setup.exe	String found in binary or memory: Pre-Installation Warnings:
Source: EMLTOPDFWizard.exe	String found in binary or memory: 78e-83ba-136e90306f24</SN> <SN>06bc48c4-36f1-4650-99d5-3d6b73e7862b</SN> <SN>3cb3be2f-f835-428e-a318-3aa60a063589</SN> <SN>8f8d7ebf-e645-4fcb-8ef4-f6f4c4542477</SN> <SN>865f5067-a939-46c3-add5-dcfea4f3b4f2</SN> <SN>400eb02d-27dc-4b6d-a
Source: EMLTOPDFWizard.exe	String found in binary or memory: --------------------------- %%EndComments /CIDInit /ProcSet findresource begin 12 dict begin begincmap /CIDSystemInfo 3 dict dup begin /Registry (Adobe) def /Ordering (Japan1) def /Supplement 1 def end def /CMapName /Add-RKSJ-H def /
Source: EMLTOPDFWizard.exe	String found in binary or memory: gistry (Adobe) def /Ordering (Japan1) def /Supplement 1 def end def /CMapName /Add-RKSJ-V def /CMapVersion 10.001 def /CMapType 1 def /UIDOffset 780 def /XUID [1 10 25327] def /WMode 1 def 57 begincidrange <8141> <8142> 7887 <8143> <814
Source: EMLTOPDFWizard.exe	String found in binary or memory: %%Copyright: certain jurisdictions. %%Copyright: ----------------------------------------------------------- %%EndComments /CIDInit /ProcSet findresource begin 12 dict begin begincmap /Add-RKSJ-H usecmap /CIDSystemInfo 3 dict dup begin /R
Source: EMLTOPDFWizard.exe	String found in binary or memory: N>e2551dc9-e5bb-4fc1-ae40-00e80ae9bddb</SN> <SN>eedbcbe5-a708-41bd-ad2e-504c9813b50a</SN> <SN>33b15114-e8d9-45ab-b209-6f9fa629edc5</SN> <SN>052ce862-18dd-4b0c-9721-add3e51fd4fd</SN> <SN>7868a7fb-3e7b-44e0-886b-5e3ba2f09261</SN> <SN>725
Source: EMLTOPDFWizard.exe	String found in binary or memory: <SN>9cd72dc5-875b-486d-867a-f7d080934a57</SN> <SN>7bdfc99f-e121-41d4-b81f-d910dd16ea0b</SN> <SN>2ada1c4c-660e-4291-b9ca-1b4ba55601e9</SN> <SN>b81f8f41-3e0d-47bc-9c57-b4e283e42ac1</SN> <SN>3edebbcd-658c-4d01-add1-633147c67354</SN> <
Source: EMLTOPDFWizard.exe	String found in binary or memory: c9</SN> <SN>b38898fc-9b7f-478e-83ba-136e90306f24</SN> <SN>06bc48c4-36f1-4650-99d5-3d6b73e7862b</SN> <SN>3cb3be2f-f835-428e-a318-3aa60a063589</SN> <SN>8f8d7ebf-e645-4fcb-8ef4-f6f4c4542477</SN> <SN>865f5067-a939-46c3-add5-dcfea4f3b4f2</S
Source: EMLTOPDFWizard.exe	String found in binary or memory: 13b50a</SN> <SN>33b15114-e8d9-45ab-b209-6f9fa629edc5</SN> <SN>052ce862-18dd-4b0c-9721-add3e51fd4fd</SN> <SN>7868a7fb-3e7b-44e0-886b-5e3ba2f09261</SN> <SN>725953ef-e0da-48d6-8419-97ab51a79419</SN> <SN>b5879d54-d607-4376-b394-9a5c583e20c
Source: EMLTOPDFWizard.exe	String found in binary or memory: f7d080934a57</SN> <SN>7bdfc99f-e121-41d4-b81f-d910dd16ea0b</SN> <SN>2ada1c4c-660e-4291-b9ca-1b4ba55601e9</SN> <SN>b81f8f41-3e0d-47bc-9c57-b4e283e42ac1</SN> <SN>3edebbcd-658c-4d01-add1-633147c67354</SN> <SN>44c5bc9a-3548-4c06-a81e-6653b
Source: EMLTOPDFWizard.exe	String found in binary or memory: <SN>e2551dc9-e5bb-4fc1-ae40-00e80ae9bddb</SN> <SN>eedbcbe5-a708-41bd-ad2e-504c9813b50a</SN> <SN>33b15114-e8d9-45ab-b209-6f9fa629edc5</SN> <SN>052ce862-18dd-4b0c-9721-add3e51fd4fd</SN> <SN>7868a7fb-3e7b-44e0-886b-5e3ba2f09261</SN> <SN>
Source: EMLTOPDFWizard.exe	String found in binary or memory: > <SN>9cd72dc5-875b-486d-867a-f7d080934a57</SN> <SN>7bdfc99f-e121-41d4-b81f-d910dd16ea0b</SN> <SN>2ada1c4c-660e-4291-b9ca-1b4ba55601e9</SN> <SN>b81f8f41-3e0d-47bc-9c57-b4e283e42ac1</SN> <SN>3edebbcd-658c-4d01-add1-633147c67354</SN>
Source: EMLTOPDFWizard.exe	String found in binary or memory: e4cc9</SN> <SN>b38898fc-9b7f-478e-83ba-136e90306f24</SN> <SN>06bc48c4-36f1-4650-99d5-3d6b73e7862b</SN> <SN>3cb3be2f-f835-428e-a318-3aa60a063589</SN> <SN>8f8d7ebf-e645-4fcb-8ef4-f6f4c4542477</SN> <SN>865f5067-a939-46c3-add5-dcfea4f3b4f2

Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe

File read: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe "C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe"
Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp "C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp" /SL5="$10440,74753301,739328,C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe "C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe" /passive /norestart
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Process created: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe "C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe"
Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp "C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp" /SL5="$10440,74753301,739328,C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe "C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe" /passive /norestart	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe "C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Process created: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart	Jump to behavior

Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: setupengine.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: sqmapi.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: setupui.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Automated click: Next >
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Automated click: Next >
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Automated click: Next >
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Automated click: OK
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Automated click: Next >

Uses Rich Edit Controls

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Found installer window with terms and condition text

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Window detected: BitRecover License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.BITRECOVER LICENSE AGREEMENTIMPORTANT: READ THESE TERMS BEFORE COMPLETING INSTALLATION AND USING OF THE BITRECOVER. The BitRecover (the "Software") is not freeware. The Software is sold through the shareware market. The Software you are installing is a trial version you may evaluate the Software for a maximum period of thirty (30) days after installation. If after that time you decide to continue using it you must register it by paying a registration fee to BitRecover. The Software will no longer be fully functional after the above described thirty (30) day evaluation period. For more details concerning the Software and the license fees associated with registration of Software please see the BitRecover Documentation from this package or visit the BitRecover online web site at: http://www.bitrecover.comThis BitRecover License Agreement ("Agreement") is between you (either an individual or an entity) and BitRecover. By installing and/or using the Software you agree to be bound by the terms of this agreement.DEFINITIONS."Registered Users" are users of the Software who have received Registration Details including a user license from BitRecover."Registration Details" are a registered name and license number provided by BitRecover in return for your payment to BitRecover of the applicable Software license fees."Registered Software" is that Software for which BitRecover has supplied Registration Details to the user of the Unregistered Software."Unregistered Software" is the evaluation only copy of the Software that has no Registration Details.LICENSE TERMS.Under the terms of this license you may:1.1.Use the Unregistered Software on any number of computers at any one time; and1.2.This software may be distributed freely on online services bulletin boards or other electronic media as long as the files are distributed in their entirety keep intact all the notices that refer to this License and to the absence of any warranty and do not pass on any User Registration Details which you have received. This software may not be distributed on CD-ROM disk or other physical media for a fee without the permission of BitRecover Solutions.1.3.Registered Users are granted a non-exclusive nontransferable license to use one copy of the Registered Software personally on one or more computers. The Registered Software is "in use" when it is loaded into random access memory or installed on a hard disk or other storage device (other than a network server). Installing the Registered Software on a network server solely for the purpose of internally distributing the Registered Software shall not constitute "in use" provided that you have a personal license for each user to whom the Registered Software is distributed. You shall ensure that the number of
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Window detected: BitRecover License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.BITRECOVER LICENSE AGREEMENTIMPORTANT: READ THESE TERMS BEFORE COMPLETING INSTALLATION AND USING OF THE BITRECOVER. The BitRecover (the "Software") is not freeware. The Software is sold through the shareware market. The Software you are installing is a trial version you may evaluate the Software for a maximum period of thirty (30) days after installation. If after that time you decide to continue using it you must register it by paying a registration fee to BitRecover. The Software will no longer be fully functional after the above described thirty (30) day evaluation period. For more details concerning the Software and the license fees associated with registration of Software please see the BitRecover Documentation from this package or visit the BitRecover online web site at: http://www.bitrecover.comThis BitRecover License Agreement ("Agreement") is between you (either an individual or an entity) and BitRecover. By installing and/or using the Software you agree to be bound by the terms of this agreement.DEFINITIONS."Registered Users" are users of the Software who have received Registration Details including a user license from BitRecover."Registration Details" are a registered name and license number provided by BitRecover in return for your payment to BitRecover of the applicable Software license fees."Registered Software" is that Software for which BitRecover has supplied Registration Details to the user of the Unregistered Software."Unregistered Software" is the evaluation only copy of the Software that has no Registration Details.LICENSE TERMS.Under the terms of this license you may:1.1.Use the Unregistered Software on any number of computers at any one time; and1.2.This software may be distributed freely on online services bulletin boards or other electronic media as long as the files are distributed in their entirety keep intact all the notices that refer to this License and to the absence of any warranty and do not pass on any User Registration Details which you have received. This software may not be distributed on CD-ROM disk or other physical media for a fee without the permission of BitRecover Solutions.1.3.Registered Users are granted a non-exclusive nontransferable license to use one copy of the Registered Software personally on one or more computers. The Registered Software is "in use" when it is loaded into random access memory or installed on a hard disk or other storage device (other than a network server). Installing the Registered Software on a network server solely for the purpose of internally distributing the Registered Software shall not constitute "in use" provided that you have a personal license for each user to whom the Registered Software is distributed. You shall ensure that the number of

Uses Microsoft Silverlight

Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: bitrecover-eml-to-pdf-wizard.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: bitrecover-eml-to-pdf-wizard.exe

Static file information: File size 75514712 > 1048576

Uses new MSVCR Dlls

Source: C:\Windows\System32\msiexec.exe

File opened: c:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: bitrecover-eml-to-pdf-wizard.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: sfxcab.pdb source: vcredist2010.exe, vcredist2010.exe, 00000005.00000000.2613511116.0000000001002000.00000020.00000001.01000000.00000009.sdmp, vcredist2010.exe, 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: sqmapi.pdb source: Setup.exe, Setup.exe, 00000006.00000002.2772419557.000000006BC21000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: SetupEngine.pdb source: Setup.exe, Setup.exe, 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: Setup.pdb source: Setup.exe, Setup.exe, 00000006.00000000.2641063728.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Setup.exe, 00000006.00000002.2765895024.0000000000041000.00000020.00000001.01000000.0000000A.sdmp
Source:	Binary string: .pdb source: EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

Code function: 5_2_010029C2 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

5_2_010029C2

PE file contains sections with non-standard names

Source: bitrecover-eml-to-pdf-wizard.exe	Static PE information: section name: .didata
Source: bitrecover-eml-to-pdf-wizard.tmp.0.dr	Static PE information: section name: .didata
Source: is-M4TSJ.tmp.2.dr	Static PE information: section name: .didata

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_010065F3 push ecx; ret	5_2_01006603
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_00043DF5 push ecx; ret	6_2_00043E08
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC21B89 push ecx; ret	6_2_6BC21B9C
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC24821 push ecx; ret	6_2_6BC24834
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCD7296 push ecx; ret	6_2_6BCD72A9
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCCE605 push ecx; ret	6_2_6BCCE618
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Code function: 9_2_07CD16C0 push cs; iretd	9_2_07CD16F5

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob			Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob			Jump to behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\1041\SetupResources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100ita_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Cells.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-DRSF7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-BLHAO.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100enu_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-POSU8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\1049\SetupResources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcomp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\isxdl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-RNQ1C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-GPTJD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-SHLSE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-V1LTT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-P980F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100rus_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100esn.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-K8UHR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-SNNJ3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-QUGEQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-L6OOR.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100chs_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\SetupEngine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\1031\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Activate.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100rus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-RV6LF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-1972F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\itextsharp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-53FTM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\wkhtmltopdf.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Email.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-CPF54.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Slides.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-1FT6T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\sqmapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-J86HV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-0HRVC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe	File created: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-VOANE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100esn_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\3082\SetupResources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100deu_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Licensing.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\atl100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100chs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfFocus.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcp100_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-NCMA4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\concrt140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-P2U1O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-K2CVR.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100jpn_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100ita.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Words.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-PES40.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-JFCVR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-JCQ1B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-M4TSJ.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100cht_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100fra.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-54081.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-A7AUM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Pdf.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-QOJIS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\SetupUi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: C:\adf3c205d9b19c48c6c1d481d9d6\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100kor_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-QGQOS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\ucrtbase.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-LUMD1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Compression.Base.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm100u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfVision.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\NReco.PdfGenerator.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-PKGE8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-LM59E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Pdf.Base.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100jpn.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-GJNME.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-UMUQA.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100esn_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100deu_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100ita_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\atl100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100kor_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcp100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100jpn_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100enu_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcomp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm100u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100rus_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100cht_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc100jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100chs_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100kor_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100rus_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcp100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100chs_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100cht_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100deu_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100enu_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100esn_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100ita_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100jpn_x86	Jump to dropped file

Creates install or setup log file

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20240426_170127348-MSI_vc_red.msi.txt

Jump to behavior

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	File created: c:\adf3c205d9b19c48c6c1d481d9d6\1049\eula.rtf	Jump to behavior

Boot Survival

Creates or modifies windows services

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\VSSetup

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitRecover EML to PDF Wizard	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitRecover EML to PDF Wizard\Uninstall BitRecover EML to PDF Wizard.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitRecover EML to PDF Wizard\BitRecover EML to PDF Wizard.lnk	Jump to behavior

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_6BC9E813 StartServiceW,

6_2_6BC9E813

Hooking and other Techniques for Hiding and Protection

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Memory allocated: 1570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Memory allocated: 51C0000 memory reserve \| memory write watch	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Dropped PE file which has not been started: C:\adf3c205d9b19c48c6c1d481d9d6\1041\SetupResources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100ita_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Cells.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-DRSF7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-BLHAO.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100enu_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Dropped PE file which has not been started: C:\adf3c205d9b19c48c6c1d481d9d6\1049\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-POSU8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-RNQ1C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\isxdl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-SHLSE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-GPTJD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-V1LTT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-P980F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100rus_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100esn.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Dropped PE file which has not been started: C:\adf3c205d9b19c48c6c1d481d9d6\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-QUGEQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-K8UHR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-L6OOR.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100chs_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Dropped PE file which has not been started: C:\adf3c205d9b19c48c6c1d481d9d6\1031\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Activate.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100rus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-RV6LF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-1972F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\itextsharp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-53FTM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\wkhtmltopdf.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Email.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Dropped PE file which has not been started: C:\adf3c205d9b19c48c6c1d481d9d6\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-CPF54.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Slides.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100enu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-1FT6T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-J86HV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-0HRVC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-VOANE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100esn_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100deu_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Dropped PE file which has not been started: C:\adf3c205d9b19c48c6c1d481d9d6\3082\SetupResources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\atl100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Licensing.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100chs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfFocus.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcp100_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-NCMA4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\concrt140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-P2U1O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-K2CVR.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100jpn_x86	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100ita.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Words.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Dropped PE file which has not been started: C:\adf3c205d9b19c48c6c1d481d9d6\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-PES40.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-JFCVR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-JCQ1B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100cht_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100fra.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Dropped PE file which has not been started: C:\adf3c205d9b19c48c6c1d481d9d6\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-54081.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Pdf.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-A7AUM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-QOJIS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Dropped PE file which has not been started: C:\adf3c205d9b19c48c6c1d481d9d6\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Dropped PE file which has not been started: C:\adf3c205d9b19c48c6c1d481d9d6\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100kor_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-QGQOS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-LUMD1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Compression.Base.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm100u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfVision.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\NReco.PdfGenerator.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-LM59E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-PKGE8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Pdf.Base.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-GJNME.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-UMUQA.tmp	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_6-56367

Found evasive API chain checking for process token information

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_5-2916

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_010046B9 SendDlgItemMessageA,strstr,SetFileAttributesA,GetLastError,CopyFileA,SendDlgItemMessageA,strstr,SetFileAttributesA,CopyFileA,GetLastError,CopyFileA,SetFileAttributesA,SendDlgItemMessageA,_strlwr,GetLastError,MoveFileA,MoveFileA,_strlwr,strstr,FindFirstFileA,strrchr,SendDlgItemMessageA,DeleteFileA,Sleep,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,strchr,strrchr,SendDlgItemMessageA,	5_2_010046B9
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC24281 memset,EnterCriticalSection,FindFirstFileW,LeaveCriticalSection,ctype,FindNextFileW,FindClose,ResetEvent,CreateThread,CloseHandle,GetLastError,	6_2_6BC24281
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC38097 memset,memset,FindFirstFileW,DeleteFileW,GetLastError,FindNextFileW,FindClose,	6_2_6BC38097
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC85BC0 __EH_prolog3_GS,_memset,FindFirstFileW,FindNextFileW,FindClose,	6_2_6BC85BC0
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC84120 FindFirstFileW,GetFullPathNameW,SetLastError,_wcsrchr,_wcsrchr,	6_2_6BC84120

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_6BCB0D5E __EH_prolog3_GS,GetModuleHandleW,GetLastError,GetSystemInfo,GetNativeSystemInfo,GetLastError,GetLastError,GetLastError,_memset,GetNativeSystemInfo,GetLastError,

6_2_6BCB0D5E

Source: EMLTOPDFWizard.exe, 00000009.00000002.3316933078.0000000007272000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: #=zw2XO8k1559qv$xZuUvmti1RhbLbPLK4LHuuVmcIHbfvN
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000002.3090762661.0000000006B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3087319298.0000000000872000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000002.3090762661.0000000006B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3087319298.0000000000872000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3087319298.0000000000817000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005169000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

API call chain: ExitProcess graph end node

graph_5-2878

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_00042BA5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_00042BA5

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_6BCCCB2B VirtualProtect ?,-00000001,00000104,?

6_2_6BCCCB2B

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

Code function: 5_2_010029C2 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

5_2_010029C2

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

Code function: 5_2_01005899 InitializeCriticalSectionAndSpinCount,#17,GetProcessHeap,CreateEventA,CreateEventA,CreateEventA,CreateThread,WaitForSingleObject,SendDlgItemMessageA,Sleep,ShowWindow,SetParent,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,LoadStringA,LoadStringA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,CreateFileA,GetFileSize,ReadFile,CloseHandle,DeleteFileA,SendDlgItemMessageA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,ExpandEnvironmentStringsA,CreateProcessA,ShowWindow,WaitForSingleObject,GetExitCodeProcess,FindCloseChangeNotification,ShowWindow,LoadStringA,MessageBoxA,DeleteCriticalSection,ExitProcess,

5_2_01005899

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe	Code function: 5_2_010062FF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_010062FF
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_00042BA5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00042BA5
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_000445BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_000445BE
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BC2171F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6BC2171F
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCA7462 __EH_prolog3,GetModuleHandleW,GetProcAddress,SetThreadStackGuarantee,SetUnhandledExceptionFilter,GetCommandLineW,	6_2_6BCA7462
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCCEF0A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6BCCEF0A
Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe	Code function: 6_2_6BCCB431 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6BCCB431

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

5_2_01004F6B

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

Code function: 5_2_01003D02 AllocateAndInitializeSid,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLengthSid,GetTokenInformation,GetLengthSid,

5_2_01003D02

Source: Setup.exe, 00000006.00000003.2763867730.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000006.00000003.2687646796.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000006.00000003.2688592388.00000000009FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Setup.exe, 00000006.00000003.2687593760.0000000000995000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [1028] [explorer.exe] [Program Manager] [Visible]ible]

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfFocus.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfVision.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Pdf.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Words.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Slides.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Licensing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

5_2_01004F6B

Source: C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Code function: 6_2_6BCA78FB __EH_prolog3_GS,GetCommandLineW,_memset,GetTimeZoneInformation,GetThreadLocale,

6_2_6BCA78FB

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

Code function: 5_2_01003972 OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary,

5_2_01003972

Source: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	3 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Windows Service	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	11 Windows Service	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Process Injection	1 Install Root Certificate	NTDS	17 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	32 Masquerading	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bitrecover-eml-to-pdf-wizard.exe	0%	ReversingLabs
bitrecover-eml-to-pdf-wizard.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Cells.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Cells.dll (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Email.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Email.dll (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Pdf.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Pdf.dll (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Slides.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Slides.dll (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Words.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Words.dll (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\NReco.PdfGenerator.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\NReco.PdfGenerator.dll (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfFocus.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfFocus.dll (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfVision.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfVision.dll (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Compression.Base.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Compression.Base.dll (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Licensing.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Licensing.dll (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Pdf.Base.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Pdf.Base.dll (copy)	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-1972F.tmp	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-1972F.tmp	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-BLHAO.tmp	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-BLHAO.tmp	0%	Virustotal	Browse
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-DRSF7.tmp	0%	ReversingLabs
C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-DRSF7.tmp	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://go.microsoft.	0%	URL Reputation	safe
http://www.dk-soft.org/	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://www.phreedom.org/md5)2087	0%	Avira URL Cloud	safe
http://www.bitrecover.comT1	0%	Avira URL Cloud	safe
http://www.sautinsoft.com/products/document/order.php=Get	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
http://...)	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
http://go.microsoft.c/fwlink/?LinkId=146008	0%	Avira URL Cloud	safe
http://crl.micro4	0%	Avira URL Cloud	safe
http://www.sautinsoft.com/products/pdf-focus/tips-about-pdf-to-word-conversion.php	0%	Avira URL Cloud	safe
http://www.phreedom.org/md5)2087	1%	Virustotal		Browse
http://www.innosetup.com/	0%	Avira URL Cloud	safe
http://www.phreedom.org/md5)	0%	Avira URL Cloud	safe
http://www.sautinsoft.com/products/pdf-vision/index.php	0%	Avira URL Cloud	safe
http://www.sautinsoft.com/products/pdf-focus/order.php	0%	Avira URL Cloud	safe
http://www.innosetup.com/	2%	Virustotal		Browse
http://www.sautinsoft.com/products/pdf-focus/tips-about-pdf-to-html-conversion.php	0%	Avira URL Cloud	safe
http://www.sautinsoft.com/products/pdf-focus/tips-about-pdf-to-word-conversion.php	0%	Virustotal		Browse
http://www.sautinsoft.com/products/document/order.php=Get	0%	Virustotal		Browse
http://www.bitrecover.com2http://www.bitrecover.com2http://www.bitrecover.comJ	0%	Avira URL Cloud	safe
http://geekz.co.uk/lovesraymond/archive/eler-highlights-2008	0%	Avira URL Cloud	safe
http://www.bitrecover.comaiB	0%	Avira URL Cloud	safe
http://www.sautinsoft.com/products/pdf-vision/index.php	0%	Virustotal		Browse
http://www.phreedom.org/md5)	1%	Virustotal		Browse
http://geekz.co.uk/lovesraymond/archive/eler-highlights-2008	0%	Virustotal		Browse
http://www.sautinsoft.com/products/pdf-focus/tips-about-pdf-to-html-conversion.php	0%	Virustotal		Browse
http://www.sautinsoft.com/products/pdf-focus/order.php	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	EMLTOPDFWizard.exe, 00000009.00000002.3364060091.000000000AD42000.00000002.00000001.01000000.00000019.sdmp	false	Avira URL Cloud: safe	low
https://github.com/wkhtmltopdf/wkhtmltopdf/issueswkhtmltopdf	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://help.syncfusion.com/es/licensing/)	EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3327739970.0000000007C3D000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://wkhtmltopdf.org/downloads.html.	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.bitrecover.comT1	EMLTOPDFWizard.exe, 00000009.00000002.3296165320.000000000331D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bitrecover.com/uninstall.html?p=bitrecover-eml-to-pdf-wizard	bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2048347776.0000000002500000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002334000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3084955148.000000000369A000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2053111432.0000000003450000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002368000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	bitrecover-eml-to-pdf-wizard.exe, 00000000.00000000.2047845566.0000000000401000.00000020.00000001.01000000.00000003.sdmp	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004FC7000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.bitrecover.com/eml-converter/pdf/buy.htmlvhttp://www.bitrecover.com/help/convert-pdf/blac	EMLTOPDFWizard.exe, 00000009.00000002.3296165320.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/material-colors	EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	false		high
http://.css	EMLTOPDFWizard.exe, 00000009.00000002.3364060091.000000000AD42000.00000002.00000001.01000000.00000019.sdmp	false	Avira URL Cloud: safe	low
http://qt-project.org/doc/qt-4.8/qprinter.html#PaperSize-enum.For	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://wkhtmltopdf.org/downloads.html	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://besariongugushvili.spaces.live.com/http://besariongugushvili.spaces.live.com/NOTIFICATION	EMLTOPDFWizard.exe, 00000009.00000002.3479728370.000000000D3E5000.00000002.00000001.01000000.0000001B.sdmp	false		high
http://www.openssl.org/support/faq.html	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005169000.00000004.00001000.00020000.00000000.sdmp	false		high
https://help.syncfusion.com/es/licensing/invalid/)	EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3327739970.0000000007C3D000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://bugreports.qt-project.org/ServerMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.phreedom.org/md5)2087	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3C//DTD	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004FC7000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.sautinsoft.com/products/document/order.php=Get	EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://help.syncfusion.com/es/licensing/platform-mismatch/)	EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3327739970.0000000007C3D000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://www.google.com	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://...)	EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	low
http://go.microsoft.c/fwlink/?LinkId=146008	Setup.exe, 00000006.00000003.2653294138.000000000099F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	EMLTOPDFWizard.exe, 00000009.00000002.3364060091.000000000AD42000.00000002.00000001.01000000.00000019.sdmp	false	Avira URL Cloud: safe	low
http://bugreports.qt-project.org/	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.micro4	Setup.exe, 00000006.00000002.2767438900.0000000002C42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/wkhtmltopdf/wkhtmltopdf/issues	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.sautinsoft.com/products/pdf-focus/tips-about-pdf-to-word-conversion.php	EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://qt-project.org/doc/qt-4.8/qapplication.html	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.innosetup.com/	bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000000.2051162038.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sautinsoft.com/products/pdf-vision/index.php	EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3304154154.0000000005E60000.00000002.00000001.01000000.00000017.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/xamarinforms-previewer	EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	false		high
http://www.bitrecover.com	bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2048347776.0000000002500000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000002.3089483676.000000000081A000.00000004.00000020.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002426000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2774647723.000000000088C000.00000004.00000020.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3084955148.000000000369A000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2053111432.0000000003450000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000002.3089505261.000000000088D000.00000004.00000020.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2950146886.0000000006B40000.00000004.00000020.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002368000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3087319298.000000000088B000.00000004.00000020.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3087319298.0000000000817000.00000004.00000020.00020000.00000000.sdmp, EMLTOPDFWizard.exe, 00000009.00000002.3296165320.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.microsoft.	Setup.exe, 00000006.00000003.2652040790.0000000002770000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000006.00000003.2654751813.00000000027B0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bitrecover.com/eml-converter/pdf/	EMLTOPDFWizard.exe, 00000009.00000002.3296165320.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, EMLTOPDFWizard.exe, 00000009.00000002.3296165320.000000000331D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://xamarin.com/schemas/2014/forms/design	EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	false		high
http://www.sautinsoft.com/products/pdf-focus/order.php	EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://help.syncfusion.com/es/licensing/version-mismatch/)	EMLTOPDFWizard.exe, EMLTOPDFWizard.exe, 00000009.00000002.3327739970.0000000007C3D000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://qt.nokia.com/0.1333333	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	false		high
https://purchase.aspose.com/policies/use-license	EMLTOPDFWizard.exe, 00000009.00000002.3296165320.0000000003244000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.dk-soft.org/	bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.3091375132.0000000002203000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2048347776.0000000002500000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2053111432.0000000003450000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002368000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://qt-project.org/doc/qt-4.8/qstring.html	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.android.com/apk/res/android	EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	false		high
http://xamarin.com/schemas/2014/forms	EMLTOPDFWizard.exe, 00000009.00000002.3534932497.000000000FA2B000.00000002.00000001.01000000.0000001C.sdmp	false		high
http://qt-project.org/doc/qt-4.8/qprinter.html#PaperSize-enum	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.sautinsoft.com/products/pdf-focus/tips-about-pdf-to-html-conversion.php	EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://qt.nokia.com/	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000005035000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.bitrecover.com2http://www.bitrecover.com2http://www.bitrecover.comJ	bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2048347776.0000000002500000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.2053111432.0000000003450000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pdftoword.ru/purchase.htmlKhttp://www.pdftoword.us/purchase.html	EMLTOPDFWizard.exe, 00000009.00000002.3305194867.00000000064B2000.00000002.00000001.01000000.00000016.sdmp	false		high
http://www.remobjects.com/ps	bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049932487.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.exe, 00000000.00000003.2049563101.0000000002640000.00000004.00001000.00020000.00000000.sdmp, bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000000.2051162038.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://fsf.org/	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://wkhtmltopdf.org/outline	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://geekz.co.uk/lovesraymond/archive/eler-highlights-2008	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3080245178.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.bitrecover.comaiB	bitrecover-eml-to-pdf-wizard.tmp, 00000002.00000003.3085998670.0000000002426000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432195
Start date and time:	2024-04-26 16:59:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bitrecover-eml-to-pdf-wizard.exe
Detection:	SUS
Classification:	sus24.troj.winEXE@10/205@0/0
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 223 Number of non-executed functions: 164
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.43.45.112
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, ocsp.digicert.com, slscr.update.microsoft.com, download.microsoft.com.edgekey.net, main.dl.ms.akadns.net, ctldl.windowsupdate.com, download.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target EMLTOPDFWizard.exe, PID 5628 because there are no executed function
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	46483
Entropy (8bit):	5.546799870222365
Encrypted:	false
SSDEEP:	768:8PWjKAxfwHQXqddMFnyTYaEhuGl1RKYsO0:xjtFq
MD5:	70582E26E1DC96F9BE222DBAE22BABF4
SHA1:	517B9850ADB8DA37D16C761F1D041B00270655C4
SHA-256:	BD5E5119165A1FD26791F9F0EE014351FB81B54736FEEFF0D0FD7C4BFB89CB49
SHA-512:	2E59D1DFB0C02B4E74691098ED8C211BFEFDE8C3F80CB77FAA797367F69243740DAF4686DF08DD491284494A2D62BF91987176A424DFBBC032C022496AF46A22
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@1..X.@.....@.....@.....@.....@.....@......&.{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5};.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219..vc_red.msi.@.....@.....@.....@........&.{461C455E-DA40-49B3-871B-14308CC7CEFF}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]#.K.c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\.@....#.V.c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\.@........ProcessComponents..Updating component registration..&.{8453C4E7-26E8-3408-B3A4-5940CA95BC60}&.{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.@......&.{1414BD84-D9A5-3EE5-AA73-118D7C072370}&.{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.@......&.{E2F46933-FF4F-46E0-B997-F64D2C6D4FA1}&.{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.@......&.{529D0A60-398C-38A2-97EF-82FAFA798A06}&.{F0C3E5D1

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Activate.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1800520
Entropy (8bit):	6.423850226295897
Encrypted:	false
SSDEEP:	49152:S8gih65tFZq5KErou7QD0FQgjeKKUTYM6enKX5HA3m1Sxv7ZpQ+UyYM:SL5tFo5tou+0FQweKKUTYMk5am1Sxv7b
MD5:	7F765E13E08B91F94FCBFCCCD8B631BA
SHA1:	53594A7032C01604C47CC8B770BBA08D9A886E57
SHA-256:	5FF1C1C390E6313E20C85D03D9F6DF9689B2C3F86B997405D0FCE53C3D0B0A51
SHA-512:	67B8C32B4E51F4F4BA01CC7B254EF04233F6D11BDB3889DA060BA84EF5A8A2DDD510958706E1E624796436313AAA7CCE4B8883811C73303EBF77B373177C9EB8
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k..B/.../.../...&.1.....&.6. ...&.&...../......4 +.....4 ......4 ......4 ..*...4 /.....4 (.....Rich/...................PE..L.....d................."...,...............@....@..................................?....@.................................<...h....................R..H'...P.......M..............................H...@............@..t............................text.... .......".................. ..`.rdata.......@.......&..............@..@.data...\........j..................@....rsrc...............................@..@.reloc......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Cells.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14145296
Entropy (8bit):	6.2177225225819095
Encrypted:	false
SSDEEP:	196608:RBKE93do/gOGda5dzPo/ydAPuYG0db2H:REE5Qzy20m
MD5:	883DD7F3C41D939FA0904A24EB1C6730
SHA1:	595A4882D0FFF78E339ECBFD81795546F9AE4701
SHA-256:	08F2CEA2627ED458EF2CB14A1A988DD72B0ACCA261285FE781E91AB0821AD9EE
SHA-512:	655569664CE811EBF63D059B342668CFF10C1697FCD7126C2A3D9044CC97825BC98B574125A4F3F1EF0AEAD1E42E97459C98675F59FB3EE652EE94C2342BF61C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7E.b...........!..................... ........@.. ....................... ......p.....@.................................t...W........................'........................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......\|.....5.........LY...e............................................(2....0..N........(2....-.s3...z.ow{..,.s4...z..}......oy{.......}......(....}......(....}......2.{....ox{.....>.{....oy{....Y..{......{....B..........(........0..k........{....oy{....{......{...........o\|{..&...%...........(.......X........`,. N[u.(.R..s5...z..Y........(6......0............X.+....-....X....X3.....n.{....,..{....o.{....}...."..}........0..o........s7...}.....s7...}.....s8...

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Email.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9499784
Entropy (8bit):	6.506514925456966
Encrypted:	false
SSDEEP:	98304:0fE0jKRsEFjbHbCyzOZeYcrPBF/Xt0pNtu24mw:pMKRRFXemrPb/24z
MD5:	616FEF43C726668EEBC178C142FBCD9B
SHA1:	5107CE8759BF7530E51F6107BFA092826C1E4929
SHA-256:	300B9C41F0603C85DAB552DB3CAA26F5719DCD1D29A20D9DE751F9D05AAC5380
SHA-512:	F810AB32BF22DA7105CF636BFE5BAF5FB24BE12FE04739D2E40BFA963B861B90263D540ACC469A7716CB2C2BDBB3F1E6D6920D7174FCDB1366BAE189A8E1FA65
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b........... ................... ........@.. .......................@............@....................................W....................... ... ....................................................... ............... ..H............text...$... ..................... ..`.rsrc..............................@..@.reloc....... .....................@..B.......................H.......8aJ...F..........3>..-...`J......................................0...........,..-.+.(....+.(-...+...0..<.........P./....-.&&.(......./....-.&&..-.&+.}....+.}....+.(....+..0..+.........P./....-.&&.(.......-.&&+.}....+.(....+...0..f........{......{.....-.&..X.-.&&....{.....{.....i3+..+.}....+...{......-.&&&..}....+.(....+...{.....jX}....*...0............(.....-.&..-.&.{....,Y+.....+..+.+H.{......{.....-.&..X}........%.X.X...{.....3.+..+...{.....(......}....+...2...Y

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Pdf.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41606816
Entropy (8bit):	7.295064099822315
Encrypted:	false
SSDEEP:	393216:2iVOOeRrmztRzZMeFMxD/FxbSZDBmkF3O4d+LyYqOG6lBsr0XnQ75Grw4KodpHqw:TNztRaeFg/FxER3O4qyvO7BXGwwG7Kw
MD5:	8F822A95A256967A288A037835E305E7
SHA1:	179F25A6FD96A8BE84FE40E32D79DB01ED1B8943
SHA-256:	25BCE1E8D85E25FA199613A9FCF34499A922556E082CA9CCDBACF0ABDD52FBFB
SHA-512:	F3484E7F84C8B2FF35AF231F425864DFD4DCD0B2310E8A01172CAD94528477344C1FB7D0B84E6554830A9531452908871FD9F7863CCF20505DE96E46C9D8D3EB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z.b........... ......z..........z.. ....z...@.. ........................{......E{...@.................................\|.z.W.....z...............z..J....z...................................................... ............... ..H............text....z.. ....z................. ..`.rsrc.........z.......z.............@..@.reloc........z.......z.............@..B..................z.....H.......l..............4................................................0...........-..,.+.(....+.($...+...0...........s.....,.&&.(....+.}....+...0...........(.......-.&&+.}....+...0..&........u.....-.&.,.+..+...-..,..o.....-.&+.....+.sx...*.(.....-.&.(.....-~&.E........\.......\...B.......\.......\...c.......!...\...\.......y...\...M.......7.......X...........,...#...n...+.....8y....8}...8F...s)....8A...s.....86...s.....8+...s(....8 ...s.....8....s.....8....s/....8....s

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Slides.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23923992
Entropy (8bit):	6.702059775686393
Encrypted:	false
SSDEEP:	196608:HEui5rbYJQIMknSCGDcUEcB27snV1gzaSEKSQsDPor8gZsYf9sC56zvZ1iWJAdWS:CbkOgZswsM6zvZsWJArkW1
MD5:	1D258A9135496513C91C48E8944518EF
SHA1:	E2C31D619A03230563A316D63ECCB61986F03F45
SHA-256:	A4E179B90BB241935A8BFC1EC96AC014F1B91C2DB404349EA99F9A90D2C212D4
SHA-512:	493F455FFF0FC86C03D90C71796E8BF585B60F209FEF4428A2BD5B7346C317AB76A1B26839D93FB564E55BCF92900440EA08C4E306ECBD957DA9ADB77064E0BD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!......l...........l.. ....l...@.. ....................... m.....w.m...@.................................@.l.W.....l...............l..I....m...................................................... ............... ..H............text.....l.. ....l................. ..`.rsrc.........l.......l.............@..@.reloc........m.......l.............@..B................\|.l.....H........[..H~^.............._.x[......................................r~....-.s>........~....s........ p\;,(.....0..J.......~....-=.....(....o....r...po.... .........%.....(....(....(hp.......~........(......{...."..}.........{...."..}.........{...."..}.........{ ..."..} ........{!..."..}!........{"..."..}"........{#..."..}#.......0..p........-....3...{.....{....3U.{.....{....3G.{.....{....39.{ ....{ ...3+.{!....{!...3..{"....{"...3..{#....{#........-.

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Words.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16760496
Entropy (8bit):	6.2427273767005715
Encrypted:	false
SSDEEP:	196608:1R/oIxpBomlbpoDnu3NDZztpbJQCe5Vwu36Q:1DpumlSDniztpbqRR
MD5:	ACFFD1D10FDD1137E5A2FFF6FB491578
SHA1:	5F8CF16381E707E2C7FA5D0EA13D7B6A3AC99D8B
SHA-256:	772940C2110FF981C0A8F9FBDF9203F7C56D39F73E20B809B6A4AB5B871CAB94
SHA-512:	B41238C123DE8F33680A65C536ACAB4AC7442F4E88255475B7E25F793C98CD1162DB3B8F63DBBCF4EBF3D5BB717EA2670C39C00CDF761B8A9F858E7E8915434F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..b........... ................z.... ........@.. ...............................Q....@................................. ...W.......$................ ........................................................... ............... ..H............text........ ...................... ..`.rsrc...$...........................@..@.reloc..............................@..B................\.......H.......<....Y...........q..Y4..........................................(D....0..N........(D....-.sE...z.oJ...,.sF...z..}......oL........}......(....}......(....}......2.{....oK......>.{....oL.....Y..{......{....B..........(........0..k........{....oL.....{......{...........oO...&...%...........(.......X........`,. ...%(+>..sG...z..Y........(H......0............X.+....-....X....X3.....n.{....,..{....oT.....}...."..}.........(D.....-...:.(.q....}......0..4...

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	198984
Entropy (8bit):	6.524210223675941
Encrypted:	false
SSDEEP:	3072:rQJ97Jk2idAcbTBrbf8nWbZMYmF1xJ/SxiuOTD/Qayg1oyuYJ:UJxiKqTB8eM9F9SxrOTLwyL
MD5:	2184C492140EC7B8E84C048B080566A4
SHA1:	13710067EEF4B0D7A0F625AD97F6D554BCAF0AF3
SHA-256:	4C71D9973F4A37FD2E6119AF1E130F0D68C8F97707CB9BF4CA60C6550DD0120E
SHA-512:	7B0B0498C9C11D21FD804FBBBEE29708E06E754315B45EAEC7C34C80EF01F5219DFBD1F0806231864914420388DC4FCCE37F87C36DA9E2ECF32C903EC60D10E1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.e.................\|..........N.... ........@.. .......................@......w.....@.....................................W.......(`..............H'........................................................... ............... ..H............text...T{... ...\|.................. ..`.reloc...............~..............@..B.rsrc...(`.......b..................@..@................0.......H...........H............... l..........................................".(.........0.............(........0..~........(........}......}....(....o.......+C......o....%&.o.........-$.E.........-......&...(....%&}....+....X....i....-..E............0...............(....%&.+......0.............o....%&...(.....+....0.................(.....+......0..............4o ...%&...o!....+......0.............o....%&..(....%&.+...0..............4o"...%&..o#...%&.+..*...0.............(

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\NReco.PdfGenerator.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9780736
Entropy (8bit):	7.996968073482298
Encrypted:	true
SSDEEP:	196608:GXh8MV3OXmK6Sms0368tFhrVYM6fnUGzzNSTRnFEEakuY:GXhxK4yo7cpgN1aZ
MD5:	953D246F67D077561A6167E4E8BCF57A
SHA1:	BC7ACF982A8C2AAFABF9253E0926B97256125A4B
SHA-256:	DDFA4CB6EAE66D0E5FBFF05140B580BA617C074377B7CE19115A1A3C6E23DB79
SHA-512:	056C57E6677834F6C67A22294B761EAD1CFAB550A944B4570AA2C26962CEDC4571BCE1DB042249F9462263AA405A6C813BD4368BF84C39EE0A299B9BB762F12F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...RG.X...........!.....4...........S... ...`....... ..............................r....@.................................dS..W....`..............................,R............................................... ............... ..H............text....3... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............<..............@..B.................S......H...........xM...........8.....P .......................................-~.#l....^y.c..'m...L=...x3..J.....G.Fow5...0mm..:<w...z.X.....u.K.H$...AM9..h.C...Bq`..i.c.....)g..#.%...;./......+..Y..2.{....{....2.{....{....z.(.....s....}.....{.....}........0..o........(....,..(....(....-.(....r...po.....(....r=..po......(....-&.(....-....(.....(....,..(....(....-.*r}..ps....z..0............(..........(....o....o....o......-.rT..ps....zs......(.......o......o....s......(.

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfFocus.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4825600
Entropy (8bit):	6.113300126494987
Encrypted:	false
SSDEEP:	49152:Tnyr5EHiPD1cewBBVjr4FUrtY4jVGCZJg3tIyrj173EEkIMrOkc5GIvOj:TnqGiP3UrtY4ECG
MD5:	FCB29B933FA6E791C5403CFD1F6EF8F7
SHA1:	17CB3EAA91EA31763C02A078E94C6425A85CB8EB
SHA-256:	9551AC0783659CF69D7058C64E363EB3F8F7291C41BC5D7B557D536B6287ED9D
SHA-512:	85171BE3CBA9E3883926003234E8F9E739A50D702805F3A8FAD893FB4E6F16A83BAE801B65A57C411C2C5D15F8F23542A9952FFDE201B612E408ADEFDFA0E05F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ut.Y...........!......I...........I.. ....I...@.. ........................J...........@.................................k.I.J.....I.2.....................I...................................................... ............... ..H............text.....I.. ....I................. ..`.rsrc...2.....I.......I.............@..@.reloc........I.......I.............@..B..................I.....H....... ."...............;.......".......................................{......{......{......(.....0..%..........,...i........+.........X....i2.....2(.....o........0..)..........,"..i........+..............X....i2.....N..o....o.....o.....0..%..........,...i........+......g...X....i2.....F(.....(....o......2(.....o...................j..2....._c...._c..f.._bX.&..i(......r..j2....?_c...?_c.j.f.?_bX...&..i(.......0..5.........-....i..........o......-..*..

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfVision.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	806912
Entropy (8bit):	5.149704902528526
Encrypted:	false
SSDEEP:	12288:EuWrOkXECp/RIm/3rE3eDLIqrhyYYTmvyrO0:EuWLXEE/RIm/3I3eDLIqUEyrO0
MD5:	2F2AB1DA8B19B6F660ADCC2F18F9F333
SHA1:	C01A6A27C0134D6DDB373441AE4600E33D6601AA
SHA-256:	782A9233C9FCFCEB21C2B11765C600E10C4AC0A9CFE1A64AF62CE856126B4858
SHA-512:	DE8DEB5C9EE81A5B7BE4EB5764A7F9B61E1C952F7616A5EC73E223E51E69BBFFF6E32429B5983AA15A57729705DD26BBC67D91D6D2B7992A54B8E4A8CA65FD82
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U..Y...........!..... ... ......z5... ...@....@.. ....................................@.................................05..J....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Compression.Base.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	200704
Entropy (8bit):	5.683346562801559
Encrypted:	false
SSDEEP:	3072:8VuWtgjI6Wq32Ng0JTtjCFL6oLOOpX8JyptgIMOfwz6:8Vu82Ik2N/PG+oLRppw
MD5:	6CE98629CF41D3FE1F5BA1159232C68F
SHA1:	3D7E2C493A53F2DA90CC811272A6A6588F946EDB
SHA-256:	A08412D6DB06FEA813FDB6055F1A0D2CD2B2B818AFC3CAAD73F10B80A4B126AC
SHA-512:	8BA7643F9DFB58423A191B2FC2839815286DF57F8AEAC3A1334621A4AE34816D3D8E9EB2F6A726A22A03D458F38F0ED5D8A959669B2EC6B218D3246E999C7D51
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8.^...........!......... ........... ........... .......................@.......n....@.................................T...W............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Licensing.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	815104
Entropy (8bit):	3.6952203667713746
Encrypted:	false
SSDEEP:	3072:n62IwDANNNJIZqNJIZSjdT9K0VW2pcf4K:n6bZI0IUhp
MD5:	A2428FB5D3AE10313A1782FB747F055E
SHA1:	9103B34F9A70845F84A8264892C6389FD03F3B7A
SHA-256:	0EFBF82D98B163B7835F5FEBBA2802A4A59C615B4737D2B804C6610742B5FB14
SHA-512:	BB543E7E22A0115219F6475461AA750D7415F78327236FC2185B7FDA94426E749BA03EAF96F67DD7FE08088348AC8022456203203CE1593A3C3C8A6AA8F29EEB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s.^...........!.....@... .......V... ...`....... ....................................@..................................V..S....`............................................................................... ............... ..H............text....7... ...@.................. ..`.rsrc........`.......P..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Pdf.Base.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6639616
Entropy (8bit):	6.492818623690905
Encrypted:	false
SSDEEP:	49152:SgQPii8uK1X5RIMh6Qz/yUP32rZmRKl13a+e7hfHBR81zHhTk3a+e77DaoAw4zMT:4iR5RIMhG4nClAol+
MD5:	721C23752C6539A0C0CE7F2E599F6ADF
SHA1:	98F31C5F7763231929C4A737371E424156C95D93
SHA-256:	A6C3FD3BF3B12ED883B53AAEFFB1924FA57647E446EDDB86C6E999304388752B
SHA-512:	F933046FAD05A673BC155CE973829F057BF517D0BAA95FFE3D56463CC53938F9B991D960435DA7ED2D291A1A0CAEF5982FA3C306ECA5EFB8DE95606C2AE5E4C0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....^...........!..... e.. ......^;e.. ...@e...... ........................e......Ef...@..................................;e.K....@e.H....................`e...................................................... ............... ..H............text...d.e.. ... e................. ..`.rsrc...H....@e......0e.............@..@.reloc.......`e......@e.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-1972F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14145296
Entropy (8bit):	6.2177225225819095
Encrypted:	false
SSDEEP:	196608:RBKE93do/gOGda5dzPo/ydAPuYG0db2H:REE5Qzy20m
MD5:	883DD7F3C41D939FA0904A24EB1C6730
SHA1:	595A4882D0FFF78E339ECBFD81795546F9AE4701
SHA-256:	08F2CEA2627ED458EF2CB14A1A988DD72B0ACCA261285FE781E91AB0821AD9EE
SHA-512:	655569664CE811EBF63D059B342668CFF10C1697FCD7126C2A3D9044CC97825BC98B574125A4F3F1EF0AEAD1E42E97459C98675F59FB3EE652EE94C2342BF61C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7E.b...........!..................... ........@.. ....................... ......p.....@.................................t...W........................'........................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......\|.....5.........LY...e............................................(2....0..N........(2....-.s3...z.ow{..,.s4...z..}......oy{.......}......(....}......(....}......2.{....ox{.....>.{....oy{....Y..{......{....B..........(........0..k........{....oy{....{......{...........o\|{..&...%...........(.......X........`,. N[u.(.R..s5...z..Y........(6......0............X.+....-....X....X3.....n.{....,..{....o.{....}...."..}........0..o........s7...}.....s7...}.....s8...

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-53FTM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1800520
Entropy (8bit):	6.423850226295897
Encrypted:	false
SSDEEP:	49152:S8gih65tFZq5KErou7QD0FQgjeKKUTYM6enKX5HA3m1Sxv7ZpQ+UyYM:SL5tFo5tou+0FQweKKUTYMk5am1Sxv7b
MD5:	7F765E13E08B91F94FCBFCCCD8B631BA
SHA1:	53594A7032C01604C47CC8B770BBA08D9A886E57
SHA-256:	5FF1C1C390E6313E20C85D03D9F6DF9689B2C3F86B997405D0FCE53C3D0B0A51
SHA-512:	67B8C32B4E51F4F4BA01CC7B254EF04233F6D11BDB3889DA060BA84EF5A8A2DDD510958706E1E624796436313AAA7CCE4B8883811C73303EBF77B373177C9EB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k..B/.../.../...&.1.....&.6. ...&.&...../......4 +.....4 ......4 ......4 ..*...4 /.....4 (.....Rich/...................PE..L.....d................."...,...............@....@..................................?....@.................................<...h....................R..H'...P.......M..............................H...@............@..t............................text.... .......".................. ..`.rdata.......@.......&..............@..@.data...\........j..................@....rsrc...............................@..@.reloc......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-BLHAO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	815104
Entropy (8bit):	3.6952203667713746
Encrypted:	false
SSDEEP:	3072:n62IwDANNNJIZqNJIZSjdT9K0VW2pcf4K:n6bZI0IUhp
MD5:	A2428FB5D3AE10313A1782FB747F055E
SHA1:	9103B34F9A70845F84A8264892C6389FD03F3B7A
SHA-256:	0EFBF82D98B163B7835F5FEBBA2802A4A59C615B4737D2B804C6610742B5FB14
SHA-512:	BB543E7E22A0115219F6475461AA750D7415F78327236FC2185B7FDA94426E749BA03EAF96F67DD7FE08088348AC8022456203203CE1593A3C3C8A6AA8F29EEB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s.^...........!.....@... .......V... ...`....... ....................................@..................................V..S....`............................................................................... ............... ..H............text....7... ...@.................. ..`.rsrc........`.......P..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-DRSF7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9780736
Entropy (8bit):	7.996968073482298
Encrypted:	true
SSDEEP:	196608:GXh8MV3OXmK6Sms0368tFhrVYM6fnUGzzNSTRnFEEakuY:GXhxK4yo7cpgN1aZ
MD5:	953D246F67D077561A6167E4E8BCF57A
SHA1:	BC7ACF982A8C2AAFABF9253E0926B97256125A4B
SHA-256:	DDFA4CB6EAE66D0E5FBFF05140B580BA617C074377B7CE19115A1A3C6E23DB79
SHA-512:	056C57E6677834F6C67A22294B761EAD1CFAB550A944B4570AA2C26962CEDC4571BCE1DB042249F9462263AA405A6C813BD4368BF84C39EE0A299B9BB762F12F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...RG.X...........!.....4...........S... ...`....... ..............................r....@.................................dS..W....`..............................,R............................................... ............... ..H............text....3... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............<..............@..B.................S......H...........xM...........8.....P .......................................-~.#l....^y.c..'m...L=...x3..J.....G.Fow5...0mm..:<w...z.X.....u.K.H$...AM9..h.C...Bq`..i.c.....)g..#.%...;./......+..Y..2.{....{....2.{....{....z.(.....s....}.....{.....}........0..o........(....,..(....(....-.(....r...po.....(....r=..po......(....-&.(....-....(.....(....,..(....(....-.*r}..ps....z..0............(..........(....o....o....o......-.rT..ps....zs......(.......o......o....s......(.

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-GJNME.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9499784
Entropy (8bit):	6.506514925456966
Encrypted:	false
SSDEEP:	98304:0fE0jKRsEFjbHbCyzOZeYcrPBF/Xt0pNtu24mw:pMKRRFXemrPb/24z
MD5:	616FEF43C726668EEBC178C142FBCD9B
SHA1:	5107CE8759BF7530E51F6107BFA092826C1E4929
SHA-256:	300B9C41F0603C85DAB552DB3CAA26F5719DCD1D29A20D9DE751F9D05AAC5380
SHA-512:	F810AB32BF22DA7105CF636BFE5BAF5FB24BE12FE04739D2E40BFA963B861B90263D540ACC469A7716CB2C2BDBB3F1E6D6920D7174FCDB1366BAE189A8E1FA65
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b........... ................... ........@.. .......................@............@....................................W....................... ... ....................................................... ............... ..H............text...$... ..................... ..`.rsrc..............................@..@.reloc....... .....................@..B.......................H.......8aJ...F..........3>..-...`J......................................0...........,..-.+.(....+.(-...+...0..<.........P./....-.&&.(......./....-.&&..-.&+.}....+.}....+.(....+..0..+.........P./....-.&&.(.......-.&&+.}....+.(....+...0..f........{......{.....-.&..X.-.&&....{.....{.....i3+..+.}....+...{......-.&&&..}....+.(....+...{.....jX}....*...0............(.....-.&..-.&.{....,Y+.....+..+.+H.{......{.....-.&..X}........%.X.X...{.....3.+..+...{.....(......}....+...2...Y

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-J86HV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6639616
Entropy (8bit):	6.492818623690905
Encrypted:	false
SSDEEP:	49152:SgQPii8uK1X5RIMh6Qz/yUP32rZmRKl13a+e7hfHBR81zHhTk3a+e77DaoAw4zMT:4iR5RIMhG4nClAol+
MD5:	721C23752C6539A0C0CE7F2E599F6ADF
SHA1:	98F31C5F7763231929C4A737371E424156C95D93
SHA-256:	A6C3FD3BF3B12ED883B53AAEFFB1924FA57647E446EDDB86C6E999304388752B
SHA-512:	F933046FAD05A673BC155CE973829F057BF517D0BAA95FFE3D56463CC53938F9B991D960435DA7ED2D291A1A0CAEF5982FA3C306ECA5EFB8DE95606C2AE5E4C0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....^...........!..... e.. ......^;e.. ...@e...... ........................e......Ef...@..................................;e.K....@e.H....................`e...................................................... ............... ..H............text...d.e.. ... e................. ..`.rsrc...H....@e......0e.............@..@.reloc.......`e......@e.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-JCQ1B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22880256
Entropy (8bit):	6.56355805193121
Encrypted:	false
SSDEEP:	196608:sHtKK9V4tyInUwOR/kZVinxISJsv6tWKFdu9Cvh7KHNWlM:i3In2/qVixNJsv6tWKFdu9Cvh27
MD5:	FF394C31439D74F8BEF8730F488A82BA
SHA1:	52A71B32260FB0FD5EED03CC955F41C86629A9F1
SHA-256:	E85485FF0EB778E1EF1E1A371CB0E95054D9C8555C3FF3703161210A0F7C785E
SHA-512:	D893ACE88FD0763D73C1492A4287B5DD5F2CFC3FDF752C7C4F1DCF63A07C0D9D53D545879647F8D386D32788CD7B2D99687D9624237958D0A9F6C6BE7C3E00B3
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......`0..$Ql.$Ql.$Ql...&Ql.)...6Ql.)...1Ql.)... Ql.)...-Ql..... Ql.....%Ql.....9Ql.$Qm.YSl....qSl.....[l....%Ql.)...%Ql....%Ql.Rich$Ql.........................PE..L....g.V.................@....[.....t?.......P....@..........................0^.....p.]...@.........................`.H.4I....I.T.....N.......................N..0....................................3.@............P...............................text...;>.......@.................. ..`.rdata....G..P....G..D..............@..@.data...@\|...@I......,I.............@....unwanted.....N.......M.............@..@_RDATA..$.....N.......M.............@..@.rsrc.........N.......M.............@..@.reloc...0....N..2....M.............@..B........................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-JFCVR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4825600
Entropy (8bit):	6.113300126494987
Encrypted:	false
SSDEEP:	49152:Tnyr5EHiPD1cewBBVjr4FUrtY4jVGCZJg3tIyrj173EEkIMrOkc5GIvOj:TnqGiP3UrtY4ECG
MD5:	FCB29B933FA6E791C5403CFD1F6EF8F7
SHA1:	17CB3EAA91EA31763C02A078E94C6425A85CB8EB
SHA-256:	9551AC0783659CF69D7058C64E363EB3F8F7291C41BC5D7B557D536B6287ED9D
SHA-512:	85171BE3CBA9E3883926003234E8F9E739A50D702805F3A8FAD893FB4E6F16A83BAE801B65A57C411C2C5D15F8F23542A9952FFDE201B612E408ADEFDFA0E05F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ut.Y...........!......I...........I.. ....I...@.. ........................J...........@.................................k.I.J.....I.2.....................I...................................................... ............... ..H............text.....I.. ....I................. ..`.rsrc...2.....I.......I.............@..@.reloc........I.......I.............@..B..................I.....H....... ."...............;.......".......................................{......{......{......(.....0..%..........,...i........+.........X....i2.....2(.....o........0..)..........,"..i........+..............X....i2.....N..o....o.....o.....0..%..........,...i........+......g...X....i2.....F(.....(....o......2(.....o...................j..2....._c...._c..f.._bX.&..i(......r..j2....?_c...?_c.j.f.?_bX...&..i(.......0..5.........-....i..........o......-..*..

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-K8UHR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4079616
Entropy (8bit):	6.178269969872396
Encrypted:	false
SSDEEP:	49152:fb6Z5Mc46/SNREUT4j9jEH3q90cSqmV+tiAZ23chGAYbZkN:f2fy6qNXI
MD5:	9631963D39CDC1A06A80A6BE9AD26492
SHA1:	9E00CBF91EF843ABEAC26C0583380938163563E6
SHA-256:	5540BE0821D8303DC945FD2BD1C62082CDBA46260E5278985FA0866242DEADD2
SHA-512:	F4DAE31FD1D9FE6E78224DF15C04B876D834381ED6E0FE0B72E156505D858EED6BD8D0D0A075DF2F4656A635F50882014E4CC15D41BFAF419EC6606177FD0EA1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]...........!......>.. .......,>.. ...@>...... ........................>......<?...@.................................<,>.O....@>......................`>...................................................... ............... ..H............text.....>.. ....>................. ..`.rsrc........@>...... >.............@..@.reloc.......`>......0>.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-M4TSJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560328
Entropy (8bit):	6.3963613485801
Encrypted:	false
SSDEEP:	49152:QdrGT9oY0SAQ4+YI1Qb1oWGxblxZa0o85762:QFGTv1QtGxHZab4
MD5:	9DC81EA31610361FCFE670EA7EE92C56
SHA1:	7AFC1BC2F581B532A4B5FC0F04344493B93A9CFF
SHA-256:	9FA575F386A5EEF3F4999212D8C001994964480D84525F0E2854BB35144626EF
SHA-512:	95E12A3E2285A9E6C0A7A49FA6321220A02897B2DF66E5A5B809144BDC16D83976FC02A2633AC739CD8F3DD4FCE0940B74EB45A842CC9EFF8675E0CB7490EB6A
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...4..\..................$..*........$.......$...@...........................'.....Z)'...@......@....................&.......%..5...@&.`.............&.H'...................................0&.....................D.%.@.....&......................text...(.$.......$................. ..`.itext...&....$..(....$............. ..`.data...4Z....$..\....$.............@....bss.....q...@%..........................idata...5....%..6....%.............@....didata.......&......R%.............@....edata........&......\%.............@..@.tls....D.... &..........................rdata..]....0&......^%.............@..@.rsrc...`....@&......`%.............@..@..............'.......&.............@..@........................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-NCMA4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	806912
Entropy (8bit):	5.149704902528526
Encrypted:	false
SSDEEP:	12288:EuWrOkXECp/RIm/3rE3eDLIqrhyYYTmvyrO0:EuWLXEE/RIm/3I3eDLIqUEyrO0
MD5:	2F2AB1DA8B19B6F660ADCC2F18F9F333
SHA1:	C01A6A27C0134D6DDB373441AE4600E33D6601AA
SHA-256:	782A9233C9FCFCEB21C2B11765C600E10C4AC0A9CFE1A64AF62CE856126B4858
SHA-512:	DE8DEB5C9EE81A5B7BE4EB5764A7F9B61E1C952F7616A5EC73E223E51E69BBFFF6E32429B5983AA15A57729705DD26BBC67D91D6D2B7992A54B8E4A8CA65FD82
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U..Y...........!..... ... ......z5... ...@....@.. ....................................@.................................05..J....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-P2U1O.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23923992
Entropy (8bit):	6.702059775686393
Encrypted:	false
SSDEEP:	196608:HEui5rbYJQIMknSCGDcUEcB27snV1gzaSEKSQsDPor8gZsYf9sC56zvZ1iWJAdWS:CbkOgZswsM6zvZsWJArkW1
MD5:	1D258A9135496513C91C48E8944518EF
SHA1:	E2C31D619A03230563A316D63ECCB61986F03F45
SHA-256:	A4E179B90BB241935A8BFC1EC96AC014F1B91C2DB404349EA99F9A90D2C212D4
SHA-512:	493F455FFF0FC86C03D90C71796E8BF585B60F209FEF4428A2BD5B7346C317AB76A1B26839D93FB564E55BCF92900440EA08C4E306ECBD957DA9ADB77064E0BD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-P2U1O.tmp, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!......l...........l.. ....l...@.. ....................... m.....w.m...@.................................@.l.W.....l...............l..I....m...................................................... ............... ..H............text.....l.. ....l................. ..`.rsrc.........l.......l.............@..@.reloc........m.......l.............@..B................\|.l.....H........[..H~^.............._.x[......................................r~....-.s>........~....s........ p\;,(.....0..J.......~....-=.....(....o....r...po.... .........%.....(....(....(hp.......~........(......{...."..}.........{...."..}.........{...."..}.........{ ..."..} ........{!..."..}!........{"..."..}"........{#..."..}#.......0..p........-....3...{.....{....3U.{.....{....3G.{.....{....39.{ ....{ ...3+.{!....{!...3..{"....{"...3..{#....{#........-.

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-RNQ1C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	200704
Entropy (8bit):	5.683346562801559
Encrypted:	false
SSDEEP:	3072:8VuWtgjI6Wq32Ng0JTtjCFL6oLOOpX8JyptgIMOfwz6:8Vu82Ik2N/PG+oLRppw
MD5:	6CE98629CF41D3FE1F5BA1159232C68F
SHA1:	3D7E2C493A53F2DA90CC811272A6A6588F946EDB
SHA-256:	A08412D6DB06FEA813FDB6055F1A0D2CD2B2B818AFC3CAAD73F10B80A4B126AC
SHA-512:	8BA7643F9DFB58423A191B2FC2839815286DF57F8AEAC3A1334621A4AE34816D3D8E9EB2F6A726A22A03D458F38F0ED5D8A959669B2EC6B218D3246E999C7D51
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8.^...........!......... ........... ........... .......................@.......n....@.................................T...W............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-RV6LF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16760496
Entropy (8bit):	6.2427273767005715
Encrypted:	false
SSDEEP:	196608:1R/oIxpBomlbpoDnu3NDZztpbJQCe5Vwu36Q:1DpumlSDniztpbqRR
MD5:	ACFFD1D10FDD1137E5A2FFF6FB491578
SHA1:	5F8CF16381E707E2C7FA5D0EA13D7B6A3AC99D8B
SHA-256:	772940C2110FF981C0A8F9FBDF9203F7C56D39F73E20B809B6A4AB5B871CAB94
SHA-512:	B41238C123DE8F33680A65C536ACAB4AC7442F4E88255475B7E25F793C98CD1162DB3B8F63DBBCF4EBF3D5BB717EA2670C39C00CDF761B8A9F858E7E8915434F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..b........... ................z.... ........@.. ...............................Q....@................................. ...W.......$................ ........................................................... ............... ..H............text........ ...................... ..`.rsrc...$...........................@..@.reloc..............................@..B................\.......H.......<....Y...........q..Y4..........................................(D....0..N........(D....-.sE...z.oJ...,.sF...z..}......oL........}......(....}......(....}......2.{....oK......>.{....oL.....Y..{......{....B..........(........0..k........{....oL.....{......{...........oO...&...%...........(.......X........`,. ...%(+>..sG...z..Y........(H......0............X.+....-....X....X3.....n.{....,..{....oT.....}...."..}.........(D.....-...:.(.q....}......0..4...

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-SNNJ3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	198984
Entropy (8bit):	6.524210223675941
Encrypted:	false
SSDEEP:	3072:rQJ97Jk2idAcbTBrbf8nWbZMYmF1xJ/SxiuOTD/Qayg1oyuYJ:UJxiKqTB8eM9F9SxrOTLwyL
MD5:	2184C492140EC7B8E84C048B080566A4
SHA1:	13710067EEF4B0D7A0F625AD97F6D554BCAF0AF3
SHA-256:	4C71D9973F4A37FD2E6119AF1E130F0D68C8F97707CB9BF4CA60C6550DD0120E
SHA-512:	7B0B0498C9C11D21FD804FBBBEE29708E06E754315B45EAEC7C34C80EF01F5219DFBD1F0806231864914420388DC4FCCE37F87C36DA9E2ECF32C903EC60D10E1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.e.................\|..........N.... ........@.. .......................@......w.....@.....................................W.......(`..............H'........................................................... ............... ..H............text...T{... ...\|.................. ..`.reloc...............~..............@..B.rsrc...(`.......b..................@..@................0.......H...........H............... l..........................................".(.........0.............(........0..~........(........}......}....(....o.......+C......o....%&.o.........-$.E.........-......&...(....%&}....+....X....i....-..E............0...............(....%&.+......0.............o....%&...(.....+....0.................(.....+......0..............4o ...%&...o!....+......0.............o....%&..(....%&.+...0..............4o"...%&..o#...%&.+..*...0.............(

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-V1LTT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41606816
Entropy (8bit):	7.295064099822315
Encrypted:	false
SSDEEP:	393216:2iVOOeRrmztRzZMeFMxD/FxbSZDBmkF3O4d+LyYqOG6lBsr0XnQ75Grw4KodpHqw:TNztRaeFg/FxER3O4qyvO7BXGwwG7Kw
MD5:	8F822A95A256967A288A037835E305E7
SHA1:	179F25A6FD96A8BE84FE40E32D79DB01ED1B8943
SHA-256:	25BCE1E8D85E25FA199613A9FCF34499A922556E082CA9CCDBACF0ABDD52FBFB
SHA-512:	F3484E7F84C8B2FF35AF231F425864DFD4DCD0B2310E8A01172CAD94528477344C1FB7D0B84E6554830A9531452908871FD9F7863CCF20505DE96E46C9D8D3EB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-V1LTT.tmp, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z.b........... ......z..........z.. ....z...@.. ........................{......E{...@.................................\|.z.W.....z...............z..J....z...................................................... ............... ..H............text....z.. ....z................. ..`.rsrc.........z.......z.............@..@.reloc........z.......z.............@..B..................z.....H.......l..............4................................................0...........-..,.+.(....+.($...+...0...........s.....,.&&.(....+.}....+...0...........(.......-.&&+.}....+...0..&........u.....-.&.,.+..+...-..,..o.....-.&+.....+.sx...*.(.....-.&.(.....-~&.E........\.......\...B.......\.......\...c.......!...\...\.......y...\...M.......7.......X...........,...#...n...+.....8y....8}...8F...s)....8A...s.....86...s.....8+...s(....8 ...s.....8....s.....8....s/....8....s

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\itextsharp.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4079616
Entropy (8bit):	6.178269969872396
Encrypted:	false
SSDEEP:	49152:fb6Z5Mc46/SNREUT4j9jEH3q90cSqmV+tiAZ23chGAYbZkN:f2fy6qNXI
MD5:	9631963D39CDC1A06A80A6BE9AD26492
SHA1:	9E00CBF91EF843ABEAC26C0583380938163563E6
SHA-256:	5540BE0821D8303DC945FD2BD1C62082CDBA46260E5278985FA0866242DEADD2
SHA-512:	F4DAE31FD1D9FE6E78224DF15C04B876D834381ED6E0FE0B72E156505D858EED6BD8D0D0A075DF2F4656A635F50882014E4CC15D41BFAF419EC6606177FD0EA1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]...........!......>.. .......,>.. ...@>...... ........................>......<?...@.................................<,>.O....@>......................`>...................................................... ............... ..H............text.....>.. ....>................. ..`.rsrc........@>...... >.............@..@.reloc.......`>......0>.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	InnoSetup Log BitRecover EML to PDF Wizard, version 0x418, 39629 bytes, 579569\37\user\37, C:\Program Files (x86)\BitRecover\EML to P
Category:	dropped
Size (bytes):	39629
Entropy (8bit):	4.000134276202904
Encrypted:	false
SSDEEP:	384:9mt5krDetaA2DYH/pKNyPKWvz7eTkbPIedqneSAgHn:9He6UBvBbVdSeQ
MD5:	80275C8B2D18E69968DEB6CF10F8C705
SHA1:	E913275E4C39D46E9EB9CCCACF77A7B7D9694732
SHA-256:	0E5D0D88207F2C4141189C3C69CFA4A5ED695DE773E8C84976AC5816834E8EB9
SHA-512:	F01D1CE44C7BDE8846025E396897919F2A7D48DB9E857257FF0EC90E766B81CA4BB8EDE72D72CD5E7D6E63AE0F1E6CA19D48AFF5CACF4414C66AF8BE15958E6E
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................BitRecover EML to PDF Wizard....................................................................................................BitRecover EML to PDF Wizard........................................................................................................6.......................................................................................................................7..........:................5.7.9.5.6.9......a.l.f.o.n.s......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.i.t.R.e.c.o.v.e.r.\.E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d..................+.... ......p......IFPS........N....................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM..........................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560328
Entropy (8bit):	6.3963613485801
Encrypted:	false
SSDEEP:	49152:QdrGT9oY0SAQ4+YI1Qb1oWGxblxZa0o85762:QFGTv1QtGxHZab4
MD5:	9DC81EA31610361FCFE670EA7EE92C56
SHA1:	7AFC1BC2F581B532A4B5FC0F04344493B93A9CFF
SHA-256:	9FA575F386A5EEF3F4999212D8C001994964480D84525F0E2854BB35144626EF
SHA-512:	95E12A3E2285A9E6C0A7A49FA6321220A02897B2DF66E5A5B809144BDC16D83976FC02A2633AC739CD8F3DD4FCE0940B74EB45A842CC9EFF8675E0CB7490EB6A
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...4..\..................$..*........$.......$...@...........................'.....Z)'...@......@....................&.......%..5...@&.`.............&.H'...................................0&.....................D.%.@.....&......................text...(.$.......$................. ..`.itext...&....$..(....$............. ..`.data...4Z....$..\....$.............@....bss.....q...@%..........................idata...5....%..6....%.............@....didata.......&......R%.............@....edata........&......\%.............@..@.tls....D.... &..........................rdata..]....0&......^%.............@..@.rsrc...`....@&......`%.............@..@..............'.......&.............@..@........................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\unins000.msg

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	InnoSetup messages, version 6.0.0, 240 messages (UTF-16), Cancel installation
Category:	dropped
Size (bytes):	22859
Entropy (8bit):	3.270827100223718
Encrypted:	false
SSDEEP:	192:P19Xgkg3STsfr69FTyPanTa1tznL7VF+Afc51U5YQDztXfbKJg/Bfv+:P17vir64+WX+AQ1U5YQDzt7/B3+
MD5:	D4C5C3D36998B363CE3231E1A9AE5CF8
SHA1:	E7B2C4ABA3149F09DC07AB2BE0F025128D94E77A
SHA-256:	CDE4C2F34FF81C025CDA49E356B986FA61D140D3860FEBA088907243E4E6D7A5
SHA-512:	E0BDE95CD427DFF5D707142EDF2EFF7862FFCC42273361F1CBDD9237D7E2A7FFB7F7FAC4951779FF68CE0F3294821D0E31847B9801EDAA3C980FB285241EEC84
Malicious:	false
Preview:	Inno Setup Messages (6.0.0) (u)......................................X........'.C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22880256
Entropy (8bit):	6.56355805193121
Encrypted:	false
SSDEEP:	196608:sHtKK9V4tyInUwOR/kZVinxISJsv6tWKFdu9Cvh7KHNWlM:i3In2/qVixNJsv6tWKFdu9Cvh27
MD5:	FF394C31439D74F8BEF8730F488A82BA
SHA1:	52A71B32260FB0FD5EED03CC955F41C86629A9F1
SHA-256:	E85485FF0EB778E1EF1E1A371CB0E95054D9C8555C3FF3703161210A0F7C785E
SHA-512:	D893ACE88FD0763D73C1492A4287B5DD5F2CFC3FDF752C7C4F1DCF63A07C0D9D53D545879647F8D386D32788CD7B2D99687D9624237958D0A9F6C6BE7C3E00B3
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......`0..$Ql.$Ql.$Ql...&Ql.)...6Ql.)...1Ql.)... Ql.)...-Ql..... Ql.....%Ql.....9Ql.$Qm.YSl....qSl.....[l....%Ql.)...%Ql....%Ql.Rich$Ql.........................PE..L....g.V.................@....[.....t?.......P....@..........................0^.....p.]...@.........................`.H.4I....I.T.....N.......................N..0....................................3.@............P...............................text...;>.......@.................. ..`.rdata....G..P....G..D..............@..@.data...@\|...@I......,I.............@....unwanted.....N.......M.............@..@_RDATA..$.....N.......M.............@..@.rsrc.........N.......M.............@..@.reloc...0....N..2....M.............@..B........................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-conio-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12640
Entropy (8bit):	6.6268710535758455
Encrypted:	false
SSDEEP:	192:pj8PWOhWST71ojDBQABJphUzyqnaj9RlSIFK:pjAWOhWDDBRJpYylBRAIFK
MD5:	4296CF3A7180E10AAF6147F4AECD24E4
SHA1:	F81E09AF979A1146774D554783D1A22A03A61393
SHA-256:	147F86FF93D61FEA256B3DE9149E1B36B68A83762E62A3389466218E18359FFC
SHA-512:	60357EDDE6572C5E796F927C3E72C31A96FF700624B7366FDDA64BCF51EE00BF1E9AB477A46D8D3BA7391BA10491E69F745EFEC3607F8F49B6E1A3A3DE7A0648
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...X.nU...........!......................... ...............................0......jG....@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-convert-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15712
Entropy (8bit):	6.425222272368789
Encrypted:	false
SSDEEP:	192:fpdkKBcyxWOhWWT71ojDBQABJMIqnajsl/cqtt:JuyxWOhWXDBRJXlPqD
MD5:	5C6FD1C6A5E69313A853A224E18A7FAC
SHA1:	10BAE352F09B214EDEF2DC6ADCB364C45FAFDBEC
SHA-256:	3AA0EB4C47AC94B911F1A440324D26EEE8DDF99557A718F0905BFEE3CF56255F
SHA-512:	08C2B1150F6BF505D10085A515BBFAB6C1E18663C6EF75EC988727E3D30210532D03BFBFBB048B1A843D4FAA5D1060F9079E018A9E892BCE03F899A5A85F6034
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...`.nU...........!.........................0...............................@............@..........................................0..................`!..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-environment-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12128
Entropy (8bit):	6.584062596989429
Encrypted:	false
SSDEEP:	192:kWOhWaT71ojDBQABJIvqnajxcRGlPH6WE5:kWOhWbDBRJIvll7PHC5
MD5:	6A3D5701446F6635FAFF87014A836EEE
SHA1:	7BBC9DB1C9CE70E9FC7B7348A2C96681E5D8265B
SHA-256:	16BA05A1FA928501FFAEE2E9DCE449D28E8FE538DF5EC6D8D1080B610B15D466
SHA-512:	839A1277B6DBB9F2D6E572E1B50B0AD08C93256A1367F36997DB07285AA7B251346499A643A985A22D9A7618635C11964E414073AA7E1BF60D36368829DE8FB3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Z.nU...........!......................... ...............................0.......&....@............................."............ ..................`!..............8............................................................................text...2........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-filesystem-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13664
Entropy (8bit):	6.642134226840258
Encrypted:	false
SSDEEP:	192:b7q6nWlC0i5C5WOhWWT71ojDBQABJHTTKJqnajLQvTP+8jIrF7:/q6nWm5C5WOhWXDBRJHTGJlvQyUIrF7
MD5:	4EC243792D382305DB59DC78B72D0A1E
SHA1:	63B7285646C72EE640D34CDC200BFC5863DB3563
SHA-256:	56E0BDF91EDB21F5F5041F052723025C059A11360BB745F965A9903DE9C61756
SHA-512:	88F648D45927DB65FF8CEAD4BB1959B1297410BF3F5B3B2783A173D708649260A61470342694DE8B93E9C1657DE64DB43DB40EE71ACC661B03786C0921D68D4B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Y.nU...........!......................... ...............................0............@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-heap-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12640
Entropy (8bit):	6.564400972555511
Encrypted:	false
SSDEEP:	192:8Y17aFBRkWOhWXLT71ojDBQABJz5qqnajxcRGlPHisg:9RWOhWXYDBRJ9qll7PHip
MD5:	A51CFB8CF618571215EEBA7095733B25
SHA1:	DB4215890757C7C105A8001B41AE19CE1A5D3558
SHA-256:	6501894E68A3871962731282A2E70614023EC3F63F600F933EC1785400716CE1
SHA-512:	9AE11AB21486DEA1ABA607A4262F62678C5B0E9F62B6A63C76CFDC7698D872D8696FFB1AAAE7AA2E2CF02C1C7EAA53D0CE503432960F4BE6886FAE0DE2659535
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Z.nU...........!......................... ...............................0......u?....@.......................................... ..................`!..............8............................................................................text...&........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-locale-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12128
Entropy (8bit):	6.677315318089621
Encrypted:	false
SSDEEP:	192:iWOhW6UT71ojDBQABJmRqnajsl/cqt0AEV1:iWOhWQDBRJmRlPqubV1
MD5:	8D097AA5BEC8BDB5DF8F39E0DB30397C
SHA1:	56F6DA8703F8CDD4A8E4A170D1A6C0D3F2035158
SHA-256:	42C235914844CE5D1BB64002FCA34A776AE25EE658FC2B7B9DA3291E5DEF7D4D
SHA-512:	A891536E2A362FC73472FA7F5266CE29E8036959701BC0862F2B7EA5865DCD1505615EDC8E064FB2F7AAA1B129E48422EFE7B933B01FAED9C2AFADD8A64452DC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Z.nU...........!......................... ...............................0......h.....@.............................e............ ..................`!..............8............................................................................text...u........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-math-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22368
Entropy (8bit):	6.188429412305562
Encrypted:	false
SSDEEP:	384:n47isbM4Oe5grykfIgTmLOWOhWB9DBRJelXBtpObE:41Mq5grxfIn+c91PkKE
MD5:	AB87BDAE2F62E32A533F89CD362D081C
SHA1:	40311859DD042A7E392877364568AAD892792BA9
SHA-256:	0439703E47C8FCE1F367F9E36248A738DB6ABCD9F2DD199CB190D5E59ED46978
SHA-512:	DBE0073DA8979F3D32204680015B60435226840E732B5DF964DBEEB7920C0BC5DF92D866964F905518C97CC3539F628664503FFA64E50A2EF90C459B62555444
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...X.nU...........!.........................@...............................P............@..............................+...........@...............6..`!..............8............................................................................text....,.......................... ..`.rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-multibyte-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19808
Entropy (8bit):	6.18946421950789
Encrypted:	false
SSDEEP:	384:iy+Kr6aLPmIHJI6/CpG3t2G3t4odXLlWOhWrDBRJ2pll7PHI:iZKrZPmIHJI6Bq1PUo
MD5:	169E20A74258B182D2CDC76F1AE77FC5
SHA1:	FCE3F718E6DE505AC910CB7333A03A2C6544F654
SHA-256:	224F526871C961615DE17B5D7F7BBEF2F3A799055CAB2C8E3447B43C10C25372
SHA-512:	0881C8704421A5F6E51ABD22C55608DD7FB678491682CE86066E068B1973EBF11D6C2163BE610A49F87E800C8563EBB41ABFE36E1913D7D0B8485FD29ED81BF7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Y.nU...........!.....$...................@...............................P.......@....@.............................. ...........@...............,..`!..............8............................................................................text....".......$.................. ..`.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-private-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64352
Entropy (8bit):	5.548808567064281
Encrypted:	false
SSDEEP:	1536:KaYDe5c4bFAcvxXWpDid3334BkZnGPMwPn7+9:6De5c4bFAcvxXWpDid3334BkZnGPMwP2
MD5:	682BF6B9C07A64929A4484DB51D6C13D
SHA1:	07672CE8F08DB3B1D745B71E9DB3E4729C70793C
SHA-256:	BDD0CCA431EE362BED4F2C1ECCAFB22AA8DD51D57014BE8297789175E5C11F2E
SHA-512:	E4AE0FC24114A58BAEDE8443CB9275811C12A321AC898CDA89EFBD07474B8E60A564C55BBD82E37F521BF46B05FC1CA876F9B33F6D4BBBAED9FE0F03C937FCE1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...X.nU...........!................................................................a.....@.............................................................`!..............8............................................................................text............................... ..`.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-process-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12640
Entropy (8bit):	6.589445465477159
Encrypted:	false
SSDEEP:	192:nRQqjd7xWOhW8T71ojDBQABJkoHqnajLQvTP+8jIrrNX:nKAWOhWRDBRJkMlvQyUIrrV
MD5:	3838DD55B0237AF0FBAC474ABB6614CC
SHA1:	0C47256F4A29BC3FA889B5FBE0B1F2D712ACF4ED
SHA-256:	51862322AE3354F254045545B4FF64B7445BC99107B4526C3430DE9CE5C60D88
SHA-512:	CCA018899156601146C5C6AA747603A62D70E3DBBBBDE377B06A78F3D0F2D83F11D7F3DB71D239F4AD8CE2E38B92C93175D2AF5AF56905F87A755B8DD59B7836
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Y.nU...........!......................... ...............................0............@.............................x............ ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-runtime-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16224
Entropy (8bit):	6.474363534458307
Encrypted:	false
SSDEEP:	192:90CjfhrpIhhf4AN5/jivWOhWXT71ojDBQABJBkQgqnajxcRGlPHei8:9b7hrKMWOhWkDBRJBEll7PHQ
MD5:	49363F3CF4671BAA6BE1ABD03033542F
SHA1:	E58902A82DF86ADF16F44EBDC558B92AD214A979
SHA-256:	505D2BDE0D4D7CD3900A9C795CB84AB9C05208D6E5132749AB7C554CCD3C0FCC
SHA-512:	98E78A607CFBB777237DC812F468EC7A1ABCBA9472E20A5780DFC526F7992DA1841FCD9E2F76F20FA161240007F185C7FBDC120FB4C3C1F2B90FDAD5913D65DD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Y.nU...........!.........................0...............................@......h.....@..........................................0..................`!..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-stdio-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17760
Entropy (8bit):	6.391701840073475
Encrypted:	false
SSDEEP:	192:5FbNpuWYFxEpahvWOhWQT71ojDBQABJ/EXqnajL1dHx3tKCJAfg7:LUFVhvWOhWVDBRJclXBtpOfm
MD5:	BE16965ACC8B0CE3A8A7C42D09329577
SHA1:	6AC0F1E759781C7E5342B20F2A200A6AAB66535E
SHA-256:	FCD55331CC1F0FF4FB44C9590A9FB8F891B161147A6947CE48B88BF708786C21
SHA-512:	7BA55FA204D43C15ACA02031F584B3396BB175365DAD88E4047B8A991F1F1DDD88D769E4D8CB93EE0ED45E060A1156E953DF794F9CB8BB687C84C4A088DA2EDF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Y.nU...........!.........................0...............................@......1.....@.............................a............0...............$..`!..............8............................................................................text...q........................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-string-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17760
Entropy (8bit):	6.3772354907724695
Encrypted:	false
SSDEEP:	384:2iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGl7WOhW0DBRJglI66YeOtOk:26S5yguNvZ5VQgx3SbwA71IkFid1P56x
MD5:	3EAE6D370F2623B37EC39C521D1F1461
SHA1:	86D43E2E69B2066333E4AFA28A27C7A74FF89991
SHA-256:	CE74BDC6999D084A1B44B2ECEA42DD28849B2825D7779EFFDC4C18360308B79B
SHA-512:	30B2B6CF5CD1BBDF68DE048E6D992133FE7AB0C847FA0D5EB8C681A9688D60794621A40178451A104036A0FFF2E1BD66A18D9F96BE6B28DBDC0BC1C8A535FC85
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...].nU...........!.........................0...............................@.......4....@..........................................0...............$..`!..............8............................................................................text............................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-time-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14176
Entropy (8bit):	6.536472462531097
Encrypted:	false
SSDEEP:	192:uamDOWOhWKT71ojDBQABJUBXqnajL1dHx3tKCJAH:l/WOhWLDBRJUtlXBtpOH
MD5:	A440776E10098F3A8EF1C5EACA72958E
SHA1:	7B8662714F6E44FB29A4224A038E4127964003E9
SHA-256:	40D8BC312AC7BCA072703E5F0852228CDE418F89BA9AD69551AA7A80A2B30316
SHA-512:	B043CD020D184A239510B2607C94210DC5FDC5D2A2B9285836BDCE8934CC86A1CC3F47A2F520B15DB84F755AC2E7C67E0247099648D292BBD5FB76F683D928DF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Z.nU...........!......................... ...............................0.......x....@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\api-ms-win-crt-utility-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12128
Entropy (8bit):	6.670008463006746
Encrypted:	false
SSDEEP:	192:jfHQduLWOhWnT71ojDBQABJcGqnajMHxxBNT06YeOh0:jf9WOhW0DBRJcGlI66YeOi
MD5:	A0A883E26BE6800508162E2A898148D9
SHA1:	4F79892E7766CB7831211864978575598C86A11B
SHA-256:	9753AE83536767C73E340C36C5F1610BC76A3E67E033B07503EC31431CBA7B90
SHA-512:	70904F2FD074073AEBCF665178B34CF7F0F42CED7223CA296F7F202F6FA0175ACE2832D9802F5BFF4D67891CA09AE14FAC47420D69107E72AA44B541A190F6C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Z.nU...........!......................... ...............................0............@.............................^............ ..................`!..............8............................................................................text...n........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\concrt140.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	243520
Entropy (8bit):	6.704974906243745
Encrypted:	false
SSDEEP:	6144:YVtg4bkcTc3uYSw5ejegvGw9xEPOL8an39bkH1r12z/WK3b+B:YI4xL+wsQ8anK1AzrG
MD5:	ABDEF5F24D965BEB17ACC7948B4BEBFD
SHA1:	D671E6FE9FB1B9A675F3EA50A15D5318E7AF0978
SHA-256:	4E822F847073F81C781BE433EFF6C68DB616EFAD49CEE50A5E19997FB46A9DA0
SHA-512:	FDE514A3BDA56FFCFEAAAA7DDF6A4C89130D5F52936C82E9D8C5D771CBC228E387D0845300BE98D7F40D4CA3B06C8A783411DDC0C1E258E10745A50D0FE1115E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<...].,.].,.].,B.I,.].,.%.,.].,.].,.].,z..-.].,z..-.].,z..-.].,z..-.].,z..-.].,z..-.].,z.},.].,z..-.].,Rich.].,................PE..L.....U.........."!.........p......0........ ............................................@A.............................K..0R.......p...............x..@?.......)...'..8...........................((..@............P..,............................text...L........................... ..`.data........ ...,..................@....idata..`....P.......8..............@..@.rsrc........p.......J..............@..@.reloc...).......*...N..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-0HRVC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64352
Entropy (8bit):	5.548808567064281
Encrypted:	false
SSDEEP:	1536:KaYDe5c4bFAcvxXWpDid3334BkZnGPMwPn7+9:6De5c4bFAcvxXWpDid3334BkZnGPMwP2
MD5:	682BF6B9C07A64929A4484DB51D6C13D
SHA1:	07672CE8F08DB3B1D745B71E9DB3E4729C70793C
SHA-256:	BDD0CCA431EE362BED4F2C1ECCAFB22AA8DD51D57014BE8297789175E5C11F2E
SHA-512:	E4AE0FC24114A58BAEDE8443CB9275811C12A321AC898CDA89EFBD07474B8E60A564C55BBD82E37F521BF46B05FC1CA876F9B33F6D4BBBAED9FE0F03C937FCE1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...X.nU...........!................................................................a.....@.............................................................`!..............8............................................................................text............................... ..`.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-1FT6T.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16224
Entropy (8bit):	6.474363534458307
Encrypted:	false
SSDEEP:	192:90CjfhrpIhhf4AN5/jivWOhWXT71ojDBQABJBkQgqnajxcRGlPHei8:9b7hrKMWOhWkDBRJBEll7PHQ
MD5:	49363F3CF4671BAA6BE1ABD03033542F
SHA1:	E58902A82DF86ADF16F44EBDC558B92AD214A979
SHA-256:	505D2BDE0D4D7CD3900A9C795CB84AB9C05208D6E5132749AB7C554CCD3C0FCC
SHA-512:	98E78A607CFBB777237DC812F468EC7A1ABCBA9472E20A5780DFC526F7992DA1841FCD9E2F76F20FA161240007F185C7FBDC120FB4C3C1F2B90FDAD5913D65DD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Y.nU...........!.........................0...............................@......h.....@..........................................0..................`!..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-54081.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	85328
Entropy (8bit):	6.8770791315221285
Encrypted:	false
SSDEEP:	1536:BTXU4YQD+JZoxeu8zIrBj3hGzHRb3izsQe1o8jsu0gD/TecbOjc8WsaBmiK:pXUlQDeexZTBozHRb3izsQe1o8E8ecbg
MD5:	B77EEAEAF5F8493189B89852F3A7A712
SHA1:	C40CF51C2EADB070A570B969B0525DC3FB684339
SHA-256:	B7C13F8519340257BA6AE3129AFCE961F137E394DDE3E4E41971B9F912355F5E
SHA-512:	A09A1B60C9605969A30F99D3F6215D4BF923759B4057BA0A5375559234F17D47555A84268E340FFC9AD07E03D11F40DD1F3FB5DA108D11EB7F7933B7D87F2DE3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^$Y..E7W.E7W.E7W..W.E7W.=.W.E7W.E6W3E7W..3V.E7W..4V.E7W..2V.E7W..?V.E7W..7V.E7W...W.E7W..5V.E7WRich.E7W........................PE..L.....U.........."!......... ...............................................P......r.....@A........................`................0..................P?...@....... ..8...........................X ..@............................................text...t........................... ..`.data...............................@....idata..............................@..@_RDATA....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-A7AUM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12128
Entropy (8bit):	6.670008463006746
Encrypted:	false
SSDEEP:	192:jfHQduLWOhWnT71ojDBQABJcGqnajMHxxBNT06YeOh0:jf9WOhW0DBRJcGlI66YeOi
MD5:	A0A883E26BE6800508162E2A898148D9
SHA1:	4F79892E7766CB7831211864978575598C86A11B
SHA-256:	9753AE83536767C73E340C36C5F1610BC76A3E67E033B07503EC31431CBA7B90
SHA-512:	70904F2FD074073AEBCF665178B34CF7F0F42CED7223CA296F7F202F6FA0175ACE2832D9802F5BFF4D67891CA09AE14FAC47420D69107E72AA44B541A190F6C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Z.nU...........!......................... ...............................0............@.............................^............ ..................`!..............8............................................................................text...n........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-CPF54.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13664
Entropy (8bit):	6.642134226840258
Encrypted:	false
SSDEEP:	192:b7q6nWlC0i5C5WOhWWT71ojDBQABJHTTKJqnajLQvTP+8jIrF7:/q6nWm5C5WOhWXDBRJHTGJlvQyUIrF7
MD5:	4EC243792D382305DB59DC78B72D0A1E
SHA1:	63B7285646C72EE640D34CDC200BFC5863DB3563
SHA-256:	56E0BDF91EDB21F5F5041F052723025C059A11360BB745F965A9903DE9C61756
SHA-512:	88F648D45927DB65FF8CEAD4BB1959B1297410BF3F5B3B2783A173D708649260A61470342694DE8B93E9C1657DE64DB43DB40EE71ACC661B03786C0921D68D4B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Y.nU...........!......................... ...............................0............@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-GPTJD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	439608
Entropy (8bit):	6.652249319015373
Encrypted:	false
SSDEEP:	12288:oAoA7hbarg71r4RzfxjJhUgiW6QR7t5s03Ooc8dHkC2esq0Ju:oAoAN3r0Bm03Ooc8dHkC2eT0Ju
MD5:	1D8C79F293CA86E8857149FB4EFE4452
SHA1:	7474E7A5CB9C79C4B99FDF9FB50EF3011BEF7E8F
SHA-256:	C09B126E7D4C1E6EFB3FFCDA2358252CE37383572C78E56CA97497A7F7C793E4
SHA-512:	83C4D842D4B07BA5CEC559B6CD1C22AB8201941A667E7B173C405D2FC8862F7E5D9703E14BD7A1BABD75165C30E1A2C95F9D1648F318340EA5E2B145D54919B1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.C.4...4...4..t.I..4...L...4..Lm...4...4...4..Lm...4..Lm...4..Lm...4..Lm...4..Lm...4..Lm}..4..Lm...4..Rich.4..........................PE..L.....U.........."!................ ........ ...........................................@A.........................A.......R..,....................v..8?.......:..0g..8............................)..@............P......P>..@....................text..."........................... ..`.data....'... ......................@....idata..2....P......................@..@.didat..4....p.......4..............@....rsrc................6..............@..@.reloc...:.......<...:..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-K2CVR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15712
Entropy (8bit):	6.425222272368789
Encrypted:	false
SSDEEP:	192:fpdkKBcyxWOhWWT71ojDBQABJMIqnajsl/cqtt:JuyxWOhWXDBRJXlPqD
MD5:	5C6FD1C6A5E69313A853A224E18A7FAC
SHA1:	10BAE352F09B214EDEF2DC6ADCB364C45FAFDBEC
SHA-256:	3AA0EB4C47AC94B911F1A440324D26EEE8DDF99557A718F0905BFEE3CF56255F
SHA-512:	08C2B1150F6BF505D10085A515BBFAB6C1E18663C6EF75EC988727E3D30210532D03BFBFBB048B1A843D4FAA5D1060F9079E018A9E892BCE03F899A5A85F6034
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...`.nU...........!.........................0...............................@............@..........................................0..................`!..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-L6OOR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12128
Entropy (8bit):	6.584062596989429
Encrypted:	false
SSDEEP:	192:kWOhWaT71ojDBQABJIvqnajxcRGlPH6WE5:kWOhWbDBRJIvll7PHC5
MD5:	6A3D5701446F6635FAFF87014A836EEE
SHA1:	7BBC9DB1C9CE70E9FC7B7348A2C96681E5D8265B
SHA-256:	16BA05A1FA928501FFAEE2E9DCE449D28E8FE538DF5EC6D8D1080B610B15D466
SHA-512:	839A1277B6DBB9F2D6E572E1B50B0AD08C93256A1367F36997DB07285AA7B251346499A643A985A22D9A7618635C11964E414073AA7E1BF60D36368829DE8FB3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Z.nU...........!......................... ...............................0.......&....@............................."............ ..................`!..............8............................................................................text...2........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-LM59E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17760
Entropy (8bit):	6.391701840073475
Encrypted:	false
SSDEEP:	192:5FbNpuWYFxEpahvWOhWQT71ojDBQABJ/EXqnajL1dHx3tKCJAfg7:LUFVhvWOhWVDBRJclXBtpOfm
MD5:	BE16965ACC8B0CE3A8A7C42D09329577
SHA1:	6AC0F1E759781C7E5342B20F2A200A6AAB66535E
SHA-256:	FCD55331CC1F0FF4FB44C9590A9FB8F891B161147A6947CE48B88BF708786C21
SHA-512:	7BA55FA204D43C15ACA02031F584B3396BB175365DAD88E4047B8A991F1F1DDD88D769E4D8CB93EE0ED45E060A1156E953DF794F9CB8BB687C84C4A088DA2EDF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Y.nU...........!.........................0...............................@......1.....@.............................a............0...............$..`!..............8............................................................................text...q........................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-LUMD1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22523904
Entropy (8bit):	6.6467611115613785
Encrypted:	false
SSDEEP:	393216:zCycW/gnN8XdA5xElNfJsv6tWKFdu9CdxG:4rqXWLEl0
MD5:	7BD00FC7725B2831DFD44F0CEE7FB653
SHA1:	10A3459869D2036C2A49D33087565D81E36B3755
SHA-256:	31E896AE04353EFB147BB1F9ECC4CA17D481E9BD0FBF3DB71E1DC33523196CAB
SHA-512:	A6ADE63C6E29B7C596009B72BF55B34B8E4F673555007959C0628A69C2F906B1185F2A3CD36F1E2BEF6726FA0DE8F0F0D871B1468406B5DDC9EDD0F968A1DE12
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......N6...W.O.W.O.W.O./iO.W.O..=O.W.O1..N.W.O1..N.W.O1..N.W.O1..N(W.O.4O.W.O.O.W.O.1O.W.O.W.O\|U.O...NEU.O...N.].O...N.W.O...O.W.O...N.W.ORich.W.O................PE..L...SI4X......................^...................@...............\|...........X....._\|X...@..........................@B..N..x.B.D.....H.......................H.P..........................L.........@............................................text............................... ..`.rdata....I.......I.................@..@.data.........B.......B.............@....unwanted.....H.......G.............@..@.gfids..<.....H.......G.............@..@.tls..........H.......G.............@..._RDATA..$.....H.......G.............@..@.rsrc.........H.......G.............@..@.reloc..P.....H.......G.............@..B........................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-P980F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	883712
Entropy (8bit):	6.824170675528273
Encrypted:	false
SSDEEP:	24576:0WmPrDND1ONC1r4pD84TfEXpS8sYsen/mKvTZuoy4YJp:DmPrBu1ygr
MD5:	8ED02A1A11CEC72B6A6A4989BF03CFCC
SHA1:	172908FF0F8D7E1C0CBF107F7075ED1DBA4B36C8
SHA-256:	4FD02F2699C49579319079B963425991198F59CB1589B8AFA8795B5D6A0E5DB3
SHA-512:	444FE62A5C324D38BDC055D298B5784C741F3CA8FAAEAED591BD6DCF94205DBF28C7D7F7D3825CCB99EFF04E3FFD831E3F98D9B314820841A0C0960AE6A5E416
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`.`.`....`.a...`.`..`..:..`..:..`..:....`..:....`..:....`..:..`..:..`.Rich..`.................PE..L...t.nU...........!................`k...............................................(....@A........................`...'............................<...@... ...V...u..8...........................8v..@............................................text............................... ..`.data...............................@....idata..d...........................@..@.rsrc...............................@..@.reloc...V... ...X..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-PES40.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14176
Entropy (8bit):	6.536472462531097
Encrypted:	false
SSDEEP:	192:uamDOWOhWKT71ojDBQABJUBXqnajL1dHx3tKCJAH:l/WOhWLDBRJUtlXBtpOH
MD5:	A440776E10098F3A8EF1C5EACA72958E
SHA1:	7B8662714F6E44FB29A4224A038E4127964003E9
SHA-256:	40D8BC312AC7BCA072703E5F0852228CDE418F89BA9AD69551AA7A80A2B30316
SHA-512:	B043CD020D184A239510B2607C94210DC5FDC5D2A2B9285836BDCE8934CC86A1CC3F47A2F520B15DB84F755AC2E7C67E0247099648D292BBD5FB76F683D928DF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Z.nU...........!......................... ...............................0.......x....@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-PKGE8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12640
Entropy (8bit):	6.589445465477159
Encrypted:	false
SSDEEP:	192:nRQqjd7xWOhW8T71ojDBQABJkoHqnajLQvTP+8jIrrNX:nKAWOhWRDBRJkMlvQyUIrrV
MD5:	3838DD55B0237AF0FBAC474ABB6614CC
SHA1:	0C47256F4A29BC3FA889B5FBE0B1F2D712ACF4ED
SHA-256:	51862322AE3354F254045545B4FF64B7445BC99107B4526C3430DE9CE5C60D88
SHA-512:	CCA018899156601146C5C6AA747603A62D70E3DBBBBDE377B06A78F3D0F2D83F11D7F3DB71D239F4AD8CE2E38B92C93175D2AF5AF56905F87A755B8DD59B7836
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Y.nU...........!......................... ...............................0............@.............................x............ ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-POSU8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19808
Entropy (8bit):	6.18946421950789
Encrypted:	false
SSDEEP:	384:iy+Kr6aLPmIHJI6/CpG3t2G3t4odXLlWOhWrDBRJ2pll7PHI:iZKrZPmIHJI6Bq1PUo
MD5:	169E20A74258B182D2CDC76F1AE77FC5
SHA1:	FCE3F718E6DE505AC910CB7333A03A2C6544F654
SHA-256:	224F526871C961615DE17B5D7F7BBEF2F3A799055CAB2C8E3447B43C10C25372
SHA-512:	0881C8704421A5F6E51ABD22C55608DD7FB678491682CE86066E068B1973EBF11D6C2163BE610A49F87E800C8563EBB41ABFE36E1913D7D0B8485FD29ED81BF7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Y.nU...........!.....$...................@...............................P.......@....@.............................. ...........@...............,..`!..............8............................................................................text....".......$.................. ..`.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-QGQOS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12640
Entropy (8bit):	6.6268710535758455
Encrypted:	false
SSDEEP:	192:pj8PWOhWST71ojDBQABJphUzyqnaj9RlSIFK:pjAWOhWDDBRJpYylBRAIFK
MD5:	4296CF3A7180E10AAF6147F4AECD24E4
SHA1:	F81E09AF979A1146774D554783D1A22A03A61393
SHA-256:	147F86FF93D61FEA256B3DE9149E1B36B68A83762E62A3389466218E18359FFC
SHA-512:	60357EDDE6572C5E796F927C3E72C31A96FF700624B7366FDDA64BCF51EE00BF1E9AB477A46D8D3BA7391BA10491E69F745EFEC3607F8F49B6E1A3A3DE7A0648
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...X.nU...........!......................... ...............................0......jG....@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-QOJIS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22368
Entropy (8bit):	6.188429412305562
Encrypted:	false
SSDEEP:	384:n47isbM4Oe5grykfIgTmLOWOhWB9DBRJelXBtpObE:41Mq5grxfIn+c91PkKE
MD5:	AB87BDAE2F62E32A533F89CD362D081C
SHA1:	40311859DD042A7E392877364568AAD892792BA9
SHA-256:	0439703E47C8FCE1F367F9E36248A738DB6ABCD9F2DD199CB190D5E59ED46978
SHA-512:	DBE0073DA8979F3D32204680015B60435226840E732B5DF964DBEEB7920C0BC5DF92D866964F905518C97CC3539F628664503FFA64E50A2EF90C459B62555444
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...X.nU...........!.........................@...............................P............@..............................+...........@...............6..`!..............8............................................................................text....,.......................... ..`.rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-QUGEQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12640
Entropy (8bit):	6.564400972555511
Encrypted:	false
SSDEEP:	192:8Y17aFBRkWOhWXLT71ojDBQABJz5qqnajxcRGlPHisg:9RWOhWXYDBRJ9qll7PHip
MD5:	A51CFB8CF618571215EEBA7095733B25
SHA1:	DB4215890757C7C105A8001B41AE19CE1A5D3558
SHA-256:	6501894E68A3871962731282A2E70614023EC3F63F600F933EC1785400716CE1
SHA-512:	9AE11AB21486DEA1ABA607A4262F62678C5B0E9F62B6A63C76CFDC7698D872D8696FFB1AAAE7AA2E2CF02C1C7EAA53D0CE503432960F4BE6886FAE0DE2659535
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Z.nU...........!......................... ...............................0......u?....@.......................................... ..................`!..............8............................................................................text...&........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-SHLSE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12128
Entropy (8bit):	6.677315318089621
Encrypted:	false
SSDEEP:	192:iWOhW6UT71ojDBQABJmRqnajsl/cqt0AEV1:iWOhWQDBRJmRlPqubV1
MD5:	8D097AA5BEC8BDB5DF8F39E0DB30397C
SHA1:	56F6DA8703F8CDD4A8E4A170D1A6C0D3F2035158
SHA-256:	42C235914844CE5D1BB64002FCA34A776AE25EE658FC2B7B9DA3291E5DEF7D4D
SHA-512:	A891536E2A362FC73472FA7F5266CE29E8036959701BC0862F2B7EA5865DCD1505615EDC8E064FB2F7AAA1B129E48422EFE7B933B01FAED9C2AFADD8A64452DC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...Z.nU...........!......................... ...............................0......h.....@.............................e............ ..................`!..............8............................................................................text...u........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-UMUQA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17760
Entropy (8bit):	6.3772354907724695
Encrypted:	false
SSDEEP:	384:2iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGl7WOhW0DBRJglI66YeOtOk:26S5yguNvZ5VQgx3SbwA71IkFid1P56x
MD5:	3EAE6D370F2623B37EC39C521D1F1461
SHA1:	86D43E2E69B2066333E4AFA28A27C7A74FF89991
SHA-256:	CE74BDC6999D084A1B44B2ECEA42DD28849B2825D7779EFFDC4C18360308B79B
SHA-512:	30B2B6CF5CD1BBDF68DE048E6D992133FE7AB0C847FA0D5EB8C681A9688D60794621A40178451A104036A0FFF2E1BD66A18D9F96BE6B28DBDC0BC1C8A535FC85
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...].nU...........!.........................0...............................@.......4....@..........................................0...............$..`!..............8............................................................................text............................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\is-VOANE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	243520
Entropy (8bit):	6.704974906243745
Encrypted:	false
SSDEEP:	6144:YVtg4bkcTc3uYSw5ejegvGw9xEPOL8an39bkH1r12z/WK3b+B:YI4xL+wsQ8anK1AzrG
MD5:	ABDEF5F24D965BEB17ACC7948B4BEBFD
SHA1:	D671E6FE9FB1B9A675F3EA50A15D5318E7AF0978
SHA-256:	4E822F847073F81C781BE433EFF6C68DB616EFAD49CEE50A5E19997FB46A9DA0
SHA-512:	FDE514A3BDA56FFCFEAAAA7DDF6A4C89130D5F52936C82E9D8C5D771CBC228E387D0845300BE98D7F40D4CA3B06C8A783411DDC0C1E258E10745A50D0FE1115E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<...].,.].,.].,B.I,.].,.%.,.].,.].,.].,z..-.].,z..-.].,z..-.].,z..-.].,z..-.].,z..-.].,z.},.].,z..-.].,Rich.].,................PE..L.....U.........."!.........p......0........ ............................................@A.............................K..0R.......p...............x..@?.......)...'..8...........................((..@............P..,............................text...L........................... ..`.data........ ...,..................@....idata..`....P.......8..............@..@.rsrc........p.......J..............@..@.reloc...).......*...N..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\msvcp140.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	439608
Entropy (8bit):	6.652249319015373
Encrypted:	false
SSDEEP:	12288:oAoA7hbarg71r4RzfxjJhUgiW6QR7t5s03Ooc8dHkC2esq0Ju:oAoAN3r0Bm03Ooc8dHkC2eT0Ju
MD5:	1D8C79F293CA86E8857149FB4EFE4452
SHA1:	7474E7A5CB9C79C4B99FDF9FB50EF3011BEF7E8F
SHA-256:	C09B126E7D4C1E6EFB3FFCDA2358252CE37383572C78E56CA97497A7F7C793E4
SHA-512:	83C4D842D4B07BA5CEC559B6CD1C22AB8201941A667E7B173C405D2FC8862F7E5D9703E14BD7A1BABD75165C30E1A2C95F9D1648F318340EA5E2B145D54919B1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.C.4...4...4..t.I..4...L...4..Lm...4...4...4..Lm...4..Lm...4..Lm...4..Lm...4..Lm...4..Lm}..4..Lm...4..Rich.4..........................PE..L.....U.........."!................ ........ ...........................................@A.........................A.......R..,....................v..8?.......:..0g..8............................)..@............P......P>..@....................text..."........................... ..`.data....'... ......................@....idata..2....P......................@..@.didat..4....p.......4..............@....rsrc................6..............@..@.reloc...:.......<...:..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\ucrtbase.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	883712
Entropy (8bit):	6.824170675528273
Encrypted:	false
SSDEEP:	24576:0WmPrDND1ONC1r4pD84TfEXpS8sYsen/mKvTZuoy4YJp:DmPrBu1ygr
MD5:	8ED02A1A11CEC72B6A6A4989BF03CFCC
SHA1:	172908FF0F8D7E1C0CBF107F7075ED1DBA4B36C8
SHA-256:	4FD02F2699C49579319079B963425991198F59CB1589B8AFA8795B5D6A0E5DB3
SHA-512:	444FE62A5C324D38BDC055D298B5784C741F3CA8FAAEAED591BD6DCF94205DBF28C7D7F7D3825CCB99EFF04E3FFD831E3F98D9B314820841A0C0960AE6A5E416
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`.`.`....`.a...`.`..`..:..`..:..`..:....`..:....`..:....`..:..`..:..`.Rich..`.................PE..L...t.nU...........!................`k...............................................(....@A........................`...'............................<...@... ...V...u..8...........................8v..@............................................text............................... ..`.data...............................@....idata..d...........................@..@.rsrc...............................@..@.reloc...V... ...X..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\vcruntime140.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	85328
Entropy (8bit):	6.8770791315221285
Encrypted:	false
SSDEEP:	1536:BTXU4YQD+JZoxeu8zIrBj3hGzHRb3izsQe1o8jsu0gD/TecbOjc8WsaBmiK:pXUlQDeexZTBozHRb3izsQe1o8E8ecbg
MD5:	B77EEAEAF5F8493189B89852F3A7A712
SHA1:	C40CF51C2EADB070A570B969B0525DC3FB684339
SHA-256:	B7C13F8519340257BA6AE3129AFCE961F137E394DDE3E4E41971B9F912355F5E
SHA-512:	A09A1B60C9605969A30F99D3F6215D4BF923759B4057BA0A5375559234F17D47555A84268E340FFC9AD07E03D11F40DD1F3FB5DA108D11EB7F7933B7D87F2DE3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^$Y..E7W.E7W.E7W..W.E7W.=.W.E7W.E6W3E7W..3V.E7W..4V.E7W..2V.E7W..?V.E7W..7V.E7W...W.E7W..5V.E7WRich.E7W........................PE..L.....U.........."!......... ...............................................P......r.....@A........................`................0..................P?...@....... ..8...........................X ..@............................................text...t........................... ..`.data...............................@....idata..............................@..@_RDATA....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\wkhtmltopdf\wkhtmltopdf.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22523904
Entropy (8bit):	6.6467611115613785
Encrypted:	false
SSDEEP:	393216:zCycW/gnN8XdA5xElNfJsv6tWKFdu9CdxG:4rqXWLEl0
MD5:	7BD00FC7725B2831DFD44F0CEE7FB653
SHA1:	10A3459869D2036C2A49D33087565D81E36B3755
SHA-256:	31E896AE04353EFB147BB1F9ECC4CA17D481E9BD0FBF3DB71E1DC33523196CAB
SHA-512:	A6ADE63C6E29B7C596009B72BF55B34B8E4F673555007959C0628A69C2F906B1185F2A3CD36F1E2BEF6726FA0DE8F0F0D871B1468406B5DDC9EDD0F968A1DE12
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......N6...W.O.W.O.W.O./iO.W.O..=O.W.O1..N.W.O1..N.W.O1..N.W.O1..N(W.O.4O.W.O.O.W.O.1O.W.O.W.O\|U.O...NEU.O...N.].O...N.W.O...O.W.O...N.W.ORich.W.O................PE..L...SI4X......................^...................@...............\|...........X....._\|X...@..........................@B..N..x.B.D.....H.......................H.P..........................L.........@............................................text............................... ..`.rdata....I.......I.................@..@.data.........B.......B.............@....unwanted.....H.......G.............@..@.gfids..<.....H.......G.............@..@.tls..........H.......G.............@..._RDATA..$.....H.......G.............@..@.rsrc.........H.......G.............@..@.reloc..P.....H.......G.............@..B........................................................................................................

C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	799568
Entropy (8bit):	6.395959540562793
Encrypted:	false
SSDEEP:	12288:Gsqbw+mQAhpsnL8vwCjdLkW0wxxymyYbPvvzEFtqc3KRGwZH:hhQqgLawAdLbfx1hvvgFwHGwZH
MD5:	1FC6060E2B7DA45E4E9FB7F3E75ADC0A
SHA1:	4CB47EB40457945D2E8F56471192A387C2DD0369
SHA-256:	92DA58F32E8468C86B830D88914E872558E8A6BC6D430F8CD1CF4236C8A32D51
SHA-512:	52E9DF7496AD5B2C7566E2A54FAEFBCA7F45EE8C0A88F12B95602AF78C7F8E4FB45BE52E83C600DE84D41356B1E14240807769AB6AB7B88C644FB2ABED569A5B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........../..m\|..m\|..m\|..\|..m\|}..\|..m\|.n.\|..m\|.n.\|..m\|.n.\|..m\|..\|..m\|..l\|n.m\|.n.\|..m\|.n.\|..m\|.n.\|..m\|.n.\|..m\|Rich..m\|........................PE..L...U*_M.........."!.....t..........+........................................`.......Z....@.................................z..(.......................P..............................................@...................Dx.......................text....s.......t.................. ..`.data....K.......&...x..............@....rsrc...............................@..@.reloc..............^..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitRecover EML to PDF Wizard\BitRecover EML to PDF Wizard.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Apr 26 14:01:58 2024, mtime=Fri Apr 26 14:01:58 2024, atime=Fri Feb 16 11:30:44 2024, length=198984, window=hide
Category:	dropped
Size (bytes):	1340
Entropy (8bit):	4.613112440961103
Encrypted:	false
SSDEEP:	24:8mIC2/IEHdOEKlKyWsFDV6UAT753QdoyWsHVodoyWssUU6wb/qygm:8mIZ/bHdOhB7ATqdt1adtLD9yg
MD5:	F47B670B18FCD58B586C8CD955A020C5
SHA1:	061DAC70818D739A90DD74E61A573BCFD34A2B53
SHA-256:	F6A9F12B7713D2935ACD559C5C28D8C2D98EE25645FAD746EA380BC98B0C4E0C
SHA-512:	65203B47923D03BB3872C75798AFB37FED56ED6E9109123F389F025BD1409280AA70D8A13D2F7135326C1849B98AC40B50420E34E909E1CBDB94245F6D1F4932
Malicious:	false
Preview:	L..................F.... ...h.V....h.V.....2...`..H............................P.O. .:i.....+00.../C:\.....................1......X6x..PROGRA~2.........O.I.XDx....................V......`}.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1......X6x..BITREC~1..F......X6x.XDx...........................`}.B.i.t.R.e.c.o.v.e.r.....l.1......XCx..EMLTOP~1..T......X6x.XDx.........................p...E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.....r.2.H...PX.c .EMLTOP~1.EXE..V......X@x.X@x....'.........................E.M.L.T.O.P.D.F.W.i.z.a.r.d...e.x.e.......u...............-.......t...........uX.P.....C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe..U.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.i.t.R.e.c.o.v.e.r.\.E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.\.E.M.L.T.O.P.D.F.W.i.z.a.r.d...e.x.e.3.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.i.t.R.e.c.o.v.e.r.\.E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.........*.....

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitRecover EML to PDF Wizard\Uninstall BitRecover EML to PDF Wizard.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Apr 26 14:01:43 2024, mtime=Fri Apr 26 14:01:43 2024, atime=Fri Apr 26 14:00:26 2024, length=2560328, window=hide
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	4.659611889571528
Encrypted:	false
SSDEEP:	24:8mLobEbdOEKC/jEyWszKyAF753mwdoyWsimdoyWssUU6wbDqygm:8mLlbdOhC/tFSFXdtYmdtLDxyg
MD5:	890F1FBC48F8EC240C366599C7A4A612
SHA1:	E0B4D26A889E1F1A873E5C6FB6E4B28C411D0B80
SHA-256:	CE02E113B8A74B1B004B8C41408176CE4142E185DD734E4B28C248073C2CCE8B
SHA-512:	FBB386C7C1EE532525F339EC43BF3BC6704611E2A4A90007EDB23EB3C075B3F8381CC392CCE990041C30E367F3EA90F33FAEAF21B8DAE57BAF7C42391837FDA1
Malicious:	false
Preview:	L..................F.... ...H.v......x.....V.x...H.'..........................P.O. .:i.....+00.../C:\.....................1......X.x..PROGRA~2.........O.I.X.x....................V.....G...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1......X6x..BITREC~1..F......X6x.X6x...........................`}.B.i.t.R.e.c.o.v.e.r.....l.1......XCx..EMLTOP~1..T......X6x.XCx.............................E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.....f.2.H.'..X.x .unins000.exe..J......X6x.X6x....>.....................H...u.n.i.n.s.0.0.0...e.x.e.......o...............-.......n...........uX.P.....C:\Program Files (x86)\BitRecover\EML to PDF Wizard\unins000.exe..O.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.i.t.R.e.c.o.v.e.r.\.E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.\.u.n.i.n.s.0.0.0...e.x.e.3.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.i.t.R.e.c.o.v.e.r.\.E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.........*................@Z\|...K.J.........

C:\Users\user\AppData\Local\Temp\HFI921F.tmp.html

Download File

Process:	C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe
File Type:	HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	16118
Entropy (8bit):	3.6434775915277604
Encrypted:	false
SSDEEP:	192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
MD5:	CD131D41791A543CC6F6ED1EA5BD257C
SHA1:	F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256:	E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512:	A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious:	false
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\Users\user\AppData\Local\Temp\HFIA0D7.tmp.html

Download File

Process:	C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	7338
Entropy (8bit):	3.6513445444032033
Encrypted:	false
SSDEEP:	48:35QfWK03KGJ857K45l+5UJcPq5wA845QX+5B8TK03KGEvR85ImbZfWfiH5xPlk83:cKM6vxTgKmiCgmiVminuuaql0zFw
MD5:	949BF2DB38B028F0B675B2E6AD43605C
SHA1:	865A4F9834932D3FAE5AC7E16F4D8048A8A2EC0A
SHA-256:	631D5245D701E739921B6988395072C4F0AA6F331C266C792F8E37DDAD12C7BC
SHA-512:	CC3DBF18E777B0AF003FA00FF980E196F56FDF81A4AC3FE5A5575DF638B339D6EB7E95298AA5824DF9674F89051FAD25C11B0A1B92DCBF57A16207E82101C490
Malicious:	false
Preview:	....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.4./.2.6./.2.0.2.4.,. .1.7.:.1.:.3.0.].<./.s.p.a.n.>.c.a.l.l.i.n.g. .P.e.r.f.o.r.m.A.c.t.i.o.n. .o.n. .a.n. .i.n.s.t.a.l.l.i.n.g. .p.e.r.f.o.r.m.e.r.<.B.R.>.<./.s.p.a.n.>.....<.s.p.a.n. .c.l.a.s.s.=.".a.c.t.".>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.H.d.r.".>.<.a. .h.r.e.f.=.".#.". .o.n.c.l.i.c.k.=.".t.o.g.g.l.e.S.e.c.t.i.o.n.(.).;. .e.v.e.n.t...r.e.t.u.r.n.V.a.l.u.e.=.f.a.l.s.e.;.".>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.4./.2.6./.2.0.2.4.,. .1.7.:.1.:.3.0.]. .<./.s.p.a.n.>.A.c.t.i.o.n.:. .P.e.r.f.o.r.m.i.n.g. .a.c.t.i.o.n.s. .o.n. .a.l.l. .I.t.e.m.s.<./.s.p.a.n.>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.2.".>.......<.B.R.>.<./.s.p.a.n.>.<./.a.>.<./.d.i.v.>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.".>.....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.4./.2.6./.2.0.2.4.,. .1.7.:.1.:.3.0.].<./.s.p.a.n.>.W.a.i.t. .f.o.r. .I.t.e.m. .(.v.c._.r.e.d.

C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20240426_170127348-MSI_vc_red.msi.txt

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (306), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	415508
Entropy (8bit):	3.8298888384340533
Encrypted:	false
SSDEEP:	3072:04eCpa2P/CJrNOJHbaav8dJ6nfBSvfwm3JtJNsQ8UGzWLDbdcJ6lMuCV/OSGN6Gj:48jZRRo
MD5:	8908C7DCA97A057E4873B92E679EE380
SHA1:	897353E67BDE1645E9EC5EA9653F0B263FF43D6F
SHA-256:	19C3106ADB6BD50D5678E404D5832A7362881FCCA7CE4B188B68249A5AF0C195
SHA-512:	E93885D4CD2490E2040C3EF7A40C1FE38239CC2F374FF2F027CC2331FECF76EE41A4A3BDFE7837FB3625F606FEA51CA1E96978296115A646B799C9840F462389
Malicious:	false
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .2.6./.0.4./.2.0.2.4. . .1.7.:.0.1.:.3.1. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .c.:.\.a.d.f.3.c.2.0.5.d.9.b.1.9.c.4.8.c.6.c.1.d.4.8.1.d.9.d.6.\.S.e.t.u.p...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.F.C.:.1.0.). .[.1.7.:.0.1.:.3.1.:.0.9.8.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.F.C.:.1.0.). .[.1.7.:.0.1.:.3.1.:.0.9.8.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.F.C.:.1.0.). .[.1.7.:.0.1.:.3.1.:.0.9.8.].:. ........ .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . ........ .P.r.o.d.u.c.t.:. .c.:.\.a.d.f.3.c.2.0.5.d.9.b.1.9.c.4.8.c.6.c.1.d.4.8.1.d.9.d.6.\.v.c._.r.e.d...m.s.i..... . . . . . . . . . . ........ .A.c.t.i.o.n.:. ..... . . . . . . . . . . ........ .C.o.m.m.a.n.d.L.i.n.e.:. ...............M.S.I. .(.c.). .(.F.C.:.1.0.). .

C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20240426_170127348.html

Download File

Process:	C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe
File Type:	HTML document, Unicode text, UTF-16, little-endian text, with very long lines (356), with CRLF line terminators
Category:	dropped
Size (bytes):	87434
Entropy (8bit):	3.6906238967354383
Encrypted:	false
SSDEEP:	384:fdsOT01KcBUFJFEWUxFzvHZ7/ECCNXDxQEorx6VFtiNqt:fdsOTLyUFJFEWUxFzv5UNQzF6VaNqt
MD5:	4F9CB44A997B04BC12E93C110527CE55
SHA1:	2830AE989EEFB7FDC20886D821DEFE971597D77D
SHA-256:	BB4EDEEC0D4EC0D13E65FED7BEC420E68DBC9365D70BD7C63ACAC9613DB84124
SHA-512:	C1FA147A4047905AF60355F304EE20C2AFB72149B2EE875B61A6922B033F5577FF7087515F534642EED5E5DDBD38D9968C39A0F566063E8BFE59100851C38BC9
Malicious:	false
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\Users\user\AppData\Local\Temp\Setup_20240426_170125848.html

Download File

Process:	C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe
File Type:	HTML document, Unicode text, UTF-16, little-endian text, with very long lines (322), with CRLF line terminators
Category:	modified
Size (bytes):	29894
Entropy (8bit):	3.714479572036429
Encrypted:	false
SSDEEP:	192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjlh62/ECCNXP:fdsOT01KcBUFJFEWUxFzvHZ7/ECCNXP
MD5:	37D668A22BD42CED765AF67C21CA284E
SHA1:	7A982B525DC36BE66DE8C987849B32557529F51E
SHA-256:	03625B3D2D60B5E77B96833B840AF40E669DC15C427B264899FA22D7CADDEF5D
SHA-512:	11A873E12F9DFED8D2A28A8AB29A2B3D28AAD04F3A9677CC487CC95C79731FA09F5E89F042637D920010F70E5EF9B6450F42B1637DFB3E6634FA950D80B655E3
Malicious:	false
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\isxdl.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	124416
Entropy (8bit):	6.209017847933318
Encrypted:	false
SSDEEP:	1536:dohlISko4eZHOMazWpdYoEWSekaDnXUq5o5dInL:dkIM4ehDaqEpMXUq5o5dIL
MD5:	48AD1A1C893CE7BF456277A0A085ED01
SHA1:	803997EF17EEDF50969115C529A2BF8DE585DC91
SHA-256:	B0CC4697B2FD1B4163FDDCA2050FC62A9E7D221864F1BD11E739144C90B685B3
SHA-512:	7C9E7FE9F00C62CCCB5921CB55BA0DD96A0077AD52962473C1E79CDA1FD9AA101129637043955703121443E1F8B6B2860CD4DFDB71052B20A322E05DEED101A4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................;......;..........u...............................Rich....................PE..L....>.I...........!.....F...................`............................... .......)......................................\|...d........-...........................b..................................@............`..4............................text....D.......F.................. ..`.rdata...<...`...>...J..............@..@.data...............................@....rsrc....-..........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8993744
Entropy (8bit):	7.999456677820366
Encrypted:	true
SSDEEP:	196608:u9A3DAnfudQZKuNK0kMp2Wxw2tr3aA5Jegn9kaK6Hj0aaNz9ZBJ70:d3DAnGKZKuNK0SvAn9kaK6gaaNRZb0
MD5:	F45ADE105F9C4FE754976C820230A9E5
SHA1:	2222FC008E469FEC77D0D291877F357C6E1EB16D
SHA-256:	99DCE3C841CC6028560830F7866C9CE2928C98CF3256892EF8E6CF755147B0D8
SHA-512:	243564043B0B5607F7A36BB5E64E434C5AD1A927706792DAC6F56A2DBE790856A1F4E40B823FBF241D1A2A919E1BE5BC8D7710AD99D154343DA5AE2D4C87208B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ..............................R........... .......................................................#.......... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp

Download File

Process:	C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560328
Entropy (8bit):	6.3963613485801
Encrypted:	false
SSDEEP:	49152:QdrGT9oY0SAQ4+YI1Qb1oWGxblxZa0o85762:QFGTv1QtGxHZab4
MD5:	9DC81EA31610361FCFE670EA7EE92C56
SHA1:	7AFC1BC2F581B532A4B5FC0F04344493B93A9CFF
SHA-256:	9FA575F386A5EEF3F4999212D8C001994964480D84525F0E2854BB35144626EF
SHA-512:	95E12A3E2285A9E6C0A7A49FA6321220A02897B2DF66E5A5B809144BDC16D83976FC02A2633AC739CD8F3DD4FCE0940B74EB45A842CC9EFF8675E0CB7490EB6A
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...4..\..................$..*........$.......$...@...........................'.....Z)'...@......@....................&.......%..5...@&.`.............&.H'...................................0&.....................D.%.@.....&......................text...(.$.......$................. ..`.itext...&....$..(....$............. ..`.data...4Z....$..\....$.............@....bss.....q...@%..........................idata...5....%..6....%.............@....didata.......&......R%.............@....edata........&......\%.............@..@.tls....D.... &..........................rdata..]....0&......^%.............@..@.rsrc...`....@&......`%.............@..@..............'.......&.............@..@........................................................

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\BitRecover EML to PDF Wizard.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Apr 26 14:01:58 2024, mtime=Fri Apr 26 14:02:07 2024, atime=Fri Feb 16 11:30:44 2024, length=198984, window=hide
Category:	dropped
Size (bytes):	1346
Entropy (8bit):	4.608549776249424
Encrypted:	false
SSDEEP:	24:8mU32/IEHdOEKlKyWsFDV6UAT753hdoyWsHVodoyWssUU6wb/qygm:8mn/bHdOhB7ATrdt1adtLD9yg
MD5:	617093E7C71EBD2666DD3E982FDE4830
SHA1:	474CBCD726D8A7035AB4F324E46134709CA19EFC
SHA-256:	E60D4744EBE5965B6E23FA372C750A79D944AB828086CE3E8C8E0669CB10E524
SHA-512:	9B8BA181F11162FD7B23F45FF141B2D576A2B87524637C82BC45499473DC6EADF2E977A92DC77627AD9E03ACA5B9A4ACD81881D71ED34C163480F84FA2290367
Malicious:	false
Preview:	L..................F.... ...h.V...........2...`..H............................P.O. .:i.....+00.../C:\.....................1......X6x..PROGRA~2.........O.I.XDx....................V......`}.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1......X6x..BITREC~1..F......X6x.XDx...........................`}.B.i.t.R.e.c.o.v.e.r.....l.1......XCx..EMLTOP~1..T......X6x.XDx.........................p...E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.....r.2.H...PX.c .EMLTOP~1.EXE..V......X@x.X@x....'.........................E.M.L.T.O.P.D.F.W.i.z.a.r.d...e.x.e.......u...............-.......t...........uX.P.....C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe..X.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.i.t.R.e.c.o.v.e.r.\.E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.\.E.M.L.T.O.P.D.F.W.i.z.a.r.d...e.x.e.3.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.i.t.R.e.c.o.v.e.r.\.E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.........

C:\Users\user\Desktop\BitRecover EML to PDF Wizard.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Apr 26 14:01:58 2024, mtime=Fri Apr 26 14:02:07 2024, atime=Fri Feb 16 11:30:44 2024, length=198984, window=hide
Category:	dropped
Size (bytes):	1322
Entropy (8bit):	4.62624540129485
Encrypted:	false
SSDEEP:	24:8mU32/IEHdOEKlKyWsFDV6UAT753VdoyWsHVodoyWssUU6wb/qygm:8mn/bHdOhB7ATfdt1adtLD9yg
MD5:	3FB9A50EA041553D8D0F078029CC010F
SHA1:	B175EDB3884E3501CB293DECEE5EAC04C7F681E7
SHA-256:	2E9CE2FF5E0D79A94737E72FCD8C4FE83C6055CBF85C7B4B294F274D3554BF9B
SHA-512:	8F32A75226325CD6FB2889C9927201DEF99362E41BB4AB84C236F967C52C19FE3ADE83A632AD67BCFAAF1E25A57075EE7329D400FFBFCFC2A7EAB81676B96E9E
Malicious:	false
Preview:	L..................F.... ...h.V...........2...`..H............................P.O. .:i.....+00.../C:\.....................1......X6x..PROGRA~2.........O.I.XDx....................V......`}.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1......X6x..BITREC~1..F......X6x.XDx...........................`}.B.i.t.R.e.c.o.v.e.r.....l.1......XCx..EMLTOP~1..T......X6x.XDx.........................p...E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.....r.2.H...PX.c .EMLTOP~1.EXE..V......X@x.X@x....'.........................E.M.L.T.O.P.D.F.W.i.z.a.r.d...e.x.e.......u...............-.......t...........uX.P.....C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe..L.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.i.t.R.e.c.o.v.e.r.\.E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.\.E.M.L.T.O.P.D.F.W.i.z.a.r.d...e.x.e.3.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.B.i.t.R.e.c.o.v.e.r.\.E.M.L. .t.o. .P.D.F. .W.i.z.a.r.d.........*................@Z\|...K

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138056
Entropy (8bit):	6.454887624220969
Encrypted:	false
SSDEEP:	3072:nHi2/YxBFZNAWH6Gk5BsyGfGM8EnwO95fF:BOFZKWaj5BstfbfDP
MD5:	00D2C06A552F782C1F16ACF77DB765A5
SHA1:	640FD59AE52C7C381D7696CE66668AEAAA25B711
SHA-256:	F54FE6535538174C139B1B0CB2AC0753B2E34412153A443482CCAE53FFBC4DC6
SHA-512:	BBDFA6945D57C49A886442A7D1032E08656D4999E614D5A0BE0D318832BE94520601D2DB9C0E3AFF5E083D7A1392C72FB38EAD2873520947E26993DAED7AC795
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..&V.&V.&V..V.&V.0.V.&V.0.V..&V..V.&V.'V..&V.0.V.&V.0.V.&V.0.V.&V.0.V.&VRich.&V........PE..L...W._M.........."!.........x......5..............x.........................`......T.....@.................................T...(........"..............H....0..$....................................@..@...............\|...........................text...q........................... ..`.data....0..........................@....rsrc....".......$..................@..@.reloc..8 ...0..."..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397384
Entropy (8bit):	7.044986254855662
Encrypted:	false
SSDEEP:	98304:wnXVMSRMlBoIafB/I6A9Xwk2px12CqRe+RM/kXben7XTWwt52n7/YRFLOAkGkzdC:wnX1f2CYo7XTqYRFLOyomFHKnPAT
MD5:	A807596CB3CB377A1A687C9734D67A37
SHA1:	29DD7CA9AF4085C6897788C1AFAADF59DD5D8B0E
SHA-256:	496E1A21645ABAA90FA544C025E6F0DE1CBCBD5D060007A8A9E2FB5787655D0E
SHA-512:	7534CC0BF5CFCF238FEFDBE47FA895E47D08F7545CFE2E9DCEDA703E7652060821E3CFF9F839E5BC78A11205B9A0FD1A5DBA47B845AE83D05A6005F49A224E28
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._.1...1...1.......1.......1.......1.'....1.......1.......1.......1.......1...0.H.1.....(.1.......1.......1.......1.Rich..1.................PE..L....)_M.........."!........d........%.......+....x..........................C.....OdC...@.........................@........).......,.H.............C.H.....@.$..../..................................@...............8.....)......................text...3......................... ..`.data.........+.......*.............@....rsrc...H.....,.......+.............@..@.reloc...a....@..b....?.............@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100chs_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36176
Entropy (8bit):	5.565145082259986
Encrypted:	false
SSDEEP:	384:Z1ndBysNKvsX0W2AWAJYbRWktLiBrHuuPgldyevyBbXVLN1TLXci2jpvbY:Z5divsXxAptLkrHyTby9XVLTMi2jpvbY
MD5:	F7E75862299194C1B9103F7742EA7B25
SHA1:	51A18051A8199A826AF854D724F600F3951C715C
SHA-256:	09C2F7DD0970FA29984D8E92D8B3EE038BAC94228B30ABFB1AF11993A62C5356
SHA-512:	93C8F3149BE532345DE57126FB0CC6BA0D65BFD5618171B90A83640249807292321193F7B8C880EDAC0894734AE3363AFEC49003E2C0A57D61334743439EBB1B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...p)_M.........."!.........t....................6]................................36....@..............................................r...........v..P............................................................................................rsrc....r.......t..................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100cht_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36176
Entropy (8bit):	5.623062559496089
Encrypted:	false
SSDEEP:	768:ruufpTVI4fO7kn4TJVM3i/EhKJMi2jpv9u:fpTVI4fO4noVM3XhK6959u
MD5:	8280A96D8B44ABBFE8A22F19EAF9EC0D
SHA1:	A7DC0249591477976A88026A4F9671C25C000DBA
SHA-256:	E984EAEA8294F17D00B380B588679E209A2D87A4D77D68B58E65A0FCE979294C
SHA-512:	4B23C8E1C4954F644848EB7D96AA78CEB16039FF6A5F1770F6342707BC72DB8D319328E5B1324018ABD661538503A69B571B7BFAC6E85F2654B143C333641D3C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...p)_M.........."!.........t....................6]................................!.....@..............................................r...........v..P............................................................................................rsrc....r.......t..................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100deu_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64336
Entropy (8bit):	4.137117954467132
Encrypted:	false
SSDEEP:	1536:DVPidQr0OWqnn0BDXQPu6V4aGCWRZ+e0petNSaQhp0vcsjsr8gWt8C1dCuf9x9r/:DVidQr0OWqnnSXQPu6V4aGCWRZX0bhpW
MD5:	4AF4B6E8A4D185B75122773562D25975
SHA1:	A25E887DF095BBCC61A2DA3B9696AEA59A3B5EB0
SHA-256:	1CCAC5A935128A4DB17197F248566C1FCC798F3C4C1A62A4C05745209F527FDE
SHA-512:	0BF09D53966C6D8E5F3AF269E8DF7DEEC9EC0C73AD2CF702B1E95133212510B94116073520474A88C19BA73E86BFC3D46486B59B0FEE688BA9A716EDF8C7B985
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...p)_M.........."!..............................6].................................s....@.............................................................P............................................................................................rsrc...............................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100enu_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55120
Entropy (8bit):	4.198533172081631
Encrypted:	false
SSDEEP:	768:BgIdijcuEhCgyYo6B1CLPLNq5f/nWHBNheOU2fd5SMi2jXHUQ:SI0ifyYo6B8PLNYf/nWHNTdr9rHUQ
MD5:	F908FE45F8FE9E0D4CBE65F9FF5DF6DA
SHA1:	55BDF4AD2DB61B8CD0B37011906B74A5505B3746
SHA-256:	6FEC7C478F790D0EDCC4F0EFB2594A64878AC8FC8878B03F3611311C920E29BE
SHA-512:	5F02643BC0F79129E2F48349D8594BBBAACEED50146B82AD880E27B6A512F263FCD69F2AD8E956BB147790F05AFE64729DE4A699261019AB509E89BE863F3063
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...r)_M.........."!..............................6].................................T....@.............................................0...............P............................................................................................rsrc...0...........................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100esn_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63824
Entropy (8bit):	4.071025332838685
Encrypted:	false
SSDEEP:	768:gYE0Kv+BU6zH6rg/PKuCOCF3OKWRElJRZRIvpGMi2jXHUU:1A+q6zH68/PKuFm3OKWkRZRIX9rHUU
MD5:	9328256796EFAD2AC9632FD9A76EED95
SHA1:	1540E2881F97E7C49E16FBEE5411E14A7019E6CB
SHA-256:	29DBDBB0B49FE25E350ECB13ACF5BDEA19EF9E650CA7D035E398974A35115705
SHA-512:	8DCCC5B29F6FEC20A49D88760D48134F0F6F6D5FBF7A23E11A63C4A6A51972DBEFF7AAD1BBBCF1B6DF24FBAA9BC61EB581B2FEBC617C49CDD34D4223A2403F54
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...p)_M.........."!..............................6]......................................@.............................................P...............P............................................................................................rsrc...P...........................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64336
Entropy (8bit):	4.116469441988545
Encrypted:	false
SSDEEP:	768:Yqth26iN6NjZELqoYImN8YxAaTafCp5eFQZmZUjyyyyyyyyyyyyyyyUGQFUbWo2e:ZNPqLqoQA2SCHj0j/95zN
MD5:	ECAF994DBDDE7409A4C2270CDA8177A6
SHA1:	BD2FD0318A6A036D3FE0D7C1FD4E1235556B7DC7
SHA-256:	B52BE52DEA598AB61516A35D34180BB94CE232F34E2D3482527EC9A790EFCF49
SHA-512:	E0BBF39EF49F8B94CA6A2176ABCD86DAFBEA1AFD4C73689223D7ED7CE2ED0AD967B49897407A6DC1F1B5FDE83B3540A99464E6C13A39237F29153A0D94025A43
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...q)_M.........."!..............................6]................................S-....@.............................................................P............................................................................................rsrc...............................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100ita_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	62288
Entropy (8bit):	4.096027904670536
Encrypted:	false
SSDEEP:	768:P6E6XaEYyqbK15MGHigDGxNIlW3gyCQQQjeqS1hDsiiUWTVHMi2jpvg:iaEOs5MGHigSxNIlW37oETK95g
MD5:	D460F47453E2E186A981E1EB0DC7F6C9
SHA1:	E00D69F5063F859D72A2622A35D3DC5EC81B3A9B
SHA-256:	DB16717FF48F8FD073ED02D186CC5F71A7FD6D4D31A52753EEAFE5F0ABE178DB
SHA-512:	1391DEC17E75D6D0BC23965518901521823C98658468C36742D0E9A358E071BC94F8511ACA6DE1AA7A7BE715111D8E78B007A82B2F48DC2CDE49977E30887B96
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...q)_M.........."!..............................6]......................................@.............................................................P............................................................................................rsrc...............................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100jpn_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	43856
Entropy (8bit):	5.447621036331157
Encrypted:	false
SSDEEP:	768:NsTbayVn/K4tJxtr10/euKRHIWkMi2jpvFT:2Teyp/Kq/uMl95FT
MD5:	BF7B39A609B1C84A888158BBE6CADC3B
SHA1:	B77FE021F5B0C94CC97132C50086ED37128EDE64
SHA-256:	90F0EF59DD22008CB092029D19D1D14E60504E9A0023DC0C4C56FE444270A627
SHA-512:	A1B3FB45C938C148A96880996678AC2CF85BFC05FAC7FBA111255001B1C5F97AE0954F855C69936B6AB5C4A0079EDFC3A37FAD2B138DC6C55723CE4E7E805A5D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...q)_M.........."!..............................6]......................................@.............................................X...............P............................................................................................rsrc...X...........................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100kor_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	43344
Entropy (8bit):	5.550778347897452
Encrypted:	false
SSDEEP:	768:IVz754LQTNharaHniJNB2I7CvqAMi2jXHUt:G51TNhDniJv2I7Cvqn9rHUt
MD5:	17F28E88C2006EB6447FB31F25D7D937
SHA1:	C80F9EA7A596DF6F7F65ADD76E6AA64F5CACC752
SHA-256:	47CEFC05B67EF82128DA16A6A007E4978D8C0DF24A2B8C2C3C34C8830E6F49FA
SHA-512:	67A7F37F83205847416BCC6D8B9FAFF5CAD14BBBEF45BFF7843F1E43A2A1CEBD5D958118056754685BDA9BF923470974547CD632B31FFA7AD58F140CED8BA68D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...q)_M.........."!..............................6]................................a.....@.............................................................P............................................................................................rsrc...............................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100rus_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60752
Entropy (8bit):	4.6890295964295685
Encrypted:	false
SSDEEP:	768:hURq/lFXOvhQuqN9TMIVhtZ3FckD+SfMi2jXHUwRM7N:nDXOvhkhTV09rHUwR6N
MD5:	E25790E6E0612B621C8EA80206036672
SHA1:	78DE33243AC083FCB57B2CFCFED52F5DC4CEC2DD
SHA-256:	136DE86F96AE881A430724AE854D902749A0A72B3EDC17DF83E83257C511CBC5
SHA-512:	E1F298A2BED0D5B632EC5EA81834FF4FD69084B79C37A63D8B5C7E7317A757E0CFCB9D311D585980A303D16640ED2C9224EE442BF3CD2ED7BB026E181599601B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...q)_M.........."!..............................6]......................................@.............................................................P............................................................................................rsrc...............................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4422992
Entropy (8bit):	7.012472770624414
Encrypted:	false
SSDEEP:	98304:jsWbb5oF0MUVVsK3vOGH+1TSlUE7vrffTTnm7ulf67NACOub7FLOAkGkzdnEVomK:jx5x3Ii6F7FLOyomFHKnPA+
MD5:	F32077DF74EFD435A1DCDF415E189DF1
SHA1:	2771393D56FF167275BF03170377C43C28EE14E1
SHA-256:	24BB6838DEFD491DF5460A88BED2D70B903A2156C49FB63E214E2C77251ECA71
SHA-512:	FB708E0949854998FB80635138C80AC05D77DCA3089D3E5974663DDF2376D6A03535DAE1A068514C3B58BC06C8E4078B37CFB6BC90F080F7F31FEFC972A34850
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._.r1..r1..r1......r1......r1....r1.'<...r1....r1....r1....r1......r1..r0.^q1...(s1....r1....r1....r1.Rich.r1.................PE..L....)_M.........."!.....P+..h......I:&......`+..._x..........................C.......C...@.........................P}.P...HE......p,.H............fC.P.....@.....`/..............................@N..@...................<)*......................text....N+......P+................. ..`.data........`+......T+.............@....rsrc...H....p,.......,.............@..@.reloc..Fc....@..d....@.............@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81744
Entropy (8bit):	6.143527599899884
Encrypted:	false
SSDEEP:	1536:Koqh1BnXr5esH5YKT5bLQVDTpZx9OBR1g95:K/hvbz5YKT5bL2TpZXOBR1g95
MD5:	DFAE4207CE3F2B3B88DABC6A7C73C450
SHA1:	432A2FDDBB87BD13E4E40428E4C6A167EEBF7BF1
SHA-256:	F7E920AB186D9F5F8218A012F9D6E603BF351C047CBFB6C4BF41850D50373A0B
SHA-512:	577FF996023D7D00584E3657C73711B921FF2904E72536DE78224C07CD960672D3D035FC06EFEE85BA1F14CA86B03B699B7085B96CF2DC7362781BB4C96A0754
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l../(.\|(.\|(.\|!.?\|.\|6./\|.\|3Q \|-.\|..$\|).\|3Q"\|).\|3Q.\|$.\|!./\|,.\|(.\|..\|3Q.\|=.\|3Q'\|).\|3Q&\|).\|3Q!\|).\|Rich(.\|................PE..L...F*_M.........."!.....B...8......0O.......`.....x.................................t....@........................../......D)..x....................(..P............b..............................0p..@............`...............b..H............text....@.......B.................. ..`.rdata.......`.......F..............@..@.data....X...@......................@....rsrc...............................@..@.reloc..$............ ..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81744
Entropy (8bit):	6.150747808645515
Encrypted:	false
SSDEEP:	1536:jIzAkByS3ilE+38F6+bLQVFHzOBhOGf9rHUf:jKAkBrilR38FdbLuHzOB0Gf9of
MD5:	0B6C9E162B102F7B819E61A80257CA92
SHA1:	E7FB9B6A36E2F9AD381D00D14E1A20B541C70D94
SHA-256:	D159D2AE0A3F73FD7489960320DF92ADEE9B481027785BC8B82F8A10C2E66808
SHA-512:	53AEFE0592CF92C6EB3DB4D6FE32F75A2B1E0EB8D9C5B7AF334F3A5043589D6918412309CADA9B6B96A98F3BE7DB00647D3BAE52BB775D1EC1DEA810E0EC8982
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l../(.\|(.\|(.\|!.?\|.\|6./\|.\|3Q \|-.\|..$\|).\|3Q"\|).\|3Q.\|$.\|!./\|,.\|(.\|..\|3Q.\|=.\|3Q'\|).\|3Q&\|).\|3Q!\|).\|Rich(.\|................PE..L...F_M.........."!.....B...P......0O.......`.....x......................................@..........................0.........x....................(..P............b..............................@p..@............`...............b..H............text....@.......B.................. ..`.rdata..@....`.......F..............@..@.data....p...@......................@....rsrc...............................@..@.reloc..8............ ..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcp100_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	421200
Entropy (8bit):	6.595802017835318
Encrypted:	false
SSDEEP:	12288:zNb8zxr1aWPaHX7dGP57rhUgiW6QR7t5qv3Ooc8UHkC2ejGH:zNb8Fpa6aHX7dGP5Kv3Ooc8UHkC2eKH
MD5:	E3C817F7FE44CC870ECDBCBC3EA36132
SHA1:	2ADA702A0C143A7AE39B7DE16A4B5CC994D2548B
SHA-256:	D769FAFA2B3232DE9FA7153212BA287F68E745257F1C00FAFB511E7A02DE7ADF
SHA-512:	4FCF3FCDD27C97A714E173AA221F53DF6C152636D77DEA49E256A9788F2D3F2C2D7315DD0B4D72ECEFC553082F9149B8580779ABB39891A88907F16EC9E13CBE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e..d...d...d.......d.......d...d..Cd..K*...d.......d.......d.......d.......d.......d.......d.......d..Rich.d..........................PE..L...A._M.........."!.................<.............x.................................{....@.................................<...<.... ...............V..P....0..D;..p................................/..@...............p............................text...u........................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901569696995594
Encrypted:	false
SSDEEP:	12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
MD5:	BF38660A9125935658CFA3E53FDC7D65
SHA1:	0B51FB415EC89848F339F8989D323BEA722BFD70
SHA-256:	60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
SHA-512:	25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L..."._M.........."!.........................0.....x................................u.....@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51024
Entropy (8bit):	6.58747423701147
Encrypted:	false
SSDEEP:	768:JS1woYlhhX8nAJ1I84lIFIKC4YWVbX+zZkaKpnnh5L2jmPGE7y/gDFMi2jpvD:8vYlL8AJMlIF7phVbeKVLSO+/H95D
MD5:	A7E63D69F1D55A3662907ECD48B345CA
SHA1:	6FD80A3C9134CC09AC7C353D64FF2B1E34D55206
SHA-256:	887C58E0B5E315F2D9714BD4D0F8126EF615D5792BAAAE4C7B75409FDECB5C45
SHA-512:	2564DE05FD1763E26A1B1E00603961EB2F53624005A11837DD1E798740AFAE3E0E7AB4D48E76CC23FECA0CCC509399659DF6E41976C3046D95CC600CAB87769E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d.>. .P. .P. .P.;..-.P.;...-.P.)..%.P. .Q...P.;...-.P.;..!.P.;..!.P.;..!.P.Rich .P.........PE..L...Y*_M.........."!.................W.............r................................{O....@.........................P.......D...<.......................P.......\.......................................@............................................text.............................. ..`.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\66a72c.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Template: Intel;0, Revision Number: {461C455E-DA40-49B3-871B-14308CC7CEFF}, Create Time/Date: Sun Feb 20 07:03:10 2011, Last Saved Time/Date: Sun Feb 20 07:03:10 2011, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 2, Number of Words: 2
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	6.375644516596573
Encrypted:	false
SSDEEP:	3072:0oTMYRradauoCcJg95gTdmmYdwYNRTK0+E4mN2E2275V495u:7RWd1odm4mmYdwT1
MD5:	3FF9ACEA77AFC124BE8454269BB7143F
SHA1:	8DD6ECAB8576245CD6C8617C24E019325A3B2BDC
SHA-256:	9ECF3980B29C6AA20067F9F45C64B45AD310A3D83606CD9667895AD35F106E66
SHA-512:	8D51F692747CFDD59FC839918A34D2B6CBBB510C90DEA83BA936B3F5F39EE4CBD48F6BB7E35ED9E0945BF724D682812532191D91C8F3C2ADB6FF80A8DF89FF7A
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\66a72d.msp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Create Time/Date: Wed Jun 29 03:19:52 2011, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 4, Template: Intel;0, Last Saved By: Intel;0, Revision Number: {F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{1F4F1D2A-D9DA-32CF-9909-48485DA06DD5}, Number of Pages: 200, Number of Characters: 153223199
Category:	dropped
Size (bytes):	4028928
Entropy (8bit):	7.99425811627881
Encrypted:	true
SSDEEP:	98304:lEpd3qZ0G3garI8w8xhB2TU01SHMMV6ZArX:KaZtC8vBy10M4
MD5:	9843DC93EA948CDDC1F480E53BB80C2F
SHA1:	D6EC9DB8B8802EC85DD0B793565401B67AD8E5E0
SHA-256:	7C969FCDA6EF09D2EB7BBBC8D81795EB60C9C69ED835FD16538369AD0A6E0F10
SHA-512:	79008CFDD8AE1EA27675588E7BA8123D08CE14047E5F167B3B5F6FBCDADEB45515BD72E18E59ABF632ECBFBB42243FBCBEBE4CBE0ED6BA195D0B2CA6D88676F9
Malicious:	false
Preview:	......................>...................>............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\66a730.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Template: Intel;0, Revision Number: {461C455E-DA40-49B3-871B-14308CC7CEFF}, Create Time/Date: Sun Feb 20 07:03:10 2011, Last Saved Time/Date: Sun Feb 20 07:03:10 2011, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 2, Number of Words: 2
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	6.375644516596573
Encrypted:	false
SSDEEP:	3072:0oTMYRradauoCcJg95gTdmmYdwYNRTK0+E4mN2E2275V495u:7RWd1odm4mmYdwT1
MD5:	3FF9ACEA77AFC124BE8454269BB7143F
SHA1:	8DD6ECAB8576245CD6C8617C24E019325A3B2BDC
SHA-256:	9ECF3980B29C6AA20067F9F45C64B45AD310A3D83606CD9667895AD35F106E66
SHA-512:	8D51F692747CFDD59FC839918A34D2B6CBBB510C90DEA83BA936B3F5F39EE4CBD48F6BB7E35ED9E0945BF724D682812532191D91C8F3C2ADB6FF80A8DF89FF7A
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\66a731.msp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Create Time/Date: Wed Jun 29 03:19:52 2011, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 4, Template: Intel;0, Last Saved By: Intel;0, Revision Number: {F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{1F4F1D2A-D9DA-32CF-9909-48485DA06DD5}, Number of Pages: 200, Number of Characters: 153223199
Category:	dropped
Size (bytes):	4028928
Entropy (8bit):	7.99425811627881
Encrypted:	true
SSDEEP:	98304:lEpd3qZ0G3garI8w8xhB2TU01SHMMV6ZArX:KaZtC8vBy10M4
MD5:	9843DC93EA948CDDC1F480E53BB80C2F
SHA1:	D6EC9DB8B8802EC85DD0B793565401B67AD8E5E0
SHA-256:	7C969FCDA6EF09D2EB7BBBC8D81795EB60C9C69ED835FD16538369AD0A6E0F10
SHA-512:	79008CFDD8AE1EA27675588E7BA8123D08CE14047E5F167B3B5F6FBCDADEB45515BD72E18E59ABF632ECBFBB42243FBCBEBE4CBE0ED6BA195D0B2CA6D88676F9
Malicious:	false
Preview:	......................>...................>............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIAA1A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	30734
Entropy (8bit):	5.978121304594374
Encrypted:	false
SSDEEP:	768:qLWRW40qy6kJ62TGorsDx6Vi2pPYUpOls04j2rCiYF:h6reUpXZ/F
MD5:	7B718A07F4826CFA3DA58B157AFFA65B
SHA1:	ECDEF5F8EDD077DB4CE2A04913603C7A9CF4927B
SHA-256:	2477EEEF94EBC157F9A0DB6C46229B4800730A27876A1016B0EEFC5FCFA59D68
SHA-512:	772DE90B4216171A57FCD8F940D6330A6BE70EF4507196FE5D4AF9E08813169AB5C777D69EA62AB9636BCB125E9A08A8362EC2380CB6CA1A2D8C3E7ADF6C960F
Malicious:	false
Preview:	...@IXOS.@.....@0..X.@.....@.....@.....@.....@.....@......&.{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5};.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219..vc_red.msi.@.....@.....@.....@........&.{461C455E-DA40-49B3-871B-14308CC7CEFF}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@......10.0.40219...@........ProcessComponents..Updating component registration.....@O....@.....@.]....&.{8453C4E7-26E8-3408-B3A4-5940CA95BC60}@.02:\SOFTWARE\Microsoft\VisualStudio\10.0\VC\VCRedist\x86\Version.@.......@.....@.....@......&.{1414BD84-D9A5-3EE5-AA73-118D7C072370}D.02:\SOFTWARE\Microsoft\DevDiv\vc\Servicing\10.0\red\x86\1033\Install.@.......@.....@.....@......&.{E2F46933-FF4F-46E0-B997-F64D2C6D4FA1}D.c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll.@.......@.....@.....@......&.{529D0A60-398C-38A2-97EF-82FAFA798

C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.533839660262212
Encrypted:	false
SSDEEP:	24:JkptINToy5fD0YUJegvZpD0YtdsHqt+mRZFNx:ctATFf4HUgvZp4Uuqt+aZ
MD5:	1502269FAD8495050614824E25D1B29F
SHA1:	4FC1E29ACDBBA5D34889CB811DCCDA6A714F2F84
SHA-256:	2D8CFF4E4100D3BBBF9606E9DFE1D8FBEDE17E13A6D7C160051B92ABEF09E84A
SHA-512:	D46EA6E5A670C57E09F6E9F2C36DD8C269762C744CDB0F6CC7D4A5C0344CB988D7A68A4F090F89B2CE718DC4C53DEE1ECE762FC8F8562CB77ADF1A285D4D1802
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.71763791298922
Encrypted:	false
SSDEEP:	48:18PhQuRc06WXJuFT5orYOqSyedCw1S3YwSpCuSbedCcb6QqyOMJZfe4:YhQ1FFTFN/nw1S3ZuWnLQqEZ
MD5:	7A7A87CC526084133B16345AC3AA4C14
SHA1:	B7B6809E4D005B735593DBCCC327C91112CC740B
SHA-256:	DCBBA7EBECB95EEDDC65AE9B16965B01D0962EAEFEDED8A134C7332CD268AB95
SHA-512:	B07119DA825DEA7B3C92A5E698BC75B66A54F04D093952AC10D1994BA2BFC0B669D21345306D972A474BF0ACFA200A34BB29BD04873A7F9EA31A2C3E4EA05227
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	364484
Entropy (8bit):	5.365489590865308
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauS:zTtbmkExhMJCIpE5
MD5:	E0E4D58CCAA5E35317E5E1398399FCD9
SHA1:	23A98E555A95145ECA8FF5EB25A5DBE5CB881C1B
SHA-256:	FE926B624C1D4BAEC1DCE1175F3B9EFA1C84EA05A30C6D60EDD4378AB05AEBBE
SHA-512:	FFF29D80724A707DFE14948ABCDE47B58DD858EBD62BE05685358798DBE19E7C750836EFEA263EC09D70A3B66A7857569BF0AD959B3463EF1486A55A858D8761
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\atl100.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138056
Entropy (8bit):	6.454858115300033
Encrypted:	false
SSDEEP:	3072:ZEi2/YxBFZNAWH6Gk5BsyGfGM8WzkAFoX:0OFZKWaj5BstfbZx8
MD5:	C85670AB64068F8080998AEBA6C5019C
SHA1:	EF762C375486594F6604F39311D32442156AC8BB
SHA-256:	87D88235F69C062E5B759F91253ABAF7BD055937DD119BD26858237F812D3DED
SHA-512:	870A27585F72E444FA9A2B46AB53ED420932952BE8A3C4DDD0D831D72BE0AC1B44992CF757DE76D0CD667CD5B6150E9EB96AC2A8E7161A22C7D557946A12E5C6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..&V.&V.&V..V.&V.0.V.&V.0.V..&V..V.&V.'V..&V.0.V.&V.0.V.&V.0.V.&V.0.V.&VRich.&V........PE..L...c..M.........."!.........x......5..............x.........................`......Q.....@.................................T...(........"..............H....0..$....................................@..@...............\|...........................text...q........................... ..`.data....0..........................@....rsrc....".......$..................@..@.reloc..8 ...0..."..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc100.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4397384
Entropy (8bit):	7.044443988235452
Encrypted:	false
SSDEEP:	98304:WEWsrhmswShHpSvnB5MnhpTnWbWA7ySeAfCt0PfI9jWwg76YAvvU+uFLOAkGkzdz:W6DWbLRojDbvU+uFLOyomFHKnPA25
MD5:	493FC0F59054A6F4F3775655FB55295C
SHA1:	2AFE4F5EB626FB5C5AA5BB6C2BC61C88E37CF42F
SHA-256:	CAC58C98F7E587BA1B2A4F41874764B59BDF6CB684A4A44AEE93F91B3B9A019B
SHA-512:	9DA41078A65A6B8C731388CCF4CE2A988705305F29F0841039B96CD2649F82E8EA219F082DE184826E39F0EDAA4A1D9AFF2E60EBB8D27771222D0C7CB165598D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._.1...1...1.......1.......1.......1.'....1.......1.......1.......1.......1...0.H.1.....(.1.......1.......1.......1.Rich..1.................PE..L......M.........."!........d......%.%.......+....x..........................C......\|C...@................................<.).......,.H.............C.H.....@....../..................................@...............8.....)......................text............................. ..`.data.........+.......*.............@....rsrc...H.....,.......+.............@..@.reloc...a....@..b....?.............@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfc100chs.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36176
Entropy (8bit):	5.5676133503681875
Encrypted:	false
SSDEEP:	384:/1ndBysNKvsX8WDWAFYbRWktLiBrHuuPgldyevyBbXVLN1jLb6FjXHUZP:/5divsXFEptLkrHyTby9XVL7b6FjXHUV
MD5:	C086A0AA8C39CB2EA09EA967D433733E
SHA1:	B5139ED7A2AF76AD71C1ED3625543C0C98256984
SHA-256:	21688ED8DE2A5C9E95E25E750BD6D8A7BC5446172DAE69AF9DF96FEDA022FC7E
SHA-512:	EAF03CF10669DD289E108370A6DE7484ACB0F59389ECA6DA907D579767DE919B08A6388E635E06BB3D222DC4D9303F964634A6B8820572E796279063D192E926
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...h..M.........."!.........t....................6]......................................@..............................................r...........v..P............................................................................................rsrc....r.......t..................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\SysWOW64\mfc100cht.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36176
Entropy (8bit):	5.625769376549212
Encrypted:	false
SSDEEP:	768:suufpTVI4r67kn4TJVM3i/EhKhb6FjpvkXM:4pTVI4r64noVM3XhK16F5kM
MD5:	44EE19CB7DD5E5FD95C77FE9364DE004
SHA1:	9DDE4A75E2344932F4A91D8EF9656203C2B3B655
SHA-256:	254E83FAD56AA1A1CBA3D5E0FC32509FEE82482F210E238E81F7D8B117A69B8C
SHA-512:	2C636ABF08D44EEDF452EDF02BF4243E76E14BB95E8A24012787DDFFCCE69C1D7FC4BE98C4B5CD70532FE8420882E1ADE228900C5F36669FDD90FE0383DDE6AF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...h..M.........."!.........t....................6]................................Lh....@..............................................r...........v..P............................................................................................rsrc....r.......t..................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\SysWOW64\mfc100deu.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64336
Entropy (8bit):	4.137941849217605
Encrypted:	false
SSDEEP:	1536:BVPidQr0OWqnn0BDTEPu6V4aGCWRZ+e0petNSaQhp0vcsjsr8gWt8C1dCuf9Z/6W:BVidQr0OWqnnSTEPu6V4aGCWRZX0bhp6
MD5:	ECA6624EFEBBE2C0C320AC942620C404
SHA1:	ACBEB473088CAC5887E9D9823A00570A102A8705
SHA-256:	2BF46F1536CE621801FC621FABBE59F32AD856AA8AE085EB6E4469885C171DA3
SHA-512:	860E7C994091418177DEDC7D4E935985DE0CEADC4EEBB569D9E38024478DAA78E621B57E722195915183C4E1935EFD98C08E1E4C8CB2E7C47306EBFC097F49AD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...i..M.........."!..............................6]................................h.....@.............................................................P............................................................................................rsrc...............................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\SysWOW64\mfc100enu.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55120
Entropy (8bit):	4.199600802944499
Encrypted:	false
SSDEEP:	768:TgIdijcuEhCgysM6B1CLPLNq5f/nWHBNheOU2fd51b6FjpvU:kI0ifysM6B8PLNYf/nWHNTdr6F5U
MD5:	2A2C442F00B45E01D4C882EEA69A01BC
SHA1:	85145F0F784D3A4EFA569DEB77B54308A1A21B92
SHA-256:	D71DB839DE0BC1FCC01A125D57CED2AAEA3F444A992426C316CE18C267C33A8C
SHA-512:	F18D9019EEE843D707AA307714A15207BE2DED2ECEAB518599FBED8A3826A1A56F815FE75FB37F36C93BE13F3D90E025F790DB6B3BA413BFD5CD040B2CC7DBF7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...j..M.........."!..............................6]................................;>....@.............................................0...............P............................................................................................rsrc...0...........................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\SysWOW64\mfc100esn.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63824
Entropy (8bit):	4.072824469338212
Encrypted:	false
SSDEEP:	768:mYE0Kv+BU6Hj6rg/PKuCOCF3OKWRElJRZRIvp6b6Fjpv9h:fA+q6Hj68/PKuFm3OKWkRZRIE6F5D
MD5:	B4E91C857C886C8731F7969D9A85665D
SHA1:	A639781B1DC2C7BDD855BE37FBB39B55AD5B734A
SHA-256:	7F3E218C1BF7BB0F00885AFEC8ED60C8EDD48A73622FEB2FCE7CB282AF1BE900
SHA-512:	FBB841339B216FB677DDF798D004503A1C0C8A60D17EDD502D2A893985CEFBA8B13FEBC594DCAA0ED9DF823FBCED0367D8C1074D7025E6BF6E6D4EC5CD1B2648
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...i..M.........."!..............................6]......................................@.............................................P...............P............................................................................................rsrc...P...........................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\SysWOW64\mfc100fra.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64336
Entropy (8bit):	4.117127086980955
Encrypted:	false
SSDEEP:	768:Xqth26iN6NjZELmcYImN8YxAaTafCp5eFQZmZUjyyyyyyyyyyyyyyyUGQFUbWo2k:eNPqLmcQA2SCHj0jE6FrHUyv
MD5:	BB21453C6707A7B5DD9F727ED375F284
SHA1:	56E7A1011221B87AF1B1EA766114161FB5DD4A3A
SHA-256:	8630D9B71A04BFCAD5ED15C11CBF88F2DE42ABFA458BC66963E6D0D207DC01C8
SHA-512:	C74BBFCD5C407FA1D8189F1805E12E2261268059C3F4D7EE5D5492811D161906B27E9623BE55649504B2888F3AAE0AD98038F420C1969CB6693328C78EC6B1C8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...i..M.........."!..............................6].................................8....@.............................................................P............................................................................................rsrc...............................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\SysWOW64\mfc100ita.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	62288
Entropy (8bit):	4.096505353321104
Encrypted:	false
SSDEEP:	768:o6E6XaEYyqbK15M6LigDGxNIlW3gyCQQQjeqS1hDsiiUWTVlb6FjXHUfJ:1aEOs5M6LigSxNIlW37oETD6FrHUfJ
MD5:	A99884AEAC9C704600C6F5A44B3F7694
SHA1:	1D65B58014F1ECFFA3E8AFFA4B21AB4466732D9E
SHA-256:	54C711B8EC19AB39C881BA16AF97DFF6D1CD74C1E2FE6FF50EC51C466015AA6C
SHA-512:	DD2F6113B0D879C3699C97DB42FBEF03413DFCCAC9772596ACE7FED5850B269AC0ADC94C30439D5C37688E11FF73FFA53409D483BD2F419E16769B0213A5D46C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...i..M.........."!..............................6]................................5V....@.............................................................P............................................................................................rsrc...............................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\SysWOW64\mfc100jpn.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	43856
Entropy (8bit):	5.451944344408199
Encrypted:	false
SSDEEP:	768:8sTbayVn/G0tJxtr10/euKRHIWub6FjpvzA:ZTeyp/Gu/uM06F5zA
MD5:	76022ED341931C473D2DFB27D56E37FD
SHA1:	BE2B19CC30093069E61349908153D22383FEDA7F
SHA-256:	0C7637E3AE7E2C429807194C470A1E7BD98AE02D67D543380367F142CF08173A
SHA-512:	0C30AC2A2A1BAFB4462142ECAF059800BA262E2F82D82F229F78A0B91018D38ED101ACA29EF01458DEA6F9D34B8FD76940F7C8765FF8FE9D412EE3DBA5419F42
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...j..M.........."!..............................6].................................N....@.............................................X...............P............................................................................................rsrc...X...........................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\SysWOW64\mfc100kor.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	43344
Entropy (8bit):	5.557482266926806
Encrypted:	false
SSDEEP:	768:iVz754LQTNl2raHniJNB2I7Cvqpb6FjpvK:Q51TNlfniJv2I7Cvqt6F5K
MD5:	222BE89E34F4BB9059B7587074C5F88B
SHA1:	47EBA84CF57011765A16D0D514069C9C86AF16BB
SHA-256:	0F0E518D6B12111ED847B2F62929799D2754F6F45B21977F8929842A2CEC471E
SHA-512:	83A3A51870B356DE1330A47A79FF00032155DEBEED8A53B16142FED6A332B9B49E02076991D354F817410BFEB535C9C73AC872402194A822C877B4C9F7B15DB8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...j..M.........."!..............................6]................................m.....@.............................................................P............................................................................................rsrc...............................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\SysWOW64\mfc100rus.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60752
Entropy (8bit):	4.691759145763307
Encrypted:	false
SSDEEP:	768:TURq/lFXOv10uqN9TMIVhtZ3FckD+Sbb6FjpvimF:pDXOv1IhTVn6F5pF
MD5:	1655E43D3DBA000394CF208E95EA2B02
SHA1:	B29FE26CC85F102345619CA514A93E832A294E43
SHA-256:	B34CAFEB0DDA67F5B271E15B20E94DF4805058A37ADAD5DC3331E11FA612BC42
SHA-512:	3A040AE2B912DFECFF43C82C148E097563174C0326F8211C56FFA1D82E0C1F26F7829B52EE9D68E0737A8E05457472C800E8AA99EC6883904967B8DD2D5C3B76
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................5%......5".....Rich............................PE..L...j..M.........."!..............................6]................................!.....@.............................................................P............................................................................................rsrc...............................@..@....................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

C:\Windows\SysWOW64\mfc100u.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4422992
Entropy (8bit):	7.012067538535142
Encrypted:	false
SSDEEP:	98304:veeKejRb6KYYRzl1rYBrAWpTmms3Ctm8oVXK0na6g3QAt1zwoN1R4FLOAkGkzdnr:v8NpL84jN1eFLOyomFHKnPAu
MD5:	F3DE10AABD5C7A1A186C9966F037D0C0
SHA1:	6AAAE8331A5377F4025D2D860E5872B842A41DF8
SHA-256:	BC50848AEEF466DFF4A3D8C386BF0D0EC35B8E5B438031AE885AA5371F2E1A42
SHA-512:	07D93B8ABBF8ACFAB1D8F0711A37086764000310450BA361E7D5E1369012B3A45FD394460841B0F3CCA79ACEAD2080BBE1F029BC36191C133D7CCEA182CA84E1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._.r1..r1..r1......r1......r1....r1.'<...r1....r1....r1....r1......r1..r0.^q1...(s1....r1....r1....r1.Rich.r1.................PE..L......M.........."!.....P+..h.......:&......`+..._x..........................C......C...@..........................}.P....E......p,.H............fC.P.....@.....`/..............................@N..@....................)*......................text....O+......P+................. ..`.data........`+......T+.............@....rsrc...H....p,.......,.............@..@.reloc..Jc....@..d....@.............@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfcm100.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81744
Entropy (8bit):	6.142711445980364
Encrypted:	false
SSDEEP:	1536:+oqh1BCXr5esH5YKn7bLQVqTpO9OBXBn6FrHU:+/hvgz5YKn7bLbTpSOBXB6Fo
MD5:	BE83B709811FBB18DCAA03412DA0BCEB
SHA1:	F4745BA4108F276CAD6C48F1A1CCF050C2C5D716
SHA-256:	ECB4ABCE8A92F459B0DA962A629D0BEB66D417A209225FFD321EDA60666D36B1
SHA-512:	4F04AFE91FD7B38CB98928CD07222FD1BB550EE14B508BB959A2EE35EB2F51CACDAE0572B88C5B4786B2B5DAE8F47C101D13B6D01F8EBFC74540C3DB9D206F73
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l../(.\|(.\|(.\|!.?\|.\|6./\|.\|3Q \|-.\|..$\|).\|3Q"\|).\|3Q.\|$.\|!./\|,.\|(.\|..\|3Q.\|=.\|3Q'\|).\|3Q&\|).\|3Q!\|).\|Rich(.\|................PE..L...~..M.........."!.....B...8......0O.......`.....x................................d.....@........................../......D)..x....................(..P............b..............................0p..@............`...............b..H............text....@.......B.................. ..`.rdata.......`.......F..............@..@.data....X...@......................@....rsrc...............................@..@.reloc..$............ ..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfcm100u.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81744
Entropy (8bit):	6.149338266663653
Encrypted:	false
SSDEEP:	1536:ZIzAkBQS3ilE+38NrtbLQVuH5OBXOa26FrHUK:ZKAkB1ilR38NBbLBH5OB+aLFoK
MD5:	D23A577EB4829A9F1B1D4EA679E98B54
SHA1:	CD364F8AE5A64DCE82225A3C9658114A1A905504
SHA-256:	5104D9B832D6BE34D8FFBFA1EACC1A95E7EF8864E2C3C5720F04D217F8DCCF51
SHA-512:	2652652D40BDB512756EA572D7F1202225CEDA89584D12725258843523FC65B51B240FFE057F8570B4B0E785BD2D429EE5BCBA782BA30A180BE7CC331C33AD69
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l../(.\|(.\|(.\|!.?\|.\|6./\|.\|3Q \|-.\|..$\|).\|3Q"\|).\|3Q.\|$.\|!./\|,.\|(.\|..\|3Q.\|=.\|3Q'\|).\|3Q&\|).\|3Q!\|).\|Rich(.\|................PE..L...~..M.........."!.....B...P......0O.......`.....x................................v.....@..........................0.......*..x....................(..P............b..............................@p..@............`...............b..H............text....@.......B.................. ..`.rdata..@....`.......F..............@..@.data....p...@......................@....rsrc...............................@..@.reloc..8............ ..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\vcomp100.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51024
Entropy (8bit):	6.586044901234663
Encrypted:	false
SSDEEP:	768:mSBwoYlhhX8nAJ1I84lIFIKC4YWVbX+zZkaKpnwh5L2jmPGgHy/gDBb6Fjpvc8P:7LYlL8AJMlIF7phVbeKmLSCS/M6F5c8P
MD5:	28D2B08D3D33670B0D010ED2BA2AB513
SHA1:	191EA62082AC776995F22B96CB3B6DFAD953C57E
SHA-256:	183729409813BA5A8501A581979530BFDDBABE5617DA1588EB8FEFDCFCBA5D7E
SHA-512:	BAC78A84E74B0A5A5171316CDE802C57B91772336F57C19903CBA139DE2BD48AE7020E9F8CE899175B67CF61F7866A112FE9014C3FBF4A08A3F2AA71D440F291
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d.>. .P. .P. .P.;..-.P.;...-.P.)..%.P. .Q...P.;...-.P.;..!.P.;..!.P.;..!.P.Rich .P.........PE..L......M.........."!.................W.............r................................f.....@.........................P.......D...<.......................P.......\.......................................@............................................text.............................. ..`.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF24096C8575A37F2D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.71763791298922
Encrypted:	false
SSDEEP:	48:18PhQuRc06WXJuFT5orYOqSyedCw1S3YwSpCuSbedCcb6QqyOMJZfe4:YhQ1FFTFN/nw1S3ZuWnLQqEZ
MD5:	7A7A87CC526084133B16345AC3AA4C14
SHA1:	B7B6809E4D005B735593DBCCC327C91112CC740B
SHA-256:	DCBBA7EBECB95EEDDC65AE9B16965B01D0962EAEFEDED8A134C7332CD268AB95
SHA-512:	B07119DA825DEA7B3C92A5E698BC75B66A54F04D093952AC10D1994BA2BFC0B669D21345306D972A474BF0ACFA200A34BB29BD04873A7F9EA31A2C3E4EA05227
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF42C9C79CAB958CA7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.3632719557803545
Encrypted:	false
SSDEEP:	48:Q7YuYO+CFXJvT58DKrYOqSyedCw1S3YwSpCuSbedCcb6QqyOMJZfe4:iYWHTmtN/nw1S3ZuWnLQqEZ
MD5:	034FD27FC5FD77DD051DD6F61C421549
SHA1:	034BD1E63901B43E2F3196158E915F6C6E963F0C
SHA-256:	035500C7CB99E7FE9237B2EF1439FF908277F2C74396689D4DA23D5A9847F79C
SHA-512:	D1208FD559BFF6EDF35D7789BDAE3F29E97840A19D85D52F26F5848A969960FAB254E4B9DE2813C7E888F2B4DFE277CBCB3E3359D1CA08DBA70304234BA3380D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF44C3FA1022428DC5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF56207F0F1D0774DE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7AA982101C85FCEB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.1918397818250897
Encrypted:	false
SSDEEP:	48:6bZfeWb6QqyOMhSbedCaSyedCw1S3YwSpC4Ssx:GZOQqaWna/nw1S3Z1
MD5:	171C6AB0A98DDDDDC896FA2F74607DE4
SHA1:	B69D8282BDB1ADB9C1463E7DB2DB1F06CDAF7662
SHA-256:	B6E1EEE3858FD23767B2EA4FB26ABA811D6E2F9470E4F186B429C6B350C1DAB9
SHA-512:	A7B83B73C1F770FE8C3FA06105B0D5073A791D72F32BE925F8BE1B2DE0BF7A57541694A59A496A28C954530AFD78A0A2C7E63C569EFDB0A6D8E4617F5428F7BA
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7C901F6780418CA0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8E7D15267AA5287E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.71763791298922
Encrypted:	false
SSDEEP:	48:18PhQuRc06WXJuFT5orYOqSyedCw1S3YwSpCuSbedCcb6QqyOMJZfe4:YhQ1FFTFN/nw1S3ZuWnLQqEZ
MD5:	7A7A87CC526084133B16345AC3AA4C14
SHA1:	B7B6809E4D005B735593DBCCC327C91112CC740B
SHA-256:	DCBBA7EBECB95EEDDC65AE9B16965B01D0962EAEFEDED8A134C7332CD268AB95
SHA-512:	B07119DA825DEA7B3C92A5E698BC75B66A54F04D093952AC10D1994BA2BFC0B669D21345306D972A474BF0ACFA200A34BB29BD04873A7F9EA31A2C3E4EA05227
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF917FCE49C4972DF7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAA2F4A13765D2D4C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.33578196856874776
Encrypted:	false
SSDEEP:	12:oBWxx0i8n0itFzDHFiuBp0Ylt7EpPeJMVvh/J0yBp0YFzdIpHMsULz29cUI9cURq:vxOF0mlfD0YUJegvZpD0YtdsHqt+mR
MD5:	E062D1A015D2F223D5B29AA00AF5C304
SHA1:	456522C6326377D4540CCAC38DEEC23F7A9C8FAA
SHA-256:	EF9ABAC4C6DE39128A3B7CEBB84754D1627FAEB3C51D6C18A5585DA42B239E02
SHA-512:	9DC302075DDC4C80E89CBF79E22B70F8AC33F2ECDD015BBD68D951CD97E19ACEB9A79B81C59C71EE52E8DBDD4F2A4532D1A4203713501A7C1F060399DE962FF7
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAC58EE6D1517D958.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.3632719557803545
Encrypted:	false
SSDEEP:	48:Q7YuYO+CFXJvT58DKrYOqSyedCw1S3YwSpCuSbedCcb6QqyOMJZfe4:iYWHTmtN/nw1S3ZuWnLQqEZ
MD5:	034FD27FC5FD77DD051DD6F61C421549
SHA1:	034BD1E63901B43E2F3196158E915F6C6E963F0C
SHA-256:	035500C7CB99E7FE9237B2EF1439FF908277F2C74396689D4DA23D5A9847F79C
SHA-512:	D1208FD559BFF6EDF35D7789BDAE3F29E97840A19D85D52F26F5848A969960FAB254E4B9DE2813C7E888F2B4DFE277CBCB3E3359D1CA08DBA70304234BA3380D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAEAC4902BD4EAA73.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.3632719557803545
Encrypted:	false
SSDEEP:	48:Q7YuYO+CFXJvT58DKrYOqSyedCw1S3YwSpCuSbedCcb6QqyOMJZfe4:iYWHTmtN/nw1S3ZuWnLQqEZ
MD5:	034FD27FC5FD77DD051DD6F61C421549
SHA1:	034BD1E63901B43E2F3196158E915F6C6E963F0C
SHA-256:	035500C7CB99E7FE9237B2EF1439FF908277F2C74396689D4DA23D5A9847F79C
SHA-512:	D1208FD559BFF6EDF35D7789BDAE3F29E97840A19D85D52F26F5848A969960FAB254E4B9DE2813C7E888F2B4DFE277CBCB3E3359D1CA08DBA70304234BA3380D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB4D2F1BFFAA9379B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\$shtdwn$.req

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	data
Category:	dropped
Size (bytes):	788
Entropy (8bit):	0.09823380614560741
Encrypted:	false
SSDEEP:	3:lbll/:lB
MD5:	DF7119A5D3CAEDA80BF0FB6F8E53DE8F
SHA1:	76458E1D2E0FA4519FACB71A5F23F8799713BE2B
SHA-256:	3C418A401CBE09F64EDE6E598C5CA36717830446147C8EF6327168EDC7B1CB0C
SHA-512:	85142D1942111783303FA060348BC76B1DD361336DCCC9DC9CDD3432EC6CF215756CBA66A367E560C9D5719BA4F585434319A66D9A97D9A09F5AC4A752B00B6C
Malicious:	false
Preview:	Sdwn................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\1028\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (388), with CRLF line terminators
Category:	dropped
Size (bytes):	30672
Entropy (8bit):	4.2936704552740705
Encrypted:	false
SSDEEP:	384:4Y6C7xfsxMEYgPNRAsy50keJzH7o3oDPnv:MxLJz7
MD5:	7FC06A77D9AAFCA9FB19FAFA0F919100
SHA1:	E565740E7D582CD73F8D3B12DE2F4579FF18BB41
SHA-256:	A27F809211EA1A2D5224CD01101AA3A59BF7853168E45DE28A16EF7ED6ACD46A
SHA-512:	466DCC6A5FB015BE1619F5725FA62CA46EB0FB428E11F93FD9D82E5DF61C3950B3FB62D4DB7746CC4A2BE199E5E69EAA30B6F3354E0017CFA14D127FAD52F8CF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P.[..z._.... .x.6.4. .s^.S..!q.l.[.(W...Ps^.S.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P.[..z._.... .I.A.6.4. .s^.S..!q.l.[.(W...Ps^.S.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P\Omi.\|q}.N/e.c .M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. ..SI.ce\|vWY.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c.

C:\adf3c205d9b19c48c6c1d481d9d6\1028\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13656
Entropy (8bit):	6.129239027334325
Encrypted:	false
SSDEEP:	384:NauwLmlCW1g+/kmgWpcEWvLb6FjXHUH8O:5lpffMBb6FjXHUH8O
MD5:	7F85C4CE540C34FF7251F7C588AF59AB
SHA1:	5803571D8CCB44DE52C7958CD4772F14D7A5A474
SHA-256:	682DBA4047A6BB4379FA958B3074232751E8A4F3A4BA5C0C7D86F53BBC86AAD6
SHA-512:	72F2A5A4545FBD298DCB2C0496975C9340E6B5976B988757295B50DB5E8CEDA0EE2B24218D3370DA5ED56458C46CCD71415A7F4AEA52347102F1FCF5F9374D0B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......M.........."!.........................................................@......qX....@.......................................... ..`...............X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@...............M........+...........RSDS~i...@[N.WJ..#/.....SetupResources.pdb..................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\1028\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	16563
Entropy (8bit):	4.018763370458213
Encrypted:	false
SSDEEP:	384:32ddGEAeNy78Qh7K+PrKtLF3vKvjXEvDJivKvAvUK5CtQBuWuXGygqrbihls7oG/:lmf+qtCuqvA84h5
MD5:	A70D13852CABF5A800083E2B6581E707
SHA1:	90731A5B39CBAC28A7DBF79A56D3D8F966EF5543
SHA-256:	7A6F12DB5A1D58AA41B52299C5CE8B024E9A07683D9F37497F5280F5A2A69D19
SHA-512:	5A3FD0B962D0E367ACF73A09E44193E9D5DEA4E6844BF4CEB3F27DD8AF037FD52023534E6C4F580F6DA33EB2C76AEB69E806AC76135BE4C5C0BA5EDC7919B9B5
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset136 PMingLiU;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\froman\fprq2\fcharset2 Symbol;}{\f4\fnil\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\stylesheet{ Normal;}{\s1 heading 1;}{\s2 heading 2;}}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT \lang1028\f1\'b3\'6e\'c5\'e9\'b1\'c2\'c5\'76\'b1\'f8\'b4\'da\lang1046\f0 \par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1033 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES WITH SERVICE PACK 1\f2\par..\pard\nowidctlpar\sb120\sa120\lang1028\b0\f1\'a5\'bb\'b1\'c2\'c5\'76\'b1\'f8\'b4\'da\'ab\'59\'a4\'40\'a5\'f7\'a5\'d1\'a1\'40\'b6\'51\'a5\'ce\'a4\'e1\'bb\'50\lang1033\f0 Microsoft \lang1028\f1\'a4\'bd\'a5\'71\lang1033\f0 (\lang1028\f1\'a9\'ce\'a8\'e4\'c3\'f6\'ab\'59\'a5\'f8\'b7\'7e\lang1033\'a1\'41\lang1028\'b5\'f8\'a1\'40\'b6\'51\'a5\'ce\'a4\'e

C:\adf3c205d9b19c48c6c1d481d9d6\1031\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (615), with CRLF line terminators
Category:	dropped
Size (bytes):	41622
Entropy (8bit):	3.577523249714746
Encrypted:	false
SSDEEP:	384:4nF+jpoHnZi8oO0GOJ2+8q6OUjEYJL/ZiITrKv:V03XjZJL/YIy
MD5:	B83C3803712E61811C438F6E98790369
SHA1:	61A0BC59388786CED045ACD82621BEE8578CAE5A
SHA-256:	2AA6E8D402E44D9EE895B18195F46BF90259DE1B6F44EFD46A7075B110F2DCD6
SHA-512:	E020F93E3A082476087E690AD051F1FEB210E0915924BB4548CC9F53A7EE2760211890EB6036CE9E5E4A311ABC0300E89E25EFBBB894C2A621FFBC9D64CC8A38
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.i.e.s.e.s. .S.e.t.u.p.p.r.o.g.r.a.m.m. .e.r.f.o.r.d.e.r.t. .e.i.n.e. .x.6.4.-.P.l.a.t.t.f.o.r.m... .E.s. .k.a.n.n. .n.i.c.h.t. .a.u.f. .d.e.r. .P.l.a.t.t.f.o.r.m. .i.n.s.t.a.l.l.i.e.r.t. .w.e.r.d.e.n..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.i.e.s.e.s. .S.e.t.u.p.p.r.o.g.r.a.m.m. .e.r.f.o.r.d.e.r.t. .e.i.n.e. .I.A.6.4.-.P.l.a.t.t.f.o.r.m... .E.s. .k.a.n.n. .n.i.c.h.t. .a.u.f. .d.e.r. .P.l.a.t.t.f.o.r.m. .i.n.s.t.

C:\adf3c205d9b19c48c6c1d481d9d6\1031\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.243256544465039
Encrypted:	false
SSDEEP:	384:1Io6s3rhGrcHN/USYvYVAtWjieW5Lb6FjXHUMwL:1FhCSVYvYVAL9b6FjXHUMQ
MD5:	B55BBEBB5A23F503BBE5FE3FDFE660F8
SHA1:	79ED82EEC2C114C5DC9E44C6F83029955EF091AA
SHA-256:	E93D0A2C2F7A8F756F395320961E4AAB874638EB5F50BBB96D2B7528DFBB4E76
SHA-512:	EB717799E7E30FB277F3251139ADBE7CA6EA3A23179E772EE21A337EBD4561FA072DE55224115AB9DBFED520D91D3E29A1CAAA5BB89C69A1A89D3757D8C05308
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......M.........."!.........................................................P......\|.....@.......................................... ..h+...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@...............M........+...........RSDS~i...@[N.WJ..#/.....SetupResources.pdb..................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\1031\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10303
Entropy (8bit):	5.21810340625041
Encrypted:	false
SSDEEP:	192:efr7MR0HhNXHsKiPoDD2xOwgBI/z3ksgscx6DGC7v6yOCjIOMMP8uB2:aYRgN8mD2xiEz3ksgscx6KC7SyOCjIOy
MD5:	FC11D9C5EBFE1B71E76E4D6C4C6C862F
SHA1:	909620E4EC8B27B25CD51C2546B3700B52B05250
SHA-256:	CE75A8C844501501C8F622FC5C10495E34507ACEF33A3BABE105CEAB38D2DE47
SHA-512:	EBE807EF57DDE86ED18680D51774A3F34A25D7A6CBE589BCA039EA0B1822C16B2B84FD19E91DD2AAA5EF3CC506B12F1326E285CA08554346FE0C6B44B377694F
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fnil\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\stylesheet{ Normal;}{\s1 heading 1;}{\s2 heading 2;}}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1031\b\f0\fs20 MICROSOFT SOFTWARE: LIZENZBESTIMMUNGEN\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120 MICROSOFT \lang1033 VISUAL C++ 2010 RUNTIME LIBRARIES\lang1031 SERVICE PACK 1\par..\pard\nowidctlpar\sb120\sa120\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (oder einer anderen Microsoft-Konzerngesellschaft, wenn diese an dem Ort, an dem Sie die Software erwerben, die Software lizenziert). Bitte lesen Sie die Lizenzbestimmungen aufmerksam durch. Sie gelten f\'fcr die der oben genannten Software und gegebenenfalls f\'fcr die Medien, auf denen Sie diese erhalten haben, sowie f\'fcr alle von Microsoft

C:\adf3c205d9b19c48c6c1d481d9d6\1033\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (565), with CRLF line terminators
Category:	dropped
Size (bytes):	39246
Entropy (8bit):	3.5443876937052083
Encrypted:	false
SSDEEP:	192:4kVKhG9aX0SDpI53/asO0KMv+VXxwVcPIv5COQu4SLbpmQVX5FB0zJOkue6Jjfz3:4MKhJkeZsdlNl9SJOkR6NXaxu
MD5:	D642E322D1E8B739510CA540F8E779F9
SHA1:	36279C76D9F34C09EBDDC84FD33FCC7D4B9A896C
SHA-256:	5D90345FF74E177F6DA8FB6459C1CFCAC080E698215CA75FEB130D0D1F2A76B9
SHA-512:	E1E16AE14BC7CC1608E1A08D3C92B6D0518B5FABD27F2C0EB514C87AFC3D6192BF7A793A583AFC65F1899F03DC419263B29174456E1EC9AB0F0110E0258E0F0D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .x.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m...". ./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .I.A.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m...". ./.>..... . . . . . .<.T.e.x.t. .

C:\adf3c205d9b19c48c6c1d481d9d6\1033\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16728
Entropy (8bit):	5.274185928025323
Encrypted:	false
SSDEEP:	192:/BykqnUfwTW7JQWp/eWfjp8M+9HS8bC/TJs7kFkUQKPnEtm3EFxJhjeyveCXaq:jNo7Wp/eWk9ygC/TfFkULb6Fjpvkq
MD5:	0B4E76BAF52D580F657F91972196CD91
SHA1:	E6AC8F80AB8ADE18AC7E834AC6D0536BB483988C
SHA-256:	74A7767D8893DCC1A745522D5A509561162F95BC9E8BCC3056F37A367DBA64A4
SHA-512:	ED53292C549D09DA9118E944A646AA5DC0A6231811EAFCDA4258C892B218BCF3E0363A2C974868D2D2722155983C5DC8E29BED36D58E566E1695E23CE07FEA87
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......M.........."!.........(...............................................P....../.....@.......................................... ...%...........*..X............................................................................................text...G...........................@..@.rsrc....%... ...&..................@..@...............M........+...........RSDS~i...@[N.WJ..#/.....SetupResources.pdb..................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\1033\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	7346
Entropy (8bit):	4.957730247487973
Encrypted:	false
SSDEEP:	192:Ff9lHdwOQnTl2QpecglQREe931lGGgi2k90vuE9HSH/c2:bQOQnI6glQRjlGGgi24JAyE2
MD5:	0D0269DFD3FFA37529A14953A5891964
SHA1:	F4FD2C37B8AA22C1083210508DD35CB7665A36A5
SHA-256:	6BAB6A941CF861BE226207A02D2DCE79E007FA4368CF638EBBB6F6A762646729
SHA-512:	01817413168C0365B6B16A3D1A80061D94BBC8BC466528F05B42A65700847A9DE5996A8C55EC3F19FA9F35698D3790CDE572540DC7386409CB692A6A41BFC137
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fnil\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\stylesheet{ Normal;}{\s1 heading 1;}{\s2 heading 2;}}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT SOFTWARE LICENSE TERMS\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES WITH SERVICE PACK 1\par..\pard\nowidctlpar\sb120\sa120\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft\par..\pard\nowidctlpar\fi-360\li360\sb120\sa120\tx360\f1\'b7\tab\f0 updates,\par..\pard\nowidctlpar\fi-360\li360\sb120\sa120\f1\'b7\tab\

C:\adf3c205d9b19c48c6c1d481d9d6\1036\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (619), with CRLF line terminators
Category:	dropped
Size (bytes):	41492
Entropy (8bit):	3.5522209001567364
Encrypted:	false
SSDEEP:	192:4GrYAOJoFbZZ0eQiFaD4EbJeiI5hJUPu2oBknXoFDYnZCoroUnAJJFHq20/kFR/0:4GZUoRZc5ryx2fHIJR0kbG52gjfVv
MD5:	E382ABC19294F779D2833287242E7BC6
SHA1:	1CEAE32D6B24A3832F9244F5791382865B668A72
SHA-256:	43F913FF28D677316F560A0F45221F35F27CFAF5FC5BD645974A82DCA589EDBF
SHA-512:	06054C8048CADE36A3AF54F9A07FD8FA5EB4F3228790996D2ABEA7EE1EE7EB563D46BD54FF97441F9610E778194082C44E66C5F566C9C50A042ABA9EB9CAE25E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".C.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .r.e.q.u.i.e.r.t. .u.n.e. .p.l.a.t.e.f.o.r.m.e. .x.6.4... .I.l. .n.e. .p.e.u.t. .p.a.s. ...t.r.e. .i.n.s.t.a.l.l... .s.u.r. .c.e.t.t.e. .p.l.a.t.e.f.o.r.m.e..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".C.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .r.e.q.u.i.e.r.t. .u.n.e. .p.l.a.t.e.f.o.r.m.e. .I.A.6.4... .I.l. .n.e. .p.e.u.t. .p.a.s. ...t.r.e. .i.n.s.t.a.

C:\adf3c205d9b19c48c6c1d481d9d6\1036\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.212928118866036
Encrypted:	false
SSDEEP:	384:+Ds6rAY9li3OoDDkbCWpLeW7Lb6FjXHUVN4:+7fiZDg9Pb6FjXHUg
MD5:	DEB6DB975BD89F56742E0E35CD4C88C1
SHA1:	D81AC70EE356A73734C7817578D174C613DC5752
SHA-256:	49CC63136679D8CDAD80D9F73A8F034895B1A16B32894BBF936C568DAFA26A89
SHA-512:	AA373709E53B3CA3B04413AAF098CD584CA2E718F5BE1A128A6CA6CC8EF42A4D17856AE102CEADA444550BE4F21E93F32253BD5EBA794067C5C2BD781E7E490B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......M.........."!.........................................................P...........@.......................................... ...+...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@...............M........+...........RSDS~i...@[N.WJ..#/.....SetupResources.pdb..................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\1036\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	8833
Entropy (8bit):	5.13980517558444
Encrypted:	false
SSDEEP:	192:LfPlz+1WZ0a5+dAKkvY+8QE3clI6/JK3aE66i8UKjxb1c2OjL8Nr7FaF5c2:rw1WKa5+dAKkvY+8QEMlI6Q3PIX034se
MD5:	6A03E425EC71137AF114A5AAB2999B18
SHA1:	794A1D545DDED6CDC355449DD72F0A8A8303C4D2
SHA-256:	495BBBEC333AC355DEEAE48A56DAD9A3CEB7CDBD2FB28712EE628A26FA539320
SHA-512:	E12648B8B37002057C83581ECC5209490A98D37CAE850EAB0C035ED6640BE130238ECDB72195DEEF03BF8E71C3E6EDADB79276C1DB030BF0BF3DD8301DA9077C
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\froman\fprq2\fcharset2 Symbol;}{\f3\fnil\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\stylesheet{ Normal;}{\s1 heading 1;}{\s2 heading 2;}}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1036\b\f0\fs20 TERMES DU CONTRAT DE LICENCE D\rquote UN LOGICIEL MICROSOFT\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES WITH SERVICE PACK 1\par..\pard\nowidctlpar\sb120\sa120\b0 Les pr\'e9sents termes ont valeur de contrat entre Microsoft Corporation (ou en fonction du lieu o\'f9 vous vivez, l\rquote un de ses affili\'e9s) et vous. Lisez-les attentivement. Ils portent sur le logiciel nomm\'e9 ci-dessus, y compris le support sur lequel vous l\rquote avez re\'e7u le cas \'e9ch\'e9ant. Ce contrat porte \'e9galement sur les produits Microsoft suivants\~:\b\f1

C:\adf3c205d9b19c48c6c1d481d9d6\1040\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (601), with CRLF line terminators
Category:	dropped
Size (bytes):	40338
Entropy (8bit):	3.5295538496820984
Encrypted:	false
SSDEEP:	384:4hZo3+Ma9e1JzNZNs4fneAEJ0o5H/PuRv:NaudsJ1u
MD5:	0AF948FE4142E34092F9DD47A4B8C275
SHA1:	B3D6DD5C126280398D9055F90E2C2C26DBAE4EAA
SHA-256:	C4C7C0DDAA6D6A3A1DC260E9C5A24BDFAA98C427C69E8A65427DD7CAC0A4B248
SHA-512:	D97B5FE2553CA78A3019D53E33D2DB80C9FA1CF1D8D2501D9DDF0576C7E6EA38DAB754FE4712123ABF34B97E10B18FB4BBD1C76D3DACB87B4682E501F93423D9
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .r.i.c.h.i.e.d.e. .u.n.a. .p.i.a.t.t.a.f.o.r.m.a. .x.6.4... .I.m.p.o.s.s.i.b.i.l.e. .e.s.e.g.u.i.r.e. .l.'.i.n.s.t.a.l.l.a.z.i.o.n.e. .s.u. .q.u.e.s.t.a. .p.i.a.t.t.a.f.o.r.m.a..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .r.i.c.h.i.e.d.e. .u.n.a. .p.i.a.t.t.a.f.o.r.m.a. .I.A.6.4... .I.m.p.o.s.s.i.b.i.l.

C:\adf3c205d9b19c48c6c1d481d9d6\1040\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17752
Entropy (8bit):	5.251222570175727
Encrypted:	false
SSDEEP:	384:ADC6Tg7AtONBKHno5RW8eWRLb6FjXHUSqT:AcAbsZVb6FjXHUSqT
MD5:	FEA2C4737FEF0291589729F32FACE989
SHA1:	531BDEFE534BE10E07131C8E1754766470809004
SHA-256:	D6C6EDDE002C10CD680B2F67F7D60524F440F3138220188B926CDEA72EA7663F
SHA-512:	E52CFF86B0D905D9475E71C92FB9E1B14A8B00062008F81F234DBE1844C219D24742AE10E455C12667CC42277552AB2FF32A6B857FF9EBA3F920ABA762ACBD2A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......M.........."!.........,...............................................P......-V....@.......................................... ...)..............X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@...............M........+...........RSDS~i...@[N.WJ..#/.....SetupResources.pdb..................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\1040\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	9245
Entropy (8bit):	5.069998443181659
Encrypted:	false
SSDEEP:	192:Lf7laOFewwU3xr3/rhdSNj6HzLCwdi/V2VXk3rLnF2gtlH4c2:fjFhpdSczL/+V2a3rLnF2g/D2
MD5:	BEDE1C7787FEA865571A7D6F010361C5
SHA1:	3853CB9585922E86AFF886F32F6739308799E062
SHA-256:	563215712674FCEB29E04FA4BBCBBEC307FB4BE9EE15C820C46164F77D79BF16
SHA-512:	A408818DCAFF109B8972D3D287221D58405C656F4A56BD389E5044FF9EB3E3A6BD95E0C4E49D1BD36A429EF1DB168CCC77747B11397EE91436D078E81519414A
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\froman\fprq2\fcharset2 Symbol;}{\f3\fnil\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\stylesheet{ Normal;}{\s1 heading 1;}{\s2 heading 2;}}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1040\b\f0\fs20 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES WITH SERVICE PACK 1\par..\pard\nowidctlpar\sb120\sa120\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario. Il licenziatario deve leggerle con attenzione. Le presenti condizioni si applicano al software Microsoft sopra indicato, inclusi gli eventuali supporti di memorizzazione sui quali \'e8 stato ricevuto. Le presen

C:\adf3c205d9b19c48c6c1d481d9d6\1041\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (440), with CRLF line terminators
Category:	dropped
Size (bytes):	34318
Entropy (8bit):	4.3825885013202255
Encrypted:	false
SSDEEP:	192:4OTOo45ZyAYcou3LDnmUjMFsrHZmxqJOXhNCGYHre3iR7v:4OTOoMhYcRaOXJ6koIv
MD5:	7FCFBC308B0C42DCBD8365BA62BADA05
SHA1:	18A0F0E89B36818C94DE0AD795CC593D0E3E29A9
SHA-256:	01E7D24DD8E00B5C333E96D1BB83813E02E96F89AAD0C2F28F84551D28ABBBE2
SHA-512:	CD6F912A037E86D9E1982C73F0F8B3C4D5A9A6B5B108A7B89A46E6691E430A7CB55718DE9A0C05650BB194C8D4A2E309AD6221D638CFCA8E16AA5920881BA649
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".S0n0.0.0.0.0.0.0 ..0.0.0.0.0o0 .x.6.4. ..0.0.0.0.0.0.0n0.0.0.[a.h0W0f0D0~0Y0.0S0.0o0S0n0.0.0.0.0.0.0.0.0k0o0.0.0.0.0.0.0g0M0~0[0.0.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".S0n0.0.0.0.0.0.0 ..0.0.0.0.0o0 .I.A.6.4. ..0.0.0.0.0.0.0n0.0.0.[a.h0W0f0D0~0Y0.0S0.0o0S0n0.0.0.0.0.0.0.0.0k0o0.0.0.0.0.0.0g0M0~0[0.0.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.

C:\adf3c205d9b19c48c6c1d481d9d6\1041\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15192
Entropy (8bit):	6.067848015888429
Encrypted:	false
SSDEEP:	192:pg6ujUfwtW1+/FuZhS5CSJk/lhoW5vEWPQKPnEtm3EFxJhjeyveCXmeqVt:qUC7mS53JkNaW5vEWPLb6Fjpv2Vt
MD5:	16573D635A815922B58DD44BB05DE687
SHA1:	96FD34DAB1A620E74B0E8E6D4259CEDECBB2C2EC
SHA-256:	A41ED13266FF12EC89A219E2FEA573FC5694B92181705D1B035BBB143AA7C388
SHA-512:	C956698FD6DC93DC6044BF0D41BE5BAC2B20005992836564C955A7143144706F8623A225A8C77BF19898A4B074874BF26056E22F48EE5C4F83EF7AF88BD8BBB2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......M.........."!........."...............................................@......1n....@.......................................... ..p............$..X............................................................................................text...G...........................@..@.rsrc.... ... ... ..................@..@...............M........+...........RSDS~i...@[N.WJ..#/.....SetupResources.pdb..................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\1041\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	24099
Entropy (8bit):	3.825803656837097
Encrypted:	false
SSDEEP:	192:3fCp7l5T9Yx8Ty+HaCECL9UumM4JEjFntEjjQD3cue6IvZ2N/Fump17D5joXSEZU:6Q+EU5heUzjKSYYecnOMFjsb6RU2
MD5:	D391858950A2E53FB7CAD0EF993A0857
SHA1:	D0C433C38A62BF0FCE4285585DBDC0BC9159F60D
SHA-256:	415336BDD86FFEEAEF7FF776717F18FA83418107851800EE0EE1FD65DDCF8A97
SHA-512:	E5AB613589BACE9BA6CA91EEB82101B49CDD6BB5E667A69F9D9EA90718041BA520955E581B3C9AC4D63D613F6FD4DA220C2C7CEC5CE1A721F4D55396DB15266B
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset128 MS PGothic;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\froman\fprq2\fcharset2 Symbol;}{\f4\fnil\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\stylesheet{ Normal;}{\s1 heading 1;}{\s2 heading 2;}}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1041\b\f0\fs20\'83\'7d\'83\'43\'83\'4e\'83\'8d\'83\'5c\'83\'74\'83\'67\lang1033\f1 \lang1041\f0\'83\'5c\'83\'74\'83\'67\'83\'45\'83\'46\'83\'41\lang1033\f1 \lang1041\f0\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f1 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES WITH SERVICE PACK 1\par..\pard\nowidctlpar\sb120\sa120\lang1041\b0\f0\'96\'7b\'83\'7d\'83\'43\'83\'4e\'83\'8d\'83\'5c\'83\'74\'83\'67\lang1033\f1 \lang1041\f0\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\lang1033\f1 (\l

C:\adf3c205d9b19c48c6c1d481d9d6\1042\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (439), with CRLF line terminators
Category:	dropped
Size (bytes):	32962
Entropy (8bit):	4.366055142656104
Encrypted:	false
SSDEEP:	192:4cdsW0fwUrh+UgYUDQhGAtPN/2JWCTJSIQvPaLWL2C4oH/Drv:4cdszvrBgYUDQhF5N7IJSIQvkQfLH/Pv
MD5:	71DFD70AE141F1D5C1366CB661B354B2
SHA1:	C4B22590E6F6DD5D39E5158B831AE217CE17A776
SHA-256:	CCCDA55294AEB4AF166A8C0449BCA2189DDF5AA9A43D5E939DD3803E61738331
SHA-512:	5000D62F3DE41C3FB0ED8A8E9C37DBF4EB427C4F1E3AD3823D4716C6FE62250BAC11B7987A302B8A45D91AABCF332457F7AFF7D99F15EDEFFE540639E9440E8A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".t. .$.X. ...\.....D. .....X.$.t. .x.6.4. ......t. .D..i..... .t. ......... .$.X.`. ... ........"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".t. .$.X. ...\.....D. .....X.$.t. .I.A.6.4. ......t. .D..i..... .t. ......... .$.X.`. ... ........"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".t. ..... ........... .M.i.c.r.o.s.o.f.

C:\adf3c205d9b19c48c6c1d481d9d6\1042\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14680
Entropy (8bit):	6.064264278627106
Encrypted:	false
SSDEEP:	192:gE4khnUfwVWgj2sPKNS0N7gVCAMWpBeWrQKPnEtm3EFxJhjXHUz1TrOyRGK:1DY6d2Kj0lgRMWpBeWrLb6FjXHUDJ
MD5:	58A0B0927CF8C14905AB954AF86EB283
SHA1:	B9E65286F66CFF98302F1A85F45FEE501F5FD971
SHA-256:	A45694F34A2A532C4E284E16C654518EB3A5C8CCB14F266A1BC7C49BAF493506
SHA-512:	775DFEBA4CEB51378DED2B778E1C70FF4D9B05C303272682E61A60BCABCBB1FB3B44749FEABFF54F2ACF137BF3CB677553F4BDC21AD1CD7550E5D904E0B3603D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......M.........."!......... ...............................................@............@.......................................... ..............."..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@...............M........+...........RSDS~i...@[N.WJ..#/.....SetupResources.pdb..................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\1042\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	34291
Entropy (8bit):	4.149816302442216
Encrypted:	false
SSDEEP:	384:bhPZmmiJvqtz3QN4GPstREaUmJ9S7Syd2Io3G0h16koLHlx/z+WH2wsDwCnaZVSQ:VhmHvtns/EwW+Y/ewtCY+yVcQo4
MD5:	BF5C632A7F64FAF037FCEDDFFA79F0E1
SHA1:	4CE736E4620F34B432760A6A292303522DEDD1D5
SHA-256:	74B89881C0D953DDF6E87619E5C898DADFD113AFFBA28A2C71BE3FA0D952D7BD
SHA-512:	3516F913A74F9407495F74C1E8494C8E492AC5B4592CB08A6D880BDDEE7AECD67152C1A999DC202DDA021A94943CFD5658B14AF3DAA72F0FE7B1C63A0026EEEA
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\fswiss\fprq2\fcharset129 Gulim;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\froman\fprq2\fcharset2 Symbol;}{\f4\fnil\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\stylesheet{ Normal;}{\s1 heading 1;}{\s2 heading 2;}}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT \lang1042\f1\'bc\'d2\'c7\'c1\'c6\'ae\'bf\'fe\'be\'ee\lang1033\f0 \lang1042\f1\'bb\'e7\'bf\'eb\lang1033\f0 \lang1042\f1\'c1\'b6\'b0\'c7\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES WITH SERVICE PACK 1\f2\par..\pard\nowidctlpar\sb120\sa120\lang1042\b0\f1\'ba\'bb\lang1033\f0 \lang1042\f1\'bb\'e7\'bf\'eb\lang1033\f0 \lang1042\f1\'c1\'b6\'b0\'c7\'c0\'ba\lang1033\f0 Microsoft Corporation(\lang1042\f1\'b6\'c7\'b4\'c2\lang1033\f0 \lang1042\f1\'b0\'c5\'c1\'d6\lang1033\f0 \lang1042\f1\'c1\'f

C:\adf3c205d9b19c48c6c1d481d9d6\1049\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (634), with CRLF line terminators
Category:	dropped
Size (bytes):	40428
Entropy (8bit):	4.232828720335164
Encrypted:	false
SSDEEP:	384:4q0oG/2VrQa0inweNLvSli+CJA3aJW5cGUT3CT+v:DVFJl
MD5:	0EEB554D0B9F9FCDB22401E2532E9CD0
SHA1:	08799520B72A1EF92AC5B94A33509D1EDDF6CAF8
SHA-256:	BEEF0631C17A4FB1FF0B625C50C6CB6C8CE90A1AE62C5E60E14BF3D915AD509C
SHA-512:	2180E46A5A2EA1F59C879B729806CA02A232C66660F29C338C1FA7FBEE2AFA4B13D8777D1F7B63CF831EB42F3E55282D70AA8E53F40616B8A6E4D695C36E313D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."...;.O. .M.B.>.9. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .B.@.5.1.C.5.B.A.O. .?.;.0.B.D.>.@.<.0. .x.6.4... ...5. .=.5.;.L.7.O. .C.A.B.0.=.>.2.8.B.L. .=.0. .4.0.=.=.C.N. .?.;.0.B.D.>.@.<.C..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."...;.O. .M.B.>.9. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .B.@.5.1.C.5.B.A.O. .?.;.0.B.D.>.@.<.0. .I.A.6.4... ...5. .=.5.;.L.7.O. .C.A.B.0.=.>.2.8.B.L. .=.0. .4.0.=.=.C.N. .?.;.0.B.D.>.@.<.C.

C:\adf3c205d9b19c48c6c1d481d9d6\1049\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.713407069931387
Encrypted:	false
SSDEEP:	192:T5BgnUfwVWBCl23DV3SD1tt9WfXHT7nME5xeWUQKPnEtm3EFxJhjeyveCXHM:T3v65URiD1vwLo8eWULb6FjpvZM
MD5:	C4E9876C6EDB5A287A2DCBF7D7DF2568
SHA1:	803270A294C9C78F889BD2920C4EEF6C2B0DED31
SHA-256:	59F7539D8E98D5CA88AD3376D4281E709344EF061B80793021E8733EEF312328
SHA-512:	071080E2F47C613CA11B243386CAB623ECB7561786ACF5CAAEDBCB37EC8EA318AB2D4D27159B07FE5AF6608BB6D254A37C08A4352E975FF68FF5BE60639E1A05
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......M.........."!.........................................................P............@.......................................... ...*...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@...............M........+...........RSDS~i...@[N.WJ..#/.....SetupResources.pdb..................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\1049\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	26856
Entropy (8bit):	3.646005856063089
Encrypted:	false
SSDEEP:	384:spSEbldVGRw5rF7TavN0rDSIyshfe0s8q1vi8eonN7Uii6sCbDS5gLDPw9LVxOik:y/Vl6Q/u/GgXPw9JQ98aCfHZ/G
MD5:	156313549F1D699ECF7922F27B9F554C
SHA1:	C11E59A96C7FA5081AEBBD82A7CB928D18B766EB
SHA-256:	3794117C849778FE43BE7DA7EE160FDBBC41C8B6F24EFE4CEEDDD6738D731B1E
SHA-512:	02D386E6D08C581435053FF61F8104F47A58EBE1C988F6696B6C755CC99FC07C033EF717FD21EF8004B2C68A59656795990F49FBD224B635386895E43A48FAA3
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset204 Tahoma Cyr;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\froman\fprq2\fcharset2 Symbol;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}{\f4\fnil\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\stylesheet{ Normal;}{\s1 heading 1;}{\s2 heading 2;}}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1049\b\f0\fs20\'d3\'d1\'cb\'ce\'c2\'c8\'df \'cb\'c8\'d6\'c5\'cd\'c7\'c8\'c8 \'cd\'c0 \'c8\'d1\'cf\'ce\'cb\'dc\'c7\'ce\'c2\'c0\'cd\'c8\'c5 \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'cd\'ce\'c3\'ce \'ce\'c1\'c5\'d1\'cf\'c5\'d7\'c5\'cd\'c8\'df MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES WITH SERVICE PACK 1\par..\pard\nowidctlpar\sb120\sa120\lang1049\b0\f0\'dd\'f2\'e8 \'f3\'f1\'eb\'ee\'e2\'e8\'ff \'eb\'e8\'f6\'e5\'ed\'e7\'e8\'e8 \'ff\'e2\'eb\'ff\'fe\'f2\'f1\'ff \'f1\'ee\'e3\'eb\'e0\'f8\'e5\'ed\'e8\'e5\'ec \

C:\adf3c205d9b19c48c6c1d481d9d6\2052\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (390), with CRLF line terminators
Category:	dropped
Size (bytes):	31138
Entropy (8bit):	4.240036868712424
Encrypted:	false
SSDEEP:	192:4Qn7cJwYTzOnyquEWTOAXUewfMcqQJywXk83GJPupIoxnb/2v:4Qn7cJxTC/uEWTfXUewiQJyoknJY9b+v
MD5:	52B1DC12CE4153AA759FB3BBE04D01FC
SHA1:	BF21F8591C473D1FCE68A9FAF1E5942F486F6EBA
SHA-256:	D1735C8CFD8E10BA019D70818C19FA865E7C72F30AB6421A3748408F85FB96C3
SHA-512:	418903AE9A7BAEBF73D055E4774FF1917FBAAB9EE7ED8C120C34BB10E7303F6DD7B7DAE701596D4626387A30AE1B4D329A9AF49B8718B360E2FF619C56C19623
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.[..z.^..Bl.O(u .x.6.4. .s^.S.0.N..(Wdks^.S.N.[.dk.z.^.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.[..z.^..Bl.O(u .I.A.6.4. .s^.S.0.N..(Wdks^.S.N.[.dk.z.^.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.d\O.\|.~.N/e.c .M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e..0"./.>..... . . . . . .<.

C:\adf3c205d9b19c48c6c1d481d9d6\2052\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13656
Entropy (8bit):	6.177429103802493
Encrypted:	false
SSDEEP:	192:Gs8nUfwVWtTXjuQShyjK7ocW7EWcQKPnEtm3EFxJhjeyveCXfnzYVG:ZTCTFhMKNW7EWcLb6FjpvlN
MD5:	A2CEB066756861F7BB4F45F6DAA1DFDA
SHA1:	AD1EB8184485AF68A58B661C5A31B72AC1E580C5
SHA-256:	3A10AE07B0FD345E6B7DD9BFCA7653F08ABC097448A4BF9C39F0DF16D0F95B99
SHA-512:	1865EE9D85D42BAABBE6D2490FD1685F075685618D874F0EC4B27FC78B84F2F43C6E7CD5E666DB3230E38B4D17EA3470EAC84750DB4C6F69DE73BD97C2DCA941
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......M.........."!.........................................................@............@.......................................... ..................X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@...............M........+...........RSDS~i...@[N.WJ..#/.....SetupResources.pdb..................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\2052\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	16242
Entropy (8bit):	4.055338447097465
Encrypted:	false
SSDEEP:	384:6WOmTYUI1tR+PZBZNgANlPLE3o14BI3G7288GKGfPt0iswGcq8Z2:NU/+PZ5zOmqf1c
MD5:	8667C04407DF32DBAE7C7553C5963745
SHA1:	901E33C831A89062391252AE7F581CDB1D8FB275
SHA-256:	E8B2AF11A0C37B6085FAFB053EC1C66454EF1B58C65CA45422B9150B9D2D37FC
SHA-512:	79EC3C43FF5E599022EAD3B86367DD202A9138CF50EAEEB6106D8313CEACBFBC432E101BFB48CA2C6B43887B3738AE7470F2473D1A84CFFD6B2B882AE893E1B7
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\fnil\fprq2\fcharset134 SimSun;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\froman\fprq2\fcharset2 Symbol;}{\f4\fnil\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\stylesheet{ Normal;}{\s1 heading 1;}{\s2 heading 2;}}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT\f1\'c8\'ed\'bc\'fe\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES WITH SERVICE PACK 1\par..\pard\nowidctlpar\sb120\sa120\lang2052\b0\f1\'b1\'be\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\'ca\'c7\lang1033\f0 Microsoft Corporation\f1\'a3\'a8\lang2052\'bb\'f2\'c4\'fa\'cb\'f9\'d4\'da\'b5\'d8\'b5\'c4\lang1033\f0 Microsoft Corporation \lang2052\f1\'b9\'d8\'c1\'aa\'b9\'ab\'cb\'be\lang1033\'a3\'a9\lang2052\'d3\'eb\'c4\'fa\'d6\'ae\'bc\'e4\'b4\'ef\'b3\'c9\'b5\'c4\'d0\'ad\'d2\'e9\'a1\'a3\

C:\adf3c205d9b19c48c6c1d481d9d6\3082\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (616), with CRLF line terminators
Category:	dropped
Size (bytes):	40912
Entropy (8bit):	3.5296334743141515
Encrypted:	false
SSDEEP:	384:4fgA4Ukd+uYW1HCD1GO/tja2QDu7Jr++dP8z3AzOrv:tUZW1iDDdWCJi8Pg32Y
MD5:	5397A12D466D55D566B4209E0E4F92D3
SHA1:	FCFFD8961FB487995543FC173521FDF5DF6E243B
SHA-256:	F124D318138FF084B6484DEB354CCA0F72296E1341BF01169792B3E060C89E89
SHA-512:	7708F5A2AD3E4C90C4C216600435AF87A1557F60CAF880A3DD9B5F482E17399AF9F0B9DE03FF1DBDD210583E0FEC5B466E35794AC24D6D37F9BBC094E52FC77B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".E.s.t.e. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .r.e.q.u.i.e.r.e. .u.n.a. .p.l.a.t.a.f.o.r.m.a. .x.6.4... .N.o. .s.e. .p.u.e.d.e. .i.n.s.t.a.l.a.r. .e.n. .e.s.t.a. .p.l.a.t.a.f.o.r.m.a..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".E.s.t.e. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .r.e.q.u.i.e.r.e. .u.n.a. .p.l.a.t.a.f.o.r.m.a. .I.A.6.4... .N.o. .s.e. .p.u.e.d.e. .i.n.s.t.a.l.a.r. .e.n. .e.s.t.a. .p.l.a.t.

C:\adf3c205d9b19c48c6c1d481d9d6\3082\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.287079497384687
Encrypted:	false
SSDEEP:	192:46knnUfwVWVCe8b1S2U85ZTYG1NmWJeWWQKPnEtm3EFxJhjXHUz1TrOcm0Xg:4tq6Lbg2zZTf1NmWJeWWLb6FjXHU6b
MD5:	994CCCF4287C01153066CC3986769DBB
SHA1:	7A480E89E507D0E2863E9699CCB668C9C64DA497
SHA-256:	D79E2747AA300747A4073883B7BAAE3214196B982199B08243AD5BF73DCE18D9
SHA-512:	18BF42C30EC6BFA15ACA4B535C4A23335CBB51BD232D00B83A716C4C7B514C4F152B413556D58E7BFA16CB32900AD195C68542B26BEECFE8C356F3BC272D8379
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......M.........."!.........................................................P............@.......................................... ..(*...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@...............M........+...........RSDS~i...@[N.WJ..#/.....SetupResources.pdb..................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\3082\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	10271
Entropy (8bit):	5.161891329008937
Encrypted:	false
SSDEEP:	192:LfKlBfh7TJRSB4w6Fzm3Iuksbhu9+9GQwEeocPztyv5vFvAtUtBrCl7Yuk3LrC9w:+Pfh7TD649F63Iufbg9euEeLhMvmSQKT
MD5:	D64D283F0AA734CDB9EDF02A6D92334B
SHA1:	3D90A22FE198BA9E4A46D7CC78EC91DA05D29E80
SHA-256:	7E1B4CFDE7EA549360A3B323E720F1A6CB58C64AAE823650DA5A5FFB127FE645
SHA-512:	D54FF0BED510E84A4584F33588753B10EE7E5E2CCE95A5A834C5CE06486D683CA903F28A6E8D45C56BBE903A078367CFF8A2AFB3A2061545E5C34FA6ADDEB1CE
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\froman\fprq2\fcharset2 Symbol;}{\f3\fnil\fcharset0 Calibri;}}..{\colortbl ;\red0\green0\blue255;}..{\stylesheet{ Normal;}{\s1 heading 1;}{\s2 heading 2;}}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1034\b\f0\fs20 T\'c9RMINOS DE LICENCIA DEL SOFTWARE DE MICROSOFT\lang3082\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1034\f0 MICROSOFT\lang3082 VISUAL C++ 2010 RUNTIME LIBRARIES WITH SERVICE PACK 1\f1\par..\pard\nowidctlpar\sb120\sa120\lang1034\b0\f0 Los presentes t\'e9rminos de licencia son un contrato entre Microsoft Corporation (o, en funci\'f3n del pa\'eds en que usted resida, una de las sociedades de su grupo) y usted.\lang3082 \lang1034 S\'edrvase leerlos detenidamente.\lang3082 \lang1034 Son de aplicaci\'f3n al software\lang3082 \lang1034 arriba mencionado, el cual incluye los s

C:\adf3c205d9b19c48c6c1d481d9d6\DHtmlHeader.html

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	16118
Entropy (8bit):	3.6434775915277604
Encrypted:	false
SSDEEP:	192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
MD5:	CD131D41791A543CC6F6ED1EA5BD257C
SHA1:	F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256:	E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512:	A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious:	false
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\adf3c205d9b19c48c6c1d481d9d6\DisplayIcon.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	88533
Entropy (8bit):	7.210526848639953
Encrypted:	false
SSDEEP:	1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
MD5:	F9657D290048E169FFABBBB9C7412BE0
SHA1:	E45531D559C38825FBDE6F25A82A638184130754
SHA-256:	B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
SHA-512:	8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
Malicious:	false
Preview:	..............(...............h...............h...f... .............. .............. ..........^...00......h....#..00..........n)..00...........8........ .h....T.. .... .....&Y..00.... ..%...i........ ._...v...(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.\|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..\|u..xq..\|r..\|u..rx..zy..\|w.}.y...q...d...y...{......S...]..d..i..r..\|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l.............................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\Print.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.923507556620034
Encrypted:	false
SSDEEP:	24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
MD5:	7E55DDC6D611176E697D01C90A1212CF
SHA1:	E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
SHA-256:	FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
SHA-512:	283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
Malicious:	false
Preview:	............ .h.......(....... ..... .....@.........................................................................................t?.fR.\|bN.y_K.v\H.rXD.oUA.kQ=.hN:.eK7.cI5.cI5.cI5i.........th<..z............................................cI5.cI5...................................................qXE.cI5.cI5.......~.............................................}eS.kR>.cI5......................................................q`.w^L.cI5..............................z..~n..sb..jX.{bP.t[H..~m..kY.nT@.......................................................{..wf.zaM.......vO.......................q..r`.}cQ.w]J..lZ.......t.x^J...........}Z..................................z`M........{aM...............0..............................jY.{aO...........................................................x^K.x^Kk.....................................................n\.y_L...........................r...............................y_L.x^K&.........................s.............

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\Rotate1.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5118974066097444
Encrypted:	false
SSDEEP:	6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
MD5:	26A00597735C5F504CF8B3E7E9A7A4C1
SHA1:	D913CB26128D5CA1E1AC3DAB782DE363C9B89934
SHA-256:	37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
SHA-512:	08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
Malicious:	false
Preview:	..............h.......(....... .......................................................................................................................................................................................t.r........................................p.nn.l\|.z..........................................g.e.......................................................................................P.N..........................................P.OG.FP.O..........................................?.>...................................................................................................+...........................................3.2%.$+...........................................!. ............{.{.............................................................................................~.~..................................G.......................................G..........

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\Rotate2.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5178766234336925
Encrypted:	false
SSDEEP:	12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
MD5:	8419CAA81F2377E09B7F2F6218E505AE
SHA1:	2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
SHA-256:	DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
SHA-512:	74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
Malicious:	false
Preview:	..............h.......(....... ...............................................................................................................................................................................................................................................................................................................................................................................r.p..........................................q.oj.hq.o..........................................b.`...................................................................................................J.I..................\|.\|...y.y...............Q.PC.BF.E..........................................>.=.........".!..........................................2.1".!'.&..........................................".!.....................................G.......................................G..........

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\Rotate3.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5189797450574103
Encrypted:	false
SSDEEP:	12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
MD5:	924FD539523541D42DAD43290E6C0DB5
SHA1:	19A161531A2C9DBC443B0F41B97CBDE7375B8983
SHA-256:	02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
SHA-512:	86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
Malicious:	false
Preview:	..............h.......(....... .................................................................................................................................................................................................................................................................................................................................................................................................................z.z...{.{...........................................................................................................................................................s.q..........................................y.wl.jl.j...............3.2#."*.)..................f.d.........E.D.........(.'..............................U.TE.DF.E..........................................E.D.....................................G.......................................G..........

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\Rotate4.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5119705312617957
Encrypted:	false
SSDEEP:	6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
MD5:	BB55B5086A9DA3097FB216C065D15709
SHA1:	1206C708BD08231961F17DA3D604A8956ADDCCFE
SHA-256:	8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
SHA-512:	DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
Malicious:	false
Preview:	..............h.......(....... .............................................................................................................................................................................................................y.y...\|.\|.............................................................................................................................................................................................................................................,.+".!,.+.........................................(.'......................................................................................=.<..........................................S.RC.BG.F.............................j.h.........H.G..............................y.wj.hi.g..........................................j.h.....................................G.......................................G..........

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\Rotate5.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5083713071878764
Encrypted:	false
SSDEEP:	6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
MD5:	3B4861F93B465D724C60670B64FCCFCF
SHA1:	C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
SHA-256:	7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
SHA-512:	2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
Malicious:	false
Preview:	..............h.......(....... .................................................................................................{.{...~.~.......................................................................................}.}.........................................................).(#."2.1..........................................).(...................................................................................................=.<..........................................N.ME.DN.M..........................................M.L.......................................................................................e.c..........................................z.xl.jm.k........................................r.p........................................................................................................................G.......................................G..........

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\Rotate6.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5043420982993396
Encrypted:	false
SSDEEP:	12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
MD5:	70006BF18A39D258012875AEFB92A3D1
SHA1:	B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
SHA-256:	19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
SHA-512:	97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
Malicious:	false
Preview:	..............h.......(....... .................................................................................................... ............................................$.$ ..0./...........................{.{............ ...........<.;..........................................C.BA.@O.N...............{.{...~.~..................G.F..................................................................................................._.]..........................................n.lg.en.l..........................................p.n...............................................................................................................................................................................................................................................................................................................G.......................................G..........

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\Rotate7.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.4948009720290445
Encrypted:	false
SSDEEP:	6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
MD5:	FB4DFEBE83F554FAF1A5CEC033A804D9
SHA1:	6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
SHA-256:	4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
SHA-512:	3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
Malicious:	false
Preview:	..............h.......(....... ....................................................................................................G.F..........................................H.GG.FX.V..............................).(.........G.F.........i.g..................+.*%.$5.4...............n.ln.l{.y.................. .......................u.s............................................................................................................................................................~.~...~.~.................................................................................................................................................................................................................................................................................................................................................G.......................................G..........

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\Rotate8.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.513882730304912
Encrypted:	false
SSDEEP:	12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
MD5:	D1C53003264DCE4EFFAF462C807E2D96
SHA1:	92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
SHA-256:	5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
SHA-512:	C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
Malicious:	false
Preview:	..............h.......(....... ....................................................................................................g.e..........................................g.eg.ew.u..............................F.E.........g.e..............................E.DA.@P.O..........................................:.9......................................................................................&.%.........................................+.* ..+.*..................................................................................................................................................{.{.......................................................................................~.~...{.{..............................................................................................................................................G.......................................G..........

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\Save.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.824239610266714
Encrypted:	false
SSDEEP:	24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
MD5:	7D62E82D960A938C98DA02B1D5201BD5
SHA1:	194E96B0440BF8631887E5E9D3CC485F8E90FBF5
SHA-256:	AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
SHA-512:	AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
Malicious:	false
Preview:	............ .h.......(....... ..... .....@........................................................................................klT.de..UV..RS..OP..MM..JJ..GG..DD..AA.x;<.x;<.r99.n67..........kl......D$.G2!...............VMH..>3..=6..91.r99..........op.........q[K.G<4..xh...........s..A5..B<..=5.x;<..........uv...........q[K.....G<4..........tg..KC..ID..B<.}>>..........{\|.............q[K.q[K.q[K.q[K.vbR.}j[..VT..OL..ID..AA...............................yz..qr..kl..]\..VT..PL..DD.....................c`..^V..XK..R?..M4..G(..A...;...]\..VT..GG................fg.................................;...]\..JJ................mn..................................A...gg..MM................vw..................................G(..qr..OP..................................................M4..yz..RS..................................................R?.g33..UV....................................................XK..XY..XY..................................

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\Setup.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	36710
Entropy (8bit):	5.3785085024370805
Encrypted:	false
SSDEEP:	384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
MD5:	3D25D679E0FF0B8C94273DCD8B07049D
SHA1:	A517FC5E96BC68A02A44093673EE7E076AD57308
SHA-256:	288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
SHA-512:	3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
Malicious:	false
Preview:	..............(...............h...............h...V... .............. .............. ..........N...00......h...."..00..........^)..00...........8........ .h....T.. .... ......Y..00.... ..%...i..(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.\|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..\|u..xq..\|r..\|u..rx..zy..\|w.}.y...q...d...y...{......S...]..d..i..r..\|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l..........................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\SysReqMet.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.038533294442847
Encrypted:	false
SSDEEP:	24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
MD5:	661CBD315E9B23BA1CA19EDAB978F478
SHA1:	605685C25D486C89F872296583E1DC2F20465A2B
SHA-256:	8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
SHA-512:	802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
Malicious:	false
Preview:	............ .h.......(....... ..... .....@..........................................M...........S...........................................q.......................z...................................;........q.c.P.K.\|.}............C....................................;.!......................................................Ry,.*w..!.............-.........................................6b..8v................ .+.@............#....................4u..;a..............H.<.........=.C.............................&y..x.e.................$}......................................<.).........\.A............}..................................[.R.}.n.Z.C.y.Y.k.L............. q..............................t.s............r...k.........]{G..............................................y.`.z.h.a.N.e.P...............................................~.q._.J...............................8....................t.p..................?..................................................

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\SysReqNotMet.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.854644771288791
Encrypted:	false
SSDEEP:	24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
MD5:	EE2C05CC9D14C29F586D40EB90C610A9
SHA1:	E571D82E81BD61B8FE4C9ECD08869A07918AC00B
SHA-256:	3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
SHA-512:	0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
Malicious:	false
Preview:	............ .h.......(....... ..... .....@....................................../..F..........!....n....d..................................;.............,+..AB..UV..XZ...1.....S......................U.....................EE..\[..rr......NP.....^..............<s.....................!.$)..AC..jj..ww..{{..57.....4........01.................H..........N?8;..[[..ba..`_..TU....L.......bj]^..QP.........:..........)N#&..>=..GG..HI..IJ..EE..!#......24..mm..hh..,.............+N........)(..-.....{-...-,........ SPS..zy..qr....qq......0NCE..33..%%........ZJ...."$..0/../1....?qRU............W}..)A]^..rr..qq..Y[...._z........CE..RQ..AC....8`79.........SU..ab......\|\|..ef....ey...........QZ[..ZZ..=?.....(...d....................pr.....H............IK..jj..fg..,..........]_..................[y.......(..:VQS..{z..ut..ab....'H...........?................\|\|..ef..jk..................$%d....................W....................................*,n.............................HI......................WY

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\stop.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	10134
Entropy (8bit):	6.016582854640062
Encrypted:	false
SSDEEP:	96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
MD5:	5DFA8D3ABCF4962D9EC41CFC7C0F75E3
SHA1:	4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
SHA-256:	B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
SHA-512:	69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
Malicious:	false
Preview:	...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@......................................................................................................wwx...........w....w.........x....x.........x.y.......................p..............x.........q.......p.........q.................xy...........q.......................p.............y..................x.y..............y.y.............yyy.........S........x..........yy.............x.yyyx......................Q.8.........x..............y....qy.p...y.....x.....p........y....9.....y....yy..yx.......y..yyyw..p.....y.yyyyy................x.p........y.yy..........x...x............x.................wwx.....................?...................................................................................................?............(....... ..................................................................................................ww.....w..........xx..x........x....p........xy

C:\adf3c205d9b19c48c6c1d481d9d6\Graphics\warn.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	10134
Entropy (8bit):	4.3821301214809045
Encrypted:	false
SSDEEP:	192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
MD5:	B2B1D79591FCA103959806A4BF27D036
SHA1:	481FD13A0B58299C41B3E705CB085C533038CAF5
SHA-256:	FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
SHA-512:	5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
Malicious:	false
Preview:	...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@................................................................................................................................................................wwwww.....wwww...................3333333333338...{....3s.....x...{....0G;.............0.;...7.........33....8.....{...33..............0....7...............8.......{....;.............0.;.............0...8...........4...............wu;.............ww;.............ww;?...........;ww;.............7w................................8.............{...................................................................................................................................................................?...?..................................................?...?.........(....... ........................................................................................................333333;...............8.........;........

C:\adf3c205d9b19c48c6c1d481d9d6\ParameterInfo.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (314), with CRLF line terminators
Category:	dropped
Size (bytes):	22326
Entropy (8bit):	3.4699283021317466
Encrypted:	false
SSDEEP:	384:R3vG8G6KGXaNR1ydfaWZy1EwtKRliehOxnCGYCrKFl:R3OfQqNR1ydfaWZy1EwtKRliehOxndY7
MD5:	13F8768C289476FDD103FF689D73CD2D
SHA1:	DDEBCECC02C6B1B996423D62D0DEF8760F031F58
SHA-256:	4EAE293CA91B31AAA206E5A1C655714F0FE84E39F9331CB759D2236CDB915523
SHA-512:	C72998F30EBFF8F4A757248639CF0351D03F5502BE475B4CB8F02B09AD800DBBE2F9A82C7D9BDE6D7BD748E0EE6E61B86E369192773FE726421A564E793A0139
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. . .x.8.6. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".1.0...0...4.0.2.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".U.s.e.r.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .

C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78152
Entropy (8bit):	6.011523537068061
Encrypted:	false
SSDEEP:	1536:GgNItbBL5NWiiESvRexWZnqxMQP8ZOs0Jr6FrHU0:GgNAB9NWTZvwc/gBAFo0
MD5:	2AF2C1A78542975B12282ACA4300D515
SHA1:	3216C853ED82E41DFBEB6CA48855FDCD41478507
SHA-256:	531EB45798728CB741043B28B8C1A4F75536DC75F92D100F55F9109D2D63F0D7
SHA-512:	4A70BD4B542F6001E46F827F341676C34AF1EA216C50AD981DD04F547CD67F73AAA420FCBED379DC05DAB199BF5BA00D899C49FF75DA577613209F96226227EB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........MB.j.B.j.B.j.-...@.j.Yu..K.j.Yu..J.j.Yu..u.j.K...A.j.B.k...j.-...C.j.-...A.j.-...C.j.-...C.j.-...C.j.-...C.j.RichB.j.........PE..L......M.........."......f...........+............@..........................P...........@...... ..................pu..x...Tp..<.......................H....@...... ................................(..@............................................text....e.......f.................. ..`.data................j..............@....rsrc................v..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\SetupEngine.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	808280
Entropy (8bit):	6.359499098763113
Encrypted:	false
SSDEEP:	24576:hS62AlYAxM20z7TzuO5cEewDODLzNu/6K8lxvSU1CcweD:hS62AlYA8TEpNuV8LvSU1Ccwe
MD5:	63E7901D4FA7AC7766076720272060D0
SHA1:	72DEC0E4E12255D98CCD49937923C7B5590BBFAC
SHA-256:	A5116CCB17B242713E5645C2374ABF5827C0D2752B31553E3540C9123812E952
SHA-512:	DE2E63BC090121484191CBF23194361D761B01C0FD332F35F0DFDFD0B11431B529E5C7F542031A0E7E26F31497D94B8BAACFBF1C84C6493E66AC2AB76C11D0A0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r..{!..{!..{!.H.!..{!.H.!..{!...!..{!...!..{!...!..{!...!=.{!...!..{!..z!.{!...!..{!...!..{!...!..{!...!..{!...!..{!Rich..{!................PE..L......M.........."!.................................................................*....@.................................L...h....................>..X..............................................@............................................text...@........................... ..`.data..............................@....rsrc................j..............@..@.reloc..R............t..............@..B................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\SetupUi.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	295248
Entropy (8bit):	6.260169948333258
Encrypted:	false
SSDEEP:	3072:IDPVUK59JnkphBxIc7e+Fe2rNiw8EktfyTm0HqRi/M+sy1lQWc+pm5hxv5yDoBni:SaygowjTMi/uVwd3KP
MD5:	0D214CED87BF0B55883359160A68DACB
SHA1:	A60526505D56D447C6BBDE03DA980DB67062C4C6
SHA-256:	29CF99D7E67B4C54BAFD109577A385387A39301BCDEC8AE4BA1A8A0044306713
SHA-512:	D9004EBD42D4AA7D13343B3746CF454CA1A5144F7B0F437F1A31639CC6BD90C5DD3385612DF926BF53C3EF85CFE33756C067CB757FFF257D674A10D638FC03C5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c..X'.r.'.r.'.r.<f....r.<f..5.r.<f..N.r.....>.r.'.s...r.H...&.r.H...$.r.H...&.r.H...&.r.H...&.r.Rich'.r.........PE..L......M.........."!......................................................................@..........................................P...............j..P....`.. ?..................................hz..@............................................text............................... ..`.data....Q.......4..................@....rsrc........P......................@..@.reloc...T...`...V..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\SetupUi.xsd

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
Category:	dropped
Size (bytes):	30120
Entropy (8bit):	4.990211039591874
Encrypted:	false
SSDEEP:	768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
MD5:	2FADD9E618EFF8175F2A6E8B95C0CACC
SHA1:	9AB1710A217D15B192188B19467932D947B0A4F8
SHA-256:	222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
SHA-512:	A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..

C:\adf3c205d9b19c48c6c1d481d9d6\SplashScreen.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PC bitmap, Windows 3.x format, 200 x 200 x 8, image size 40000, resolution 3779 x 3779 px/m, cbSize 41078, bits offset 1078
Category:	dropped
Size (bytes):	41078
Entropy (8bit):	0.3169962482036715
Encrypted:	false
SSDEEP:	24:SgrNa0EfB4elU+jB+rQXJH4+Cs77hIfVHCv4ToqIzgPc8wcKHL+3:3pa0e4YjB5vAHk4E7zgPcDc53
MD5:	43B254D97B4FB6F9974AD3F935762C55
SHA1:	F94D150C94064893DAED0E5BBD348998CA9D4E62
SHA-256:	91A21EBA9F5E1674919EE3B36EFA99714CFB919491423D888CB56C0F25845969
SHA-512:	46527C88F0AED25D89833B9BE280F5E25FFCEAE6BC0653054C8B6D8EBE34EBA58818A0A02A72BD29279310186AC26D522BBF34191FBDE279A269FC9DA5840ACC
Malicious:	false
Preview:	BMv.......6...(...................@.......................{7...>...h?..D...N...K..........xE..._#..q..T...X...Q...[..._...c...j....>.!....f...v...r...."..v....0....... ..........4..I.........[...}..............j.............................................................................................................i......................@>1.......................................................o...u...u...z...z...~............................................................................................................................................................................{...~.................................................................................................................yw`......................................................................................................................................................//'...........................................

C:\adf3c205d9b19c48c6c1d481d9d6\Strings.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	14246
Entropy (8bit):	3.70170676934679
Encrypted:	false
SSDEEP:	384:VAZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VAB
MD5:	332ADF643747297B9BFA9527EAEFE084
SHA1:	670F933D778ECA39938A515A39106551185205E9
SHA-256:	E49545FEEAE22198728AD04236E31E02035AF7CC4D68E10CBECFFD08669CBECA
SHA-512:	BEA95CE35C4C37B4B2E36CC1E81FC297CC4A8E17B93F10423A02B015DDB593064541B5EB7003560FBEEE512ED52869A113A6FB439C1133AF01F884A0DB0344B0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". ..... . . . . . . . . .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.S.t.r.i.n.g.s.>..... . . . .<.!.-.-. .R.e.f.l.e.c.t.i.v.e. .p.r.o.p.e.r.t.y. .p.a.g.e. .-.-.>..... . . . .<.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>.#.(.l.o.c...i.d.s._.c.a.p.t.i.o.n._.f.o.r.m.a.t._.1.s.).<./.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>..... . . . .<.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>.#.(.l.o.c...i.d.s._.i.s._.r.e.a.l.l.y._.c.a.n.c.e.l.).<./.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>......... . . . .<.!.-.-. .S.y.s.t.e.m. .R.e.q.u.i.r.e.m.e.n.t.s. .p.a.g.e. .-.-.>..... . . . .<.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.P.A.C.E.>.#.(.l.o.c...s.y.s.r.e.q.

C:\adf3c205d9b19c48c6c1d481d9d6\UiInfo.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	36342
Entropy (8bit):	3.0936879258457686
Encrypted:	false
SSDEEP:	768:S4UR0d5v1SguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjT5fuPkfuS:S4UR0d5v1QYQLIN/6Fmhvk71sO0Nep3q
MD5:	4F90FCEF3836F5FC49426AD9938A1C60
SHA1:	89EBA3B81982D5D5C457FFA7A7096284A10DE64A
SHA-256:	66A0299CE7EE12DD9FC2CFEAD3C3211E59BFB54D6C0627D044D44CEF6E70367B
SHA-512:	4CE2731C1D32D7CA3A4F644F4B3111F06223DE96C1E241FCC86F5FE665F4DB18C8A241DAE4E8A7E278D6AFBF91B235A2C3517A40D4D22D9866880E19A7221160
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.R.e.g.K.e.y.>..... . . . . . . . .<.R.e.g.V.a.l.u.e.N.a.m.e.>.U.I.L.a.n.g.u.a.g.e._.f.a.k.e.<./.R.e.g.V.a.l.u.e.N.a.m.e.>..... . . . . . .<./.L.C.I.D.H.i.n.t.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . .

C:\adf3c205d9b19c48c6c1d481d9d6\header.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PC bitmap, Windows 3.x format, 49 x 49 x 24, image size 7254, resolution 2834 x 2834 px/m, cbSize 7308, bits offset 54
Category:	dropped
Size (bytes):	7308
Entropy (8bit):	3.7864255453272464
Encrypted:	false
SSDEEP:	48:9L9GXidTgX2bqxIS0SRosEYYgJSIf4pKTg7pDdEAeObh8EWu:R/Y2bq10Q/EY1sK8M4bb
MD5:	3AD1A8C3B96993BCDF45244BE2C00EEF
SHA1:	308F98E199F74A43D325115A8E7072D5F2C6202D
SHA-256:	133B86A4F1C67A159167489FDAEAB765BFA1050C23A7AE6D5C517188FB45F94A
SHA-512:	133442C4A65269F817675ADF01ADCF622E509AA7EC7583BCA8CD9A7EB6018D2AAB56066054F75657038EFB947CD3B3E5DC4FE7F0863C8B3B1770A8FA4FE2E658
Malicious:	false
Preview:	BM........6...(...1...1...........V.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\msp_kb2565063.msp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Create Time/Date: Wed Jun 29 03:19:52 2011, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 4, Template: Intel;0, Last Saved By: Intel;0, Revision Number: {F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}10.0.40219;{1F4F1D2A-D9DA-32CF-9909-48485DA06DD5}, Number of Pages: 200, Number of Characters: 153223199
Category:	dropped
Size (bytes):	4028928
Entropy (8bit):	7.99425811627881
Encrypted:	true
SSDEEP:	98304:lEpd3qZ0G3garI8w8xhB2TU01SHMMV6ZArX:KaZtC8vBy10M4
MD5:	9843DC93EA948CDDC1F480E53BB80C2F
SHA1:	D6EC9DB8B8802EC85DD0B793565401B67AD8E5E0
SHA-256:	7C969FCDA6EF09D2EB7BBBC8D81795EB60C9C69ED835FD16538369AD0A6E0F10
SHA-512:	79008CFDD8AE1EA27675588E7BA8123D08CE14047E5F167B3B5F6FBCDADEB45515BD72E18E59ABF632ECBFBB42243FBCBEBE4CBE0ED6BA195D0B2CA6D88676F9
Malicious:	false
Preview:	......................>...................>............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\adf3c205d9b19c48c6c1d481d9d6\sqmapi.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144416
Entropy (8bit):	6.7404750879679485
Encrypted:	false
SSDEEP:	3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
MD5:	3F0363B40376047EFF6A9B97D633B750
SHA1:	4EAF6650ECA5CE931EE771181B04263C536A948B
SHA-256:	BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
SHA-512:	537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................................................Rich...................PE..L....IE...........!.........$.....................l.........................@......R.....@.........................D.......$...d....................... (... ......P...8............................\..@.......t.......D............................text............................... ..`.data...............................@....rsrc...............................@..@.reloc....... ......................@..Ba.IE8....IEC....IEP....IEZ.....IEe....IEP...........msvcrt.dll.ADVAPI32.dll.ntdll.DLL.USER32.dll.KERNEL32.dll...............................................................................................................................................................................................................................................

C:\adf3c205d9b19c48c6c1d481d9d6\vc_red.cab

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Microsoft Cabinet archive data, 4218761 bytes, 19 files, at 0x44 +A "F_CENTRAL_atl100_x86" +A "F_CENTRAL_mfc100_x86", flags 0x4, number 1, extra bytes 20 in head, 357 datablocks, 0x1503 compression
Category:	dropped
Size (bytes):	4224705
Entropy (8bit):	7.999824074209114
Encrypted:	true
SSDEEP:	98304:buCaO1KF/Zn4LkYytTHmuzfgnKZ9zWs2wU2Td:buCf1KF/94Lk9TPzf9Os2wU25
MD5:	C580A38F1A1A7D838076A1B897C37011
SHA1:	C689488077D1C21820797707078AF826EA676B70
SHA-256:	71C0ACC75EECDF39051819DC7C26503583F6BE6C43AB2C320853DE15BECE9978
SHA-512:	EA3A62BD312F1DDEEBE5E3C7911EB3A73BC3EE184ABB7E9B55BC962214F50BBF05D2499CAF151D0BD00735E2021FBEA9584BF3E868A1D4502B75EC3B62C7FF56
Malicious:	false
Preview:	MSCF....._@.....D............................_@.8...........Y...e...H.........S>f. .F_CENTRAL_atl100_x86.H.C.H.....S>f. .F_CENTRAL_mfc100_x86.P....4E...S>f. .F_CENTRAL_mfc100chs_x86.P.....E...S>f. .F_CENTRAL_mfc100cht_x86.P...0OF...S>f. .F_CENTRAL_mfc100deu_x86.P....JG...S>f. .F_CENTRAL_mfc100enu_x86.P....!H...S>f. .F_CENTRAL_mfc100esn_x86.P... .I...S>f. .F_CENTRAL_mfc100fra_x86.P...p.J...S>f. .F_CENTRAL_mfc100ita_x86.P.....K...S>f. .F_CENTRAL_mfc100jpn_x86.P.....K...S>f. .F_CENTRAL_mfc100kor_x86.P...`^L...S>f. .F_CENTRAL_mfc100rus_x86.P}C..KM...S>f. .F_CENTRAL_mfc100u_x86.P?.......S>f. .F_CENTRAL_mfcm100_x86.P?..P.....S>f. .F_CENTRAL_mfcm100u_x86.Pm...G....S>f. .F_CENTRAL_msvcp100_x86.P.......S>.. .F_CENTRAL_msvcr100_x86.P...@.....S>f. .F_CENTRAL_vcomp100_x86.P3...K....S>f. .FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8..^b..:..[......+.."SP$......W..de`e. .(.$.gV...2..X.A....*..y....v..a.....v......+.A.Q...k....,.<..`f..F........4.]..l.\|wq..\..\../.[.=Y..nG.

C:\adf3c205d9b19c48c6c1d481d9d6\vc_red.msi

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Template: Intel;0, Revision Number: {461C455E-DA40-49B3-871B-14308CC7CEFF}, Create Time/Date: Sun Feb 20 07:03:10 2011, Last Saved Time/Date: Sun Feb 20 07:03:10 2011, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 2, Number of Words: 2
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	6.375644516596573
Encrypted:	false
SSDEEP:	3072:0oTMYRradauoCcJg95gTdmmYdwYNRTK0+E4mN2E2275V495u:7RWd1odm4mmYdwT1
MD5:	3FF9ACEA77AFC124BE8454269BB7143F
SHA1:	8DD6ECAB8576245CD6C8617C24E019325A3B2BDC
SHA-256:	9ECF3980B29C6AA20067F9F45C64B45AD310A3D83606CD9667895AD35F106E66
SHA-512:	8D51F692747CFDD59FC839918A34D2B6CBBB510C90DEA83BA936B3F5F39EE4CBD48F6BB7E35ED9E0945BF724D682812532191D91C8F3C2ADB6FF80A8DF89FF7A
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\adf3c205d9b19c48c6c1d481d9d6\watermark.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 628 x 24, image size 308978, resolution 2834 x 2834 px/m, cbSize 309032, bits offset 54
Category:	dropped
Size (bytes):	309032
Entropy (8bit):	6.583379857106919
Encrypted:	false
SSDEEP:	3072:yUDLmozgtuVYKKKvwUbKh5+/uWLspp2e1jSaMsb1bIZU0g0WQbO//QGVYBtGKQgc:yUDLmozvygKjzbIGgBZBkUfDfc
MD5:	1A5CAAFACFC8C7766E404D019249CF67
SHA1:	35D4878DB63059A0F25899F4BE00B41F430389BF
SHA-256:	2E87D5742413254DB10F7BD0762B6CDB98FF9C46CA9ACDDFD9B1C2E5418638F2
SHA-512:	202C13DED002D234117F08B18CA80D603246E6A166E18BA422E30D394ADA7E47153DD3CCE9728AFFE97128FDD797FE6302C74DC6882317E2BA254C8A6DB80F46
Malicious:	false
Preview:	BM(.......6...(.......t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9993209376296495
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	bitrecover-eml-to-pdf-wizard.exe
File size:	75'514'712 bytes
MD5:	359250c1f24628516457451768236637
SHA1:	677cb6de1caaadada28f4f6d3a1d9914b0487c42
SHA256:	e43f392314b4f0ba5597e325cd9593c734711112cf58475d910f06c350440b35
SHA512:	1bc4452cbfaeff390e35a610392bc6ad7e8a1004546182158836ce81e4d8d889778216689fee8f7232d32a365c4ee72ba829e063ee6b92e334e81b1443dfcd2a
SSDEEP:	1572864:SDNgQsSygQ69KY9gqrh3JxCqTqkYskA4rMuEXGNd4O:SDNgQygQFY9gAJxxhYsOrMuEXGNd4O
TLSH:	8EF7335F6229407EE05D773602B2A15015F7BB7EF226BD1362E4D984CFB90C10FBA9A4
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	c29bb39bb3b38bf0

Static PE Info

General

Entrypoint:	0x4a7ed0
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5CC41133 [Sat Apr 27 08:22:11 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	eb5bc6ff6263b364dfbfb78bdb48ed59

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	03/03/2022 01:00:00 24/04/2025 01:59:59
Subject Chain	CN=BitRecover Software, O=BitRecover Software, L=Uttam Nagar, S=Delhi, C=IN
Version:	3
Thumbprint MD5:	4D7FF2543633F5BB9B4171E590F37EAA
Thumbprint SHA-1:	0BF590D915A331C8F23D1D70FF14647F2D7A4E3E
Thumbprint SHA-256:	DAB0D014F47BFAD1792AC4536EAA46E201F45766FAF41FA407009FC059ADC793
Serial:	0A6B5BC3A1719D1140CE3CDE34853643

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2BC0h
call 00007F7264631A2Dh
xor eax, eax
push ebp
push 004A85C2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A857Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F72646C5B27h
call 00007F72646C567Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F7264647058h
mov edx, dword ptr [ebp-14h]
mov eax, 004B3708h
call 00007F726462C2B7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B3708h]
mov dl, 01h
mov eax, dword ptr [00423698h]
call 00007F72646480BFh
mov dword ptr [004B370Ch], eax
xor edx, edx
push ebp
push 004A852Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F72646C5BAFh
mov dword ptr [004B3714h], eax
mov eax, dword ptr [004B3714h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F72646CC46Ah
mov eax, dword ptr [004B3714h]
mov edx, 00000028h
call 00007F72646489B4h
mov edx, dword ptr [004B3714h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb6000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb4000	0xf1c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb9000	0x8b0c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4801c10	0x2748
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb8000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb42e0	0x240	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb5000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa50e0	0xa5200	d2d65fadb7b1be676e1248ab404382da	False	0.3560172809424678	data	6.368250598681687	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1668	0x1800	73e002411a8e0d309143a3e055e89568	False	0.5411783854166666	data	5.950488815097041	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x37a4	0x3800	43e7b93b56ed2b1f2c341832da76e1f0	False	0.3604213169642857	data	5.027871318308703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x676c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb4000	0xf1c	0x1000	daddecfdccd86a491d85012d9e547c63	False	0.36474609375	data	4.791610915860562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb5000	0x1a4	0x200	be0581a07bd7d21a29f93f8752d3e826	False	0.345703125	data	2.7458225536678693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb6000	0x9a	0x200	57cd71ca96fdc064696777e5b35cf0bb	False	0.2578125	data	1.881069204504408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb7000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb8000	0x5d	0x200	967e84eb6ac477621cd1643650d7bc91	False	0.189453125	data	1.3697437648744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xb9000	0x8b0c	0x8c00	6ae490675408f3477ae706d6e565737f	False	0.325390625	data	5.666131463209248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xb9528	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.7203757225433526
RT_ICON	0xb9a90	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.5961191335740073
RT_ICON	0xba338	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.4227078891257996
RT_ICON	0xbb1e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088, resolution 2834 x 2834 px/m	English	United States	0.5425531914893617
RT_ICON	0xbb648	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224, resolution 2834 x 2834 px/m	English	United States	0.2518761726078799
RT_ICON	0xbc6f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600, resolution 2834 x 2834 px/m	English	United States	0.21825726141078838
RT_STRING	0xbec98	0x360	data			0.34375
RT_STRING	0xbeff8	0x260	data			0.3256578947368421
RT_STRING	0xbf258	0x45c	data			0.4068100358422939
RT_STRING	0xbf6b4	0x40c	data			0.3754826254826255
RT_STRING	0xbfac0	0x2d4	data			0.39226519337016574
RT_STRING	0xbfd94	0xb8	data			0.6467391304347826
RT_STRING	0xbfe4c	0x9c	data			0.6410256410256411
RT_STRING	0xbfee8	0x374	data			0.4230769230769231
RT_STRING	0xc025c	0x398	data			0.3358695652173913
RT_STRING	0xc05f4	0x368	data			0.3795871559633027
RT_STRING	0xc095c	0x2a4	data			0.4275147928994083
RT_RCDATA	0xc0c00	0x10	data			1.5
RT_RCDATA	0xc0c10	0x2c4	data			0.6384180790960452
RT_RCDATA	0xc0ed4	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xc0f00	0x5a	data	English	United States	0.7
RT_VERSION	0xc0f5c	0x584	data	English	United States	0.2726628895184136
RT_MANIFEST	0xc14e0	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x453abc
__dbk_fcall_wrapper	2	0x40d3dc
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	17:00:25
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe"
Imagebase:	0x400000
File size:	75'514'712 bytes
MD5 hash:	359250C1F24628516457451768236637
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:00:26
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-GS5U5.tmp\bitrecover-eml-to-pdf-wizard.tmp" /SL5="$10440,74753301,739328,C:\Users\user\Desktop\bitrecover-eml-to-pdf-wizard.exe"
Imagebase:	0x400000
File size:	2'560'328 bytes
MD5 hash:	9DC81EA31610361FCFE670EA7EE92C56
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:01:22
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe" /passive /norestart
Imagebase:	0x1000000
File size:	8'993'744 bytes
MD5 hash:	F45ADE105F9C4FE754976C820230A9E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:01:25
Start date:	26/04/2024
Path:	C:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe
Wow64 process (32bit):	true
Commandline:	c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart
Imagebase:	0x40000
File size:	78'152 bytes
MD5 hash:	2AF2C1A78542975B12282ACA4300D515
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:01:31
Start date:	26/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff765070000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:02:09
Start date:	26/04/2024
Path:	C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe"
Imagebase:	0xe00000
File size:	198'984 bytes
MD5 hash:	2184C492140EC7B8E84C048B080566A4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	30.4%
Dynamic/Decrypted Code Coverage:	74.4%
Signature Coverage:	43.6%
Total number of Nodes:	691
Total number of Limit Nodes:	20

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01005899 Relevance: 91.4, APIs: 42, Strings: 10, Instructions: 429
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0100D060,000000FF), ref: 010058CB
#17.COMCTL32 ref: 010058DA
GetProcessHeap.KERNEL32 ref: 010058E0
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 010058FA
DeleteCriticalSection.KERNEL32(0100D060,20000001), ref: 01005E77
ExitProcess.KERNEL32 ref: 01005E86

Strings

c:\adf3c205d9b19c48c6c1d481d9d6, xrefs: 01005B0A, 01005B9E, 01005C97
Extracting File:, xrefs: 01005AA1, 01005ABD, 01005AEA, 01005B98, 01005BB8, 01005C34, 01005DF0, 01005E07, 01005E08
_SFX_CAB_EXE_PATH, xrefs: 01005C9C
_sfx_manifest_, xrefs: 01005B99
_SFX_CAB_EXE_PACKAGE, xrefs: 01005CA8
c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart, xrefs: 01005CD0, 01005CFA, 01005D6C
To Directory:, xrefs: 01005AD4, 01005AF8
D, xrefs: 01005D5C
C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe, xrefs: 01005A2F, 01005B60, 01005CA3
_SFX_CAB_EXE_PARAMETERS, xrefs: 01005CB5

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: CriticalProcessSection$CountCreateDeleteEventExitHeapInitializeSpin
String ID: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe$D$Extracting File:$To Directory:$_SFX_CAB_EXE_PACKAGE$_SFX_CAB_EXE_PARAMETERS$_SFX_CAB_EXE_PATH$_sfx_manifest_$c:\adf3c205d9b19c48c6c1d481d9d6$c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart
API String ID: 2862019026-1018368574
Opcode ID: c3a792d8c2075a35dd7e64b05d9c3b2f4654ac4543c79ca2ca3d8c026a3f3d64
Instruction ID: c7a1a7c6920ba9a6fd8a3830312b28b74cc00901af42d7916e2ca50266dc036a
Opcode Fuzzy Hash: c3a792d8c2075a35dd7e64b05d9c3b2f4654ac4543c79ca2ca3d8c026a3f3d64
Instruction Fuzzy Hash: 06E18070540245BFFB339BA49E89F6A3BA9F705754F1042AAF2C1A50D9DBBA4C40CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01004F6B Relevance: 79.4, APIs: 35, Strings: 10, Instructions: 646timestringencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 010045EB: GetFileAttributesA.KERNELBASE(?), ref: 0100465E
Part of subcall function 010045EB: LoadLibraryA.KERNEL32(advapi32.dll), ref: 01004672
Part of subcall function 010045EB: GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 01004682
Part of subcall function 010045EB: DecryptFileA.ADVAPI32(?,00000000), ref: 01004695
Part of subcall function 010045EB: GetLastError.KERNEL32 ref: 0100469B

InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?,?,?), ref: 0100502A
InitializeAcl.ADVAPI32(?,00000100,00000002,?,?,?,?,?), ref: 01005046
AddAccessAllowedAce.ADVAPI32(?,00000002,10000000,?,?,?,?,?,?), ref: 0100506B
AddAccessAllowedAce.ADVAPI32(?,00000002,10000000,?,?,?,?,?,?), ref: 01005081
AddAccessAllowedAce.ADVAPI32(?,00000002,10000000,?,?,?,?,?,?), ref: 01005097
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,?,?,?,?), ref: 010050AB
GetCurrentDirectoryA.KERNEL32(00000104,c:\adf3c205d9b19c48c6c1d481d9d6,?,?,?,?,?), ref: 010050DB
GetSystemDirectoryA.KERNEL32(c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart,0000FFFF), ref: 010050F0
QueryDosDeviceA.KERNEL32(c:\,?,00000400), ref: 01005146
_strlwr.MSVCRT ref: 01005162
strstr.MSVCRT ref: 0100517C
strstr.MSVCRT ref: 01005190
GetDiskFreeSpaceA.KERNELBASE(005C3A63,?,?,?,?,?,?,?), ref: 010051E8
CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,?,?,?), ref: 01005357
CryptGenRandom.ADVAPI32(?,00000010,?,?,?,?,?,?), ref: 01005388
sprintf.MSVCRT ref: 0100539F
sprintf.MSVCRT ref: 010053D7
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?), ref: 0100544B
GetSystemTime.KERNEL32(?,?,?,?,?,?), ref: 0100547A
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?), ref: 0100548E
DialogBoxParamA.USER32(0000006B,Function_00003E7A,00000000,?,00000000), ref: 01005501
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 01005601
LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,cc:\), ref: 01005615
SetFileTime.KERNELBASE(DADAFEED,?,?,?,?,00000000,cc:\), ref: 01005627
FindCloseChangeNotification.KERNELBASE(DADAFEED,?,00000000,cc:\), ref: 01005630
SendDlgItemMessageA.USER32(000204BC,0000006A,00000405,00000000,00000000), ref: 01005661
MoveFileExA.KERNEL32(0100C3A0,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 01005692
strstr.MSVCRT ref: 0100571A
_stricmp.MSVCRT(?,_sfx_manifest_,?,00000000,cc:\), ref: 01005742
SendDlgItemMessageA.USER32(000204BC,00000068,0000000C,00000000,?), ref: 010057A7
GetLastError.KERNEL32(?,00000000,cc:\), ref: 010057E4

Part of subcall function 01004590: CreateDirectoryA.KERNELBASE(?,?), ref: 010045B8

CreateFileA.KERNELBASE(?,40000000,00000003,00000000,00000002,00000080,00000000,?,00000000,cc:\), ref: 0100584D
SetFilePointer.KERNELBASE(00000000,?,00000000,00000000,?,00000000,cc:\), ref: 01005865
SetEndOfFile.KERNELBASE(00000000,?,00000000,cc:\), ref: 01005868
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000,cc:\), ref: 01005872

Strings

xn`, xrefs: 010057C8
c:\adf3c205d9b19c48c6c1d481d9d6, xrefs: 01004F7E, 01004FE6, 01004FF8, 010050D1, 01005377, 0100539E, 010053EC, 010053FF, 0100545A, 0100545F, 010054B7, 010054E8, 01005540, 01005580, 0100566D, 0100567E, 010056BF, 010057B7
temp\ext, xrefs: 01005460
ramdisk, xrefs: 0100518A
harddisk, xrefs: 01005174
cdtag.1, xrefs: 01005712
_sfx_manifest_, xrefs: 0100573A
ccc:\, xrefs: 0100533B
%02x, xrefs: 010053CC
c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart, xrefs: 010050EB, 010050F6

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: File$Time$AccessAllowedCryptDirectorySystemstrstr$ContextCreateDescriptorErrorInitializeItemLastMessagePointerSecuritySendsprintf$AcquireAddressAttributesChangeCloseCurrentDaclDateDecryptDeviceDialogDiskFindFreeLibraryLoadLocalMoveNotificationParamProcQueryRandomReleaseSpace_stricmp_strlwr
String ID: %02x$_sfx_manifest_$c:\adf3c205d9b19c48c6c1d481d9d6$c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart$ccc:\$cdtag.1$harddisk$ramdisk$temp\ext$xn`
API String ID: 3434955678-3122526060
Opcode ID: fc543d989388e90af9c16f5f6d5131e38cd47ae6136f058cfd03532917dbfc3f
Instruction ID: cb34d6e19b9d76d7dc8cc1b05be71e2c05cbe8c8c636e12e1b2dadafe6b93270
Opcode Fuzzy Hash: fc543d989388e90af9c16f5f6d5131e38cd47ae6136f058cfd03532917dbfc3f
Instruction Fuzzy Hash: 6232A1719006589FFB73DB689C48BEA7BB9AB05346F0041E6E6C9E21C1DB758AC4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010046B9 Relevance: 70.6, APIs: 30, Strings: 10, Instructions: 611
filestringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?,00000000), ref: 01004730
strstr.MSVCRT ref: 010047C6
SetFileAttributesA.KERNEL32(?,00000080), ref: 01004801
GetLastError.KERNEL32 ref: 01004848
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?,?), ref: 0100496F
strstr.MSVCRT ref: 010049D2
SetFileAttributesA.KERNEL32(?,00000080), ref: 01004A0D
CopyFileA.KERNEL32(?,?,00000000), ref: 01004A22
GetLastError.KERNEL32 ref: 01004A2E
CopyFileA.KERNEL32(0100CE20,0100C3A0,00000000), ref: 01004A7C
SetFileAttributesA.KERNEL32(?,00000080), ref: 01004AB3
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?,?), ref: 01004B4D
_strlwr.MSVCRT ref: 01004B8F
GetLastError.KERNEL32 ref: 01004BCA
MoveFileA.KERNEL32(?,0100CE20), ref: 01004BEE
MoveFileA.KERNEL32(0100CE20,?), ref: 01004C1F
_strlwr.MSVCRT ref: 01004C3E
strstr.MSVCRT ref: 01004D07
FindFirstFileA.KERNEL32(?,?), ref: 01004D25
strrchr.MSVCRT ref: 01004D43
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?), ref: 01004D75
DeleteFileA.KERNEL32(?), ref: 01004D98
Sleep.KERNEL32(000001F4), ref: 01004DA7
SetFileAttributesA.KERNEL32(?,00000080), ref: 01004DB9
DeleteFileA.KERNEL32(?), ref: 01004DC6
FindNextFileA.KERNEL32(?,00000010), ref: 01004DEE
FindClose.KERNEL32(?), ref: 01004E02
strchr.MSVCRT ref: 01004E60
strrchr.MSVCRT ref: 01004F18
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,010022BB,?), ref: 01004F4B

Strings

c:\adf3c205d9b19c48c6c1d481d9d6, xrefs: 01004744, 01004778, 010047A8, 01004983, 010049BC, 01004B61, 01004CF1, 01004E99, 01004EF4
xn`, xrefs: 010047EB, 010049F7, 01004DD7
delete, xrefs: 01004CB1, 01004CB6, 01004E08
verify, xrefs: 01004AE3, 01004C8E
command, xrefs: 01004E22
options, xrefs: 01004E27, 01004E2C, 01004EAD
run, xrefs: 01004EA8
copy, xrefs: 01004906, 01004AC5
\..\, xrefs: 010047C0, 010049CC, 01004D01
deltas, xrefs: 010046D2, 010046D7, 010048F5

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: File$ItemMessageSend$Attributes$ErrorFindLaststrstr$CopyDeleteMove_strlwrstrrchr$CloseFirstNextSleepstrchr
String ID: \..\$c:\adf3c205d9b19c48c6c1d481d9d6$command$copy$delete$deltas$options$run$verify$xn`
API String ID: 3851170777-3404786401
Opcode ID: 89faf3db3762656d20157f678ec9eb14baf6df118e99a81af9509fb5c0dc1727
Instruction ID: 1687914c5463bdb562aec54404296a2838319fe0694d4148413fc6cab1dc7c20
Opcode Fuzzy Hash: 89faf3db3762656d20157f678ec9eb14baf6df118e99a81af9509fb5c0dc1727
Instruction Fuzzy Hash: 06224E71940219AEFB63DBA4DC48FEA77BDAB14740F0045E6E2C9E2081DB759AC4CF64

Uniqueness

Uniqueness Score: -1.00%

Function 010029C2 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 101
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000208), ref: 010029FC
LoadLibraryA.KERNELBASE(?), ref: 01002A2B
GetProcAddress.KERNEL32(00000000,OpenCluster), ref: 01002A47
GetProcAddress.KERNEL32(00000000,CloseCluster), ref: 01002A5D
GetProcAddress.KERNEL32(00000000,GetNodeClusterState), ref: 01002A74
GetProcAddress.KERNEL32(00000000,GetClusterQuorumResource), ref: 01002A82
FreeLibrary.KERNELBASE(00000000), ref: 01002AF6

Strings

OpenCluster, xrefs: 01002A41
\clusapi.dll, xrefs: 01002A1B
GetClusterQuorumResource, xrefs: 01002A7C
GetNodeClusterState, xrefs: 01002A6E
CloseCluster, xrefs: 01002A57

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: AddressProc$Library$DirectoryFreeLoadSystem
String ID: CloseCluster$GetClusterQuorumResource$GetNodeClusterState$OpenCluster$\clusapi.dll
API String ID: 1303522615-3927317670
Opcode ID: 19ecdf8b4e077f10c3230d29f80904c3b00e6bcb7b69bd1645e8ca2f298c8bba
Instruction ID: 58cc90120aaaae1193b9abb678c188ec05ae692f01dcb1cc6c6543d780e01115
Opcode Fuzzy Hash: 19ecdf8b4e077f10c3230d29f80904c3b00e6bcb7b69bd1645e8ca2f298c8bba
Instruction Fuzzy Hash: F13147719002299BFB72DBA88D48FDA7BFC5F4A640F0442E5E544E2141DF748AC5DF61

Uniqueness

Uniqueness Score: -1.00%

Function 01003D02 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01003D4D
GetCurrentProcess.KERNEL32(00000028,?), ref: 01003D5D
OpenProcessToken.ADVAPI32(00000000), ref: 01003D64
GetTokenInformation.KERNELBASE(?,00000004,c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart,00010000,?), ref: 01003D8F
GetLengthSid.ADVAPI32 ref: 01003DA0
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart,00010000,?), ref: 01003DE0
GetLengthSid.ADVAPI32 ref: 01003DEC

Strings

c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart, xrefs: 01003D85, 01003DB5, 01003DD1, 01003E0D

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: Token$InformationLengthProcess$AllocateCurrentInitializeOpen
String ID: c:\adf3c205d9b19c48c6c1d481d9d6\Setup.exe /passive /norestart
API String ID: 3439802213-1630929826
Opcode ID: 39bd5e7e546647ab028321304c63e802246d0dfb69878f62c748718f95d36311
Instruction ID: 50115026e131d678ab12094c5f900f2c20abbbbf56de831dd1116dd559b86531
Opcode Fuzzy Hash: 39bd5e7e546647ab028321304c63e802246d0dfb69878f62c748718f95d36311
Instruction Fuzzy Hash: 23315431600245AFEB17DBA8DC59BAF7BE9FB58740F044069FA81EB2C1DAB59904C760

Uniqueness

Uniqueness Score: -1.00%

Function 010045EB Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 72
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?), ref: 0100465E
LoadLibraryA.KERNEL32(advapi32.dll), ref: 01004672
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 01004682
DecryptFileA.ADVAPI32(?,00000000), ref: 01004695
GetLastError.KERNEL32 ref: 0100469B

Strings

advapi32.dll, xrefs: 0100466D
DecryptFileA, xrefs: 0100467C

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: File$AddressAttributesDecryptErrorLastLibraryLoadProc
String ID: DecryptFileA$advapi32.dll
API String ID: 82924815-2381948369
Opcode ID: 2afcba44abed0f4631d6c18061f481163f3b24b8efbb4aba021dffaed5c2241f
Instruction ID: dd98f6a6a96e0f5451efa8104c5849e027a4f17fe98ce00ff4f40b46ec6d0873
Opcode Fuzzy Hash: 2afcba44abed0f4631d6c18061f481163f3b24b8efbb4aba021dffaed5c2241f
Instruction Fuzzy Hash: 4521D131604605DEFB62DB68CC4CBDA7BE9AB59300F0401A4EAC5E71C1EB75DA54CB16

Uniqueness

Uniqueness Score: -1.00%

Function 01002B13 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDriveTypeA.KERNELBASE(?), ref: 01002B43
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 01002B75
DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 01002B95
CloseHandle.KERNEL32(00000000), ref: 01002BA8

Strings

\\.\?:, xrefs: 01002B26
?:\, xrefs: 01002B37

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: CloseControlCreateDeviceDriveFileHandleType
String ID: ?:\$\\.\?:
API String ID: 3103408351-3307214488
Opcode ID: 2c8683e07499ac882b6ccafdf590b753cf23b2020a389af79e37c9552ac3cdc0
Instruction ID: 96b825b74241d8912b1bf084e53a85c8b322490675edc855e8f29042fc933e05
Opcode Fuzzy Hash: 2c8683e07499ac882b6ccafdf590b753cf23b2020a389af79e37c9552ac3cdc0
Instruction Fuzzy Hash: DE119332901618BAE722DBA99C4CEEFBFADEB49360F144161F695F3180DA748645C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 01003016 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 274
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,10000000,00000000), ref: 01003040
ReadFile.KERNELBASE(00000000,?,000000F8,?,00000000), ref: 01003073
SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 010030A2
ReadFile.KERNELBASE(?,00005A4D,000000F8,?,00000000), ref: 010030CA
RtlAllocateHeap.NTDLL(00000008,00040000), ref: 01003129
SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 0100314A
ReadFile.KERNEL32(?,00000000,00040000,?,00000000), ref: 0100316B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 010032F5
HeapAlloc.KERNEL32(00000008,00000000), ref: 0100331A
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 0100333C
GetEnvironmentVariableA.KERNEL32(?,00000000,00000000), ref: 01003346
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01003364
HeapAlloc.KERNEL32(00000008,00000000), ref: 01003381
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 010033A0
SetEnvironmentVariableA.KERNEL32(?,00000000), ref: 010033A9
FindCloseChangeNotification.KERNELBASE(?), ref: 010033C1

Strings

PE, xrefs: 010030E0

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: File$ByteCharMultiWide$HeapRead$AllocEnvironmentPointerVariable$AllocateChangeCloseCreateFindNotification
String ID: PE
API String ID: 558715291-4258593460
Opcode ID: 7a117e422b0a1a894acefd9d8880e513f77c58c962ccde61173d9d4eb82a6e9e
Instruction ID: bf8ad80c2da08c31ae0c339a365434081412969bf7389dda4636a4a9dec36aeb
Opcode Fuzzy Hash: 7a117e422b0a1a894acefd9d8880e513f77c58c962ccde61173d9d4eb82a6e9e
Instruction Fuzzy Hash: 55A15E71804128AFEB778B58CC85BE9FBB9FB14350F1481E9E689A6290DB714DC5CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0100400D Relevance: 28.4, APIs: 8, Strings: 8, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe,00000104), ref: 01004025
GetCommandLineA.KERNEL32 ref: 01004060
GetFileAttributesA.KERNELBASE(To Directory:), ref: 01004223
_strnicmp.MSVCRT ref: 0100433B
_strnicmp.MSVCRT ref: 01004372
_strnicmp.MSVCRT ref: 01004450

Strings

Extracting File:, xrefs: 010040D6, 01004116, 01004190, 01004206
passive, xrefs: 0100441E
extract, xrefs: 0100436C
extract:, xrefs: 01004335
integrate, xrefs: 0100444A
To Directory:, xrefs: 010041E1, 0100421E
quiet, xrefs: 010043EA
C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe, xrefs: 0100401D, 01004022, 01004055

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: _strnicmp$File$AttributesCommandLineModuleName
String ID: C:\Users\user\AppData\Local\Temp\is-46S4F.tmp\vcredist2010.exe$Extracting File:$To Directory:$extract$extract:$integrate$passive$quiet
API String ID: 3875041768-137259972
Opcode ID: ac494798e5bc9b3b8e97eb29fcbcefb1249f91a18fa69446e7f113a224a58319
Instruction ID: ee85d7d4dc22db283b7cf7d6e356c1cdb43bb5f1116dac34ca54e1d5d0c69bec
Opcode Fuzzy Hash: ac494798e5bc9b3b8e97eb29fcbcefb1249f91a18fa69446e7f113a224a58319
Instruction Fuzzy Hash: C2D1F130A042859EFB678B6C98583FA7FE1AB42308F4A41D4DBC1DB2CACB754546C75A

Uniqueness

Uniqueness Score: -1.00%

Function 01002D78 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(0100D060,?,?,?,01003914), ref: 01002D82
CloseHandle.KERNEL32(00000000,?,?,?,01003914), ref: 01002D98
CloseHandle.KERNEL32(FFFFFFFF,?,?,?,01003914), ref: 01002DAC
DeleteFileA.KERNELBASE(?,?,?,?,01003914), ref: 01002DD0
GetLastError.KERNEL32(?,?,?,01003914), ref: 01002DDA
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 01002DF1
RemoveDirectoryA.KERNELBASE(?,?,?,?,01003914), ref: 01002E12
GetLastError.KERNEL32(?,?,?,01003914), ref: 01002E1C
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 01002E33
LeaveCriticalSection.KERNEL32(0100D060,?,?,?,01003914), ref: 01002E44

Strings

xn`, xrefs: 01002DB5, 01002DC1
Xl`, xrefs: 01002DFD, 01002E03

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: File$CloseCriticalErrorHandleLastMoveSection$DeleteDirectoryEnterLeaveRemove
String ID: Xl`$xn`
API String ID: 3032557604-2821514802
Opcode ID: 2a2974ac5940014a36d8b734e7ae464734aed0013697c2f22aefec969e3d7cea
Instruction ID: eaeb66f063d6c446da59646d057841921a657097434ac8a43aedc69f3ce3f5a1
Opcode Fuzzy Hash: 2a2974ac5940014a36d8b734e7ae464734aed0013697c2f22aefec969e3d7cea
Instruction Fuzzy Hash: 9E219F316403409BF6B3DB58DA4DB1A7BAAEB04721F164595F6D6E31C5C739EC00CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010028D9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000000), ref: 01002901
SetErrorMode.KERNELBASE(00000000), ref: 0100290D
GetTickCount.KERNEL32 ref: 0100290F
sprintf.MSVCRT ref: 01002937
CreateDirectoryA.KERNELBASE(?,00000000), ref: 0100294A
GetLastError.KERNEL32 ref: 01002954
RemoveDirectoryA.KERNELBASE(?), ref: 0100297C
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 01002990
SetErrorMode.KERNELBASE(?), ref: 010029A6

Strings

%s_%06u_, xrefs: 01002931

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: Error$Mode$Directory$CountCreateFileLastMoveRemoveTicksprintf
String ID: %s_%06u_
API String ID: 2138407651-2224866286
Opcode ID: 605b290757ffbc819f70990fed8fb14aff114087cd0563a7a2d4703900c9114f
Instruction ID: 2b5bf619bf93649879f906ab2fef4dd1de3e953bea1c10fa8e68832a185b186a
Opcode Fuzzy Hash: 605b290757ffbc819f70990fed8fb14aff114087cd0563a7a2d4703900c9114f
Instruction Fuzzy Hash: AC2162719002189BEB22DB64CC4DBDA77BEEB54341F0040A6E685E2181D7B99A84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010037BF Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 64
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableA.KERNEL32(_SFX_CAB_SHUTDOWN_REQUEST,00000000,00000000), ref: 010037CF
CreateFileA.KERNELBASE(c:\adf3c205d9b19c48c6c1d481d9d6\$shtdwn$.req,C0000000,00000003,00000000,00000001,04000002,00000000), ref: 01003804
WriteFile.KERNELBASE(00000000,Sdwn,00000314,?,00000000), ref: 01003858
SetEnvironmentVariableA.KERNEL32(_SFX_CAB_SHUTDOWN_REQUEST,c:\adf3c205d9b19c48c6c1d481d9d6\$shtdwn$.req), ref: 0100386E
CloseHandle.KERNEL32 ref: 0100387C

Strings

c:\adf3c205d9b19c48c6c1d481d9d6, xrefs: 010037E9
Sdwn, xrefs: 0100381A, 01003838
c:\adf3c205d9b19c48c6c1d481d9d6\$shtdwn$.req, xrefs: 010037DE, 010037E3, 01003803, 01003868
_SFX_CAB_SHUTDOWN_REQUEST, xrefs: 010037CA, 01003869
$shtdwn$.req, xrefs: 010037E4

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: EnvironmentFileVariable$CloseCreateHandleWrite
String ID: $shtdwn$.req$Sdwn$_SFX_CAB_SHUTDOWN_REQUEST$c:\adf3c205d9b19c48c6c1d481d9d6$c:\adf3c205d9b19c48c6c1d481d9d6\$shtdwn$.req
API String ID: 510931695-151418600
Opcode ID: 74f9ad3b8f2023380f4faa6e9c0d97565d17dc7302695f93730564ca81c6b899
Instruction ID: b0220b2b77477a676319b82448efaae5af67ee2cc9e6961861700f30aa540367
Opcode Fuzzy Hash: 74f9ad3b8f2023380f4faa6e9c0d97565d17dc7302695f93730564ca81c6b899
Instruction Fuzzy Hash: C8116D71604340ABF7338B9AAD4DF473AA9F786764F1043A9F1C1A61C8D7765641C770

Uniqueness

Uniqueness Score: -1.00%

Function 010063FF Relevance: 13.6, APIs: 9, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 01006474
__p__fmode.MSVCRT ref: 01006489
__p__commode.MSVCRT ref: 01006497
__setusermatherr.MSVCRT ref: 010064C4
_initterm.MSVCRT ref: 010064DA
__getmainargs.MSVCRT ref: 010064FD
_initterm.MSVCRT ref: 01006510
exit.MSVCRT ref: 0100653D
_cexit.MSVCRT ref: 01006543

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 1729372338-0
Opcode ID: 6af886278659cd1f87929ba10df1e95ca34e58862df1f3af71c4c3f27de72d1c
Instruction ID: 599c4623493fcb82760b158fed09b41a5123095cb67496b16860643f61b92bca
Opcode Fuzzy Hash: 6af886278659cd1f87929ba10df1e95ca34e58862df1f3af71c4c3f27de72d1c
Instruction Fuzzy Hash: 3B315874940205DFEB27DFA4D44CAEC77B2FB18312F10816AF196A62D8DB3B4A54CB21

Uniqueness

Uniqueness Score: -1.00%

Function 01002821 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(FFFFFFFF,00000000,00000000,00000000), ref: 0100283D
ReadFile.KERNELBASE(Sdwn,00000314,?,00000000), ref: 01002859
_snprintf.MSVCRT ref: 0100289F

Strings

Sdwn, xrefs: 0100284E

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: File$PointerRead_snprintf
String ID: Sdwn
API String ID: 1063975976-2102837186
Opcode ID: cbd71d36e9f98fb81e9e7a2f7e14d0f9a5e3fb102f12bd1d6d3dfab898bb688e
Instruction ID: 9dcb7796340e3617a47c656186b8592bb183c83f9254e4a58000cb69e97ca3b5
Opcode Fuzzy Hash: cbd71d36e9f98fb81e9e7a2f7e14d0f9a5e3fb102f12bd1d6d3dfab898bb688e
Instruction Fuzzy Hash: F311A176501344ABF7338768AA8DB623BD8A706374F1403D9F5D1A20DAC37A4B84C379

Uniqueness

Uniqueness Score: -1.00%

Function 01004590 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?), ref: 010045B8

Strings

Xl`, xrefs: 010045C3

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: CreateDirectory
String ID: Xl`
API String ID: 4241100979-420799465
Opcode ID: a9c93d86d7b1e126657db29aee2ea8a09b01b806f2212d3dabd863b7a028eda3
Instruction ID: 9cc6a4ee66b41767d7bcf1e787c71929ede8fd294d86324cd45e64105ddf3fa1
Opcode Fuzzy Hash: a9c93d86d7b1e126657db29aee2ea8a09b01b806f2212d3dabd863b7a028eda3
Instruction Fuzzy Hash: 7CF0B431500385AEFB334F29C804BAABFD89F91751F28809DFAC4CA582D7B58590C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 01003C0F Relevance: 3.0, APIs: 2, Instructions: 26
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,08000000,00000000), ref: 01003C2A
SetFilePointer.KERNELBASE(00000000,00000000,00000000), ref: 01003C48

Part of subcall function 01003892: GetLastError.KERNEL32 ref: 010038A6
Part of subcall function 01003892: LoadStringA.USER32(20000003,?,00000080,?), ref: 010038ED
Part of subcall function 01003892: MessageBoxA.USER32(?,00000000,00010010), ref: 01003909
Part of subcall function 01003892: DeleteCriticalSection.KERNEL32(0100D060), ref: 01003927
Part of subcall function 01003892: ExitProcess.KERNEL32 ref: 01003935

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: File$CreateCriticalDeleteErrorExitLastLoadMessagePointerProcessSectionString
String ID:
API String ID: 1911058658-0
Opcode ID: 3db09fa30688c6ade57452f90a721c5f0e3047f88a1d14363bbe33cf621a1cff
Instruction ID: f747d1a96e7ed0c96837ae8def0cda9aa80c9c8a6c6ac268114b6baa7651c347
Opcode Fuzzy Hash: 3db09fa30688c6ade57452f90a721c5f0e3047f88a1d14363bbe33cf621a1cff
Instruction Fuzzy Hash: 8EE086313803247BF5332669AC0EF8579099701B71F204251FB58BA1C0C6A56A40C798

Uniqueness

Uniqueness Score: -1.00%

Function 01003C87 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(DADAFEED,?,?,?,00000000), ref: 01003CEB

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 64d857ce796dace06822de0efcd78285d4c1ff5c9f778fdfecebaa5c7ebed988
Instruction ID: 8ed4801c38d92fe31a950a2119f22d7affeb1643a363de039ab70ebeba9e11e9
Opcode Fuzzy Hash: 64d857ce796dace06822de0efcd78285d4c1ff5c9f778fdfecebaa5c7ebed988
Instruction Fuzzy Hash: 60012C3120024DAFDB12CFADD800AEA77E9FB58320F448969FA68C7190D779D951CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01003C58 Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 01003C6C

Part of subcall function 01003892: GetLastError.KERNEL32 ref: 010038A6
Part of subcall function 01003892: LoadStringA.USER32(20000003,?,00000080,?), ref: 010038ED
Part of subcall function 01003892: MessageBoxA.USER32(?,00000000,00010010), ref: 01003909
Part of subcall function 01003892: DeleteCriticalSection.KERNEL32(0100D060), ref: 01003927
Part of subcall function 01003892: ExitProcess.KERNEL32 ref: 01003935

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: CriticalDeleteErrorExitFileLastLoadMessageProcessReadSectionString
String ID:
API String ID: 896096512-0
Opcode ID: c5cd25c055f1176644a0d9d6a050eae1adbf6e77802f162c6b8565da1953186c
Instruction ID: b5e608f67cd8aa0ec7224ba8d194bf05f248ddf814a44386e79e7048d07bb6a0
Opcode Fuzzy Hash: c5cd25c055f1176644a0d9d6a050eae1adbf6e77802f162c6b8565da1953186c
Instruction Fuzzy Hash: EED0173210034DBFDF129E95CC08EAA3B6DFF44220F084514BA7889090D732D520CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01002C7C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 01002C9B

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d8d5cd754932263745f338520652626db3bdb25572505ccd5790d85f059cf7dc
Instruction ID: 4670c305a0b7d71b77fc1b6fc64dcd010d39b6e931a86f05cad5b7c8d19ffb63
Opcode Fuzzy Hash: d8d5cd754932263745f338520652626db3bdb25572505ccd5790d85f059cf7dc
Instruction Fuzzy Hash: 8CD01731100208AFEB22CF48DD09FAA7BA9FB40314F058254F99C86195C776A9A4DB80

Uniqueness

Uniqueness Score: -1.00%

Function 01003BE7 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?), ref: 01003BF7

Part of subcall function 01003892: GetLastError.KERNEL32 ref: 010038A6
Part of subcall function 01003892: LoadStringA.USER32(20000003,?,00000080,?), ref: 010038ED
Part of subcall function 01003892: MessageBoxA.USER32(?,00000000,00010010), ref: 01003909
Part of subcall function 01003892: DeleteCriticalSection.KERNEL32(0100D060), ref: 01003927
Part of subcall function 01003892: ExitProcess.KERNEL32 ref: 01003935

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: AllocateCriticalDeleteErrorExitHeapLastLoadMessageProcessSectionString
String ID:
API String ID: 2723237252-0
Opcode ID: d29ed06aef175119988cce3a01b5eac88403f80cc4c048d63e3ca06fa13aed40
Instruction ID: ad55088b63a8ad1721269f3b50eb0db26e9cccda6a3b5370c978a76dbeb461c3
Opcode Fuzzy Hash: d29ed06aef175119988cce3a01b5eac88403f80cc4c048d63e3ca06fa13aed40
Instruction Fuzzy Hash: E4C012311803087BFA631BAAAC09F553F59B790651F04C051F68C4C090DA62A4555750

Uniqueness

Uniqueness Score: -1.00%

Function 01003941 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

DialogBoxParamA.USER32(00000064,00000000,01002E53,00000000), ref: 01003952

Part of subcall function 01003892: GetLastError.KERNEL32 ref: 010038A6
Part of subcall function 01003892: LoadStringA.USER32(20000003,?,00000080,?), ref: 010038ED
Part of subcall function 01003892: MessageBoxA.USER32(?,00000000,00010010), ref: 01003909
Part of subcall function 01003892: DeleteCriticalSection.KERNEL32(0100D060), ref: 01003927
Part of subcall function 01003892: ExitProcess.KERNEL32 ref: 01003935

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: CriticalDeleteDialogErrorExitLastLoadMessageParamProcessSectionString
String ID:
API String ID: 372479490-0
Opcode ID: 15e03c84a8a15e18858af6215931239894f471006d1615df1c756c50269ef313
Instruction ID: a510406ee53e3107ecf5958c8e1665ca229ba3e50066fc7eea34c27700789f19
Opcode Fuzzy Hash: 15e03c84a8a15e18858af6215931239894f471006d1615df1c756c50269ef313
Instruction Fuzzy Hash: 18D01231280340AAF6335724AE0AF5237A07720B2AF24839173E17C0D4C6EA4820CB68

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01003972 Relevance: 49.2, APIs: 20, Strings: 8, Instructions: 178synchronizationlibraryshutdownCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100000,00000000,WFP_IDLE_TRIGGER), ref: 010039AD

Part of subcall function 0100346E: CloseHandle.KERNEL32(FFFFFFFF,?,?,?,010038D5,?,?,00000200,?), ref: 0100348A
Part of subcall function 0100346E: CreateFileA.KERNEL32(0100CD00,C0000000,00000003,00000000,00000003,00000080,00000000,?,?,?,010038D5,?,?,00000200,?), ref: 010034B4
Part of subcall function 0100346E: CloseHandle.KERNEL32(FFFFFFFF,?,?,?,010038D5,?,?,00000200,?), ref: 010034DE

WaitForSingleObject.KERNEL32(00000000,0000EA60,Shutdown Initiated in Self Extractor ), ref: 010039C9
CloseHandle.KERNEL32(00000000), ref: 010039D0
Sleep.KERNEL32(00002710,Shutdown Initiated in Self Extractor ), ref: 010039E9
LoadLibraryA.KERNEL32(advapi32.dll), ref: 01003A1F
GetProcAddress.KERNEL32(00000000,InitiateSystemShutdownExA), ref: 01003A35
WaitForSingleObject.KERNEL32(00000000), ref: 01003A48
InitiateSystemShutdownA.ADVAPI32(00000000,00000000,00000000,?,?), ref: 01003A8B
GetLastError.KERNEL32 ref: 01003A9B
WaitForSingleObject.KERNEL32(00000BB8), ref: 01003ABB
GetLastError.KERNEL32 ref: 01003ACD
GetVersionExA.KERNEL32(?,?), ref: 01003B0C
GetVersionExA.KERNEL32(00000094), ref: 01003B2C
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 01003B43
strchr.MSVCRT ref: 01003B56
CreateFileA.KERNEL32(?,C0000000,00000007,00000000,00000003,02000000,00000000), ref: 01003B78
FlushFileBuffers.KERNEL32(00000000), ref: 01003B86
CloseHandle.KERNEL32(00000000), ref: 01003B8F
NtShutdownSystem.NTDLL ref: 01003B9B
FreeLibrary.KERNEL32(?), ref: 01003BB2

Strings

advapi32.dll, xrefs: 01003A1A
Failed to Adjust ENABLE_PRIVILEGE , xrefs: 01003A09
InitiateSystemShutdownExA, xrefs: 01003A2F
InitiateSystemShutdown() Failed with error 0x%lx , xrefs: 01003AD0
WFP_IDLE_TRIGGER, xrefs: 01003984
ShutdownSystem: Failed , xrefs: 01003BC8
@, xrefs: 01003B2E
Shutdown Initiated in Self Extractor , xrefs: 010039B3

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: CloseHandle$FileObjectSingleSystemWait$CreateErrorLastLibraryShutdownVersion$AddressBuffersDirectoryEventFlushFreeInitiateLoadOpenProcSleepstrchr
String ID: @$Failed to Adjust ENABLE_PRIVILEGE $InitiateSystemShutdown() Failed with error 0x%lx $InitiateSystemShutdownExA$Shutdown Initiated in Self Extractor $ShutdownSystem: Failed $WFP_IDLE_TRIGGER$advapi32.dll
API String ID: 2638087656-3676156507
Opcode ID: 7a1c7a1b907803973f12d1bf947b1ffc3077485c6b2b2eb9657761a4e00d1aa0
Instruction ID: ea525c0ef0f58f0b04cd7f7f13f08e90f611286073571a1279888c73dc215274
Opcode Fuzzy Hash: 7a1c7a1b907803973f12d1bf947b1ffc3077485c6b2b2eb9657761a4e00d1aa0
Instruction Fuzzy Hash: D4517275900219AFFB73AB64DC8DEDE7BB9BB05304F0101A5F6C9AA081DB758A808B51

Uniqueness

Uniqueness Score: -1.00%

Function 0100358B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

NtOpenProcessToken.NTDLL(000000FF,00000028,?), ref: 010035A1
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 010035C1
NtClose.NTDLL ref: 010035CE

Part of subcall function 0100346E: CloseHandle.KERNEL32(FFFFFFFF,?,?,?,010038D5,?,?,00000200,?), ref: 0100348A
Part of subcall function 0100346E: CreateFileA.KERNEL32(0100CD00,C0000000,00000003,00000000,00000003,00000080,00000000,?,?,?,010038D5,?,?,00000200,?), ref: 010034B4
Part of subcall function 0100346E: CloseHandle.KERNEL32(FFFFFFFF,?,?,?,010038D5,?,?,00000200,?), ref: 010034DE

Strings

RestorePrivilege():Failed To Open Process Token, xrefs: 010035AB
RestorePrivilege(): Failed To Restore Privilege , xrefs: 010035D9

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: Close$HandleToken$AdjustCreateFileOpenPrivilegesProcess
String ID: RestorePrivilege(): Failed To Restore Privilege $RestorePrivilege():Failed To Open Process Token
API String ID: 1340415033-792189412
Opcode ID: b8a0502ae2661f499545ef8694a518087c712bcdc019db68534c528b41fb345f
Instruction ID: 6003aa7cc984a04d304c8d02ce76eb40705ba2f6e4c4443cd9f7ac574e901191
Opcode Fuzzy Hash: b8a0502ae2661f499545ef8694a518087c712bcdc019db68534c528b41fb345f
Instruction Fuzzy Hash: DAF06235101119FFEB636BA28E0EDDF7EACEF16655F114020B695980A0D732CB00E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 010034F4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtOpenProcessToken.NTDLL(000000FF,00000028,?), ref: 0100352E
NtAdjustPrivilegesToken.NTDLL(?,00000000,00000000,00000000,00000000,?), ref: 01003561
NtClose.NTDLL ref: 0100356E
NtClose.NTDLL ref: 01003579

Strings

NtOpenProcessToken Failed , xrefs: 01003538

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: CloseToken$AdjustOpenPrivilegesProcess
String ID: NtOpenProcessToken Failed
API String ID: 2239692276-916547032
Opcode ID: a2bb500f86ff3c270a923705cdf631df0a80daa1bbf9043a241c06063efd5071
Instruction ID: 86087f3b1aaf02d6297fc597292e47099355ceb0a226902c4fcc6e84a4753d95
Opcode Fuzzy Hash: a2bb500f86ff3c270a923705cdf631df0a80daa1bbf9043a241c06063efd5071
Instruction Fuzzy Hash: E311A07590010AAFEB13DFA8C908BEE7BA8FB04305F008125B9A5DE090D372D5009B91

Uniqueness

Uniqueness Score: -1.00%

Function 010062FF Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 010063CE
UnhandledExceptionFilter.KERNEL32(010025D8), ref: 010063D9
GetCurrentProcess.KERNEL32(C0000409), ref: 010063EA
TerminateProcess.KERNEL32(00000000), ref: 010063F1

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 4382b4dedff7cdd383e5e3d049ffc534270b9df7dca4059a9d9760ad3e466a85
Instruction ID: 79cc3565e310fce42bdb6c08305b060dbc1bc5133d3f3caeb000c08a82c4a438
Opcode Fuzzy Hash: 4382b4dedff7cdd383e5e3d049ffc534270b9df7dca4059a9d9760ad3e466a85
Instruction Fuzzy Hash: 6C2102B4804200DBF727CF69E2586947BB0FB4A300F50839AF18987398E77A0585CF45

Uniqueness

Uniqueness Score: -1.00%

Function 01008906 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdeacfce3809adc947609343e590c714e8a037b83f6e872e5a04b82d6d4fe78
Instruction ID: 5536dabd8291dbeda9af35510c629b429d179083cdfcac66a6f3fcb092366832
Opcode Fuzzy Hash: 7cdeacfce3809adc947609343e590c714e8a037b83f6e872e5a04b82d6d4fe78
Instruction Fuzzy Hash: 40C18531D096999BEB0BCF68C0947EDBFB0BF05314F18C5AAC8D6AB682D3755585CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01008CC5 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79354d64886fc410c0814f504bfd9b30afd0e7d4cac24f3c7e689a98db7d4def
Instruction ID: 05c12d547ef16d3076343c8037f92f088cfa72b28578ee7f0be467a9befaacce
Opcode Fuzzy Hash: 79354d64886fc410c0814f504bfd9b30afd0e7d4cac24f3c7e689a98db7d4def
Instruction Fuzzy Hash: 9BC196319086959FDB0BCF68C0946EDBBB0BF05314F19C6AED9D56B282D7709A85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01008286 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4f3ed40784cb1acd205159c057e8a6439da72c959da14e5084bb7fb85de03f
Instruction ID: 73eb1ad3db2b6007352114fa4a889570cc0f90ca5fb72025f5fa2ea13681cd0c
Opcode Fuzzy Hash: 2d4f3ed40784cb1acd205159c057e8a6439da72c959da14e5084bb7fb85de03f
Instruction Fuzzy Hash: 24A19031D082959FDB0ACF58C0942EDFBB1BF45314F59C2EEC9866B282C7715A85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0100859D Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f84ed33e04a50cc75d73480d86f3b8f11bbc8851e627dfa954f843364c247
Instruction ID: 47a47e7724101b81cf1e1fdd9477815481a0082b8eb6285e44efc0e7966f3570
Opcode Fuzzy Hash: 3d9f84ed33e04a50cc75d73480d86f3b8f11bbc8851e627dfa954f843364c247
Instruction Fuzzy Hash: 24B1A735D082959FDB0BCF18C4946EDBBB0BF45310F19C6AFD8969B286C7709685CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0100911E Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3974dae9ebb7a8bc4aa2b7da6efc4464a47bfbc8cab31630611c404ab64ff985
Instruction ID: 734c5ffc2d1f5eaf6f1fdea0ab5366f13342bdfd70bcbe669edc26b63f45a8e5
Opcode Fuzzy Hash: 3974dae9ebb7a8bc4aa2b7da6efc4464a47bfbc8cab31630611c404ab64ff985
Instruction Fuzzy Hash: 8F910630A0459A9EEB1BDF58C8887FEB3B1BB44708F5080AED98D961C2C7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01009558 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc727b130d8a70c901193652c7c29f7f7098ede988ec518b009589487b1a216
Instruction ID: 4a48d19044e3ec236ddfe2700c74ad1dffc8538b678a9b9864d77caf5e4adf83
Opcode Fuzzy Hash: adc727b130d8a70c901193652c7c29f7f7098ede988ec518b009589487b1a216
Instruction Fuzzy Hash: 23610531A0055A8FEF1ACF6CC4905BEB7A2EBC9344F15856DD9DAD7382DA309952CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01003E7A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 125windowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32(20000005,?,00000104), ref: 01003EEA
SHBrowseForFolderA.SHELL32(?), ref: 01003F2B
SHGetPathFromIDListA.SHELL32(00000000,?), ref: 01003F3D
SendDlgItemMessageA.USER32(?,0000006C,0000000C,00000000,?), ref: 01003F54
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 01003F5F
SendDlgItemMessageA.USER32(?,0000006C,0000000D,00000104,?), ref: 01003F84
LoadStringA.USER32(20000005,?,00000104), ref: 01003FB0
SendMessageA.USER32(?,0000000C,00000000,?), ref: 01003FC3
SendDlgItemMessageA.USER32(?,00000067,0000000C,00000000,?), ref: 01003FDC
SendDlgItemMessageA.USER32(?,0000006C,0000000C,00000000,c:\adf3c205d9b19c48c6c1d481d9d6), ref: 01003FE9
EndDialog.USER32(?,00000000), ref: 01003FF0

Strings

c:\adf3c205d9b19c48c6c1d481d9d6, xrefs: 01003FDE

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: MessageSend$Item$LoadString$BrowseDialogFolderFromListPath
String ID: c:\adf3c205d9b19c48c6c1d481d9d6
API String ID: 4196404735-3477769282
Opcode ID: 8ff38ef0283e2243d984189d5b9706cb04c242c77a24033a99f4f0c10035e197
Instruction ID: ca6d105f0d69831a8513d52e48f8c2b8b825066bcb4f2ed050d46bdd4aedea35
Opcode Fuzzy Hash: 8ff38ef0283e2243d984189d5b9706cb04c242c77a24033a99f4f0c10035e197
Instruction Fuzzy Hash: 1F416A75504219BEFB63DB649C8DFEE7BB8EB18300F0041A5B6C5E60C0DAB59A858F60

Uniqueness

Uniqueness Score: -1.00%

Function 0100360C Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 67libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0100367A
LoadLibraryA.KERNEL32(?), ref: 0100369F
GetProcAddress.KERNEL32(00000000,GetFilePatchSignatureA), ref: 010036BA
GetProcAddress.KERNEL32(ApplyPatchToFileA), ref: 010036CC

Strings

c:\adf3c205d9b19c48c6c1d481d9d6, xrefs: 0100366B
GetFilePatchSignatureA, xrefs: 010036B4
ApplyPatchToFileA, xrefs: 010036BC
options, xrefs: 01003635
mspatcha.dll, xrefs: 01003687
patchdll, xrefs: 01003630

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: ApplyPatchToFileA$GetFilePatchSignatureA$c:\adf3c205d9b19c48c6c1d481d9d6$mspatcha.dll$options$patchdll
API String ID: 2141747552-1054338622
Opcode ID: d75fadbb291985e4ccfd5039247aea78be2d5ca5f0885812797b6874b77ceae2
Instruction ID: 86fcc2cc3a29359986d7a0763a20f979a07127794a10d9aeb92e6956b3d7621c
Opcode Fuzzy Hash: d75fadbb291985e4ccfd5039247aea78be2d5ca5f0885812797b6874b77ceae2
Instruction Fuzzy Hash: 012121B1900218AFFB37DBA9DD0DBD637ACBB09304F0085A5B6C997284D7B99684CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010044AD Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 010044CE
_stricmp.MSVCRT(00000000,.sys), ref: 010044E2
sprintf.MSVCRT ref: 0100450C
GetFileAttributesA.KERNEL32(?), ref: 01004516

Strings

xn`, xrefs: 01004522
.%03u, xrefs: 01004506
.sys, xrefs: 010044DC

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: AttributesFile_stricmpsprintfstrrchr
String ID: .%03u$.sys$xn`
API String ID: 3323407637-1939107879
Opcode ID: 1ff158e2bc5fa47faf8acc8ac29c6469c21ce8e7ed94fe9ef2c6fd643a7bfcd0
Instruction ID: 49d5ea88e9c73088097ed9a15219229db482fa6d83c04b0c91c0a0ec1b993438
Opcode Fuzzy Hash: 1ff158e2bc5fa47faf8acc8ac29c6469c21ce8e7ed94fe9ef2c6fd643a7bfcd0
Instruction Fuzzy Hash: 9D0190352042005FF3134B6DAC889A73BE9DFCA622F10812EF7C4C31C1CE7588018364

Uniqueness

Uniqueness Score: -1.00%

Function 010033DB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(75922EE0,?,?,?,?,010034CC,?,?,?,010038D5,?,?,00000200,?), ref: 010033E4
SetFilePointer.KERNEL32(FFFFFFFF,00000000,00000000,00000002,?,?,?,?,010034CC,?,?,?,010038D5,?,?,00000200), ref: 010033FD
WriteFile.KERNEL32(?,?,00000000,00000000,?,?,?,?,010034CC,?,?,?,010038D5,?,?,00000200), ref: 01003427
WriteFile.KERNEL32(***,***,00000000,00000000,?,?,?,?,?,010034CC,?,?,?,010038D5,?,?), ref: 0100344E
SetLastError.KERNEL32(?,?,?,?,?,010034CC,?,?,?,010038D5,?,?,00000200,?), ref: 0100345B

Strings

***, xrefs: 0100342D, 01003446, 01003447

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: File$ErrorLastWrite$Pointer
String ID: ***
API String ID: 1741213463-1787515470
Opcode ID: f259f0daa3fa8cc644dd96105249b9c34566c8285c111745a810dfbc4c84cd6b
Instruction ID: 44ff794e02d1a3db74c08f5772ca78b3d7dcc110a49943917282bb4f95e92f64
Opcode Fuzzy Hash: f259f0daa3fa8cc644dd96105249b9c34566c8285c111745a810dfbc4c84cd6b
Instruction Fuzzy Hash: 4211E5B5600108BFEB138FE8DC8CDAA3FADEB49240F014165BB81DB155EA76AD09C760

Uniqueness

Uniqueness Score: -1.00%

Function 01003892 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 010038A6
LoadStringA.USER32(20000003,?,00000080,?), ref: 010038ED
MessageBoxA.USER32(?,00000000,00010010), ref: 01003909
DeleteCriticalSection.KERNEL32(0100D060), ref: 01003927
ExitProcess.KERNEL32 ref: 01003935

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: CriticalDeleteErrorExitLastLoadMessageProcessSectionString
String ID:
API String ID: 3880362259-0
Opcode ID: 0930090407c2940a87bd685511672d1101a90b25c2312edca6e979305b6cca41
Instruction ID: 95fc673a3485858558866d3e75a01873537341b781b9074dca4c1e746b7b8f2d
Opcode Fuzzy Hash: 0930090407c2940a87bd685511672d1101a90b25c2312edca6e979305b6cca41
Instruction Fuzzy Hash: C2018435401118AFFB73EBA4DD8CBE977B8BB04315F140295FAC0A60C4DB795A48CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0100628C Relevance: 7.5, APIs: 5, Instructions: 36timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 010062A9
GetCurrentProcessId.KERNEL32 ref: 010062B5
GetCurrentThreadId.KERNEL32 ref: 010062BD
GetTickCount.KERNEL32 ref: 010062C5
QueryPerformanceCounter.KERNEL32(?), ref: 010062D1

Memory Dump Source

Source File: 00000005.00000002.2774309361.0000000001002000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000005.00000002.2774287706.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774332787.000000000100C000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2774356273.000000000101E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1000000_vcredist2010.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 9f9a8a372e71f4ba5fd6d590d704713b28d7a18848ebf7ccacbe1fec22a7f2bd
Instruction ID: cb9998d7c512c76f87658832ca3486ab159dbae6228a0cd13093ddd9b699de7a
Opcode Fuzzy Hash: 9f9a8a372e71f4ba5fd6d590d704713b28d7a18848ebf7ccacbe1fec22a7f2bd
Instruction Fuzzy Hash: 00F03C36D002189BEB22EBF8E44C59AB7F9EF0C310F4106A1F591E7146DB3AE900CB80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Setup.exePID: 2300, Parent PID: 7060COMMON

Execution Graph

Execution Coverage:	16.3%
Dynamic/Decrypted Code Coverage:	6.8%
Signature Coverage:	1.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	49

Executed Functions

Function 6BCBE7C2 Relevance: 44.9, APIs: 7, Strings: 18, Instructions: 1148
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(?,6BC6895C,6BCBCB9B,?,?,?,?,00000001), ref: 6BCBE7E1
_free.LIBCMT ref: 6BCBE7F6
GetLastError.KERNEL32 ref: 6BCBE9BF
__aulldiv.LIBCMT ref: 6BCBEB32

Part of subcall function 6BCB1A94: __recalloc.LIBCMT ref: 6BCB1AD2

#6.OLEAUT32(?), ref: 6BCBEE4F
_free.LIBCMT ref: 6BCBF886

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

PathCompactPathExW.SHLWAPI(00000000,00000010,0000003C,00000000), ref: 6BCBEFCB

Part of subcall function 6BCC8E28: _wcsnlen.LIBCMT ref: 6BCC8E38

Part of subcall function 6BCAFF5C: _wcsnlen.LIBCMT ref: 6BCAFF8F
Part of subcall function 6BCAFF5C: _memcpy_s.LIBCMT ref: 6BCAFFC5

Part of subcall function 6BCC91E7: _memcpy_s.LIBCMT ref: 6BCC9238

Part of subcall function 6BCA8D59: PathStripPathW.SHLWAPI(00000000,?,?,6BCBF83A), ref: 6BCA8D69

Part of subcall function 6BCBB172: __EH_prolog3.LIBCMT ref: 6BCBB179
Part of subcall function 6BCBB172: EnterCriticalSection.KERNEL32(00000001,00000014,6BCBFB33,00000000,00000002,00000007,00000000,6BCAFAA0,.tmp,?,00000000,00000000,00000018,6BCBF721,?), ref: 6BCBB185
Part of subcall function 6BCBB172: LeaveCriticalSection.KERNEL32(00000000,-00000960,?,-00000960,00000000,-00000960,?,00000001,00000001), ref: 6BCBB222

Part of subcall function 6BCA8A35: __EH_prolog3.LIBCMT ref: 6BCA8A3C

Part of subcall function 6BCAACC1: __EH_prolog3.LIBCMT ref: 6BCAACC8

Strings

Success, xrefs: 6BCBF09D
://, xrefs: 6BCBF3C1
Downloading , xrefs: 6BCBF4A8
6, xrefs: 6BCBF774
2, xrefs: 6BCBF4F1
Downloading and/or Verifying Items, xrefs: 6BCBE8A7
Failed to record SKU, xrefs: 6BCBE9D9
Failed to verify and authenticate the file -%s, xrefs: 6BCBF1D9
Verifying Digital Signatures: , xrefs: 6BCBEF6F
complete, xrefs: 6BCBE868
Please delete the file, %s and run the package again, xrefs: 6BCBF1FC
to , xrefs: 6BCBF4C6
Action, xrefs: 6BCBE888, 6BCBE88D, 6BCBE8BC
Item %s's download size has not been set or is set to zero. This means no space will be allocated for this item's download on the , xrefs: 6BCBEC5A
Package Files, xrefs: 6BCBED45, 6BCBED4A, 6BCBEDA7
Item %s's download size has not been set or is set to zero. This means no space will be allocated for this item's verification on , xrefs: 6BCBEB18
", xrefs: 6BCBF366
Copy of package file to download location failed with error code: 0x%x - %s , xrefs: 6BCBEE35

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3Path$CriticalSection_free_memcpy_s_wcsnlen$CloseCompactEnterErrorHandleLastLeaveStrip__aulldiv__recalloc
String ID: Success$ complete$ to $"$2$6$://$Action$Copy of package file to download location failed with error code: 0x%x - %s $Downloading $Downloading and/or Verifying Items$Failed to record SKU$Failed to verify and authenticate the file -%s$Item %s's download size has not been set or is set to zero. This means no space will be allocated for this item's download on the $Item %s's download size has not been set or is set to zero. This means no space will be allocated for this item's verification on $Package Files$Please delete the file, %s and run the package again$Verifying Digital Signatures:
API String ID: 904772178-1323978009
Opcode ID: d884a1c3d7558c767845f4151b991551accfcfa64fae9c219f4862fad79e52bf
Instruction ID: 80af963624b79fe82fa54472114b3797f08c72ab393a1f1b596c37d35c7e2813
Opcode Fuzzy Hash: d884a1c3d7558c767845f4151b991551accfcfa64fae9c219f4862fad79e52bf
Instruction Fuzzy Hash: 7CB27B711183818FC721CF68C889B9FBBE5AF89318F044A5DF19597292E778DA05CB63

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB0D5E Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6BCB0D68
GetModuleHandleW.KERNEL32(kernel32.dll,0000029C,6BCAA2CB,?,6BC6A78C,?,-00000960,?,00000000,?,Failed to record current state name), ref: 6BCB0D7A
GetLastError.KERNEL32(?,Failed to record OSFullBuildNumber), ref: 6BCB0D99

Part of subcall function 6BCB1303: __EH_prolog3.LIBCMT ref: 6BCB130A

GetNativeSystemInfo.KERNELBASE(?), ref: 6BCB0DEE
GetLastError.KERNEL32(?,00000000,?,Failed to record OSFullBuildNumber,000001C5,00000000), ref: 6BCB0E7F
GetLastError.KERNEL32(?,00000000,?,Failed to record OSAbbr,?,00000000,?,Failed to record OSFullBuildNumber,000001C5,00000000), ref: 6BCB0F05

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

Failed to record OsSpLevel, xrefs: 6BCB0F1F
kernel32.dll, xrefs: 6BCB0D6F
Failed to record OSAbbr, xrefs: 6BCB0E99
GetNativeSystemInfo, xrefs: 6BCB0DB9
Failed to record OSComplete, xrefs: 6BCB1046
Failed to record WindowsInstallerVersion, xrefs: 6BCB10AC
Failed to record SystemLocale, xrefs: 6BCB0F86
Failed to record OSFullBuildNumber, xrefs: 6BCB0D84, 6BCB0E2E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorLast$H_prolog3$H_prolog3_HandleInfoModuleNativeSystem
String ID: Failed to record OSAbbr$Failed to record OSComplete$Failed to record OSFullBuildNumber$Failed to record OsSpLevel$Failed to record SystemLocale$Failed to record WindowsInstallerVersion$GetNativeSystemInfo$kernel32.dll
API String ID: 684166175-3561000745
Opcode ID: 2496eb3e820f9fa3acf4ddbd89e1f8b571f6d432521b6f38e6c29fc9331a5b0e
Instruction ID: 1bafe83d1787bad4bfc45788d0bab754c63f712ece7fd884cfb5d490ea150c8a
Opcode Fuzzy Hash: 2496eb3e820f9fa3acf4ddbd89e1f8b571f6d432521b6f38e6c29fc9331a5b0e
Instruction Fuzzy Hash: 68A191329205569FDB20DBB4CD4AB8EB7B8AF85319F1045D4E404E7281FB7CEB848B65

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB6BEF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 235comCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB6BF6

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCB9C8F: __EH_prolog3.LIBCMT ref: 6BCB9C96
Part of subcall function 6BCB9C8F: GetCommandLineW.KERNEL32(0000002C,6BCBD857,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BCB9CB7
Part of subcall function 6BCB9C8F: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6BCB9D71

Part of subcall function 6BC7A8EC: __EH_prolog3.LIBCMT ref: 6BC7A8F3
Part of subcall function 6BC7A8EC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A92B
Part of subcall function 6BC7A8EC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A984
Part of subcall function 6BC7A8EC: __CxxThrowException@8.LIBCMT ref: 6BC7AA48

CoInitialize.OLE32(00000000,?,?,?,?,UiInfo.xml,?,00000000,00000044,6BCB380B,-00000960,?,00000000,?), ref: 6BCB6C4A
CoCreateInstance.OLE32(6BC6A974,00000000,00000017,6BC6A9A4,6BCAFAA0,?,?,?,UiInfo.xml,?,00000000,00000044,6BCB380B,-00000960,?,00000000), ref: 6BCB6C68
__CxxThrowException@8.LIBCMT ref: 6BCB6E91
CoUninitialize.OLE32(?,6BCEC200,?,?,?,UiInfo.xml,?,00000000,00000044,6BCB380B,-00000960,?,00000000,?), ref: 6BCB6EA7
#6.OLEAUT32(?,?,?,?,UiInfo.xml,?,00000000,00000044,6BCB380B,-00000960,?,00000000,?), ref: 6BCB6EB0

Strings

Xml Document load failure, xrefs: 6BCB6E01
LCIDHints, xrefs: 6BCB6CEE
UiInfo.xml, xrefs: 6BCB6C07
ParameterInfo.xml, xrefs: 6BCB6E0F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8PathRelativeThrow$CommandCreateFileInitializeInstanceLineModuleNameUninitialize
String ID: LCIDHints$ParameterInfo.xml$UiInfo.xml$Xml Document load failure
API String ID: 612960323-2443555527
Opcode ID: 2aea4ec7c9e409944ed094c0540a09b73be81dc61e431af934b5248e0f90a117
Instruction ID: 56a2a3f5f216da6e363c6295f584763ad774a6ca2c96d1b1c30ff79170845db4
Opcode Fuzzy Hash: 2aea4ec7c9e409944ed094c0540a09b73be81dc61e431af934b5248e0f90a117
Instruction Fuzzy Hash: AC917E71910548EFCB01DFF8C985EEDBBB8AF49308F248199E115AB281E7799F05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB189E Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162encryptionCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB18A5
CryptQueryObject.CRYPT32(00000001,00000000,00000400,0000000E,00000000,00000000,00000000,00000000,?,6BCAFAA0,00000000,00000034,6BCAB913,?,-00000960), ref: 6BCB18ED
GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6BC97F98,?,00000054,6BCC3044), ref: 6BCB18F8
CertCloseStore.CRYPT32(?,00000000,?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6BC97F98,?), ref: 6BCB19E2
CryptMsgClose.CRYPT32(6BCAFAA0,?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6BC97F98,?,00000054), ref: 6BCB19F3
GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6BC97F98,?,00000054,6BCC3044), ref: 6BCB1A27
CertFreeCertificateContext.CRYPT32(00000000,-00000960,6BCAFAA0,?,00000000,?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ), ref: 6BCB1A5C
CertCloseStore.CRYPT32(?,00000000,-00000960,6BCAFAA0,?,00000000,?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?), ref: 6BCB1A6E
CryptMsgClose.CRYPT32(6BCAFAA0,-00000960,6BCAFAA0,?,00000000,?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ), ref: 6BCB1A7F

Strings

: failed to get certificate. Error: , xrefs: 6BCB195E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Close$CertCrypt$ErrorLastStore$CertificateContextFreeH_prolog3ObjectQuery
String ID: : failed to get certificate. Error:
API String ID: 3710956895-1883283244
Opcode ID: 275a957df1e4f1a31f0c7e616d9b63e645ec4fea2187ac5dbb16503b1c62fb98
Instruction ID: d9b42ac6ae3575c508e890e2488bb7f2f7e57db9fb042a14d3a889a473fc7d82
Opcode Fuzzy Hash: 275a957df1e4f1a31f0c7e616d9b63e645ec4fea2187ac5dbb16503b1c62fb98
Instruction Fuzzy Hash: F0514F7692015AEFDB01DFE8C885AEEBBB4BF09314F144259E115B3280E7749B45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA7462 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 99libraryloaderthreadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA7469

Part of subcall function 6BCCC44A: _malloc.LIBCMT ref: 6BCCC464

GetModuleHandleW.KERNEL32(kernel32.dll,00000020,6BCAF877,?), ref: 6BCA7503
GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6BCA7513
SetThreadStackGuarantee.KERNELBASE(00020000), ref: 6BCA7528
SetUnhandledExceptionFilter.KERNEL32(6BCB41DE), ref: 6BCA752F
GetCommandLineW.KERNEL32 ref: 6BCA7535

Part of subcall function 6BC77CB6: __EH_prolog3.LIBCMT ref: 6BC77CBD

Strings

kernel32.dll, xrefs: 6BCA74F9
SetThreadStackGuarantee, xrefs: 6BCA750D
passive, xrefs: 6BCA7572

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$AddressCommandExceptionFilterGuaranteeHandleLineModuleProcStackThreadUnhandled_malloc
String ID: SetThreadStackGuarantee$kernel32.dll$passive
API String ID: 4088884676-825548933
Opcode ID: 5182bee53cc0e56379ca349fe1fe40727bf4f8d5837e1b344f7cc8347a919bbd
Instruction ID: d2bedeec5c27c6d0fd3f4e23c58daacb6fef4b0ea2f05a31bda1aa39d201b497
Opcode Fuzzy Hash: 5182bee53cc0e56379ca349fe1fe40727bf4f8d5837e1b344f7cc8347a919bbd
Instruction Fuzzy Hash: 2941BDB18213458FDB20DFB9C889A9EBBF4BB19304F50847ED05AAB601F7389345CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA78FB Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 95timethreadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BCA7905

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

GetCommandLineW.KERNEL32 ref: 6BCA796F
_memset.LIBCMT ref: 6BCA79AF
GetTimeZoneInformation.KERNELBASE(?), ref: 6BCA79BE
GetThreadLocale.KERNEL32(00000007,?), ref: 6BCA79FA

Strings

Initial LCID = %u, xrefs: 6BCA7A0A
TimeZone = %s, xrefs: 6BCA79E0
Environment details, xrefs: 6BCA7920, 6BCA7925, 6BCA794B
CommandLine = %s, xrefs: 6BCA797C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CommandH_prolog3H_prolog3_InformationLineLocaleThreadTimeZone_memset
String ID: CommandLine = %s$Environment details$Initial LCID = %u$TimeZone = %s
API String ID: 1050886296-4009495903
Opcode ID: c088d747208b165861c58b80c17df5153c32ce77bbff43425eaed11f497b4d21
Instruction ID: bd606fd55d435b94420623ee4a8be8ff15127f5f2b76beda210c998b5d44e5e2
Opcode Fuzzy Hash: c088d747208b165861c58b80c17df5153c32ce77bbff43425eaed11f497b4d21
Instruction Fuzzy Hash: EC314A71920218DBDB20DBA8CC89F8EBBB9BF45705F0445DAE149E7281F7789B44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC85BC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BC85BCA
_memset.LIBCMT ref: 6BC85BF9

Part of subcall function 6BCA8C05: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6BCB9E00,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6BCA8C29

FindFirstFileW.KERNELBASE(?,?,????), ref: 6BC85C18
FindNextFileW.KERNELBASE(?,?), ref: 6BC85CE6
FindClose.KERNELBASE(?), ref: 6BC85CFF

Strings

????, xrefs: 6BC85C01

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Find$File$AppendCloseFirstH_prolog3_NextPath_memset
String ID: ????
API String ID: 2365859831-1216582215
Opcode ID: a59358cfec0d276e3eb109db1f7491f73192c5b39de658454d4d25017c7f83e9
Instruction ID: f125c8e87d28f947874a98a754d55cc9f752d2b75809baee2486eb142e2bcda6
Opcode Fuzzy Hash: a59358cfec0d276e3eb109db1f7491f73192c5b39de658454d4d25017c7f83e9
Instruction Fuzzy Hash: 8E31BE768112299ADB109FB4CC89BAF77B8AF05319F1042D6E945E6180EB7DDB84DF10

Uniqueness

Uniqueness Score: -1.00%

Function 6BC94F48 Relevance: 7.5, APIs: 5, Instructions: 49processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6BC94F64
_memset.LIBCMT ref: 6BC94F7E
Process32FirstW.KERNEL32(00000000,?), ref: 6BC94F98
Process32NextW.KERNEL32(00000000,0000022C), ref: 6BC94FB3
FindCloseChangeNotification.KERNELBASE(00000000), ref: 6BC94FC7

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32_memset
String ID:
API String ID: 949835396-0
Opcode ID: fde6591b324d8153bc49842859261aabeb44ecfcf16c8015b293ec47455a2832
Instruction ID: f5b26f4ef6729260abffb6897f2602c3e9ff149aab7e11476ca1fd4ea0b307b6
Opcode Fuzzy Hash: fde6591b324d8153bc49842859261aabeb44ecfcf16c8015b293ec47455a2832
Instruction Fuzzy Hash: C6019632521028ABD720EFA9EC4DDAF7778FB86315F400595E815D3280E738DF45CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAD874 Relevance: 58.9, APIs: 4, Strings: 29, Instructions: 1110
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCB1A94: __recalloc.LIBCMT ref: 6BCB1AD2

Sleep.KERNELBASE(000003E8), ref: 6BCADA91
GetCommandLineW.KERNEL32(?,6BC6AB1C), ref: 6BCADBD1

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

Part of subcall function 6BC77F2C: __EH_prolog3.LIBCMT ref: 6BC77F33

_free.LIBCMT ref: 6BCAE323

Part of subcall function 6BC9B5FE: __EH_prolog3.LIBCMT ref: 6BC9B605

Part of subcall function 6BC9AF59: __EH_prolog3.LIBCMT ref: 6BC9AF60

_free.LIBCMT ref: 6BCAE83D

Strings

, xrefs: 6BCAE13D
Global\_MSIExecute, xrefs: 6BCADB8F, 6BCADC4F
, xrefs: 6BCAE16D
Item Failed. OnFailureBehavior for this item is not specified., xrefs: 6BCAE22C
Other installation completed, continuing., xrefs: 6BCADCB7
Failed to record Current Phase (sdpFaultPhase) , xrefs: 6BCAE0EB, 6BCAE466, 6BCAE679
Default behavior for Repair and Uninstall is to continue and report this failure., xrefs: 6BCAE236
Created new DoNothingPerformer for File item, xrefs: 6BCADE03
User has aborted the install, exit from the wait., xrefs: 6BCAE35E
Item ignored as it is not available and is ignorable, xrefs: 6BCADB31
OnFailureBehavior for this item is to Stop., xrefs: 6BCAE7AB
Another installation is already running, waiting up to %i seconds for it to finish, xrefs: 6BCADC0C
) to be available, xrefs: 6BCADA13
MSIBusy, xrefs: 6BCAE377
Another installation is already running and the user has chosen to wait for it to finish before continuing, xrefs: 6BCADC8E
Another installation is already running and the user has chosen to cancel rather than wait, xrefs: 6BCAE3B4
Failed to record current Item Name, xrefs: 6BCAE199, 6BCAE514, 6BCAE727
", xrefs: 6BCAE1AE
Performing actions on all Items, xrefs: 6BCAD8E4
complete, xrefs: 6BCAD8AE
<, xrefs: 6BCADBC9
Msi Handle released., xrefs: 6BCADCA9
Action, xrefs: 6BCAD8C8, 6BCAD8CD, 6BCAD8F3
Aborting. OnFailureBehavior for current item will be ignored., xrefs: 6BCAE803
Item Requested Reboot., xrefs: 6BCAE289
Wait for Item (, xrefs: 6BCAD9F7
OnFailureBehavior for this item is to Rollback., xrefs: 6BCAE598
Item Failed. OnFailureBehavior for this item is to Continue., xrefs: 6BCAE23F
is now available to install, xrefs: 6BCADABC

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$_free$CommandLineSleep__recalloc
String ID: $ $ Item ignored as it is not available and is ignorable$ complete$ is now available to install$"$) to be available$<$Aborting. OnFailureBehavior for current item will be ignored.$Action$Another installation is already running and the user has chosen to cancel rather than wait$Another installation is already running and the user has chosen to wait for it to finish before continuing$Another installation is already running, waiting up to %i seconds for it to finish$Created new DoNothingPerformer for File item$Default behavior for Repair and Uninstall is to continue and report this failure.$Failed to record Current Phase (sdpFaultPhase) $Failed to record current Item Name$Global\_MSIExecute$Item Failed. OnFailureBehavior for this item is not specified.$Item Failed. OnFailureBehavior for this item is to Continue.$Item Requested Reboot.$MSIBusy$Msi Handle released.$OnFailureBehavior for this item is to Rollback.$OnFailureBehavior for this item is to Stop.$Other installation completed, continuing.$Performing actions on all Items$User has aborted the install, exit from the wait.$Wait for Item (
API String ID: 4092982380-977886159
Opcode ID: 341933f1a3fbe3887fafa9d74a6c7d563c09cf7d754126e67678056ee7474fea
Instruction ID: a7ce9c3640b94769e781d3406ef9529667ac1eea395e8b30a587f1d22df12ddd
Opcode Fuzzy Hash: 341933f1a3fbe3887fafa9d74a6c7d563c09cf7d754126e67678056ee7474fea
Instruction Fuzzy Hash: 6AA2B2711183818FD724DF78C885F9ABBE4BF89308F10455CE9959B391EB78DA44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBB732 Relevance: 50.5, APIs: 12, Strings: 16, Instructions: 1496
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 6BCBB73C

Part of subcall function 6BCBD773: __EH_prolog3_catch.LIBCMT ref: 6BCBD77A
Part of subcall function 6BCBD773: GetCommandLineW.KERNEL32(0000006C,6BCBB758,?,00000738,6BCAFAA0,?,6BC6A78C,-00000960), ref: 6BCBD7BB
Part of subcall function 6BCBD773: CoInitialize.OLE32(00000000,?,nosplashscreen,00000000,?,00000000), ref: 6BCBD81C

Part of subcall function 6BCBDA40: CreateThread.KERNEL32(00000000,00000000,6BCC274B,?,00000000,00000000), ref: 6BCBDA56

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCB9C8F: __EH_prolog3.LIBCMT ref: 6BCB9C96
Part of subcall function 6BCB9C8F: GetCommandLineW.KERNEL32(0000002C,6BCBD857,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BCB9CB7
Part of subcall function 6BCB9C8F: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6BCB9D71

Part of subcall function 6BCA4BBE: __EH_prolog3.LIBCMT ref: 6BCA4BC5
Part of subcall function 6BCA4BBE: __CxxThrowException@8.LIBCMT ref: 6BCA4CB6
Part of subcall function 6BCA4BBE: ReadFile.KERNELBASE(?,?,00000002,?,00000000,?,80000000,00000001,00000003,00000080,00000000,?,?,?,?,0000002C), ref: 6BCA4CCC
Part of subcall function 6BCA4BBE: FindCloseChangeNotification.KERNELBASE(?), ref: 6BCA4CEF

Part of subcall function 6BC7A8EC: __EH_prolog3.LIBCMT ref: 6BC7A8F3
Part of subcall function 6BC7A8EC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A92B
Part of subcall function 6BC7A8EC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A984
Part of subcall function 6BC7A8EC: __CxxThrowException@8.LIBCMT ref: 6BC7AA48

Part of subcall function 6BCA4D81: __EH_prolog3.LIBCMT ref: 6BCA4D88
Part of subcall function 6BCA4D81: __CxxThrowException@8.LIBCMT ref: 6BCA4E04

Part of subcall function 6BCA4F0E: __EH_prolog3_catch.LIBCMT ref: 6BCA4F15
Part of subcall function 6BCA4F0E: CoInitialize.OLE32(00000000,0000005C,6BCBB810,?,?,?,?,?,?,?,?,?,ParameterInfo.xml,?,00000000,?), ref: 6BCA4F2A

#6.OLEAUT32(?,?,?,?,?,?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6BCBB813

Part of subcall function 6BCBD34B: __EH_prolog3.LIBCMT ref: 6BCBD352
Part of subcall function 6BCBD34B: PathFileExistsW.KERNELBASE(?,6BC661DC,graphics,?,00000054,6BCBB82C,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6BCBD3EB

Part of subcall function 6BC859F6: __EH_prolog3.LIBCMT ref: 6BC859FD

Part of subcall function 6BC860C0: __EH_prolog3_catch.LIBCMT ref: 6BC860C7

GetCommandLineW.KERNEL32(?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml,?,?,00000738,6BCAFAA0,?), ref: 6BCBB8C1

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BCBB8B1

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Part of subcall function 6BC73A76: __EH_prolog3.LIBCMT ref: 6BC73A7D

GetThreadLocale.KERNEL32(?,passive,00000000), ref: 6BCBBA6A

Part of subcall function 6BCA7644: __EH_prolog3.LIBCMT ref: 6BCA764B

Part of subcall function 6BCA7B6B: __EH_prolog3.LIBCMT ref: 6BCA7B72

Part of subcall function 6BCA7A59: __EH_prolog3.LIBCMT ref: 6BCA7A60

Part of subcall function 6BCA7C33: __EH_prolog3.LIBCMT ref: 6BCA7C3A

Part of subcall function 6BC74424: __EH_prolog3.LIBCMT ref: 6BC7442B

Part of subcall function 6BC75E89: __EH_prolog3.LIBCMT ref: 6BC75E90
Part of subcall function 6BC75E89: PathFindFileNameW.SHLWAPI(?,?,?,0000000C,6BC75E5B,?,6BCA80D8,?,0000000C,6BC77D85,?,00000000,?,?,6BC6AB1C,00000008), ref: 6BC75ECB
Part of subcall function 6BC75E89: PathFindExtensionW.SHLWAPI(?), ref: 6BC75EE8

Part of subcall function 6BCA6B86: GetCommandLineW.KERNEL32(CC4203FA,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,?,?,00000000,?,?), ref: 6BCA6BD1

Part of subcall function 6BCA5699: __EH_prolog3.LIBCMT ref: 6BCA56A0

CloseHandle.KERNEL32(?,?,?,?,OneInstance,?,00000000,?,ParameterInfo.xml,?,?,00000738,6BCAFAA0,?,6BC6A78C,-00000960), ref: 6BCBC276

Part of subcall function 6BCAAB8E: __EH_prolog3.LIBCMT ref: 6BCAAB95

CloseHandle.KERNEL32(?,?,00000000,?,00000001,00000007,?,OneInstance,?,?,00000000,?,?,?,?,?), ref: 6BCBC1C4

Part of subcall function 6BC96CBC: __EH_prolog3.LIBCMT ref: 6BC96CC3

Part of subcall function 6BCAB149: _free.LIBCMT ref: 6BCAB171
Part of subcall function 6BCAB149: _free.LIBCMT ref: 6BCAB182

CloseHandle.KERNEL32(?), ref: 6BCBC2D0

Strings

InvalidArguments, xrefs: 6BCBC048, 6BCBC0CD
Parameterinfo.xml or UiInfo.xml has a #Loc that is not defined in LocalizeData.xml , xrefs: 6BCBB84D
Command-line option error: , xrefs: 6BCBC081
W, xrefs: 6BCBC0B5
CreateFilesInUser, xrefs: 6BCBBFCC
CreateHelpUsage, xrefs: 6BCBBE79
FactoryInitialization, xrefs: 6BCBBDC9
ParameterInfo.xml, xrefs: 6BCBB76C, 6BCBB771, 6BCBB7A3, 6BCBB85B, 6BCBB8FD
Blocker, xrefs: 6BCBC40F
%TEMP%\, xrefs: 6BCBBB4A
CreateUiMode, xrefs: 6BCBC8F7
#(loc.ids_wer_message), xrefs: 6BCBB930
OneInstance, xrefs: 6BCBC184, 6BCBC24F
PISemanticChecker, xrefs: 6BCBBC72
!, xrefs: 6BCBCC26
passive, xrefs: 6BCBBA52

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Path$CloseCommandException@8FileH_prolog3_catchLineThrow$FindHandle$InitializeNameRelativeThread_free$ChangeCreateDispatcherExceptionExistsExtensionLocaleModuleNotificationReadUser
String ID: !$#(loc.ids_wer_message)$%TEMP%\$Blocker$Command-line option error: $CreateFilesInUser$CreateHelpUsage$CreateUiMode$FactoryInitialization$InvalidArguments$OneInstance$PISemanticChecker$ParameterInfo.xml$Parameterinfo.xml or UiInfo.xml has a #Loc that is not defined in LocalizeData.xml $W$passive
API String ID: 2606967904-280204926
Opcode ID: 38485045e0d3d0c9a91f75ceca48cf1fd86f5a7cd48e37bb0b90bafe93996600
Instruction ID: 93c618bbc3a2dbe59486b5e5e06d6348bb02e063d7ebdc7955a549493084a1df
Opcode Fuzzy Hash: 38485045e0d3d0c9a91f75ceca48cf1fd86f5a7cd48e37bb0b90bafe93996600
Instruction Fuzzy Hash: 5FE26871D10258DBCF11DFB8C885ADDBBB4AF09318F108199E458B7291EB78AB85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9AF59 Relevance: 46.0, APIs: 2, Strings: 24, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6BC9AF60

Strings

No CustomError defined for this item., xrefs: 6BC9AF73
HelperItems not found : , xrefs: 6BC9B2C0
Helper item execution failed., xrefs: 6BC9B459
Argument provided: , xrefs: 6BC9B3D9
Overwrite the current error to S_OK., xrefs: 6BC9B596
Retry count over existing limit, not going to retry again., xrefs: 6BC9B140
HelperItem verification failed. Cannot run the retry helper : , xrefs: 6BC9B282
Delaying for %u seconds before retrying., xrefs: 6BC9B539
Log File name: , xrefs: 6BC9B40A
Failure, xrefs: 6BC9B5B5
Success, xrefs: 6BC9B583
Delaying for Starting to delay, xrefs: 6BC9B54C
is mapped to Custom Error: , xrefs: 6BC9AFB9
Executing Helper item with the following parameters:, xrefs: 6BC9B392
Helper Item name: , xrefs: 6BC9B3A8
Retry, xrefs: 6BC9B018
Existing custom error found in the map., xrefs: 6BC9B0CF
New custom error, add to the map, xrefs: 6BC9B0A2
Helper item execution succeed., xrefs: 6BC9B4BE
Overwrite the current error to E_FAIL., xrefs: 6BC9B5C8
HelperItems can't be read., xrefs: 6BC9B201
Retry %u of %u of custom error handling, xrefs: 6BC9B118
Error , xrefs: 6BC9AFAB
HelperItem is not Exe item., xrefs: 6BC9B312

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: is mapped to Custom Error: $Argument provided: $Delaying for %u seconds before retrying.$Delaying for Starting to delay$Error $Executing Helper item with the following parameters:$Existing custom error found in the map.$Failure$Helper Item name: $Helper item execution failed.$Helper item execution succeed.$HelperItem is not Exe item.$HelperItem verification failed. Cannot run the retry helper : $HelperItems can't be read.$HelperItems not found : $Log File name: $New custom error, add to the map$No CustomError defined for this item.$Overwrite the current error to E_FAIL.$Overwrite the current error to S_OK.$Retry$Retry %u of %u of custom error handling$Retry count over existing limit, not going to retry again.$Success
API String ID: 431132790-3612092767
Opcode ID: 3c5b9dfa6e07fcab5b353dd89a6fd7319d55c994d14b22d616930a966df50ef0
Instruction ID: 4ebd6d469f5f59c6765b33f57a93d6bc6757ca2f5c82ba57d674aef3345d7c32
Opcode Fuzzy Hash: 3c5b9dfa6e07fcab5b353dd89a6fd7319d55c994d14b22d616930a966df50ef0
Instruction Fuzzy Hash: 1F22A271920249EFDB00DFA4C885F9E7BB5FF05318F148284E524AB292E778EB55CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB0AB0 Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 228
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6BCB0ABA

Part of subcall function 6BC75788: GetModuleHandleW.KERNEL32(kernel32.dll,?,6BC757E3,00000000,6BCA80D8), ref: 6BC75792
Part of subcall function 6BC75788: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 6BC757A2

GetLastError.KERNEL32 ref: 6BCB0AF4
GetLastError.KERNEL32 ref: 6BCB0B4F
RegOpenKeyExW.KERNELBASE(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?,?,00000000,?,Failed to record NumberOfProcessor), ref: 6BCB0BAB
RegQueryValueExW.KERNELBASE(?,~MHz,00000000,00000000,?,?), ref: 6BCB0BDA
RegQueryValueExW.ADVAPI32(?,~Mhz,00000000,00000000,?,?), ref: 6BCB0BFA
RegQueryValueExW.ADVAPI32(?,~mhz,00000000,00000000,?,?), ref: 6BCB0C1A
RegCloseKey.KERNELBASE(?), ref: 6BCB0C22
GetLastError.KERNEL32 ref: 6BCB0C42
_memset.LIBCMT ref: 6BCB0C99
GlobalMemoryStatusEx.KERNELBASE(?,?,?,6BC6A730,?,?,00000738,6BCAFAA0,?,6BC6A78C,-00000960), ref: 6BCB0CB7
GetLastError.KERNEL32(?,?,00000738,6BCAFAA0,?,6BC6A78C,-00000960), ref: 6BCB0CE2

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

GetLastError.KERNEL32(?,GlobalMemoryStatusEx failed,?,?,00000738,6BCAFAA0,?,6BC6A78C,-00000960), ref: 6BCB0D2D

Part of subcall function 6BCB1303: __EH_prolog3.LIBCMT ref: 6BCB130A

Strings

~MHz, xrefs: 6BCB0BC6
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 6BCB0BA1
~mhz, xrefs: 6BCB0C0F
Failed to record NumberOfProcessor, xrefs: 6BCB0B69, 6BCB0C5C
GlobalMemoryStatusEx failed, xrefs: 6BCB0D1C
Failed to record SystemMemory, xrefs: 6BCB0CF8
~Mhz, xrefs: 6BCB0BEF
Failed to record CpuArchitecture, xrefs: 6BCB0B0E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorLast$QueryValue$H_prolog3$AddressCloseGlobalH_prolog3_HandleMemoryModuleOpenProcStatus_memset
String ID: Failed to record CpuArchitecture$Failed to record NumberOfProcessor$Failed to record SystemMemory$GlobalMemoryStatusEx failed$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz$~Mhz$~mhz
API String ID: 2659457873-2309824155
Opcode ID: 6ca512f85c4bc9cb7b5d5e76733633d802a266129fee7e992da28c17d825d608
Instruction ID: 51dcb3a555ea2d56ac56d6cfd87ea1bf5594dda17701261365bf66c6b94f6667
Opcode Fuzzy Hash: 6ca512f85c4bc9cb7b5d5e76733633d802a266129fee7e992da28c17d825d608
Instruction Fuzzy Hash: D0819072920259AFDB20CFF8CD4AF9E7BB9AF45314F204166E515EB181E738DB018B60

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBD34B Relevance: 35.1, APIs: 3, Strings: 17, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6BCBD352

Part of subcall function 6BC75D87: __EH_prolog3.LIBCMT ref: 6BC75D8E
Part of subcall function 6BC75D87: GetModuleFileNameW.KERNEL32(6BC50000,00000010,00000104,?,6BCA80D8,00000000), ref: 6BC75DDB

Part of subcall function 6BCA8C05: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6BCB9E00,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6BCA8C29

PathFileExistsW.KERNELBASE(?,6BC661DC,graphics,?,00000054,6BCBB82C,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6BCBD3EB
__CxxThrowException@8.LIBCMT ref: 6BCBD49B

Part of subcall function 6BCA8D2E: PathRemoveFileSpecW.SHLWAPI(00000000,2006C750,00000010,80004005,6BC75E00,6BCAF877,00000010,?,6BCA80D8,00000000), ref: 6BCA8D3F

Strings

Graphic file %s does not exists, xrefs: 6BCBD440
Rotate1.ico, xrefs: 6BCBD3A2
SysReqMet.ico, xrefs: 6BCBD394
Rotate3.ico, xrefs: 6BCBD3B0
Rotate7.ico, xrefs: 6BCBD3CC
Save.ico, xrefs: 6BCBD37F
Rotate2.ico, xrefs: 6BCBD3A9
SysReqNotMet.ico, xrefs: 6BCBD39B
Rotate8.ico, xrefs: 6BCBD3D3
Setup.ico, xrefs: 6BCBD371
Print.ico, xrefs: 6BCBD378
graphics, xrefs: 6BCBD364
Rotate5.ico, xrefs: 6BCBD3BE
Rotate4.ico, xrefs: 6BCBD3B7
Rotate6.ico, xrefs: 6BCBD3C5
warn.ico, xrefs: 6BCBD386
stop.ico, xrefs: 6BCBD38D

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: FilePath$H_prolog3$AppendException@8ExistsModuleNameRemoveSpecThrow
String ID: Graphic file %s does not exists$Print.ico$Rotate1.ico$Rotate2.ico$Rotate3.ico$Rotate4.ico$Rotate5.ico$Rotate6.ico$Rotate7.ico$Rotate8.ico$Save.ico$Setup.ico$SysReqMet.ico$SysReqNotMet.ico$graphics$stop.ico$warn.ico
API String ID: 419085990-1965610755
Opcode ID: 6e37cd3cfe2cc2ba13a14fd4c843b3c1d144f61b898ffeb8b87409994ce0030f
Instruction ID: 8428de9ace6b49aae0f5ef83c15c4097c42a725a63343fe9e05549660db2aa94
Opcode Fuzzy Hash: 6e37cd3cfe2cc2ba13a14fd4c843b3c1d144f61b898ffeb8b87409994ce0030f
Instruction Fuzzy Hash: AA41E6B182065A9BCB00DFE4D886BDEBBB8BF05385F104569E514BB241F7389B05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8A87C Relevance: 33.9, APIs: 2, Strings: 17, Instructions: 638
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6BC8A883

Part of subcall function 6BC81D0A: __EH_prolog3.LIBCMT ref: 6BC81D11
Part of subcall function 6BC81D0A: __CxxThrowException@8.LIBCMT ref: 6BC81DDE

__CxxThrowException@8.LIBCMT ref: 6BC8AD6D

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Strings

ProductCode, xrefs: 6BC8AB4A
Compressed items need to have URL and CompressedDownloadSize authored., xrefs: 6BC8AE1E
IsPresent, xrefs: 6BC8A909
schema validation failure: MSI, AgileMSI and AgileMSP do not support RepairOverride or UninstallOverride child elements!, xrefs: 6BC8AF0C
schema validation failure: Product Code cannot be emoty., xrefs: 6BC8AF7D
schema validation failure: wrong number of MSI child nodes!, xrefs: 6BC8AD0E
Compressed, xrefs: 6BC8AD72, 6BC8AD77, 6BC8ADB4
ParameterInfo.xml, xrefs: 6BC8AD19, 6BC8AE2C, 6BC8AF1A, 6BC8AF8B
RepairOverride, xrefs: 6BC8AE56
MSIRepairOptions, xrefs: 6BC8AC7E
MSIOptions, xrefs: 6BC8ABEB
UninstallOverride, xrefs: 6BC8AE94
ApplicableIf, xrefs: 6BC8A973
MSIUninstallOptions, xrefs: 6BC8AC33
CustomErrorHandling, xrefs: 6BC8AA45
<, xrefs: 6BC8AFBB
ActionTable, xrefs: 6BC8A9D9

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: <$ActionTable$ApplicableIf$Compressed$Compressed items need to have URL and CompressedDownloadSize authored.$CustomErrorHandling$IsPresent$MSIOptions$MSIRepairOptions$MSIUninstallOptions$ParameterInfo.xml$ProductCode$RepairOverride$UninstallOverride$schema validation failure: MSI, AgileMSI and AgileMSP do not support RepairOverride or UninstallOverride child elements!$schema validation failure: Product Code cannot be emoty.$schema validation failure: wrong number of MSI child nodes!
API String ID: 2489616738-1903366528
Opcode ID: 19899183bedde4bb2766bb98ffa4b3f9fb9d2d5367c4604c8da38b4e7216ca8f
Instruction ID: 47e549f1b0b504cc595813e2aa5db1d285859add92ce198b20375eee65a59e66
Opcode Fuzzy Hash: 19899183bedde4bb2766bb98ffa4b3f9fb9d2d5367c4604c8da38b4e7216ca8f
Instruction Fuzzy Hash: 5E427071A20249EFDB04DFB8C945ADE7BB8AF49308F048159F815E7281E778EB15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC922C2 Relevance: 32.0, APIs: 2, Strings: 16, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6BC922C9

Part of subcall function 6BCCC44A: _malloc.LIBCMT ref: 6BCCC464

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

__CxxThrowException@8.LIBCMT ref: 6BC927F0

Part of subcall function 6BCCC44A: std::exception::exception.LIBCMT ref: 6BCCC499
Part of subcall function 6BCCC44A: std::exception::exception.LIBCMT ref: 6BCCC4B3
Part of subcall function 6BCCC44A: __CxxThrowException@8.LIBCMT ref: 6BCCC4C4

Strings

schema validation failure: unknown Item type - , xrefs: 6BC92771
Exe, xrefs: 6BC9241E
RelatedProducts, xrefs: 6BC925B2
ParameterInfo.xml, xrefs: 6BC92761
MSP, xrefs: 6BC923CC
File, xrefs: 6BC924C1
CleanupBlock, xrefs: 6BC92567
". Valid types are MSI, MSP, Exe, Patches, ServiceControl and File. Theses are case sensitive., xrefs: 6BC92724
AgileMSI, xrefs: 6BC92379
Unknown Item type ", xrefs: 6BC92713
ServiceControl, xrefs: 6BC92514
Adding Item type ", xrefs: 6BC92678
(not applicable), xrefs: 6BC92606
Patches, xrefs: 6BC9246F
", local path , xrefs: 6BC92689
MSI, xrefs: 6BC922E8, 6BC92313

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throwstd::exception::exception$_malloc
String ID: ", local path $". Valid types are MSI, MSP, Exe, Patches, ServiceControl and File. Theses are case sensitive.$(not applicable)$Adding Item type "$AgileMSI$CleanupBlock$Exe$File$MSI$MSP$ParameterInfo.xml$Patches$RelatedProducts$ServiceControl$Unknown Item type "$schema validation failure: unknown Item type -
API String ID: 3439882596-1328758535
Opcode ID: 8a014f6ab6fec4eec574db59e856493617051ed3e867449ce6c2d25379dc1313
Instruction ID: df251bc706e0899b7df36678d77f34d71bc072cc91a691fb8588cc412972e8e7
Opcode Fuzzy Hash: 8a014f6ab6fec4eec574db59e856493617051ed3e867449ce6c2d25379dc1313
Instruction Fuzzy Hash: E8027171925208EFDB01DFF8D951AEE7BB8AF09308F104159E455EB281EB38DB44CB66

Uniqueness

Uniqueness Score: -1.00%

Function 6BC73ED7 Relevance: 31.7, APIs: 1, Strings: 17, Instructions: 219
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6BC73EDE

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA8E22: __EH_prolog3.LIBCMT ref: 6BCA8E29
Part of subcall function 6BCA8E22: __recalloc.LIBCMT ref: 6BCA8E6B

Strings

promptrestart, xrefs: 6BC740B6
NoSetupVersionCheck, xrefs: 6BC741AC
CEIPconsent, xrefs: 6BC73F1C
parameterfolder, xrefs: 6BC74183
msioptions, xrefs: 6BC73FE9
uninstall, xrefs: 6BC7415A
showfinalerror, xrefs: 6BC74064
lcid, xrefs: 6BC73F97
chainingpackage, xrefs: 6BC73F45
uninstallpatch, xrefs: 6BC741D5
pipe, xrefs: 6BC7408D
serialdownload, xrefs: 6BC74131
createlayout, xrefs: 6BC73F6E
norestart, xrefs: 6BC74012
log, xrefs: 6BC73FC0
repair, xrefs: 6BC74108
passive, xrefs: 6BC7403B

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$__recalloc
String ID: CEIPconsent$NoSetupVersionCheck$chainingpackage$createlayout$lcid$log$msioptions$norestart$parameterfolder$passive$pipe$promptrestart$repair$serialdownload$showfinalerror$uninstall$uninstallpatch
API String ID: 1900422986-634121796
Opcode ID: a23af98d19124ca9381620c15a6e1290183dea6d0c3a3f8a5ef8c3ec6d7e550e
Instruction ID: 1c3dad1c15d9c122fd9ce1493d650f5be5c6f8402665d60093831cf9dbe71b56
Opcode Fuzzy Hash: a23af98d19124ca9381620c15a6e1290183dea6d0c3a3f8a5ef8c3ec6d7e550e
Instruction Fuzzy Hash: 0C913E35420189EBCB11DFB8C545BCCB7A4AF1532CF14C245E8A5AB282F778E7588726

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8B6EB Relevance: 30.3, APIs: 2, Strings: 15, Instructions: 565
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6BC8B6F2

Part of subcall function 6BC81D0A: __EH_prolog3.LIBCMT ref: 6BC81D11
Part of subcall function 6BC81D0A: __CxxThrowException@8.LIBCMT ref: 6BC81DDE

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC8BB04

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

schema validation failure: wrong number of MSP child nodes!, xrefs: 6BC8BAA5
schema validation failure: Patch Code cannot be empty!, xrefs: 6BC8BBF9
PatchCode, xrefs: 6BC8B9E7
Compressed items need to have URL and CompressedDownloadSize authored., xrefs: 6BC8BBB5
IsPresent, xrefs: 6BC8B775
schema validation failure: MSP does not support RepairOverride or UninstallOverride child elements!, xrefs: 6BC8BD15
Compressed, xrefs: 6BC8BB09, 6BC8BB0E, 6BC8BB4B
ParameterInfo.xml, xrefs: 6BC8BAB0, 6BC8BBC3, 6BC8BC07, 6BC8BD23
MSP, xrefs: 6BC8BA3A
RepairOverride, xrefs: 6BC8BC5F
4, xrefs: 6BC8BD53
UninstallOverride, xrefs: 6BC8BC9D
ApplicableIf, xrefs: 6BC8B7E2
CustomErrorHandling, xrefs: 6BC8B8B4
ActionTable, xrefs: 6BC8B848

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw$DispatcherExceptionUser
String ID: 4$ActionTable$ApplicableIf$Compressed$Compressed items need to have URL and CompressedDownloadSize authored.$CustomErrorHandling$IsPresent$MSP$ParameterInfo.xml$PatchCode$RepairOverride$UninstallOverride$schema validation failure: MSP does not support RepairOverride or UninstallOverride child elements!$schema validation failure: Patch Code cannot be empty!$schema validation failure: wrong number of MSP child nodes!
API String ID: 2724732616-1236810551
Opcode ID: e6f195fb9f44df482f2dcd60cdcab7ea1e07728b5ca5a5334de4f95417663b25
Instruction ID: 53d7280098573f14c8d729a3f2d0a46dc4766e0ad6a3de3adcfb57a0bd1054e7
Opcode Fuzzy Hash: e6f195fb9f44df482f2dcd60cdcab7ea1e07728b5ca5a5334de4f95417663b25
Instruction Fuzzy Hash: 05324F71A10249EFDB04DFB8C945EDE7BB8AF09308F048159F825A7281EB79DB05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC81480 Relevance: 30.3, APIs: 3, Strings: 14, Instructions: 510
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

schema validation failure: , xrefs: 6BC81A33
LessThanOrEqualTo, xrefs: 6BC816C0, 6BC816EC
GreaterThanOrEqualTo, xrefs: 6BC81790, 6BC817BC
can only have one logical or arithmietic expression for a child node, xrefs: 6BC81A47
Exists, xrefs: 6BC81861
GreaterThan, xrefs: 6BC817F8, 6BC81824
LessThan, xrefs: 6BC81658, 6BC81684
ParameterInfo.xml, xrefs: 6BC818F5, 6BC81A22
And, xrefs: 6BC814E1, 6BC81512
schema validation failure: unknown Expression: , xrefs: 6BC81906
AlwaysTrue, xrefs: 6BC8189E
Equals, xrefs: 6BC81728, 6BC81754
Not, xrefs: 6BC81603
NeverTrue, xrefs: 6BC818CF

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw_malloc
String ID: can only have one logical or arithmietic expression for a child node$AlwaysTrue$And$Equals$Exists$GreaterThan$GreaterThanOrEqualTo$LessThan$LessThanOrEqualTo$NeverTrue$Not$ParameterInfo.xml$schema validation failure: $schema validation failure: unknown Expression:
API String ID: 623675022-100526994
Opcode ID: 2ee3ae0d7a9ffe745f322c22e30ff1037842785184c4fc3765b1fbe1efc8f70b
Instruction ID: 384c5224a98fe2214007528cfe1158008284673837c2b2a105e76dc1c092693b
Opcode Fuzzy Hash: 2ee3ae0d7a9ffe745f322c22e30ff1037842785184c4fc3765b1fbe1efc8f70b
Instruction Fuzzy Hash: 0C02BDB15283419BD700CFBCC881A5FBBE8AF99358F104919F5A5D7281FB78DB488762

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBA0A7 Relevance: 28.3, APIs: 2, Strings: 14, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6BC73A0D: __EH_prolog3.LIBCMT ref: 6BC73A14

GetCommandLineW.KERNEL32(CC4203FA,?,00000000,ParameterInfo.xml,?,?,?,00000000,?,?,?,?,ParameterInfo.xml,?,00000000,?), ref: 6BCBA0F6

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

Part of subcall function 6BC73A76: __EH_prolog3.LIBCMT ref: 6BC73A7D

__CxxThrowException@8.LIBCMT ref: 6BCBA25F

Strings

SetupVersion specified in ParameterInfo.xml has a minor version lower than the currently supported version., xrefs: 6BCBA2E6
NoSetupVersionCheck, xrefs: 6BCBA10E
than the currently supported version., xrefs: 6BCBA3A8
1.0, xrefs: 6BCBA0DF, 6BCBA0E4, 6BCBA276, 6BCBA29D
SetupVersion, xrefs: 6BCBA162
ParameterInfo.xml, xrefs: 6BCBA1D0, 6BCBA309, 6BCBA438
higher, xrefs: 6BCBA3A3, 6BCBA3B9
SetupVersion specified in ParameterInfo.xml is '%s', xrefs: 6BCBA265
Current SetupVersion = %s, xrefs: 6BCBA0E5
SetupVersion specified in ParameterInfo.xml is , xrefs: 6BCBA3CB
lower, xrefs: 6BCBA39C
SetupVersion specified in ParameterInfo.xml has a minor version greater than the currently supported version., xrefs: 6BCBA2FA
Command line switch 'NoSetupVersionCheck' found - so not performing SetupVersion check., xrefs: 6BCBA137
SetupVersion not specified, xrefs: 6BCBA1C1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandException@8LineThrow
String ID: than the currently supported version.$1.0$Command line switch 'NoSetupVersionCheck' found - so not performing SetupVersion check.$Current SetupVersion = %s$NoSetupVersionCheck$ParameterInfo.xml$SetupVersion$SetupVersion not specified$SetupVersion specified in ParameterInfo.xml has a minor version greater than the currently supported version.$SetupVersion specified in ParameterInfo.xml has a minor version lower than the currently supported version.$SetupVersion specified in ParameterInfo.xml is $SetupVersion specified in ParameterInfo.xml is '%s'$higher$lower
API String ID: 1129948358-1674238012
Opcode ID: a8421c85d8005461aba162180a9ea811dd3a4824217902ba9f2c7f9178d0c52d
Instruction ID: 61073c9702a9c3b6eb641e06cead9fc551f0dc83621758c14c89f85d0f6cc91b
Opcode Fuzzy Hash: a8421c85d8005461aba162180a9ea811dd3a4824217902ba9f2c7f9178d0c52d
Instruction Fuzzy Hash: 63C162721287409FD310DB78C845F5FBBE8AF95318F144A1CF2A597291EB78DA098B63

Uniqueness

Uniqueness Score: -1.00%

Function 6BC82930 Relevance: 26.7, APIs: 2, Strings: 13, Instructions: 416
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6BC82937

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC8266A: __EH_prolog3.LIBCMT ref: 6BC82671

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC82BF3

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

schema validation failure: Success blockers has no child node, xrefs: 6BC82C6E
StopBlockers, xrefs: 6BC829B8, 6BC829BD, 6BC829D4, 6BC82B2B
schema validation failure: More than 1 Warning Block defined., xrefs: 6BC82D62
schema validation failure: Stop blockers has no child node, xrefs: 6BC82D0E
schema validation failure: More than 1 Success Block defined., xrefs: 6BC82C03
ParameterInfo.xml, xrefs: 6BC82B9F, 6BC82C11, 6BC82C7C, 6BC82CCD, 6BC82D1C, 6BC82D70, 6BC82DBF
8, xrefs: 6BC82DEF
WarnBlockers, xrefs: 6BC82A36, 6BC82A3B, 6BC82A52, 6BC82B57
Blockers, xrefs: 6BC82ABD
schema validation failure: no valid child element found for 'Blockers' node., xrefs: 6BC82B91
SuccessBlockers, xrefs: 6BC8293E, 6BC82943, 6BC8295A, 6BC82B03
schema validation failure: More than 1 Stop Block defined., xrefs: 6BC82CBF
schema validation failure: Warn blockers has no child node, xrefs: 6BC82DB1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
String ID: 8$Blockers$ParameterInfo.xml$StopBlockers$SuccessBlockers$WarnBlockers$schema validation failure: More than 1 Stop Block defined.$schema validation failure: More than 1 Success Block defined.$schema validation failure: More than 1 Warning Block defined.$schema validation failure: Stop blockers has no child node$schema validation failure: Success blockers has no child node$schema validation failure: Warn blockers has no child node$schema validation failure: no valid child element found for 'Blockers' node.
API String ID: 3417717588-4180151753
Opcode ID: 1cc805e54032884acb210e4cf5bab9864d5bb6256a0db0c7bbd2e23c76349645
Instruction ID: 177596b4b5f0d2a6e828ba29d1cd7a29a6dcd8d5c53e78e520180de201ec0e81
Opcode Fuzzy Hash: 1cc805e54032884acb210e4cf5bab9864d5bb6256a0db0c7bbd2e23c76349645
Instruction Fuzzy Hash: 63F1B171921249EBCF04DBF8C955E9E7BB8AF09308F108159F115EB281EB7C9B05CB66

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBAA5A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 6BCBAA61
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 6BCBAAA7
K32GetModuleBaseNameW.KERNEL32(?,?,?,00000104), ref: 6BCBAAD4
GetLastError.KERNEL32 ref: 6BCBAADB

Part of subcall function 6BCC8E28: _wcsnlen.LIBCMT ref: 6BCC8E38

GetLastError.KERNEL32 ref: 6BCBAB12
K32GetProcessImageFileNameW.KERNEL32(?,?,00000104,?,?,?,psapi.dll), ref: 6BCBAB97
GetLastError.KERNEL32 ref: 6BCBAB9E
PathStripPathW.SHLWAPI(00000000), ref: 6BCBABC5
FindCloseChangeNotification.KERNELBASE(?), ref: 6BCBAC4F
GetLastError.KERNEL32 ref: 6BCBAC57

Strings

GetProcessImageFileName, xrefs: 6BCBABA7
GetModuleBaseName, xrefs: 6BCBAAE4
EnumProcessModules failed with error %u, will try GetProcessImageFileName, xrefs: 6BCBAB1C
psapi.dll, xrefs: 6BCBAB37
OpenProcess, xrefs: 6BCBAC60

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorLast$NamePathProcess$BaseChangeCloseEnumFileFindH_prolog3_catchImageModuleModulesNotificationStrip_wcsnlen
String ID: EnumProcessModules failed with error %u, will try GetProcessImageFileName$GetModuleBaseName$GetProcessImageFileName$OpenProcess$psapi.dll
API String ID: 3594929559-952504876
Opcode ID: f77b7e28f322ce6ea74dff92bf4330d9755d47c512e5e0c8a8b6c885b2d4743e
Instruction ID: d0114bd0dda7adb3dc223177ec1358b9176b84f724bcb07974e02b5bf7390d69
Opcode Fuzzy Hash: f77b7e28f322ce6ea74dff92bf4330d9755d47c512e5e0c8a8b6c885b2d4743e
Instruction Fuzzy Hash: 6C514C71620109EFDB00DFB8CD4AEAE7BB5AF58314F104519F951A7290FB78DB508B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC22C9B Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 295memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00002000,00000004,6BC227B0,00000000,6BC40088), ref: 6BC22D01
VirtualAlloc.KERNELBASE(?,00000000,00001000,00000004,000003F8,00000000,?,?,?,?,6BC227B0,00000000,6BC40088), ref: 6BC22D4F

Strings

Local\SqmData_%s, xrefs: 6BC23B42

Memory Dump Source

Source File: 00000006.00000002.2772419557.000000006BC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BC20000, based on PE: true

Associated: 00000006.00000002.2772334607.000000006BC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772874776.000000006BC40000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772911983.000000006BC41000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc20000_Setup.jbxd

Similarity

API ID: AllocVirtual
String ID: Local\SqmData_%s
API String ID: 4275171209-1264235261
Opcode ID: 8e53a9571a036815732a57d8dbbb64dc57bc79c6d5e0346339279db788c2ae7f
Instruction ID: f8e7c2ee760bbdd383464d887086d033d73b983fa08408557dd0172c324299db
Opcode Fuzzy Hash: 8e53a9571a036815732a57d8dbbb64dc57bc79c6d5e0346339279db788c2ae7f
Instruction Fuzzy Hash: 65B1DD316702209FDBA09F69CC90F5637F5BB04784F4084A8E95ADA1A1FB79DB89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8E5F8 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 253COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8E602

Part of subcall function 6BC8EAEA: __EH_prolog3.LIBCMT ref: 6BC8EAF1

Part of subcall function 6BC8EA71: __EH_prolog3.LIBCMT ref: 6BC8EA78

Part of subcall function 6BC8E9F8: __EH_prolog3.LIBCMT ref: 6BC8E9FF

Part of subcall function 6BC8B19E: __EH_prolog3.LIBCMT ref: 6BC8B1A5

Part of subcall function 6BC81B6D: __EH_prolog3.LIBCMT ref: 6BC81B74

#8.OLEAUT32(00000010,?,?,?,00000000,?,00000010,6BCEC1C8,?,?,?,?,?,?,?,?), ref: 6BC8E6E4
#2.OLEAUT32(IgnoreDownloadFailure,?,?,00000000,?,00000010,6BCEC1C8,?,?,?,?,?,?,?,?), ref: 6BC8E6F8
#6.OLEAUT32(6BCEC1C8,?,?,00000000,?,00000010,6BCEC1C8,?,?,?,?,?,?,?,?), ref: 6BC8E730
__CxxThrowException@8.LIBCMT ref: 6BC8E7CD

Part of subcall function 6BCC91E7: __CxxThrowException@8.LIBCMT ref: 6BCC91CC

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

#9.OLEAUT32(00000010,?,6BCEC1C8,6BCEC1C8,Compressed,?,?,00000000,?,00000010,6BCEC1C8,?,?,?,?,?), ref: 6BC8E93E

Strings

schema validation failure: AgileMSP does not support Compressed attributes!, xrefs: 6BC8E8D4
IgnoreDownloadFailure should not be authored for Agile MSPs, xrefs: 6BC8E740
CompressedHashValue, xrefs: 6BC8E849
Compressed, xrefs: 6BC8E7D2
CompressedDownloadSize, xrefs: 6BC8E80C
ParameterInfo.xml, xrefs: 6BC8E74E, 6BC8E8E2
IgnoreDownloadFailure, xrefs: 6BC8E6F0

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: Compressed$CompressedDownloadSize$CompressedHashValue$IgnoreDownloadFailure$IgnoreDownloadFailure should not be authored for Agile MSPs$ParameterInfo.xml$schema validation failure: AgileMSP does not support Compressed attributes!
API String ID: 2489616738-3712495632
Opcode ID: 2c30886f5d11b101a8c6ccba682fd0bd28fc29163921aea92f00d219de0b1fb5
Instruction ID: 285f1903c0bf075af162c9400a4d7ab92cb349979d196759c6c6d59548b0f4cb
Opcode Fuzzy Hash: 2c30886f5d11b101a8c6ccba682fd0bd28fc29163921aea92f00d219de0b1fb5
Instruction Fuzzy Hash: 05B13BB1920249EBDF01DFF8C985BEEBBB8AF09308F104159E115B7281E7799B45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC97F53 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 231COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BC97F5A

Part of subcall function 6BCAB898: __EH_prolog3.LIBCMT ref: 6BCAB89F

GetFileSize.KERNEL32(?,00000000,?,80000000,00000001,00000003,00000080,00000000), ref: 6BC98064
CloseHandle.KERNEL32(?), ref: 6BC98191

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Strings

Hash verification succeeded for , xrefs: 6BC98074, 6BC980AB, 6BC980EF
Signature verification succeeded for , xrefs: 6BC97F9F
No FileHash provided. Cannot perform FileHash verification for , xrefs: 6BC981DB
Signature verification failed. Trying to verify hash , xrefs: 6BC97FC8
Hash verification succeeded but file size does not match for , xrefs: 6BC9811F
... , xrefs: 6BC97FD6
Hash verification failed for %s. HRESULT = 0x%x, xrefs: 6BC981B9
Hash verification succeeded but file size can not be verified for , xrefs: 6BC98155

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CloseFileH_prolog3_HandleSize
String ID: ... $Hash verification failed for %s. HRESULT = 0x%x$Hash verification succeeded but file size can not be verified for $Hash verification succeeded but file size does not match for $Hash verification succeeded for $No FileHash provided. Cannot perform FileHash verification for $Signature verification failed. Trying to verify hash $Signature verification succeeded for
API String ID: 2359445833-3405341789
Opcode ID: 8b6b2fa89c2a192597c0bf68e50eb5a5f93e59c0f9081a39901e1974a0a73429
Instruction ID: a6adcd0e6c45a32b510ae3a822416b862a3ba1b0c6914362c73bcd897112179a
Opcode Fuzzy Hash: 8b6b2fa89c2a192597c0bf68e50eb5a5f93e59c0f9081a39901e1974a0a73429
Instruction Fuzzy Hash: F6917D71A20204EFDF00DFE8D885E8EBBB5FF09304F104594E511AB296EB78EA54CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7BB5C Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 260COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7BB63

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

__CxxThrowException@8.LIBCMT ref: 6BC7BE0B

Strings

BlockingMutex, xrefs: 6BC7BCBD
AdditionalCommandLineSwitches, xrefs: 6BC7BBC6
FilesInUseSetting, xrefs: 6BC7BD0F
Using Serial Download and Install mechanism, xrefs: 6BC7BE1A
UserExperienceDataCollection, xrefs: 6BC7BC18
DisabledCommandLineSwitches, xrefs: 6BC7BB72
schema validation failure: there must be a valid child element for Configuration., xrefs: 6BC7BD7C
Using Simultaneous Download and Install mechanism, xrefs: 6BC7BE21
DownloadInstallSetting, xrefs: 6BC7BC6B
ParameterInfo.xml, xrefs: 6BC7BD8A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: AdditionalCommandLineSwitches$BlockingMutex$DisabledCommandLineSwitches$DownloadInstallSetting$FilesInUseSetting$ParameterInfo.xml$UserExperienceDataCollection$Using Serial Download and Install mechanism$Using Simultaneous Download and Install mechanism$schema validation failure: there must be a valid child element for Configuration.
API String ID: 2489616738-904804324
Opcode ID: 284f0c8a642d03e4352c5e0ef353c0c568f1aa262737a143a8140bc80068a6d1
Instruction ID: 5c5b3acadefeb0302159b6c44e72fa2d6c9334946b2c358f45a9f7b96a8dfc95
Opcode Fuzzy Hash: 284f0c8a642d03e4352c5e0ef353c0c568f1aa262737a143a8140bc80068a6d1
Instruction Fuzzy Hash: 75A15071920249EBCB10DFB8CD45AAEBBB8BF09314F104559F525A7281E778EB14CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC778C3 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 96registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC778CA
RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\PCHealth\ErrorReporting\DW\Installed,00000000,00020019,?,00000014,6BC77862,?,6BCA80D8,00000000), ref: 6BC778FA
RegQueryValueExW.ADVAPI32(?,DW0200,00000000,00000000,?,?,?,6BCA80D8,00000000), ref: 6BC77920
RegCloseKey.ADVAPI32(?,?,6BCA80D8,00000000), ref: 6BC7792C
GetFileAttributesW.KERNEL32(?,?,6BCA80D8,00000000), ref: 6BC77941
SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,?,?,6BCA80D8,00000000), ref: 6BC77956
GetFileAttributesW.KERNELBASE(?,?,6BCA80D8,00000000), ref: 6BC77979
GetFileAttributesW.KERNELBASE(?,?,6BCA80D8,00000000), ref: 6BC779D2

Strings

DW0200, xrefs: 6BC77911
Software\Microsoft\PCHealth\ErrorReporting\DW\Installed, xrefs: 6BC778F0
DW\DW20.exe, xrefs: 6BC779A6
\Microsoft Shared\DW\DW20.exe, xrefs: 6BC77965

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: AttributesFile$CloseFolderH_prolog3OpenPathQueryValue
String ID: DW0200$DW\DW20.exe$Software\Microsoft\PCHealth\ErrorReporting\DW\Installed$\Microsoft Shared\DW\DW20.exe
API String ID: 2337823764-2373061612
Opcode ID: 4544e95e43b0ddaa639b0eddc88d300e09607252aca0a6096ebb7d3ea59224bb
Instruction ID: 1f7fab4946d80876e9b578c4228ca55db0ec87010af6c77f7fda221b8cd2abfe
Opcode Fuzzy Hash: 4544e95e43b0ddaa639b0eddc88d300e09607252aca0a6096ebb7d3ea59224bb
Instruction Fuzzy Hash: 75318472C2111EABDB109FB4CC85EBFB7B9EF05359F00026AE520B6191F7788B519B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC944C2 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 210comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BC944CC

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA813B: __EH_prolog3.LIBCMT ref: 6BCA8142

Part of subcall function 6BC738EB: __EH_prolog3.LIBCMT ref: 6BC738F2

Part of subcall function 6BC941EA: __EH_prolog3.LIBCMT ref: 6BC941F1

Part of subcall function 6BC94408: __EH_prolog3.LIBCMT ref: 6BC9440F

CoInitialize.OLE32(00000000,?,?,?,?,6BC73845,?,00000000,00000000,6BCAFAA0,00000738,IronMan::EngineData::CreateEngineData,6BCAFAA0,threw exception,00000184,6BCB9FFB), ref: 6BC9457D
CoCreateInstance.OLE32(6BC6A974,00000000,00000017,6BC6A9A4,?,?,?,?,?,6BC73845,?,00000000,00000000,6BCAFAA0,00000738,IronMan::EngineData::CreateEngineData), ref: 6BC9459B

Part of subcall function 6BCBA0A7: GetCommandLineW.KERNEL32(CC4203FA,?,00000000,ParameterInfo.xml,?,?,?,00000000,?,?,?,?,ParameterInfo.xml,?,00000000,?), ref: 6BCBA0F6

CoUninitialize.OLE32(-00000960,00000000,?,?,succeeded,6BC6A78C,?,?,?,?,6BC73845,?,00000000,00000000,6BCAFAA0,00000738), ref: 6BC94676
#6.OLEAUT32(00000000,?,succeeded,6BC6A78C,?,?,?,?,6BC73845,?,00000000,00000000,6BCAFAA0,00000738,IronMan::EngineData::CreateEngineData,6BCAFAA0), ref: 6BC9467F
#2.OLEAUT32(?,?,?,?,?,?,6BC73845,?,00000000,00000000,6BCAFAA0,00000738,IronMan::EngineData::CreateEngineData,6BCAFAA0,threw exception,00000184), ref: 6BC946B4
__CxxThrowException@8.LIBCMT ref: 6BC94744

Strings

threw exception, xrefs: 6BC944D1
succeeded, xrefs: 6BC945FA
IronMan::EngineData::CreateEngineData, xrefs: 6BC944E4
ParameterInfo.xml, xrefs: 6BC9470B

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandCreateException@8H_prolog3_catchInitializeInstanceLineThrowUninitialize
String ID: IronMan::EngineData::CreateEngineData$ParameterInfo.xml$succeeded$threw exception
API String ID: 2089393550-3644667230
Opcode ID: 3bd1d9b05a08ea39c27aa0a648bf8671fe4d89a53fa521d3cdde2c511635719b
Instruction ID: 40297696d882e5fdd131bbad21772476dfa3c06ee865400717b6ef6323dd2265
Opcode Fuzzy Hash: 3bd1d9b05a08ea39c27aa0a648bf8671fe4d89a53fa521d3cdde2c511635719b
Instruction Fuzzy Hash: 08816CB1910249EFDF11DFA8C889EDE7BB8AF49318F108189F515EB241E7789B01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8E04D Relevance: 17.9, APIs: 2, Strings: 8, Instructions: 365COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8E054

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7845D: __EH_prolog3.LIBCMT ref: 6BC78464

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC8E36A

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

schema validation failure: wrong number of File child nodes!, xrefs: 6BC8E2E0
File, xrefs: 6BC8E268
Compressed items need to have URL and CompressedDownloadSize authored., xrefs: 6BC8E41B
ApplicableIf, xrefs: 6BC8E13C
IsPresent, xrefs: 6BC8E0CF
Compressed, xrefs: 6BC8E36F, 6BC8E374, 6BC8E3B1
ActionTable, xrefs: 6BC8E1A5
ParameterInfo.xml, xrefs: 6BC8E2EB, 6BC8E429

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
String ID: ActionTable$ApplicableIf$Compressed$Compressed items need to have URL and CompressedDownloadSize authored.$File$IsPresent$ParameterInfo.xml$schema validation failure: wrong number of File child nodes!
API String ID: 3417717588-3917201069
Opcode ID: 0c2adb82e5945c6e9befd7b4cfa926509456e96a21454ba524d5f0cf5a503f2b
Instruction ID: 53f67d509f500d8d140fe2d2cdf2c1fdc1a7d3d419918f3baca0a02512f73fc4
Opcode Fuzzy Hash: 0c2adb82e5945c6e9befd7b4cfa926509456e96a21454ba524d5f0cf5a503f2b
Instruction Fuzzy Hash: 9FE14E71A20249EFDB04DFB8C945ADEBBB8AF09318F148159E415EB341E738EB05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9485F Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 314COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC94866

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC789D7: __EH_prolog3.LIBCMT ref: 6BC789DE
Part of subcall function 6BC789D7: __CxxThrowException@8.LIBCMT ref: 6BC78AA9

__CxxThrowException@8.LIBCMT ref: 6BC94BC5

Strings

Setup, xrefs: 6BC94AFE
schema validation failure: wrong number of child elements under top level Setup element, xrefs: 6BC94B63
Blockers, xrefs: 6BC94874
EnterMaintenanceModeIf, xrefs: 6BC94939, 6BC9493E, 6BC94975
Configuration, xrefs: 6BC94A72
SystemCheck, xrefs: 6BC94A1C
Items, xrefs: 6BC949C8
ParameterInfo.xml, xrefs: 6BC94B71

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: Blockers$Configuration$EnterMaintenanceModeIf$Items$ParameterInfo.xml$Setup$SystemCheck$schema validation failure: wrong number of child elements under top level Setup element
API String ID: 2489616738-3586895666
Opcode ID: 5f28fd677b8ec58f6cd3112519584cd5736121c942cae9245d710d7feb8b1ab5
Instruction ID: 940fdf78e3930aaf2ead69e5c097a84011796b5fb7afb11b1647be731c750c47
Opcode Fuzzy Hash: 5f28fd677b8ec58f6cd3112519584cd5736121c942cae9245d710d7feb8b1ab5
Instruction Fuzzy Hash: D1C16F7191024AEFDB10DFB8C945EAEBBB8AF09318F108159F525E7241EB38DB05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8647D Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 236COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC86484

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7A21F: __EH_prolog3_catch.LIBCMT ref: 6BC7A226

__CxxThrowException@8.LIBCMT ref: 6BC866A3

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7845D: __EH_prolog3.LIBCMT ref: 6BC78464

Strings

CompressedHashValue, xrefs: 6BC86569
schema validation failure: If URL is present then there must be a DownloadSize, xrefs: 6BC86617
DownloadSize, xrefs: 6BC86520
schema validation failure: If HashValue is present then it must be a 64 hex-digit string, xrefs: 6BC866B7
HashValue, xrefs: 6BC864DB
URL, xrefs: 6BC86490
CompressedDownloadSize, xrefs: 6BC865AE
ParameterInfo.xml, xrefs: 6BC86625, 6BC866C5

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8H_prolog3_catchThrow
String ID: CompressedDownloadSize$CompressedHashValue$DownloadSize$HashValue$ParameterInfo.xml$URL$schema validation failure: If HashValue is present then it must be a 64 hex-digit string$schema validation failure: If URL is present then there must be a DownloadSize
API String ID: 24280941-3047338099
Opcode ID: a531b9930ca9a150b0124ce3bfc5a9dea64d6da6a0f78ce12aa3d01d2a519a10
Instruction ID: f1dc14cb522bc16107641de4572b5789a4c028ce3fc14329e33d9c6e9fa8c133
Opcode Fuzzy Hash: a531b9930ca9a150b0124ce3bfc5a9dea64d6da6a0f78ce12aa3d01d2a519a10
Instruction Fuzzy Hash: 95A17271920649EFCB10DFB8C945A9EBBF8AF19318F108599E055E7281E778EB04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC79F54 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC79F5B
#8.OLEAUT32(00000003,00000044,6BC862DE,?,?,?,00000001,?,EstimatedInstallTime,00000000,6BC90FFF,0000000A,?,?,00000010,6BC925FB), ref: 6BC79F69
#6.OLEAUT32(?,?,?,?,00000001,?,EstimatedInstallTime,00000000,6BC90FFF,0000000A,?,?,00000010,6BC925FB,?,000000C0), ref: 6BC79FA3

Part of subcall function 6BCB9A2E: __get_errno.LIBCMT ref: 6BCB9A4E
Part of subcall function 6BCB9A2E: __wcstoui64.LIBCMT ref: 6BCB9A71
Part of subcall function 6BCB9A2E: __get_errno.LIBCMT ref: 6BCB9A83

__ui64tow_s.LIBCMT ref: 6BC7A00F
__CxxThrowException@8.LIBCMT ref: 6BC7A0DC
#2.OLEAUT32(00000000,?,?,?,00000001,?,EstimatedInstallTime,00000000,6BC90FFF,0000000A,?,?,00000010,6BC925FB,?,000000C0), ref: 6BC7A0E2
#9.OLEAUT32(?,00000014,1.0), ref: 6BC7A109

Strings

schema validation failure: attribute %s missing for %s %s, xrefs: 6BC7A19B
Name, xrefs: 6BC7A141
schema validation failure: %s is invalid, a non-negitive numeric value is required for %s, xrefs: 6BC7A05C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: __get_errno$Exception@8H_prolog3Throw__ui64tow_s__wcstoui64
String ID: Name$schema validation failure: %s is invalid, a non-negitive numeric value is required for %s$schema validation failure: attribute %s missing for %s %s
API String ID: 1004733786-1070666262
Opcode ID: 336e514529c6e4332ab3490b19259b36921d9ba9933809be5525d574d00b3d8c
Instruction ID: 21e23a06da3ea3e0b543ae35af7887f0369507b8e9ff8d35356515b55db0f91c
Opcode Fuzzy Hash: 336e514529c6e4332ab3490b19259b36921d9ba9933809be5525d574d00b3d8c
Instruction Fuzzy Hash: D7919A72910249EBCF01DFB8C945EDEBBB9AF09318F144598F511AB291E778EB04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7A8EC Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 210fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7A8F3

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A92B
GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A984
__CxxThrowException@8.LIBCMT ref: 6BC7AA48
SetFilePointer.KERNELBASE(?,00000000,6BC6A78C,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000,?), ref: 6BC7AA69
ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7AAB7
#4.OLEAUT32(00000000,?,?,00000002,00000000,00000000,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000), ref: 6BC7AACC
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7AB4C

Strings

Could not find mandatory data file %s. This is a bad package., xrefs: 6BC7AB05
ReadXML failed to open XML file %s, with error %d, xrefs: 6BC7AA27

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: File$H_prolog3$ChangeCloseException@8FindModuleNameNotificationPathPointerReadRelativeThrow
String ID: Could not find mandatory data file %s. This is a bad package.$ReadXML failed to open XML file %s, with error %d
API String ID: 554878451-4172873023
Opcode ID: ba60e8d2f53cdbce3e10a40c2219b43bca0c7a5a314487ca9a66a6b96e5a7eb3
Instruction ID: c9cf78bb08360a8b1789af64201295f51e9ff869721810575e499f8ea612cb92
Opcode Fuzzy Hash: ba60e8d2f53cdbce3e10a40c2219b43bca0c7a5a314487ca9a66a6b96e5a7eb3
Instruction Fuzzy Hash: 4781397292011AEBCF11DFA8CC85DAEBBBABF49318F104569F510B7251E7389B11CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAA4D3 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCAA4DA

Part of subcall function 6BC7C58B: __EH_prolog3.LIBCMT ref: 6BC7C592
Part of subcall function 6BC7C58B: GetLastError.KERNEL32 ref: 6BC7C5C0

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCB1303: __EH_prolog3.LIBCMT ref: 6BCB130A

GetLastError.KERNEL32 ref: 6BCAA57F
GetLastError.KERNEL32 ref: 6BCAA638
GetLastError.KERNEL32 ref: 6BCAA69F

Strings

Failed to record PackageVersion, xrefs: 6BCAA53B
Failed to record PackageName, xrefs: 6BCAA4FC
Failed to record PatchType, xrefs: 6BCAA652
Failed to record IsRetailBuild, xrefs: 6BCAA6B9
Failed to record InstallerVersion, xrefs: 6BCAA5F4
Failed to record DisplayedLcidId, xrefs: 6BCAA599

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: Failed to record DisplayedLcidId$Failed to record InstallerVersion$Failed to record IsRetailBuild$Failed to record PackageName$Failed to record PackageVersion$Failed to record PatchType
API String ID: 685212868-335235891
Opcode ID: 769782e15a61eae330f600619e6ca005242315d4745ac61e2186f3bd4939fa60
Instruction ID: e163e1af1c7428abe38e114df74fc2c94a8909ad68c9497efeb7141b9b555ec5
Opcode Fuzzy Hash: 769782e15a61eae330f600619e6ca005242315d4745ac61e2186f3bd4939fa60
Instruction Fuzzy Hash: A6517072520205AFCB10DFB5C946F8E3BB9BF85358F108514F915AB290EB79EB018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAA021 Relevance: 16.8, APIs: 5, Strings: 6, Instructions: 271COMMON

Download Yara Rule

APIs

Part of subcall function 6BC7C4F4: GetLastError.KERNEL32(?,6BCAA064,CC4203FA,?,?), ref: 6BC7C515

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCB1303: __EH_prolog3.LIBCMT ref: 6BCB130A

GetLastError.KERNEL32 ref: 6BCAA0D7
GetLastError.KERNEL32 ref: 6BCAA178
GetLastError.KERNEL32 ref: 6BCAA1EB
GetLastError.KERNEL32 ref: 6BCAA255
GetLastError.KERNEL32 ref: 6BCAA2E9

Strings

Failed to record StartupAppid, xrefs: 6BCAA205
Failed to record SetMachineId, xrefs: 6BCAA1A5
Failed to record current state name, xrefs: 6BCAA26F
Failed to record StartSession, xrefs: 6BCAA066
Failed to record MPC, xrefs: 6BCAA2FF
Failed to record SetUserId, xrefs: 6BCAA104

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorLast$H_prolog3
String ID: Failed to record MPC$Failed to record SetMachineId$Failed to record SetUserId$Failed to record StartSession$Failed to record StartupAppid$Failed to record current state name
API String ID: 3502553090-2804495384
Opcode ID: c006c0a966d2e175662a31c29f5af8027252ab22bff1b386ffb3015120851fbf
Instruction ID: 773d75b8994d7ce918ea2e6965e1a494a24e0b4faf0536aa79cf8b8cdf18c87f
Opcode Fuzzy Hash: c006c0a966d2e175662a31c29f5af8027252ab22bff1b386ffb3015120851fbf
Instruction Fuzzy Hash: 52A194726243529FD720CF74C845A5B7BE8AF85364F000A5CF552D71A1FB79DA04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC91E67 Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 317COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC91E6E

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

__CxxThrowException@8.LIBCMT ref: 6BC921C4

Strings

DelayBetweenRetries, xrefs: 6BC91EF5
DownloadRetries, xrefs: 6BC91EAD
true, xrefs: 6BC91F73
No items found. The package must contain at least one item., xrefs: 6BC92137
CopyPackageFilesToDownloadLocation, xrefs: 6BC91F3D
Items, xrefs: 6BC91FC1
ParameterInfo.xml, xrefs: 6BC92145

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: CopyPackageFilesToDownloadLocation$DelayBetweenRetries$DownloadRetries$Items$No items found. The package must contain at least one item.$ParameterInfo.xml$true
API String ID: 2489616738-2573507987
Opcode ID: 7a91d3bdd25472733f00852dec40d495901266a8b18e8acaed5d62a4045ba4f6
Instruction ID: e11d8aecbbcc83bab2c00a018c556502d732e77f02be2f5dcf39bb36d7e6c8a5
Opcode Fuzzy Hash: 7a91d3bdd25472733f00852dec40d495901266a8b18e8acaed5d62a4045ba4f6
Instruction Fuzzy Hash: 49D16F71D11249DFDF01DFA8C885AAEBBB4AF49308F108199F555EB381E7389B05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC232BC Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 303COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6BC23302

Part of subcall function 6BC23679: GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,6BC2332F,?), ref: 6BC23683
Part of subcall function 6BC23679: OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,6BC2332F,?), ref: 6BC236B3
Part of subcall function 6BC23679: ConvertSidToStringSidW.ADVAPI32(00000000,?,?,00000001,?,?,?,?,6BC2332F,?), ref: 6BC236D5
Part of subcall function 6BC23679: FindCloseChangeNotification.KERNELBASE(?,?,00000001,?,?,?,?,6BC2332F,?), ref: 6BC236E0

EnterCriticalSection.KERNEL32(6BC40168,?), ref: 6BC23334
LeaveCriticalSection.KERNEL32(6BC40168,00000400,?), ref: 6BC233F5
LocalFree.KERNEL32(00000000), ref: 6BC2340C
SetLastError.KERNEL32(00000057), ref: 6BC2341F

Part of subcall function 6BC217EB: malloc.MSVCRT ref: 6BC217F6

ctype.LIBCPMT ref: 6BC2EDDC

Part of subcall function 6BC2343E: GetSystemTime.KERNEL32(00000000,00000838,00000000), ref: 6BC2347D
Part of subcall function 6BC2343E: SystemTimeToFileTime.KERNEL32(00000000,00000000), ref: 6BC2348B

Part of subcall function 6BC230D2: InterlockedIncrement.KERNEL32(00000000), ref: 6BC230D8

Strings

%s_%s, xrefs: 6BC23AC6
W, xrefs: 6BC2EB77

Memory Dump Source

Source File: 00000006.00000002.2772419557.000000006BC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BC20000, based on PE: true

Associated: 00000006.00000002.2772334607.000000006BC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772874776.000000006BC40000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772911983.000000006BC41000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc20000_Setup.jbxd

Similarity

API ID: Time$CriticalProcessSectionSystem$ChangeCloseConvertCurrentEnterErrorFileFindFreeIncrementInterlockedLastLeaveLocalNotificationOpenStringTokenctypemallocmemset
String ID: %s_%s$W
API String ID: 1092980461-4070589124
Opcode ID: de0abb07a44b190c888689aa500510854092d5f607aa9686e1601170d17fd19a
Instruction ID: b6292ae356d3e9042e7bc171f856e91309832535f3733b22e3f09780d49257fb
Opcode Fuzzy Hash: de0abb07a44b190c888689aa500510854092d5f607aa9686e1601170d17fd19a
Instruction Fuzzy Hash: 1BC1F0319702289FDB619F65CC80BAA7BF9BF44344F0080D5E999A6191EF79CB85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8ED9B Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 264COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8EDA2

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC8EF6F

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

AgileMSI, xrefs: 6BC8EDB4, 6BC8EE68
CompressedHashValue, xrefs: 6BC8EFF7
schema validation failure: AgileMSI does not support Compressed attributes!, xrefs: 6BC8F084
schema validation failure: wrong number of AgileMSI child nodes!, xrefs: 6BC8EEE2
Compressed, xrefs: 6BC8EF74
CompressedDownloadSize, xrefs: 6BC8EFB6
ParameterInfo.xml, xrefs: 6BC8EEF0, 6BC8F092

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
String ID: AgileMSI$Compressed$CompressedDownloadSize$CompressedHashValue$ParameterInfo.xml$schema validation failure: AgileMSI does not support Compressed attributes!$schema validation failure: wrong number of AgileMSI child nodes!
API String ID: 3417717588-3703128407
Opcode ID: 3594093b653bf9d78c84cdd32278069506f61635d9e2488a859956f6c6072cea
Instruction ID: ae4d904b51a46e93ef5ef06186b002e3dda05a3774780edc64b5ee197e04b2ec
Opcode Fuzzy Hash: 3594093b653bf9d78c84cdd32278069506f61635d9e2488a859956f6c6072cea
Instruction Fuzzy Hash: 97B183B1924249EFCB04DFB8C845BEEBBB8BF09318F108558E525E7281E7799705CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA98A8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 232comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,CC4203FA,?,?), ref: 6BCA98DD
CoCreateInstance.OLE32 ref: 6BCA9902
#2.OLEAUT32(//MsiXmlBlob/MsiPatch/TargetProductCode), ref: 6BCA9975
#6.OLEAUT32(00000000), ref: 6BCA99B1
#6.OLEAUT32(?), ref: 6BCA9A7F

Part of subcall function 6BCC91E7: __CxxThrowException@8.LIBCMT ref: 6BCC91CC

Part of subcall function 6BCB0446: __EH_prolog3.LIBCMT ref: 6BCB044D

CoUninitialize.OLE32 ref: 6BCA9AED
#6.OLEAUT32(?), ref: 6BCA9B10
CoUninitialize.OLE32(?), ref: 6BCA9B6C

Strings

//MsiXmlBlob/MsiPatch/TargetProductCode, xrefs: 6BCA9970

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Uninitialize$CreateException@8H_prolog3InitializeInstanceThrow
String ID: //MsiXmlBlob/MsiPatch/TargetProductCode
API String ID: 165413875-925641906
Opcode ID: 75f073ccc929f5673ce4a6923b4351e8f81f07bdd807fc8a61e7e4281a104fa3
Instruction ID: 6d1fd29248de302da79f88f70fb2b711ea27cce432a10a942c5a90c86d2c0e48
Opcode Fuzzy Hash: 75f073ccc929f5673ce4a6923b4351e8f81f07bdd807fc8a61e7e4281a104fa3
Instruction Fuzzy Hash: F49172711183869FC700CF68C488A5BBBE9BFC9308F14496DF485DB252D77ADA45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9C98B Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC9C992

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC9B749: __EH_prolog3.LIBCMT ref: 6BC9B750

GetTickCount.KERNEL32 ref: 6BC9CBA4

Part of subcall function 6BC73A0D: __EH_prolog3.LIBCMT ref: 6BC73A14

Strings

INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d), xrefs: 6BC9CA96
INSTALLMESSAGE_PROGRESS [%s] (Progress Addition), xrefs: 6BC9CA0D
INSTALLMESSAGE_PROGRESS [%s] (Action Info), xrefs: 6BC9CAF1
INSTALLMESSAGE_PROGRESS [%s] (Master Reset: tickCount=%d range=%d), xrefs: 6BC9CBB1
INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d) Negative progress ignored!!, xrefs: 6BC9CAA3
INSTALLMESSAGE_PROGRESS - Action Data message received, but step size is zero, xrefs: 6BC9CA4B
INSTALLMESSAGE_PROGRESS [%s] (Action Data: iProgress=%d iStep=%d), xrefs: 6BC9CA69

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CountTick
String ID: INSTALLMESSAGE_PROGRESS - Action Data message received, but step size is zero$INSTALLMESSAGE_PROGRESS [%s] (Action Data: iProgress=%d iStep=%d)$INSTALLMESSAGE_PROGRESS [%s] (Action Info)$INSTALLMESSAGE_PROGRESS [%s] (Master Reset: tickCount=%d range=%d)$INSTALLMESSAGE_PROGRESS [%s] (Progress Addition)$INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d)$INSTALLMESSAGE_PROGRESS [%s] (Progress Report: iProgress=%d) Negative progress ignored!!
API String ID: 194692712-1811215275
Opcode ID: 0895ba8cb0c6d997d8b04486d9941c9b5973ed7a3640555cc13294837f992a4c
Instruction ID: cd75f2085726509ba88be84346a8e9f3dfcd3e8bed2774829ae596a10ec457d9
Opcode Fuzzy Hash: 0895ba8cb0c6d997d8b04486d9941c9b5973ed7a3640555cc13294837f992a4c
Instruction Fuzzy Hash: D171C172A60646FFE701EBB5D842BAEBB65FF04314F008156E5109B580F738EBA1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BC77535 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134COMMON

Download Yara Rule

APIs

#7.OLEAUT32(?), ref: 6BC775A0
__time64.LIBCMT ref: 6BC77652

Part of subcall function 6BC753AA: __EH_prolog3.LIBCMT ref: 6BC753B1
Part of subcall function 6BC753AA: OutputDebugStringW.KERNEL32(?,?,?,00000008,6BCA6106,000013EC,?,00000000,?,?,ReportingFlags,?,-0000000D,?,?,6BC54A4C), ref: 6BC753D2

#6.OLEAUT32(?,?,?,?,?,?,6BCAFAE3,6BC6A78C,?,6BC6A78C,-00000960), ref: 6BC77630

Strings

Final Result: Installation completed successfully with success code: (0x%08lX), xrefs: 6BC775AF
Final Result: Installation failed with error code: (0x%08lX), xrefs: 6BC77605
Final Result: Installation failed with error code: (0x%08lX), "%s", xrefs: 6BC7761A
Final Result: Installation aborted, xrefs: 6BC775CA
Final Result: Installation completed successfully with success code: (0x%08lX), "%s", xrefs: 6BC775BB

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: DebugH_prolog3OutputString__time64
String ID: Final Result: Installation aborted$Final Result: Installation completed successfully with success code: (0x%08lX)$Final Result: Installation completed successfully with success code: (0x%08lX), "%s"$Final Result: Installation failed with error code: (0x%08lX)$Final Result: Installation failed with error code: (0x%08lX), "%s"
API String ID: 1457351144-1330816492
Opcode ID: 518eb200568b2cd8a4c4e727d79d84ffb0a69579b788965a421babe8ae67bb2a
Instruction ID: 34a4f02d891c22d7f0ea9549dff801abdfa6f990bcf8c310a67d5587608250e6
Opcode Fuzzy Hash: 518eb200568b2cd8a4c4e727d79d84ffb0a69579b788965a421babe8ae67bb2a
Instruction Fuzzy Hash: 115190721283459BC300DF68C885E5BBBE4FF95714F000A2DF59193291EB38DA18CB67

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC2E64 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 345COMMON

Download Yara Rule

Strings

File lock postponed for %s., xrefs: 6BCC30D6
File %s (%s), failed authentication. (Error = %d). It is recommended that you delete this file and retry setup again., xrefs: 6BCC3054

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID:
String ID: File %s (%s), failed authentication. (Error = %d). It is recommended that you delete this file and retry setup again.$File lock postponed for %s.
API String ID: 0-2368451233
Opcode ID: 0c736ac73f8c77b3ee188b3077cfb26974568400f48de392d140c47398fd5dc3
Instruction ID: ae49b5a3a57646bf58d8c1121e05d86553ca29f265768ae29ac88c39a5b58091
Opcode Fuzzy Hash: 0c736ac73f8c77b3ee188b3077cfb26974568400f48de392d140c47398fd5dc3
Instruction Fuzzy Hash: 60C180725182819FC711DF78C845A4FBBE4AF96728F000B5DF4A4A7291E778EA05CB63

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7AC78 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 298COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7AC7F
#6.OLEAUT32(?,?,?,?,?,?,?,?,?,00000004,6BCBA2AD,-00000010,1.0,?,00000014,1.0), ref: 6BC7AD86
#2.OLEAUT32(-00000010,?,?,?,?,?,00000004,6BCBA2AD,-00000010,1.0,?,00000014,1.0), ref: 6BC7AE90
__CxxThrowException@8.LIBCMT ref: 6BC7AF5F

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7845D: __EH_prolog3.LIBCMT ref: 6BC78464

Strings

schema validation failure: ExpressionAlias's Id not defined or defined too many times: , xrefs: 6BC7AEDF
ExpressionAlias, xrefs: 6BC7ACCC, 6BC7AE0A
//*[@Id='%s'], xrefs: 6BC7AD46
schema validation failure: Invalid ExpressionAlias or Id not found: , xrefs: 6BC7AFA4

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: //*[@Id='%s']$ExpressionAlias$schema validation failure: ExpressionAlias's Id not defined or defined too many times: $schema validation failure: Invalid ExpressionAlias or Id not found:
API String ID: 2489616738-1025498756
Opcode ID: b573386b883c80e07fa55548d6efd83de913313d7788c1857e658033e4979633
Instruction ID: 1c38d6c43f31f15edf3deb7a966e2789a098b48fbbd7ec62dbb54770bb2b58a6
Opcode Fuzzy Hash: b573386b883c80e07fa55548d6efd83de913313d7788c1857e658033e4979633
Instruction Fuzzy Hash: 23C14C71910249EFCB00DFF4C985EEEBBB9AF49308F2445A9F511AB251E7389B05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC79C5A Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 174COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC79C61
__CxxThrowException@8.LIBCMT ref: 6BC79D44
__fassign.LIBCMT ref: 6BC79D78
_wcstoul.LIBCMT ref: 6BC79D85

Part of subcall function 6BCCBA70: wcstoxl.LIBCMT ref: 6BCCBA80

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

__get_errno.LIBCMT ref: 6BC79D94

Strings

", xrefs: 6BC79DA8
schema validation failure: non-numeric value, %s, for %s, xrefs: 6BC79DD1
schema validation failure: empty value, %s, for %s, xrefs: 6BC79CC1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw__fassign__get_errno_wcstoulwcstoxl
String ID: "$schema validation failure: empty value, %s, for %s$schema validation failure: non-numeric value, %s, for %s
API String ID: 2631245360-326575430
Opcode ID: 1fbf827f73364ad1d9870b4b123fa3a06ef66d72860a40e56bf4a51c1ed7639a
Instruction ID: 80e0cc28b0dc3f4dea3f30e2840dfdbb814074b2f17116a4f68675ddf301a16c
Opcode Fuzzy Hash: 1fbf827f73364ad1d9870b4b123fa3a06ef66d72860a40e56bf4a51c1ed7639a
Instruction Fuzzy Hash: 85619D71910149EFCF11DFF8C885EEEBBB9AF19314F1081A9E125A7281E7789B04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA4F0E Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BCA4F15
CoInitialize.OLE32(00000000,0000005C,6BCBB810,?,?,?,?,?,?,?,?,?,ParameterInfo.xml,?,00000000,?), ref: 6BCA4F2A

Part of subcall function 6BCC8B85: #149.OLEAUT32(00000000,6BCA4F56,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6BCC8B8C
Part of subcall function 6BCC8B85: #150.OLEAUT32(?,00000000,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6BCC8B95

Part of subcall function 6BC7B02D: __EH_prolog3.LIBCMT ref: 6BC7B034
Part of subcall function 6BC7B02D: #6.OLEAUT32(?), ref: 6BC7B064

CoUninitialize.OLE32(?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml,?,?), ref: 6BCA50DA

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7A6E9: __EH_prolog3.LIBCMT ref: 6BC7A6F0
Part of subcall function 6BC7A6E9: #6.OLEAUT32(?,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6BC7A739

Part of subcall function 6BC7A7D1: __EH_prolog3.LIBCMT ref: 6BC7A7D8

__CxxThrowException@8.LIBCMT ref: 6BCA5091

Strings

#(loc., xrefs: 6BCA5005
//BlockIf[@ID], xrefs: 6BCA4F66
BlockIf/@ID cannot contain any token (#(loc.[Name]) references. BlockIf/@ID=", xrefs: 6BCA5019
ParameterInfo.xml, xrefs: 6BCA504C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$#149#150Exception@8H_prolog3_catchInitializeThrowUninitialize
String ID: #(loc.$//BlockIf[@ID]$BlockIf/@ID cannot contain any token (#(loc.[Name]) references. BlockIf/@ID="$ParameterInfo.xml
API String ID: 2640802626-3244902561
Opcode ID: 8e34d212566111bce46a83f3b5613a13fbeff4f638708096ffd45aac80c3e61e
Instruction ID: dc735ed4ce1827d6a7a6b52b7039076cc5a976d66a3283be581b89c50e1aa731
Opcode Fuzzy Hash: 8e34d212566111bce46a83f3b5613a13fbeff4f638708096ffd45aac80c3e61e
Instruction Fuzzy Hash: FE515E72D10149DBCB01DFF8C885ADEBBB8AF55318F208159E115F7281EB389B4ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC850EB Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 140comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BC850F2

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA813B: __EH_prolog3.LIBCMT ref: 6BCA8142

Part of subcall function 6BC738EB: __EH_prolog3.LIBCMT ref: 6BC738F2

CoInitialize.OLE32(00000000,00000000,00000000,?,?,IronMan::LocalizedData::CreateLocalizedData,?,threw exception,0000003C,6BCB9C48,-00000960,?,?,?,?,?), ref: 6BC85140
CoCreateInstance.OLE32(6BC6A974,00000000,00000017,6BC6A9A4,00000738,?,?,?,00000000,?,?,?,CC4203FA,?,?,?), ref: 6BC8515E
__CxxThrowException@8.LIBCMT ref: 6BC85286

Part of subcall function 6BC854C7: __EH_prolog3.LIBCMT ref: 6BC854CE
Part of subcall function 6BC854C7: __CxxThrowException@8.LIBCMT ref: 6BC85556

CoUninitialize.OLE32(-00000960,?,succeeded,?,?,?,00000000,?,?,?,CC4203FA,?,?,?), ref: 6BC851FC

Strings

threw exception, xrefs: 6BC850FA
IronMan::LocalizedData::CreateLocalizedData, xrefs: 6BC8510D
succeeded, xrefs: 6BC851B3

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw$CreateH_prolog3_catchInitializeInstanceUninitialize
String ID: IronMan::LocalizedData::CreateLocalizedData$succeeded$threw exception
API String ID: 4097945976-352736096
Opcode ID: 7555b8b91766250b64bb214433869af076c189bcc57387abf11f3d0682ae8d03
Instruction ID: 401950135231d8f94ff7caab60e24d004eb0349475be74294c99e90714ef6c00
Opcode Fuzzy Hash: 7555b8b91766250b64bb214433869af076c189bcc57387abf11f3d0682ae8d03
Instruction Fuzzy Hash: 90514A71910249EFCB01DFE8C885EDEBBB9AF49309F108059F115EB251EB78AB45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC5D34 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCC5D3B
GetCommandLineW.KERNEL32(?), ref: 6BCC5DA0

Part of subcall function 6BCAFF5C: _wcsnlen.LIBCMT ref: 6BCAFF8F
Part of subcall function 6BCAFF5C: _memcpy_s.LIBCMT ref: 6BCAFFC5

Strings

- payload not required for this item to perform action., xrefs: 6BCC5D68
- available locally and verified., xrefs: 6BCC5DFE
- available but not verified yet, xrefs: 6BCC5E18
- to be downloaded, xrefs: 6BCC5E41
- available locally, xrefs: 6BCC5E28
not locally available, but no URL to bedownloaded - error!, xrefs: 6BCC5E4F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CommandH_prolog3Line_memcpy_s_wcsnlen
String ID: - available but not verified yet$ - available locally$ - available locally and verified.$ - payload not required for this item to perform action.$ - to be downloaded$ not locally available, but no URL to bedownloaded - error!
API String ID: 969748958-1544932709
Opcode ID: c1887ae2204a2d24c8744a64ba675c99b714c695281bf621a5199a58418d1bcc
Instruction ID: 0b88f818517429d7f8e2e17016a9f2a588602893727f0b763ec019d18f52a178
Opcode Fuzzy Hash: c1887ae2204a2d24c8744a64ba675c99b714c695281bf621a5199a58418d1bcc
Instruction Fuzzy Hash: 18410371561209AFCF21DFB88C86E9F3BA8AF16348F004055FA01AB191F73C9B44D762

Uniqueness

Uniqueness Score: -1.00%

Function 6BC777F7 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,System\CurrentControlSet\Services\Eventlog\Application\VSSetup,00000000,00020019,?,?,6BCA80D8,00000000), ref: 6BC77830
RegCreateKeyExW.KERNELBASE(80000002,System\CurrentControlSet\Services\Eventlog\Application\VSSetup,00000000,00000000,00000000,00020006,00000000,?,00000000,?,6BCA80D8,00000000), ref: 6BC7784D

Part of subcall function 6BC778C3: __EH_prolog3.LIBCMT ref: 6BC778CA
Part of subcall function 6BC778C3: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\PCHealth\ErrorReporting\DW\Installed,00000000,00020019,?,00000014,6BC77862,?,6BCA80D8,00000000), ref: 6BC778FA
Part of subcall function 6BC778C3: RegQueryValueExW.ADVAPI32(?,DW0200,00000000,00000000,?,?,?,6BCA80D8,00000000), ref: 6BC77920
Part of subcall function 6BC778C3: RegCloseKey.ADVAPI32(?,?,6BCA80D8,00000000), ref: 6BC7792C
Part of subcall function 6BC778C3: GetFileAttributesW.KERNEL32(?,?,6BCA80D8,00000000), ref: 6BC77941

RegSetValueExW.KERNELBASE(?,EventMessageFile,00000000,00000002,?,00000208,?,6BCA80D8,00000000), ref: 6BC7787E
RegSetValueExW.KERNELBASE(?,TypesSupported,00000000,00000004,?,00000004,?,6BCA80D8,00000000), ref: 6BC778A1
RegCloseKey.KERNELBASE(?,?,6BCA80D8,00000000), ref: 6BC778A9

Strings

System\CurrentControlSet\Services\Eventlog\Application\VSSetup, xrefs: 6BC7781E, 6BC77823, 6BC7784B
EventMessageFile, xrefs: 6BC77873
TypesSupported, xrefs: 6BC7788C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Value$CloseOpen$AttributesCreateFileH_prolog3Query
String ID: EventMessageFile$System\CurrentControlSet\Services\Eventlog\Application\VSSetup$TypesSupported
API String ID: 4021642227-369282485
Opcode ID: e017d27c8ba60f93bd402dc9e1b0e0a6ff1d6b30de36332a0c7a320727193e27
Instruction ID: 36c08040aac2d1289ac012cbdcc1e6698fbadea863c99777c0333d0b37ef397d
Opcode Fuzzy Hash: e017d27c8ba60f93bd402dc9e1b0e0a6ff1d6b30de36332a0c7a320727193e27
Instruction Fuzzy Hash: A3115E7265122CBBDB309A55DC4EFEBBB7DEF85754F4004A5B618B2040D6749F50CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7B33F Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 247COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7B346

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7B27F: __EH_prolog3.LIBCMT ref: 6BC7B286

__CxxThrowException@8.LIBCMT ref: 6BC7B5C8

Strings

No DisabledCommandLineSwitches block was specified, xrefs: 6BC7B5E8
DisabledCommandLineSwitches, xrefs: 6BC7B373
Disabled CommandLineSwitch added: , xrefs: 6BC7B426, 6BC7B4E5
The DisabledCommandLineSwitches block has no CommandLineSwitches specified - either add them or remove the DisabledCommandLineSwit, xrefs: 6BC7B566
ParameterInfo.xml, xrefs: 6BC7B574

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: Disabled CommandLineSwitch added: $DisabledCommandLineSwitches$No DisabledCommandLineSwitches block was specified$ParameterInfo.xml$The DisabledCommandLineSwitches block has no CommandLineSwitches specified - either add them or remove the DisabledCommandLineSwit
API String ID: 2489616738-1449725936
Opcode ID: 8026993993882f05747e95d81e845f734934d9f337f2edc1012a2afbf9d37054
Instruction ID: 1519cbc483c9fa00d93d911451cd13f99c5f3f652e5b6221818bc668e60b28d9
Opcode Fuzzy Hash: 8026993993882f05747e95d81e845f734934d9f337f2edc1012a2afbf9d37054
Instruction Fuzzy Hash: 6CA19071910249DFCF01DFA8C885AEEBBB5BF89308F244599E111EB290E7399F41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8F2FA Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 195COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8F304

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

__CxxThrowException@8.LIBCMT ref: 6BC8F53B

Strings

AgileMSP, xrefs: 6BC8F319
agile msp , xrefs: 6BC8F400
ParameterInfo.xml, xrefs: 6BC8F4BD
No agile MSPs found!, xrefs: 6BC8F4AF
added, xrefs: 6BC8F415

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: added$AgileMSP$No agile MSPs found!$ParameterInfo.xml$agile msp
API String ID: 2489616738-3098326545
Opcode ID: df05287498e7517d1613d163c0136f5dbafdae97a4dd516746ee99b0332d44fb
Instruction ID: 14921d58069156a1875355fdfc8282c80bfa4ec47e2c55468670c6c9d1c8851c
Opcode Fuzzy Hash: df05287498e7517d1613d163c0136f5dbafdae97a4dd516746ee99b0332d44fb
Instruction Fuzzy Hash: 60816E71910159EFCB01CFE8C884EDEBBB8AF49318F148599E115EB281E778AB05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC56B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 195COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCC56BD

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCD6C45: PMDtoOffset.LIBCMT ref: 6BCD6D19
Part of subcall function 6BCD6C45: std::bad_exception::bad_exception.LIBCMT ref: 6BCD6D43
Part of subcall function 6BCD6C45: __CxxThrowException@8.LIBCMT ref: 6BCD6D51

Strings

- no products affected by this item. Not Applicable. , xrefs: 6BCC58BB
of , xrefs: 6BCC579D, 6BCC57A2, 6BCC57AF
nameless item, xrefs: 6BCC56C2
Determining state, xrefs: 6BCC57CB
- authored action for this item is NoOp, xrefs: 6BCC586E
- not applicable , xrefs: 6BCC581D

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8OffsetThrowstd::bad_exception::bad_exception
String ID: - authored action for this item is NoOp$ - no products affected by this item. Not Applicable. $ - not applicable $ of $Determining state$nameless item
API String ID: 3118957153-195430493
Opcode ID: 2fe4e81f037c0d7bef877bc6a8623063dc71f87821b0b01e9009350d7832fac0
Instruction ID: 0a756f740b788e1ce60ad3352eba2a635f8827b86a456ca42bf6a77f88bea802
Opcode Fuzzy Hash: 2fe4e81f037c0d7bef877bc6a8623063dc71f87821b0b01e9009350d7832fac0
Instruction Fuzzy Hash: 8061AC72821119ABCF11DFB8CC46ADF7B68AF15398F004560E524BB291F738AB05C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC98DEF Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC82E3B: __EH_prolog3.LIBCMT ref: 6BC82E42

__CxxThrowException@8.LIBCMT ref: 6BC98F58

Strings

: SuccessBlockers evaluated to true., xrefs: 6BC98F8F
Global Block Checks, xrefs: 6BC98E2E, 6BC98E5E
no blocking conditions found, xrefs: 6BC98E1F
: WarnBlockers evaluated to true., xrefs: 6BC98FC4
Checking for global blockers, xrefs: 6BC98E4F
: StopBlockers evaluated to true., xrefs: 6BC98FB0

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: no blocking conditions found$: StopBlockers evaluated to true.$: SuccessBlockers evaluated to true.$: WarnBlockers evaluated to true.$Checking for global blockers$Global Block Checks
API String ID: 2489616738-2937627051
Opcode ID: 1918ff6c3b66c2912499f449708c9df94f354828899501b4f164e5aa90037e67
Instruction ID: 945a3abdafba9011911ba8141b825b1bda8ffdc973587db0e36c63f647df7c6a
Opcode Fuzzy Hash: 1918ff6c3b66c2912499f449708c9df94f354828899501b4f164e5aa90037e67
Instruction Fuzzy Hash: 587158B1418385AFD310DF65C884E4BBBE9BF89304F40492EF19587250E779EA49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7B02D Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7B034

Part of subcall function 6BCA8F6A: CoCreateInstance.OLE32(6BC6A974,00000000,00000017,6BC6A9A4,?,?,6BC7B049,?,0000002C,6BCBD888,?,?,?,?,00000001), ref: 6BCA8F80

#6.OLEAUT32(?), ref: 6BC7B064
__CxxThrowException@8.LIBCMT ref: 6BC7B148
#6.OLEAUT32(?,?,6BCEC1C8,?), ref: 6BC7B183

Part of subcall function 6BC73A0D: __EH_prolog3.LIBCMT ref: 6BC73A14

Strings

CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d, xrefs: 6BC7B053
m_spDoc->get_documentElement() failed. Parse error is: %s, xrefs: 6BC7B116
m_spDoc->loadXML() failed. Parse error is: %s, xrefs: 6BC7B1EB

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CreateException@8InstanceThrow
String ID: CoCreateInstance(__uuidof(DOMDocument30)) failed with hr=%d$m_spDoc->get_documentElement() failed. Parse error is: %s$m_spDoc->loadXML() failed. Parse error is: %s
API String ID: 319957572-2525052916
Opcode ID: e083c30ce11df366e3bbc480f94dd543a9ed4fce5b092412e684c2b81f798d68
Instruction ID: 47c45257ae789ac021b248b71bb3148ade393799f9c7cbf62a9421945c65d58b
Opcode Fuzzy Hash: e083c30ce11df366e3bbc480f94dd543a9ed4fce5b092412e684c2b81f798d68
Instruction Fuzzy Hash: 1D517E72C10149EBCB11EFF8C885EEEBBB8AF19318F144569E111B7241E778AB45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB2B38 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 144fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6BC781B0: GetFileSize.KERNEL32(?,?,?,?,?,6BCA3906,?,?,00000000,?,?,?,?,00000008,6BCAECAE,?), ref: 6BC781C0

PathFileExistsW.KERNELBASE(00000000), ref: 6BCB2BCA
__CxxThrowException@8.LIBCMT ref: 6BCB2C09
CopyFileW.KERNELBASE(00000010,00000000,00000000,?), ref: 6BCB2C3B
SetFileAttributesW.KERNELBASE(?,00000080), ref: 6BCB2C54

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC78371: __EH_prolog3.LIBCMT ref: 6BC78378

Strings

DHTMLLogger, xrefs: 6BCB2CF3
Copy of Header File failed, xrefs: 6BCB2CAF
DHTML Header File doesn't exist, xrefs: 6BCB2BD4

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: File$H_prolog3$AttributesCopyException@8ExistsPathSizeThrow
String ID: Copy of Header File failed$DHTML Header File doesn't exist$DHTMLLogger
API String ID: 1055460099-1824744887
Opcode ID: d8a59ac73706229f731fa56df3869c384c0d019be7687f77c6fecb72ac4c506d
Instruction ID: bb9ca1233d98814427292d06a211d5ae7207feb6ac03e0fece36f386508693b1
Opcode Fuzzy Hash: d8a59ac73706229f731fa56df3869c384c0d019be7687f77c6fecb72ac4c506d
Instruction Fuzzy Hash: 18514A710283459BD711DF79C885E5FBBE8BF8A358F000A2DF194A7150E738D7098B62

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA4BBE Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 141fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA4BC5

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC76016: __EH_prolog3.LIBCMT ref: 6BC7601D
Part of subcall function 6BC76016: PathIsRelativeW.SHLWAPI(?,?,?,?,?,ParameterInfo.xml,?,?,00000738,6BCAFAA0,?,6BC6A78C,-00000960), ref: 6BC76060

__CxxThrowException@8.LIBCMT ref: 6BCA4CB6

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

ReadFile.KERNELBASE(?,?,00000002,?,00000000,?,80000000,00000001,00000003,00000080,00000000,?,?,?,?,0000002C), ref: 6BCA4CCC
FindCloseChangeNotification.KERNELBASE(?), ref: 6BCA4CEF

Part of subcall function 6BC78371: __EH_prolog3.LIBCMT ref: 6BC78378

Part of subcall function 6BC7A3DC: __EH_prolog3.LIBCMT ref: 6BC7A3E3

Strings

File %s is not UTF-16 with Byte Order Marks (BOM), xrefs: 6BCA4D1A
File %s could not be opened for read, xrefs: 6BCA4C5D
ParameterInfo.xml, xrefs: 6BCA4D33

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$ChangeCloseDispatcherExceptionException@8FileFindNotificationPathReadRelativeThrowUser
String ID: File %s could not be opened for read$File %s is not UTF-16 with Byte Order Marks (BOM)$ParameterInfo.xml
API String ID: 2138378564-652212332
Opcode ID: 6b3e0199a5919a0be0a32ab8f16aa6ce0a22db073ad929e4c782bb44934a2b2e
Instruction ID: 48a22ec845a25ac856d76e2992ea246fd70ee3b5275a6596f5b5a5cb053b4028
Opcode Fuzzy Hash: 6b3e0199a5919a0be0a32ab8f16aa6ce0a22db073ad929e4c782bb44934a2b2e
Instruction Fuzzy Hash: FD515C72820149EBCF01DFF8C985EDEBBB9AF05318F108155E155B7281EB789B058B66

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB173B Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120sleepfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BCB1785
GetLastError.KERNEL32 ref: 6BCB180D

Part of subcall function 6BC774C1: __EH_prolog3.LIBCMT ref: 6BC774C8

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000001,Possible transient lock. WinVerifyTrust), ref: 6BCB183F
Sleep.KERNEL32(000003E8), ref: 6BCB184F
CloseHandle.KERNEL32(00000000), ref: 6BCB185E

Strings

Possible transient lock. WinVerifyTrust, xrefs: 6BCB181B
0, xrefs: 6BCB17B0

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CloseCreateErrorFileH_prolog3HandleLastSleep_memset
String ID: 0$Possible transient lock. WinVerifyTrust
API String ID: 3818960743-2497998438
Opcode ID: 8db76c1d01b247efa5e829558719fb449243da14833f288e66496e3cc7d36df4
Instruction ID: ece5c26ba232c67b50213115ab0a487027200d9a08622bae9e81dc3b823205d6
Opcode Fuzzy Hash: 8db76c1d01b247efa5e829558719fb449243da14833f288e66496e3cc7d36df4
Instruction Fuzzy Hash: EA416D71E20219ABDB04CFA8C885BDEBBB4FF49314F10012AE505FB280E7789645CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA7D25 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BCA7D2F

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

_memset.LIBCMT ref: 6BCA7D8F
GetVersionExW.KERNEL32 ref: 6BCA7DA8

Strings

OS Version = %d.%d.%d, Platform %d, xrefs: 6BCA7DEE
OS Description = %s, xrefs: 6BCA7E75
OS Version Information, xrefs: 6BCA7D4C, 6BCA7D51, 6BCA7D77
Could not determine OS version, xrefs: 6BCA7E9E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3H_prolog3_Version_memset
String ID: Could not determine OS version$OS Description = %s$OS Version = %d.%d.%d, Platform %d$OS Version Information
API String ID: 3727276431-2914782974
Opcode ID: a674aa92ddfc59eeff74866714a51c92f2518d9f953057958548989e74b378c8
Instruction ID: 99b8077b0d33ceac52e331ce54da0b068948cd9f11d80ba911f47a1ba5a83baf
Opcode Fuzzy Hash: a674aa92ddfc59eeff74866714a51c92f2518d9f953057958548989e74b378c8
Instruction Fuzzy Hash: 704158729201199BCB21DBA8CC46FCEB7B9AF09309F0440D5E249E7290F778AB94CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6BC795E1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC795E8
#8.OLEAUT32(?,0000002C,6BC84B72,?,?,?,00000000,?,6BC58108), ref: 6BC795FB
#9.OLEAUT32(00000008,?,?,?,?,?,?,?,?,?,?,?,00000000,?,6BC58108), ref: 6BC7964E
#6.OLEAUT32(?,?,?,00000000,?,6BC58108), ref: 6BC7962E

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

#2.OLEAUT32(00000000,?,?,00000000,?,6BC58108), ref: 6BC79671
__CxxThrowException@8.LIBCMT ref: 6BC79718

Strings

schema validation error: attribute not found - , xrefs: 6BC79696

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: schema validation error: attribute not found -
API String ID: 2489616738-3489740836
Opcode ID: 778d9700d1cd284f1a0fe69b76e8d2e7d8fc26e7d77ae100c3e082f571ab75b0
Instruction ID: 033c133076b0737a5299e2ef32fb4a42f091550ffff8f4c7689e09656f6f5640
Opcode Fuzzy Hash: 778d9700d1cd284f1a0fe69b76e8d2e7d8fc26e7d77ae100c3e082f571ab75b0
Instruction Fuzzy Hash: E8417F72810249EBCF01EFF4C888EDE7BB8AF05318F144669F565A7241E7789B44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC95241 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC95248

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCAB523: _free.LIBCMT ref: 6BCAB552

EnumWindows.USER32(6BC954BE,?), ref: 6BC952A6

Part of subcall function 6BC95450: _calloc.LIBCMT ref: 6BC95471

Part of subcall function 6BC9536A: __EH_prolog3.LIBCMT ref: 6BC95371

Part of subcall function 6BCC7BF4: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,6BCB1468,?,00000010,6BC85A52,?,?,?,0000004C,6BCBB83A,?,?,?), ref: 6BCC7BFF

Strings

No Blocking Processes, xrefs: 6BC952D6
complete, xrefs: 6BC9524D
Enumerating incompatible processes, xrefs: 6BC95275
Action, xrefs: 6BC9525F, 6BC95264, 6BC95282
Blocking Processes, xrefs: 6BC95312

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$EnumExceptionRaiseWindows_calloc_free
String ID: complete$Action$Blocking Processes$Enumerating incompatible processes$No Blocking Processes
API String ID: 3369859988-1677130810
Opcode ID: 0957464eceb724d7abf31821b040441f9272999de67505eee664549da4735d5b
Instruction ID: 8e3c6394b6b3806dae1dfca22a263e587530ca6c6858cd102b1391fefbbbc164
Opcode Fuzzy Hash: 0957464eceb724d7abf31821b040441f9272999de67505eee664549da4735d5b
Instruction Fuzzy Hash: 35319271A20209DFDF00DFB8D985A9DBBF8BF44305F148059E655AB241EB78DB018B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB387E Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB3885

Part of subcall function 6BC75D87: __EH_prolog3.LIBCMT ref: 6BC75D8E
Part of subcall function 6BC75D87: GetModuleFileNameW.KERNEL32(6BC50000,00000010,00000104,?,6BCA80D8,00000000), ref: 6BC75DDB

Part of subcall function 6BC7C210: __EH_prolog3.LIBCMT ref: 6BC7C217

Part of subcall function 6BCA8C05: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6BCB9E00,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6BCA8C29

PathFileExistsW.KERNELBASE(?,SetupResources.dll,00000000,00000738,00000000,6BCAFAA0,0000000C,6BCB3B38,?,6BC6A78C,?), ref: 6BCB38EA
PathFileExistsW.KERNELBASE(00000000,LocalizedData.xml,00000000,00000738,00000000), ref: 6BCB3979

Part of subcall function 6BC73A0D: __EH_prolog3.LIBCMT ref: 6BC73A14

Strings

SetupResources.dll missing from %d directory, xrefs: 6BCB38F1
LocalizedData.xml, xrefs: 6BCB3968
SetupResources.dll, xrefs: 6BCB38D3
LocalizedData.xml missing from %d directory, xrefs: 6BCB3980

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$FilePath$Exists$AppendModuleName
String ID: LocalizedData.xml$LocalizedData.xml missing from %d directory$SetupResources.dll$SetupResources.dll missing from %d directory
API String ID: 3590062302-1245617268
Opcode ID: 8d5e48cdd93080aa3edb045f5540f2216fe55ad5d8edefdaee480fa01cd11e71
Instruction ID: 568a21d10b629279ea87f1d448a0f86d5e7a1a96fb2deda409a06ede4409ed24
Opcode Fuzzy Hash: 8d5e48cdd93080aa3edb045f5540f2216fe55ad5d8edefdaee480fa01cd11e71
Instruction Fuzzy Hash: A93143728201499BDB11DBB8CC46E9E77B4AF1631CF144150E464AB292F778DB048B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB10E7 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB10EE

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7C3BD: RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000001,?,?,?,?,?,6BCB3728,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6BC7C3DD
Part of subcall function 6BC7C3BD: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,6BCB1017,00000004,?,?,?,6BCB3728,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6BC7C3F6
Part of subcall function 6BC7C3BD: RegCloseKey.KERNELBASE(?,?,?,?,6BCB3728,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType,?,-00000960,00000004,6BCB1017,?), ref: 6BC7C405

GetLastError.KERNEL32(?,Software\Microsoft\DevDiv,?,?,PerfLab,?,?,0000000C,6BCAA2D2,?,6BC6A78C,?,-00000960,?,00000000,?), ref: 6BCB115F
GetLastError.KERNEL32(?,00000000,?,Failed to record IsInternal,?,Software\Microsoft\DevDiv,?,?,PerfLab,?,?,0000000C,6BCAA2D2,?,6BC6A78C,?), ref: 6BCB11BD

Strings

Failed to record IsAdmin, xrefs: 6BCB11D4
PerfLab, xrefs: 6BCB10FF
Software\Microsoft\DevDiv, xrefs: 6BCB1118
Failed to record IsInternal, xrefs: 6BCB1172

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last$CloseOpenQueryValue
String ID: Failed to record IsAdmin$Failed to record IsInternal$PerfLab$Software\Microsoft\DevDiv
API String ID: 716194244-1174128248
Opcode ID: 13e8c47ecbd4ca707017466ad2f66df6f17959a9b1231fc08dca32096ea428cb
Instruction ID: b942013ac4112994d8256c1c289473f5ffad6f6bd718173ddf8f6668ef2a0969
Opcode Fuzzy Hash: 13e8c47ecbd4ca707017466ad2f66df6f17959a9b1231fc08dca32096ea428cb
Instruction Fuzzy Hash: 97319271921112AFDB10CFB9CD46EAE7BB9BF85314F104658E421E7281FB78DB018661

Uniqueness

Uniqueness Score: -1.00%

Function 6BC776F4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC776FB

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

GetModuleFileNameW.KERNEL32(00000000,00000010,00000104), ref: 6BC77759
GetFileVersionInfoSizeW.KERNELBASE(00000010,?), ref: 6BC77772
GetFileVersionInfoW.KERNELBASE(00000010,?,00000000,00000000), ref: 6BC7778D
VerQueryValueW.VERSION(00000000,6BC6A9F4,?,?), ref: 6BC777A5

Strings

%d.%d.%d.%d, xrefs: 6BC777C8
0.0.0.0, xrefs: 6BC77705

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: File$H_prolog3InfoVersion$ModuleNameQuerySizeValue
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1538924429-464342551
Opcode ID: 0a06cd8dd9bf869f708c3b8ea5858dc83dcb633d784507946d86724fb5230be4
Instruction ID: 2598b07ce7dece95ec1b99234cab18cfedff60a996c764860d8bb2a38dd88386
Opcode Fuzzy Hash: 0a06cd8dd9bf869f708c3b8ea5858dc83dcb633d784507946d86724fb5230be4
Instruction Fuzzy Hash: 81318071920119ABDB00DFB5CC85CBFB7B9FF45304B00452AE551A7291EB389F12CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA7C33 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA7C3A

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA813B: __EH_prolog3.LIBCMT ref: 6BCA8142

Strings

User Experience Data Collection Policy: %s, xrefs: 6BCA7CD2
UserControlled, xrefs: 6BCA7CBE
Disabled, xrefs: 6BCA7CB7
AlwaysUploaded, xrefs: 6BCA7CB0
User Experience Data Collection Policy, xrefs: 6BCA7C52, 6BCA7C57, 6BCA7C71
Unknown, xrefs: 6BCA7C8E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: AlwaysUploaded$Disabled$Unknown$User Experience Data Collection Policy$User Experience Data Collection Policy: %s$UserControlled
API String ID: 431132790-3357067047
Opcode ID: 1d15b1a844c121117cb5f4e3dbdf69929a649d8471db472a697c7255c4a90fb5
Instruction ID: 3f18210466450f5ee83f2949e07e8a2974137fb1b15431d43c6d6893efee78b9
Opcode Fuzzy Hash: 1d15b1a844c121117cb5f4e3dbdf69929a649d8471db472a697c7255c4a90fb5
Instruction Fuzzy Hash: 9821A97192004AEBCB00DBE8C985EAEBBB9BF09349F104046E250F7241F77C9B058B72

Uniqueness

Uniqueness Score: -1.00%

Function 6BC97369 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC97370

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

OpenFileMappingW.KERNELBASE(00000002,00000000,00000000,?,6BC6AB1C,00000008,6BC974A5,?,?,00000004,6BCBC7F6,?,6BC695B4,00000000,00000001,?), ref: 6BC97399
GetLastError.KERNEL32(?,?,?,?,00000001), ref: 6BC973A6

Part of subcall function 6BC7C2EF: __EH_prolog3.LIBCMT ref: 6BC7C2F6

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000424,?,?,?,?,00000001), ref: 6BC973FB
UnmapViewOfFile.KERNEL32(00000000,?,0000021A,?,?,?,?,00000001), ref: 6BC97417
CloseHandle.KERNEL32(00000000,?,?,?,?,00000001), ref: 6BC97420

Strings

OpenFileMapping fails with last error: , xrefs: 6BC973B6

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$File$View$CloseErrorHandleLastMappingOpenUnmap
String ID: OpenFileMapping fails with last error:
API String ID: 2964829354-1738344248
Opcode ID: 6d84583a086bbaca7fda2659895c5c7076c784d0fea89802867ea7c44a6409fe
Instruction ID: 181c0bed83829a30c4e3cb3c5e5b20c6713844966170c9956034998f9caf597c
Opcode Fuzzy Hash: 6d84583a086bbaca7fda2659895c5c7076c784d0fea89802867ea7c44a6409fe
Instruction Fuzzy Hash: 84216A72910154EBDB11AFB9C84AE9F7BB4FF89350F008215F515AB241E7388B10DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB3C85 Relevance: 12.1, APIs: 8, Instructions: 118encryptionCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB3C8C

Part of subcall function 6BCB6F95: GetLastError.KERNEL32(?,?,6BCB3CAC,-00000960,6BC6A78C,00000000,0000003C,6BCB1A52,-00000960,6BCAFAA0,?,00000000,?,-00000960,?,?), ref: 6BCB6FBD

CertGetCertificateChain.CRYPT32(00000000,6BCAFAA0,00000000,?,?,00000000,00000000,6BC6A78C,-00000960,6BC6A78C,00000000,0000003C,6BCB1A52,-00000960,6BCAFAA0,?), ref: 6BCB3CEB
GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6BC97F98,?,00000054,6BCC3044), ref: 6BCB3CF2
CertFreeCertificateChain.CRYPT32(6BC6A78C,?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6BC97F98,?,00000054), ref: 6BCB3D10
SetLastError.KERNEL32(00000000,?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6BC97F98,?,00000054), ref: 6BCB3D3C
GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6BC97F98,?,00000054,6BCC3044), ref: 6BCB3D69
GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6BC97F98,?,00000054,6BCC3044), ref: 6BCB3D6F
CertFreeCertificateChain.CRYPT32(6BC6A78C,?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6BC97F98,?,00000054), ref: 6BCB3DB2

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorLast$CertCertificateChain$Free$H_prolog3
String ID:
API String ID: 3406622880-0
Opcode ID: 99e48ee094976a6d3b57d942b45223cf2d71eb81fdeead19c3c76bd7cf1da92a
Instruction ID: fc6fa8a40fdfa93118715882f8214e1d3fcd5baacfa30eaf6bba8376d4e6a141
Opcode Fuzzy Hash: 99e48ee094976a6d3b57d942b45223cf2d71eb81fdeead19c3c76bd7cf1da92a
Instruction Fuzzy Hash: D6412C76A20509EFDF11CFA8C8859DEB7B5FF48310B108569EA16E7210E738EB49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBB070 Relevance: 12.1, APIs: 8, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BCBB077
GetTokenInformation.KERNELBASE(00000002,00000001(TokenIntegrityLevel),00000000,00000000,00000009,0000000C,6BCA471F,6BC6A5D0,6BC6A544), ref: 6BCBB09E
GetLastError.KERNEL32 ref: 6BCBB0A0
GetTokenInformation.KERNELBASE(00000002,00000001(TokenIntegrityLevel),00000008,00000400,00000400,80070216), ref: 6BCBB119

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: InformationToken$ErrorH_prolog3_Last
String ID:
API String ID: 654496852-0
Opcode ID: 5de181628f87f7d3be417470324aa7c879c1642d0694cc00c25ed3020c97f53a
Instruction ID: 366936fee78f0ed437430aa03a8fbe5464a78f90f01aa5efa08125c99eb828fd
Opcode Fuzzy Hash: 5de181628f87f7d3be417470324aa7c879c1642d0694cc00c25ed3020c97f53a
Instruction Fuzzy Hash: D631BF728611269BCF118FA9CDC6AAF77B5EF45B20B214045E950BB250FB389B408BE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC85E68 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 6BC75D87: __EH_prolog3.LIBCMT ref: 6BC75D8E
Part of subcall function 6BC75D87: GetModuleFileNameW.KERNEL32(6BC50000,00000010,00000104,?,6BCA80D8,00000000), ref: 6BC75DDB

Part of subcall function 6BC85BC0: __EH_prolog3_GS.LIBCMT ref: 6BC85BCA
Part of subcall function 6BC85BC0: _memset.LIBCMT ref: 6BC85BF9
Part of subcall function 6BC85BC0: FindFirstFileW.KERNELBASE(?,?,????), ref: 6BC85C18
Part of subcall function 6BC85BC0: FindClose.KERNELBASE(?), ref: 6BC85CFF

__CxxThrowException@8.LIBCMT ref: 6BC8602D

Part of subcall function 6BCC91E7: _memcpy_s.LIBCMT ref: 6BCC9238

Part of subcall function 6BCA8C05: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6BCB9E00,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6BCA8C29

PathFileExistsW.KERNELBASE(?,LocalizedData.xml,?,?,?,CC4203FA,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6BC85F2E

Part of subcall function 6BC85D1F: __EH_prolog3.LIBCMT ref: 6BC85D26
Part of subcall function 6BC85D1F: CoInitialize.OLE32(00000000,00000738,?,?,00000014,6BC85F51,?,?,?,?,CC4203FA,ParameterInfo.xml,00000000,?,ParameterInfo.xml), ref: 6BC85D58
Part of subcall function 6BC85D1F: CoCreateInstance.OLE32(6BC6A974,00000000,00000017,6BC6A9A4,?,?,?,00000014,6BC85F51,?,?,?,?,CC4203FA,ParameterInfo.xml,00000000), ref: 6BC85D76
Part of subcall function 6BC85D1F: CoUninitialize.OLE32(?,?,00000014,6BC85F51,?,?,?,?,CC4203FA,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?), ref: 6BC85E26
Part of subcall function 6BC85D1F: #6.OLEAUT32(00000738,?,?,00000014,6BC85F51,?,?,?,?,CC4203FA,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000), ref: 6BC85E2F

Strings

LocalizedData.xml is missing in resource folder %s. Every resource folder needs a LocalizedData.xml, xrefs: 6BC86063
LocalizedData.xml, xrefs: 6BC85F1C
LocalizedData.xml in resource folder %s, does not have a Language element, xrefs: 6BC85FC4
ParameterInfo.xml, xrefs: 6BC85E82, 6BC85FDF

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: File$FindH_prolog3Path$AppendCloseCreateException@8ExistsFirstH_prolog3_InitializeInstanceModuleNameThrowUninitialize_memcpy_s_memset
String ID: LocalizedData.xml$LocalizedData.xml in resource folder %s, does not have a Language element$LocalizedData.xml is missing in resource folder %s. Every resource folder needs a LocalizedData.xml$ParameterInfo.xml
API String ID: 1031262217-412676173
Opcode ID: 6f5d37e3b984a6120290bdae2ef00f8f106c36f0648a8e949d4e35b590b6095c
Instruction ID: 51558b42db1acfd54ab457efea6170e4f7d388c6a1bc1e69ade943416b59c933
Opcode Fuzzy Hash: 6f5d37e3b984a6120290bdae2ef00f8f106c36f0648a8e949d4e35b590b6095c
Instruction Fuzzy Hash: A1617B724283819FC701DF68C885E4FBBE8BF85318F000A6DF5A597251E778E6098B63

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAB898 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 145COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCAB89F

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Part of subcall function 6BC7397D: __EH_prolog3.LIBCMT ref: 6BC73984

Part of subcall function 6BCB173B: _memset.LIBCMT ref: 6BCB1785
Part of subcall function 6BCB173B: GetLastError.KERNEL32 ref: 6BCB180D
Part of subcall function 6BCB173B: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000001,Possible transient lock. WinVerifyTrust), ref: 6BCB183F
Part of subcall function 6BCB173B: Sleep.KERNEL32(000003E8), ref: 6BCB184F

Part of subcall function 6BCB189E: __EH_prolog3.LIBCMT ref: 6BCB18A5
Part of subcall function 6BCB189E: CryptQueryObject.CRYPT32(00000001,00000000,00000400,0000000E,00000000,00000000,00000000,00000000,?,6BCAFAA0,00000000,00000034,6BCAB913,?,-00000960), ref: 6BCB18ED
Part of subcall function 6BCB189E: GetLastError.KERNEL32(?,-00000960,?,?,00000000,-00000960,?,00000000,Verifying signature for ,?, Signature could not be verified for ,00000020,6BC97F98,?,00000054,6BCC3044), ref: 6BCB18F8

Part of subcall function 6BCA8A35: __EH_prolog3.LIBCMT ref: 6BCA8A3C

Part of subcall function 6BCA89DF: __EH_prolog3.LIBCMT ref: 6BCA89E6

Strings

Signature could not be verified for , xrefs: 6BCAB8A9
Signature verified successfully for , xrefs: 6BCAB91A
Verifying signature for , xrefs: 6BCAB8BB
- , xrefs: 6BCAB943, 6BCAB9E7
Signature verification for file %s (%s) failed with error 0x%x (%s), xrefs: 6BCAB9CA

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$ErrorLast$CreateCryptFileObjectQuerySleep_memset
String ID: - $ Signature could not be verified for $ Signature verified successfully for $Signature verification for file %s (%s) failed with error 0x%x (%s)$Verifying signature for
API String ID: 482089242-2727503808
Opcode ID: 81efcf1ed0f32ac42d4f11a1baa8d2ec86532bce36a503b51c9520638430554e
Instruction ID: 6b7a152d7149e90ab240ed9809ced6000812744b0f3fabf70eb0000d346d0668
Opcode Fuzzy Hash: 81efcf1ed0f32ac42d4f11a1baa8d2ec86532bce36a503b51c9520638430554e
Instruction Fuzzy Hash: 8D51657291014AEFCB01DBF8CC95FDE7BB8AF19358F144254E114AB281E778DB458761

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB4093 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 98threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB409A

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

GetThreadLocale.KERNEL32(?,DHTMLHeader.html), ref: 6BCB40B5
GetModuleFileNameW.KERNEL32(6BC50000,00000010,00000104), ref: 6BCB4127
PathFileExistsW.KERNELBASE(?,00000014,00000000), ref: 6BCB4175

Strings

%04d\%s, xrefs: 6BCB40DD
DHTMLHeader.html, xrefs: 6BCB40A3

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: FileH_prolog3$ExistsLocaleModuleNamePathThread
String ID: %04d\%s$DHTMLHeader.html
API String ID: 3575165106-1224721414
Opcode ID: 9aaa4dc9ac670452d0587e481742454d2676e9327c2f15b6fb39d1912b32f72e
Instruction ID: b5f001b8926e9baec8f2357ee6fa56f003f78e3e8e0570ca45ced29e6e9f4218
Opcode Fuzzy Hash: 9aaa4dc9ac670452d0587e481742454d2676e9327c2f15b6fb39d1912b32f72e
Instruction Fuzzy Hash: CF413A7192015A9BCF00DFB8CC89EAFBBB5BF15319F004568E511B7292E7789B06CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC754E6 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC754ED
GetModuleHandleW.KERNEL32(kernel32.dll,0000002C,6BC77DF7,?,?,?,?,?,00000000,?,?,6BC6AB1C,00000008,6BC77D21), ref: 6BC754FD
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 6BC7551A
GetNativeSystemInfo.KERNELBASE(?), ref: 6BC75541

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

kernel32.dll, xrefs: 6BC754F8
GetNativeSystemInfo, xrefs: 6BC75514

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$AddressHandleInfoModuleNativeProcSystem
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2427612476-192647395
Opcode ID: 98352cbda46ea587ce0c29d8f5c9cae4c61985a75bb94d0985e55e28fc65da54
Instruction ID: 0a23753b7d77417a8c71c64e28c8b016edc06d6442841cd148eef4db39641b13
Opcode Fuzzy Hash: 98352cbda46ea587ce0c29d8f5c9cae4c61985a75bb94d0985e55e28fc65da54
Instruction Fuzzy Hash: 2AF09032A70215ABDB10EBB4D869F8E33B6AF84345F208025F100BA140FB7CDB01C764

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAF903 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BCAF90A
GetCommandLineW.KERNEL32(00000044,6BCA80DE,00000000), ref: 6BCAF91C

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

__time64.LIBCMT ref: 6BCAFAAD

Part of subcall function 6BCA709F: __EH_prolog3_catch.LIBCMT ref: 6BCA70A6

Strings

Setup, xrefs: 6BCAF9B6
%TEMP%\, xrefs: 6BCAF9C4

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3_catch$CommandH_prolog3Line__time64
String ID: %TEMP%\$Setup
API String ID: 3716462386-3413213476
Opcode ID: 92b9143f5bbe49c649107cf4c0a66c5661dfdb1841ffba4676f30915510afdb8
Instruction ID: 8323515bdc79816df366a46d97aaedadddf688668073d2c3d1bb5ddc0fd07bdf
Opcode Fuzzy Hash: 92b9143f5bbe49c649107cf4c0a66c5661dfdb1841ffba4676f30915510afdb8
Instruction Fuzzy Hash: 4C71697191020ADFCB00CFF8C985AEEBBB4BF09318F244199E051B7291EB389B05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC93BCF Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC93BD6

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

ServiceBlocks, xrefs: 6BC93C51
ProcessBlocks, xrefs: 6BC93BE2
ProductDriveHints, xrefs: 6BC93CBD
SystemCheck, xrefs: 6BC93D2F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: ProcessBlocks$ProductDriveHints$ServiceBlocks$SystemCheck
API String ID: 431132790-3784926136
Opcode ID: 4fca8f2c6e84d95628546b26eb273f8580f536789979c9540fa6811c7e8e602f
Instruction ID: 8097591b99260519e24001fd97ae3efbda51ed76cd48ac59a4c8cf926808626b
Opcode Fuzzy Hash: 4fca8f2c6e84d95628546b26eb273f8580f536789979c9540fa6811c7e8e602f
Instruction Fuzzy Hash: 9A519371920249EFDF10DFB8D885AAE7BB8AF49314F144199F814EB241E738DB00CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA53DF Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA53E6
PathIsRelativeW.SHLWAPI(00000000,?), ref: 6BCA5483
PathFileExistsW.KERNELBASE(00000001,?), ref: 6BCA5511

Strings

Package authoring error. The Url for this item is not authored and the item does not exist locally: , xrefs: 6BCA5549
pLocalPath is NULL!!!!!!, xrefs: 6BCA55A9

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Path$ExistsFileH_prolog3Relative
String ID: Package authoring error. The Url for this item is not authored and the item does not exist locally: $pLocalPath is NULL!!!!!!
API String ID: 1035510722-3253188715
Opcode ID: ff49398febc8b9bc38c7ce1433c51b19a855085ab69a69655005e3b57dec77de
Instruction ID: 1f0d771548afa747cfcb413e6c5642fd4c8060e6ecd34d326e4c3dacb41ff919
Opcode Fuzzy Hash: ff49398febc8b9bc38c7ce1433c51b19a855085ab69a69655005e3b57dec77de
Instruction Fuzzy Hash: A051D6B181014ADFCF11DFF8C845AAFBBB9AF16318F0081A5E154AB251E7789B45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB9B32 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

Part of subcall function 6BC8505A: __EH_prolog3.LIBCMT ref: 6BC85061

Part of subcall function 6BC73A0D: __EH_prolog3.LIBCMT ref: 6BC73A14

Part of subcall function 6BC7A8EC: __EH_prolog3.LIBCMT ref: 6BC7A8F3
Part of subcall function 6BC7A8EC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A92B
Part of subcall function 6BC7A8EC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A984
Part of subcall function 6BC7A8EC: __CxxThrowException@8.LIBCMT ref: 6BC7AA48

GetCommandLineW.KERNEL32(?,?,?,?,CC4203FA,?,?,?,?,ParameterInfo.xml,?,?,00000738,6BCAFAA0,?,6BC6A78C), ref: 6BCB9BB5

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

#6.OLEAUT32(?,-00000960,?,?,?,?,?,00000000,?,?,?,CC4203FA,?,?,?), ref: 6BCB9C61

Part of subcall function 6BC847AE: __EH_prolog3.LIBCMT ref: 6BC847B5

Part of subcall function 6BC850EB: __EH_prolog3_catch.LIBCMT ref: 6BC850F2
Part of subcall function 6BC850EB: CoInitialize.OLE32(00000000,00000000,00000000,?,?,IronMan::LocalizedData::CreateLocalizedData,?,threw exception,0000003C,6BCB9C48,-00000960,?,?,?,?,?), ref: 6BC85140
Part of subcall function 6BC850EB: CoCreateInstance.OLE32(6BC6A974,00000000,00000017,6BC6A9A4,00000738,?,?,?,00000000,?,?,?,CC4203FA,?,?,?), ref: 6BC8515E
Part of subcall function 6BC850EB: CoUninitialize.OLE32(-00000960,?,succeeded,?,?,?,00000000,?,?,?,CC4203FA,?,?,?), ref: 6BC851FC

#6.OLEAUT32(?,-00000960,?,?,?,00000000,?,?,?,?,?,00000000,?,?,?,CC4203FA), ref: 6BCB9C1B
#6.OLEAUT32(?,?,00000000,?,?,?,?,?,00000000,?,?,?,CC4203FA,?,?,?), ref: 6BCB9C36

Strings

Loading localized engine data for language %d from %s, xrefs: 6BCB9B7E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandCreateException@8FileH_prolog3_catchInitializeInstanceLineModuleNamePathRelativeThrowUninitialize
String ID: Loading localized engine data for language %d from %s
API String ID: 369597891-3315213612
Opcode ID: 12f9428a92560e7850f315bbdf185dffb2de5dd91dc46dd064dbcf0bd977232c
Instruction ID: e5c065b881494d011955e93332866cad1a47c7b68055801a05abe7c31ff998ef
Opcode Fuzzy Hash: 12f9428a92560e7850f315bbdf185dffb2de5dd91dc46dd064dbcf0bd977232c
Instruction Fuzzy Hash: DD416272018344AFC311DF68C845F9BBBECAF95328F100A1DF59592291E778DA188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC856B9 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCB9C8F: __EH_prolog3.LIBCMT ref: 6BCB9C96
Part of subcall function 6BCB9C8F: GetCommandLineW.KERNEL32(0000002C,6BCBD857,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BCB9CB7
Part of subcall function 6BCB9C8F: PathIsRelativeW.SHLWAPI(?,?,?,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6BCB9D71

Part of subcall function 6BC7A8EC: __EH_prolog3.LIBCMT ref: 6BC7A8F3
Part of subcall function 6BC7A8EC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A92B
Part of subcall function 6BC7A8EC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A984
Part of subcall function 6BC7A8EC: __CxxThrowException@8.LIBCMT ref: 6BC7AA48

Part of subcall function 6BC857FB: __EH_prolog3.LIBCMT ref: 6BC85802

Part of subcall function 6BCC91E7: _memcpy_s.LIBCMT ref: 6BCC9238

Part of subcall function 6BC7A8EC: SetFilePointer.KERNELBASE(?,00000000,6BC6A78C,00000001,?,00000000,00000000,00000002,?,80000000,00000001,00000003,00000080,00000000,00000000,?), ref: 6BC7AA69
Part of subcall function 6BC7A8EC: ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7AAB7
Part of subcall function 6BC7A8EC: #4.OLEAUT32(00000000,?,?,00000002,00000000,00000000,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000), ref: 6BC7AACC

#6.OLEAUT32(?,?,?,?,?,UiInfo.xml,?,?,?,-00000960,?,?,0000074C,?,ParameterInfo.xml,?), ref: 6BC857A0
#6.OLEAUT32(?,?,?,?,?,UiInfo.xml,?,?,?,-00000960,?,?,0000074C,?,ParameterInfo.xml,?), ref: 6BC857AF
#6.OLEAUT32(?,?,6BC6A78C,?,?,?,UiInfo.xml,?,?,?,-00000960,?,?,0000074C,?,ParameterInfo.xml), ref: 6BC857DD

Strings

UiInfo.xml, xrefs: 6BC85755
ParameterInfo.xml, xrefs: 6BC856F1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$File$PathRelative$CommandException@8LineModuleNamePointerReadThrow_memcpy_s
String ID: ParameterInfo.xml$UiInfo.xml
API String ID: 2549261649-386449131
Opcode ID: a272ffcdd04acc9fae8c11042f9575a8d4e51246a03131b49784741bba14682d
Instruction ID: 569c749bd5a3d98d0f67c1dd9be313c7f1e96af0cd859896786e4a86522b9016
Opcode Fuzzy Hash: a272ffcdd04acc9fae8c11042f9575a8d4e51246a03131b49784741bba14682d
Instruction Fuzzy Hash: 2B3181B2428345ABC700DF78C845E4BBBE8EF99618F040A1DF5D4D7251E779DA048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC819A0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC819A7

Part of subcall function 6BC78BBF: __EH_prolog3.LIBCMT ref: 6BC78BC6

__CxxThrowException@8.LIBCMT ref: 6BC81AD1

Strings

schema validation failure: , xrefs: 6BC81A33
can only have one logical or arithmietic expression for a child node, xrefs: 6BC81A47
ParameterInfo.xml, xrefs: 6BC818F5, 6BC81A22

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: can only have one logical or arithmietic expression for a child node$ParameterInfo.xml$schema validation failure:
API String ID: 2489616738-4045823434
Opcode ID: 7176e5c56396397f8d8ecff1c4b8dc9143c74b5a7541b0536a4648ecc55ba21d
Instruction ID: 7976bd2a08d65d5f1e3116f68f4bd4a5ac01527f8e884635486ce99e3e3df2c9
Opcode Fuzzy Hash: 7176e5c56396397f8d8ecff1c4b8dc9143c74b5a7541b0536a4648ecc55ba21d
Instruction Fuzzy Hash: DB413271910149EBDB01DFB8C845F9EBBB8AF09318F148155E164EB281EB79DB05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAB666 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCAB66D

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCB16CF: GetDiskFreeSpaceExW.KERNELBASE(?,?,?,?,?,6BCAFAA0,?,?,?,?,?,?,6BCB3624,6BCAFAA0,000000FF), ref: 6BCB1704
Part of subcall function 6BCB16CF: GetLastError.KERNEL32(?,6BCAFAA0,?,?,?,?,?,?,6BCB3624,6BCAFAA0,000000FF,?,?,00000738,6BCAFAA0,?), ref: 6BCB1714

Strings

Drive:[%s] Bytes Needed:[%I64u] Bytes Available:[%I64u], xrefs: 6BCAB6E5
complete, xrefs: 6BCAB672
Action, xrefs: 6BCAB684, 6BCAB689, 6BCAB6A7
Disk space check for items being downloaded, xrefs: 6BCAB69A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DiskErrorFreeLastSpace
String ID: complete$Action$Disk space check for items being downloaded$Drive:[%s] Bytes Needed:[%I64u] Bytes Available:[%I64u]
API String ID: 2933164920-3673225344
Opcode ID: 2c5f0cee0da0476d0b6510eb49564f3634513128901fa93cc8f027d05c5450c7
Instruction ID: 4eb9d6b3b274370ce5d0758dbdc1b61509894fabfa6ef6a22907ac074db542ce
Opcode Fuzzy Hash: 2c5f0cee0da0476d0b6510eb49564f3634513128901fa93cc8f027d05c5450c7
Instruction Fuzzy Hash: F1216D71920149AFCF00DFA8C845EEEBBBAAF16314F144449E114A7251E7789B149B71

Uniqueness

Uniqueness Score: -1.00%

Function 6BC81C21 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC81C28

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC819A0: __EH_prolog3.LIBCMT ref: 6BC819A7
Part of subcall function 6BC819A0: __CxxThrowException@8.LIBCMT ref: 6BC81AD1

Part of subcall function 6BC78ACC: __EH_prolog3.LIBCMT ref: 6BC78AD3
Part of subcall function 6BC78ACC: __CxxThrowException@8.LIBCMT ref: 6BC78B59

Part of subcall function 6BC792F1: __EH_prolog3.LIBCMT ref: 6BC792F8

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC81CF5

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

schema validation failure: IsPresent can only be authored once., xrefs: 6BC81C93
IsPresent, xrefs: 6BC81C2D, 6BC81C32, 6BC81C6C
ParameterInfo.xml, xrefs: 6BC81CA1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw$DispatcherExceptionUser
String ID: IsPresent$ParameterInfo.xml$schema validation failure: IsPresent can only be authored once.
API String ID: 2724732616-4158871691
Opcode ID: 1714b41cb32557dec82f54a92e133580eb7a0103bffa875b3680cf7538e5d246
Instruction ID: ce505665d8b61aa68a6d45cc907060b62104b734d5e51d982f453a7c7a0fe4ef
Opcode Fuzzy Hash: 1714b41cb32557dec82f54a92e133580eb7a0103bffa875b3680cf7538e5d246
Instruction Fuzzy Hash: 0A216D72820149ABCF01DBF8CD46EDE7BB8AF15318F148159F154B7281EB789B088776

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB3742 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 6BCB3792
GetLastError.KERNEL32 ref: 6BCB379C

Part of subcall function 6BC774C1: __EH_prolog3.LIBCMT ref: 6BC774C8

GetLastError.KERNEL32 ref: 6BCB37BE

Strings

AllocateAndInitializeSid, xrefs: 6BCB37C7
CheckTokenMembership, xrefs: 6BCB37A5

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorLast$CheckH_prolog3MembershipToken
String ID: AllocateAndInitializeSid$CheckTokenMembership
API String ID: 3752544998-2579124284
Opcode ID: d563a52b26fc5d9d4cd34d40e618f7a16f0dbdd53c5fe424e45e9d20ca7ca273
Instruction ID: be1e5308c5c3be113baedec190783bc2fa001bbef18bcd555b65badbb6383b68
Opcode Fuzzy Hash: d563a52b26fc5d9d4cd34d40e618f7a16f0dbdd53c5fe424e45e9d20ca7ca273
Instruction Fuzzy Hash: F21163B5A10219AFDF14DFE9C999D6EB7F5FF48704B11486DE416A3240FB749A00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8590B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC85912

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7A8EC: __EH_prolog3.LIBCMT ref: 6BC7A8F3
Part of subcall function 6BC7A8EC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A92B
Part of subcall function 6BC7A8EC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A984
Part of subcall function 6BC7A8EC: __CxxThrowException@8.LIBCMT ref: 6BC7AA48

StrPBrkW.SHLWAPI(00000000,) <>",#(loc.,?,6BCAFAA0,6BCAFAA0,00000718,-00000960,?,00000000,00000010,6BC861AE,00000000,00000748,?,ParameterInfo.xml), ref: 6BC85988
#6.OLEAUT32(6BCAFAA0,#(loc.,?,6BCAFAA0,6BCAFAA0,00000718,-00000960,?,00000000,00000010,6BC861AE,00000000,00000748,?,ParameterInfo.xml), ref: 6BC859B9

Part of subcall function 6BCC8FCA: _memcpy_s.LIBCMT ref: 6BCC9010

Strings

#(loc., xrefs: 6BC85968
) <>", xrefs: 6BC8597F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8FileModuleNamePathRelativeThrow_memcpy_s
String ID: #(loc.$) <>"
API String ID: 3219545788-3905424865
Opcode ID: 3a005bc87c4d489f2c3f5efab99993de83718cfcf2b9002ea188911a4f6e80c5
Instruction ID: a90c7b8d35f456c7796c49a4511de3f7cd9e5071924746ce94aa1fe3e4804f78
Opcode Fuzzy Hash: 3a005bc87c4d489f2c3f5efab99993de83718cfcf2b9002ea188911a4f6e80c5
Instruction Fuzzy Hash: 45118472D2012A9BCF01DFF4CC459AE7BB8AF01368B404565E521B7290F7789F1687A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA55BB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA55C2
OpenMutexW.KERNEL32(00100000,00000000,00000030,?,Global\,00000000,6BCBC149,?,00000000,?,?,?,?,?,Command-line option error: ,?), ref: 6BCA5649
CreateMutexW.KERNELBASE(00000000,00000000,00000030), ref: 6BCA5659
GetLastError.KERNEL32 ref: 6BCA5661

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Strings

Global\, xrefs: 6BCA560C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3Mutex$CreateErrorLastOpen
String ID: Global\
API String ID: 2685780869-188423391
Opcode ID: 072422658d63e7178c502fbd7520a38686c55c3681e8ba2766b613fb65ee8d43
Instruction ID: e2d3d1554cfab464e8393af99f766cee09bbaec9dd8b6c053bf890b4fb2b6b72
Opcode Fuzzy Hash: 072422658d63e7178c502fbd7520a38686c55c3681e8ba2766b613fb65ee8d43
Instruction Fuzzy Hash: 91219D71A20285DFDB01CF78C889B8A3BF1AF85315F148498F9548B341EB78DB50CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC947C5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC947CC

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

evaluating EnterMaintenanceModeIf, xrefs: 6BC947FE
evaluates to 'not in maintenance mode', xrefs: 6BC947D3
MaintenanceMode determination, xrefs: 6BC947E8, 6BC947ED, 6BC9480B
evaluates to 'in maintenance mode', xrefs: 6BC94827

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: evaluates to 'in maintenance mode'$ evaluates to 'not in maintenance mode'$MaintenanceMode determination$evaluating EnterMaintenanceModeIf
API String ID: 431132790-4185790000
Opcode ID: 17347a56eb5db0481e6bddee26797b8748f516368d85aa8eb1de8d2f90dc877a
Instruction ID: 6c77d1c09a2a41f1d8e8587f3c7290ab4f2084563f055dea97b5c865b3f01d65
Opcode Fuzzy Hash: 17347a56eb5db0481e6bddee26797b8748f516368d85aa8eb1de8d2f90dc877a
Instruction Fuzzy Hash: C3117072820149EFCF00DFE8C845AAEBBF8AF15304F048056E550AB241E7799B15C761

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC029B Relevance: 8.2, APIs: 2, Strings: 3, Instructions: 651COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,CC4203FA), ref: 6BCC02DA
LeaveCriticalSection.KERNEL32(?), ref: 6BCC0C3F

Part of subcall function 6BC74D12: __EH_prolog3.LIBCMT ref: 6BC74D19

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Part of subcall function 6BC7397D: __EH_prolog3.LIBCMT ref: 6BC73984

Part of subcall function 6BCCC44A: _malloc.LIBCMT ref: 6BCCC464

Part of subcall function 6BC9220D: __EH_prolog3.LIBCMT ref: 6BC92214
Part of subcall function 6BC9220D: __CxxThrowException@8.LIBCMT ref: 6BC9229B

Part of subcall function 6BCC2669: __EH_prolog3.LIBCMT ref: 6BCC2670

Part of subcall function 6BCC4F48: __EH_prolog3.LIBCMT ref: 6BCC4F4F

Part of subcall function 6BCABA66: __EH_prolog3.LIBCMT ref: 6BCABA6D

Part of subcall function 6BCC5223: __EH_prolog3.LIBCMT ref: 6BCC522A
Part of subcall function 6BCC5223: __recalloc.LIBCMT ref: 6BCC5238

Part of subcall function 6BCC5223: __recalloc.LIBCMT ref: 6BCC5254

Strings

determination is complete, xrefs: 6BCC02FA
evaluating each item, xrefs: 6BCC0332
Applicability for , xrefs: 6BCC0312

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CriticalSection__recalloc$EnterException@8LeaveThrow_malloc
String ID: determination is complete$Applicability for $evaluating each item
API String ID: 283897231-3228949585
Opcode ID: 35fa57311b10d775c35c42dd0ae8208033b4cac928e262a2483321bfd3aa1d3a
Instruction ID: fca1ffd510f27720a36fbaf8fb00d005bc6a4fa27def28769ffee08c51b60434
Opcode Fuzzy Hash: 35fa57311b10d775c35c42dd0ae8208033b4cac928e262a2483321bfd3aa1d3a
Instruction Fuzzy Hash: E95247B15183429FC321CF64C481A9BBBF4BF98318F00496DF5A997251E778EA49CB63

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBA851 Relevance: 7.7, APIs: 5, Instructions: 163COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBA858
GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,?,?,?,6BCBA5B2,?,00000000,?,?,6BCA4882), ref: 6BCBA8C5
GetTokenInformation.KERNELBASE(?,00000001,00000000,00000008,00000008,00000008,?,?,6BCBA5B2,?,00000000,?,?,6BCA4882), ref: 6BCBA908
LookupAccountSidW.ADVAPI32(00000000,00000000,00000000,00000008,00000010,00000008,6BCA4373,00000008,00000104,?,?,6BCBA5B2,?,00000000), ref: 6BCBA93E

Part of subcall function 6BCC8E28: _wcsnlen.LIBCMT ref: 6BCC8E38

FindCloseChangeNotification.KERNELBASE(?,?,?,6BCBA5B2,?,00000000,?,?,6BCA4882), ref: 6BCBA971

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: InformationToken$AccountChangeCloseFindH_prolog3LookupNotification_wcsnlen
String ID:
API String ID: 385857651-0
Opcode ID: 89a123cd12d8d422d7afa5ff65e91ab6c2fcc2372ec2325ac990cfacc4d8df1d
Instruction ID: da27dc021fcb79b1309a4eb9c519c407d2bca57fa17619f247869422e2565b9f
Opcode Fuzzy Hash: 89a123cd12d8d422d7afa5ff65e91ab6c2fcc2372ec2325ac990cfacc4d8df1d
Instruction Fuzzy Hash: 326160729101499BDF01CFB8CC46AEE7BB5BF15328F044244F960A7291EB78DB15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA45DF Relevance: 7.6, APIs: 5, Instructions: 136threadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BCA45E9

Part of subcall function 6BCA2F3A: __EH_prolog3_catch.LIBCMT ref: 6BCA2F41
Part of subcall function 6BCA2F3A: _free.LIBCMT ref: 6BCA2FD0

GetCurrentThread.KERNEL32 ref: 6BCA46BE
OpenThreadToken.ADVAPI32(00000000,00000008,00000001,?), ref: 6BCA46D0
GetCurrentProcess.KERNEL32 ref: 6BCA46DA
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 6BCA46EA

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken$H_prolog3_H_prolog3_catch_free
String ID:
API String ID: 4058884840-0
Opcode ID: cb79bb7b51378fa4669993800a81b1f087294ba4cd54e04a17d4f07295bb930c
Instruction ID: c87a50d22a14a697cdf0a3ebf9414364d70652dcdb0846fbcd43f8362035bc58
Opcode Fuzzy Hash: cb79bb7b51378fa4669993800a81b1f087294ba4cd54e04a17d4f07295bb930c
Instruction Fuzzy Hash: 2B51257191026A8BDB24CFA5C996BDDB7B4AF54304F5040EAD14AB7240EB786F84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC954D7 Relevance: 7.6, APIs: 5, Instructions: 136threadwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC954DE
GetWindowThreadProcessId.USER32(?,00000000), ref: 6BC954F0
GetCurrentProcessId.KERNEL32 ref: 6BC954F6
GetWindowTextW.USER32(?,00000010,?), ref: 6BC95575
IsWindowVisible.USER32(?), ref: 6BC9559C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Window$Process$CurrentH_prolog3TextThreadVisible
String ID:
API String ID: 1711305133-0
Opcode ID: ac73b7951049a0dfc12826bd11e93bad95abcc8d7e51a5806540e0d8c2eb237d
Instruction ID: c12a9b68cd7ce4e5d207eea80a00f0ca832008c14b3c844d6dd04ff70ce64353
Opcode Fuzzy Hash: ac73b7951049a0dfc12826bd11e93bad95abcc8d7e51a5806540e0d8c2eb237d
Instruction Fuzzy Hash: FD51AF71D2021ADBDF00DFB4C889A9EBB75FF04349F148469EA14AB241E738DB45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BC85D1F Relevance: 7.6, APIs: 5, Instructions: 113comCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC85D26

Part of subcall function 6BC7A8EC: __EH_prolog3.LIBCMT ref: 6BC7A8F3
Part of subcall function 6BC7A8EC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A92B
Part of subcall function 6BC7A8EC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A984
Part of subcall function 6BC7A8EC: __CxxThrowException@8.LIBCMT ref: 6BC7AA48

CoInitialize.OLE32(00000000,00000738,?,?,00000014,6BC85F51,?,?,?,?,CC4203FA,ParameterInfo.xml,00000000,?,ParameterInfo.xml), ref: 6BC85D58
CoCreateInstance.OLE32(6BC6A974,00000000,00000017,6BC6A9A4,?,?,?,00000014,6BC85F51,?,?,?,?,CC4203FA,ParameterInfo.xml,00000000), ref: 6BC85D76
CoUninitialize.OLE32(?,?,00000014,6BC85F51,?,?,?,?,CC4203FA,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000,?), ref: 6BC85E26
#6.OLEAUT32(00000738,?,?,00000014,6BC85F51,?,?,?,?,CC4203FA,ParameterInfo.xml,00000000,?,ParameterInfo.xml,?,00000000), ref: 6BC85E2F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CreateException@8FileInitializeInstanceModuleNamePathRelativeThrowUninitialize
String ID:
API String ID: 3083093944-0
Opcode ID: 054df726d87fbcaf1855f18123039fe23be427904720e095b06d8d4cfde1f9ea
Instruction ID: 718815925ed5de929e80ab4547a6e71ddc939f92a7f425ad73034f80e3e8e8be
Opcode Fuzzy Hash: 054df726d87fbcaf1855f18123039fe23be427904720e095b06d8d4cfde1f9ea
Instruction Fuzzy Hash: B9416D70910249EFDF00CFA4C8889AE7BB5BF45308F5484A8F656DB241D779DB45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB9F5B Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB9F65

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7A8EC: __EH_prolog3.LIBCMT ref: 6BC7A8F3
Part of subcall function 6BC7A8EC: PathIsRelativeW.SHLWAPI(00000000,00000000,?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A92B
Part of subcall function 6BC7A8EC: GetModuleFileNameW.KERNEL32(00000010,00000104,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A984
Part of subcall function 6BC7A8EC: __CxxThrowException@8.LIBCMT ref: 6BC7AA48

GetCommandLineW.KERNEL32(?,?,6BC6A78C,?,?,00000164,6BC944B6,-00000960,6BC6A78C,?,?,?,6BCBB921,?,00000000,?), ref: 6BCB9F91

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

#6.OLEAUT32(?,-00000960,?,?,?,6BC6A78C,?,00000000,?,6BC6A78C,?,?,00000164,6BC944B6,-00000960,6BC6A78C), ref: 6BCB9FE4
#6.OLEAUT32(6BCAFAA0,-00000960,6BCAFAA0,?,?,6BCAFAA0,6BC6A78C,00000000,6BCAFAA0,00000738,?,?,?,?,6BC6A78C,?), ref: 6BCBA06E
#6.OLEAUT32(?,?,?,6BCAFAA0,6BC6A78C,00000000,6BCAFAA0,00000738,?,?,?,?,6BC6A78C,?,00000000), ref: 6BCBA095

Part of subcall function 6BC944C2: __EH_prolog3_catch.LIBCMT ref: 6BC944CC
Part of subcall function 6BC944C2: CoInitialize.OLE32(00000000,?,?,?,?,6BC73845,?,00000000,00000000,6BCAFAA0,00000738,IronMan::EngineData::CreateEngineData,6BCAFAA0,threw exception,00000184,6BCB9FFB), ref: 6BC9457D
Part of subcall function 6BC944C2: CoCreateInstance.OLE32(6BC6A974,00000000,00000017,6BC6A9A4,?,?,?,?,?,6BC73845,?,00000000,00000000,6BCAFAA0,00000738,IronMan::EngineData::CreateEngineData), ref: 6BC9459B

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandCreateException@8FileH_prolog3_catchInitializeInstanceLineModuleNamePathRelativeThrow
String ID:
API String ID: 2511229215-0
Opcode ID: b24bcdcabbbf12be05d24ccfd7d5286d7d3cde8a687ada659c3e57e894935cdc
Instruction ID: 92f98d8c2579d253d41a1e9978b557e3491537c3afefca42c9752febc602fef5
Opcode Fuzzy Hash: b24bcdcabbbf12be05d24ccfd7d5286d7d3cde8a687ada659c3e57e894935cdc
Instruction Fuzzy Hash: B8415872810249EBCF12EFF4CC46AEEBBB8AF05319F108155E525A7250EB789B15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC753AA Relevance: 7.5, APIs: 5, Instructions: 41windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC753B1

Part of subcall function 6BC74D95: __EH_prolog3.LIBCMT ref: 6BC74D9C

OutputDebugStringW.KERNEL32(?,?,?,00000008,6BCA6106,000013EC,?,00000000,?,?,ReportingFlags,?,-0000000D,?,?,6BC54A4C), ref: 6BC753D2

Part of subcall function 6BCC8E66: #6.OLEAUT32(00000000,?,80070057,6BC75DEC,?,6BCA80D8,00000000), ref: 6BCC8E73
Part of subcall function 6BCC8E66: #2.OLEAUT32(00000000,?,80070057,6BC75DEC), ref: 6BCC8E82

FormatMessageW.KERNEL32(00001100,00000000,?,00000400,000013EC,00000000,00000000,?,?,00000008,6BCA6106,000013EC,?,00000000,?,?), ref: 6BC753F9
OutputDebugStringW.KERNELBASE(000013EC,?,-0000000D,?,?,6BC54A4C,?,?,00000000,?,?,FilesToKeep,?,?,?,00000000), ref: 6BC75406
LocalFree.KERNEL32(000013EC,000013EC,?,-0000000D,?,?,6BC54A4C,?,?,00000000,?,?,FilesToKeep,?,?,?), ref: 6BC75417

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: DebugH_prolog3OutputString$FormatFreeLocalMessage
String ID:
API String ID: 805980662-0
Opcode ID: 4df208e53f7d349a5ddbc9f775d598b2ccbd6059ef4e8a04aceb03bbb93a3461
Instruction ID: 78ae2f30228f0ffd24799dd9fd14ac4f6455a2aba1bae43b005ccc637556ae13
Opcode Fuzzy Hash: 4df208e53f7d349a5ddbc9f775d598b2ccbd6059ef4e8a04aceb03bbb93a3461
Instruction Fuzzy Hash: F001E5B2920119EBDF11AFB4CC5ADAF7A75FB05245B104529B610B51A0EB758F10DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6BC82E3B Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC82E42

Part of subcall function 6BCA937A: _free.LIBCMT ref: 6BCA93BF

Strings

evaluated to true, xrefs: 6BC82F57, 6BC83080
BlockIf, xrefs: 6BC82EC8, 6BC8302D
evaluated to false, xrefs: 6BC82EAF, 6BC8300E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3_free
String ID: evaluated to false$ evaluated to true$BlockIf
API String ID: 2248394366-2909538125
Opcode ID: 23d211a3d6b7d544eca2293c3b77112977929eee182c026416b90c64c117699d
Instruction ID: 151243f93b7df70bfa89726980236fff45595dd5c16c901ca0c56f576b1af3f3
Opcode Fuzzy Hash: 23d211a3d6b7d544eca2293c3b77112977929eee182c026416b90c64c117699d
Instruction Fuzzy Hash: 38A18B71910209DFCF11CFA8C985E9EBBB5FF49318F104199E415AB291E739EB09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA4272 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 251COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6BCA4301

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC78371: __EH_prolog3.LIBCMT ref: 6BC78378

Part of subcall function 6BC78171: SetFilePointer.KERNELBASE(?,?,?,00000000,?,?,?,6BC7AA5A,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 6BC78191

Strings

.htm, xrefs: 6BCA44C2
Cannot create file or delete file in Temp directory , xrefs: 6BCA4324
Cannot get valid temp folder, xrefs: 6BCA42CC

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8FilePointerThrow
String ID: .htm$Cannot create file or delete file in Temp directory $Cannot get valid temp folder
API String ID: 1975055723-2150540039
Opcode ID: 07d9a00de4cc9baef03941edae80d244324b11aa30ad1554b79e93da7875e0a9
Instruction ID: 55c0b509195d5bae01dd86b986d3200dcd5ecd2c1d3fee8b628fe9922cc7b5ea
Opcode Fuzzy Hash: 07d9a00de4cc9baef03941edae80d244324b11aa30ad1554b79e93da7875e0a9
Instruction Fuzzy Hash: 68A13D715283429FD700DF78C885B5FB7E8AF85758F004A1DF4A497291EB78D7098B62

Uniqueness

Uniqueness Score: -1.00%

Function 6BC92B99 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 192COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC92BA0

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC92AD9: __EH_prolog3.LIBCMT ref: 6BC92AE0

Part of subcall function 6BCAB37B: __EH_prolog3.LIBCMT ref: 6BCAB382
Part of subcall function 6BCAB37B: __recalloc.LIBCMT ref: 6BCAB3C4

Strings

ProcessBlock added, xrefs: 6BC92C36, 6BC92CCB
No ProcessBlock element, xrefs: 6BC92D75
ProcessBlocks, xrefs: 6BC92BCD

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$__recalloc
String ID: No ProcessBlock element$ProcessBlock added$ProcessBlocks
API String ID: 1900422986-3251087430
Opcode ID: db6e23655d6569fa8aafe71b4c574e9696e0ab023564368d649445e996bcaf14
Instruction ID: 69fed338edc850a7993891a27974ea888c2922fa29d98abf1374df7a0ac8ade0
Opcode Fuzzy Hash: db6e23655d6569fa8aafe71b4c574e9696e0ab023564368d649445e996bcaf14
Instruction Fuzzy Hash: D97180B1A10249DFDB00DFA8C894AAEBBB5BF49308F1480A9E555EB351D7389F05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC92E83 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 192COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC92E8A

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC92DC3: __EH_prolog3.LIBCMT ref: 6BC92DCA

Part of subcall function 6BCAB37B: __EH_prolog3.LIBCMT ref: 6BCAB382
Part of subcall function 6BCAB37B: __recalloc.LIBCMT ref: 6BCAB3C4

Strings

ServiceBlocks, xrefs: 6BC92EB7
No ServiceBlock element, xrefs: 6BC9305F
ServiceBlock added, xrefs: 6BC92F20, 6BC92FB5

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$__recalloc
String ID: No ServiceBlock element$ServiceBlock added$ServiceBlocks
API String ID: 1900422986-3373415214
Opcode ID: b855d73f6b5f4ac1e895a9e2bca1b3920bdf7cd875b5a7eb2a03781802855a9b
Instruction ID: a4717ba278dfc6da39bb7e5d93410c8771517570b394aa7c97fb0cd72a308845
Opcode Fuzzy Hash: b855d73f6b5f4ac1e895a9e2bca1b3920bdf7cd875b5a7eb2a03781802855a9b
Instruction Fuzzy Hash: 5D7180B0A10249DFDF00DFA8C885AAEBBB5BF49304F1480A9E515EB351E7399F41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA709F Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BCA70A6

Part of subcall function 6BC74424: __EH_prolog3.LIBCMT ref: 6BC7442B

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA8C8B: __EH_prolog3.LIBCMT ref: 6BCA8C92
Part of subcall function 6BCA8C8B: PathFindExtensionW.SHLWAPI(?,00000004,6BCA711D,?,?,?,00000000,?,?), ref: 6BCA8CBC

Part of subcall function 6BCCC44A: _malloc.LIBCMT ref: 6BCCC464

Part of subcall function 6BCA3892: __EH_prolog3.LIBCMT ref: 6BCA3899
Part of subcall function 6BCA3892: InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,6BCAECAE,?,?), ref: 6BCA3930

Strings

.htm, xrefs: 6BCA719C
.html, xrefs: 6BCA71AE
.txt, xrefs: 6BCA7148, 6BCA716E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CriticalExtensionFindH_prolog3_catchInitializePathSection_malloc
String ID: .htm$.html$.txt
API String ID: 2678321574-1806469533
Opcode ID: 40f913ea0dfff2804317b36fe53965538e7eaab0aab00b0315668c140aa0aad1
Instruction ID: 4af910dcbfbe9182ec9dcfc05ffad643310a53369d469a6e1e33f5e40b487a24
Opcode Fuzzy Hash: 40f913ea0dfff2804317b36fe53965538e7eaab0aab00b0315668c140aa0aad1
Instruction Fuzzy Hash: 9D518D7192024ADBDF01DBB8C945BAE7BE9BF05318F108156E454E7281F77C8B04DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB1B55 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB1B5C

Part of subcall function 6BCA8D2E: PathRemoveFileSpecW.SHLWAPI(00000000,2006C750,00000010,80004005,6BC75E00,6BCAF877,00000010,?,6BCA80D8,00000000), ref: 6BCA8D3F

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA8D59: PathStripPathW.SHLWAPI(00000000,?,?,6BCBF83A), ref: 6BCA8D69

Part of subcall function 6BCAFF5C: _wcsnlen.LIBCMT ref: 6BCAFF8F
Part of subcall function 6BCAFF5C: _memcpy_s.LIBCMT ref: 6BCAFFC5

Part of subcall function 6BC75E89: __EH_prolog3.LIBCMT ref: 6BC75E90
Part of subcall function 6BC75E89: PathFindFileNameW.SHLWAPI(?,?,?,0000000C,6BC75E5B,?,6BCA80D8,?,0000000C,6BC77D85,?,00000000,?,?,6BC6AB1C,00000008), ref: 6BC75ECB
Part of subcall function 6BC75E89: PathFindExtensionW.SHLWAPI(?), ref: 6BC75EE8

Part of subcall function 6BCC91E7: _memcpy_s.LIBCMT ref: 6BCC9238

Part of subcall function 6BCA89DF: __EH_prolog3.LIBCMT ref: 6BCA89E6

Part of subcall function 6BCA8A35: __EH_prolog3.LIBCMT ref: 6BCA8A3C

Strings

MsiEnableLog failed!!!, xrefs: 6BCB1CE0
-MSI_, xrefs: 6BCB1B85
.txt, xrefs: 6BCB1C5B

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3Path$FileFind_memcpy_s$ExtensionNameRemoveSpecStrip_wcsnlen
String ID: -MSI_$.txt$MsiEnableLog failed!!!
API String ID: 346814366-1014978939
Opcode ID: cd691b668f5ec7aee8de47468540f1a62f7664059677b82be47080b0c128c43d
Instruction ID: 139378f2c049acb7654200be96fa0bb9fb3b2ec0022a7b99467bb82c506f9fc6
Opcode Fuzzy Hash: cd691b668f5ec7aee8de47468540f1a62f7664059677b82be47080b0c128c43d
Instruction Fuzzy Hash: A9515271910149DFDB01DFF8C846EAEB7B4AF1931DF144245E160B7382E7789B458B62

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAA366 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCAA36D
GetLastError.KERNEL32 ref: 6BCAA46A

Strings

DW\DW20.exe, xrefs: 6BCAA3E2
Failed to record SetupFlags, xrefs: 6BCAA484

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: DW\DW20.exe$Failed to record SetupFlags
API String ID: 685212868-3543485478
Opcode ID: df9035b63223405f3d82c0935c6192bf23488f62dc8f614d232c84b76cb3f909
Instruction ID: ce5b883f84ec58e2e71fdb212d4f1ab65509b28a1820eedeb445a190840557bc
Opcode Fuzzy Hash: df9035b63223405f3d82c0935c6192bf23488f62dc8f614d232c84b76cb3f909
Instruction Fuzzy Hash: 4D41C672920149DFCB01DFB8C94AA9EBBB9EF15318F104254E510EB381E778DB05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB356C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB3573
PathStripToRootW.SHLWAPI(00000000,C600000B,6BCAFAA0,00000010,?,?,00000738,6BCAFAA0,?,6BC6A78C,-00000960), ref: 6BCB360B
GetLastError.KERNEL32(?,?,00000738,6BCAFAA0,?,6BC6A78C,-00000960), ref: 6BCB3640

Strings

Failed to record SystemMemory, xrefs: 6BCB365A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3LastPathRootStrip
String ID: Failed to record SystemMemory
API String ID: 1831876552-335854511
Opcode ID: bffd3ef60d17a2cbd2b8cdd932cd908bfd174609396cde0b6dc291b913d7a7c3
Instruction ID: 1c06d5a392abdb3c309e1f925bd7475a96aef90f0a3ce444f4418ea7af148ae4
Opcode Fuzzy Hash: bffd3ef60d17a2cbd2b8cdd932cd908bfd174609396cde0b6dc291b913d7a7c3
Instruction Fuzzy Hash: FF31A571A201169BCB10DFB8CC8A9AFBBB5FF45319F100654E511EB291E778DB01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA7A59 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA7A60

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7397D: __EH_prolog3.LIBCMT ref: 6BC73984

Part of subcall function 6BC739BE: __EH_prolog3.LIBCMT ref: 6BC739C5

Strings

Package Name = %s, xrefs: 6BCA7AD7
Package Version = %s, xrefs: 6BCA7B14
Package details, xrefs: 6BCA7A8F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Package Name = %s$Package Version = %s$Package details
API String ID: 431132790-2412997842
Opcode ID: 10d23febf3afac04cdc78cf6d47c9a21b1afface6d4d2e6f6c37dcd87238c5fd
Instruction ID: 98ec1f85e8918b7537d12f1cce86cac708d70cc426b68050a13968623519262a
Opcode Fuzzy Hash: 10d23febf3afac04cdc78cf6d47c9a21b1afface6d4d2e6f6c37dcd87238c5fd
Instruction Fuzzy Hash: 34318D7292014AEBCF00DBB8C945FAEBBB4AF1530CF144154E550BB291E779AB09CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BC77173 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7717A
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,00000010), ref: 6BC771D9
#195.MSI(00000010,00000000,00000104,00000000,00000000,00000104,00000010,MSI.dll), ref: 6BC77248

Strings

MSI.dll, xrefs: 6BC77202

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: #195FolderH_prolog3Path
String ID: MSI.dll
API String ID: 2462876523-3845536143
Opcode ID: 3c6b9554ab5a26855b89b054ed3c7b703d57c2a8d4f02f37e7a1b1cce05dfbc5
Instruction ID: fd2c90ad349d92a0c37fe239fe0804d7270b04a6c1836ec70f929fe485cb3814
Opcode Fuzzy Hash: 3c6b9554ab5a26855b89b054ed3c7b703d57c2a8d4f02f37e7a1b1cce05dfbc5
Instruction Fuzzy Hash: 74316FB1A20209DBDF04DFB4C889ABEBBB5FF15319F044559E510BB281E7789B058B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7C985 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6BC7C98C
__CxxThrowException@8.LIBCMT ref: 6BC7C9E1

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

AssignmentType, xrefs: 6BC7C9C3
1, xrefs: 6BC7C9E6

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: DispatcherExceptionException@8H_prolog3_catch_ThrowUser
String ID: 1$AssignmentType
API String ID: 2496864217-340370839
Opcode ID: ee62094778c1c148689e4ed85f14e1c300345222e1eb2bec8afd0d7890870705
Instruction ID: b27004b9cd78fd1ee6f0025d501280452984ebea932c47dddd5b2c1f215e7439
Opcode Fuzzy Hash: ee62094778c1c148689e4ed85f14e1c300345222e1eb2bec8afd0d7890870705
Instruction Fuzzy Hash: 062129B5E21249EFDB04DFE8C4809DEFBB5BF08300F508529E655EB250E7349A45CB24

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9CBF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6BC9CC2C
GetTickCount.KERNEL32 ref: 6BC9CC50

Strings

Setting Progress: ticks, soFar = %d, %d %s, xrefs: 6BC9CC5A
(ActionData), xrefs: 6BC9CC3E, 6BC9CC4A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CountTick__aulldiv
String ID: (ActionData)$Setting Progress: ticks, soFar = %d, %d %s
API String ID: 3746106513-4185375322
Opcode ID: 22e0221debb8917842d653b2413e5f182603ae55ca3719ab95913ebbf82ccf6d
Instruction ID: deb0082abb3f86eb4605704135873e34427f1e1cddc3eb8b6ff8fc02637804e8
Opcode Fuzzy Hash: 22e0221debb8917842d653b2413e5f182603ae55ca3719ab95913ebbf82ccf6d
Instruction Fuzzy Hash: DE012BB25106547FD7106A68CC41E6B3F5DDF85764F048250F564CB180F728DF5187E0

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAF853 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 6BCA7462: __EH_prolog3.LIBCMT ref: 6BCA7469
Part of subcall function 6BCA7462: GetModuleHandleW.KERNEL32(kernel32.dll,00000020,6BCAF877,?), ref: 6BCA7503
Part of subcall function 6BCA7462: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6BCA7513
Part of subcall function 6BCA7462: SetThreadStackGuarantee.KERNELBASE(00020000), ref: 6BCA7528
Part of subcall function 6BCA7462: SetUnhandledExceptionFilter.KERNEL32(6BCB41DE), ref: 6BCA752F
Part of subcall function 6BCA7462: GetCommandLineW.KERNEL32 ref: 6BCA7535

_memset.LIBCMT ref: 6BCAF88D
GetEnvironmentVariableW.KERNEL32(DebugIronMan,?,000000FF,?,?,?), ref: 6BCAF8A6
DebugBreak.KERNEL32(?,?,?), ref: 6BCAF8EA

Strings

DebugIronMan, xrefs: 6BCAF8A1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: AddressBreakCommandDebugEnvironmentExceptionFilterGuaranteeH_prolog3HandleLineModuleProcStackThreadUnhandledVariable_memset
String ID: DebugIronMan
API String ID: 12115070-628588297
Opcode ID: 70195a219b57303402aedf680ba4e32c0bea569af89fea51c7ce10ad3334bba1
Instruction ID: c34d6ca6f00fdda9a8435d56e5389b071e904026bd7618fe58ac7784b7ec8cc5
Opcode Fuzzy Hash: 70195a219b57303402aedf680ba4e32c0bea569af89fea51c7ce10ad3334bba1
Instruction Fuzzy Hash: 5511C4B1A2120BAED710AF78CD1AAABB3B8EF05B54F4045B1E416D7241F738DB448761

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9575E Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC95765

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCBAC87: __EH_prolog3.LIBCMT ref: 6BCBAC8E

Part of subcall function 6BC739BE: __EH_prolog3.LIBCMT ref: 6BC739C5

Strings

Enumerating incompatible services, xrefs: 6BC95794
complete, xrefs: 6BC9576C
Action, xrefs: 6BC9577E, 6BC95783, 6BC957A1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: complete$Action$Enumerating incompatible services
API String ID: 431132790-2452571594
Opcode ID: df378598dbc602f3199b23d7709b501d83758db24943e5462d8d5d141742427a
Instruction ID: 1de08bf37e8ee7db85e032decfb838cea1a1ac7075bcaee06c905a7daf1315e3
Opcode Fuzzy Hash: df378598dbc602f3199b23d7709b501d83758db24943e5462d8d5d141742427a
Instruction Fuzzy Hash: C911C073810098EFCF01DFE8C84AEAE7BB4AF49314F148106E250B7250E7798B24DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BC22E0F Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6BC22E34

Part of subcall function 6BC2182C: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00020018,6BC22E5E,?,?,00000000,?,?,?,6BC22E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6BC21897
Part of subcall function 6BC2182C: RegQueryValueExW.KERNELBASE(6BC22E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,6BC22E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6BC218B3
Part of subcall function 6BC2182C: RegCloseKey.KERNELBASE(6BC22E5E,?,00000000,?,?,?,6BC22E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6BC218D1

SetLastError.KERNEL32(00000000,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6BC22E80

Strings

Software\Microsoft\SQMClient, xrefs: 6BC22E4F
MachineId, xrefs: 6BC22E4A

Memory Dump Source

Source File: 00000006.00000002.2772419557.000000006BC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BC20000, based on PE: true

Associated: 00000006.00000002.2772334607.000000006BC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772874776.000000006BC40000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772911983.000000006BC41000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc20000_Setup.jbxd

Similarity

API ID: CloseErrorLastOpenQueryValuememset
String ID: MachineId$Software\Microsoft\SQMClient
API String ID: 895213837-1718750536
Opcode ID: f501b272971c1657b0d338bc9f0a03aa20875daf2dde2ddbf5d6c022e459656d
Instruction ID: 871e53e5d0cb84d2caf3c74c5ea6148d191ad5c4cf48175a74db5cc999a24566
Opcode Fuzzy Hash: f501b272971c1657b0d338bc9f0a03aa20875daf2dde2ddbf5d6c022e459656d
Instruction Fuzzy Hash: 13210632670254ABDB00EEB8CCD1F6E3769BB51784F0000A9EA45AB195FB7DCB449721

Uniqueness

Uniqueness Score: -1.00%

Function 6BC23D03 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6BC23D28

Part of subcall function 6BC2182C: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00020018,6BC22E5E,?,?,00000000,?,?,?,6BC22E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6BC21897
Part of subcall function 6BC2182C: RegQueryValueExW.KERNELBASE(6BC22E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,6BC22E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6BC218B3
Part of subcall function 6BC2182C: RegCloseKey.KERNELBASE(6BC22E5E,?,00000000,?,?,?,6BC22E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6BC218D1

SetLastError.KERNEL32(00000000,80000001,Software\Microsoft\SQMClient,UserId,?,00000027), ref: 6BC23D74

Strings

Software\Microsoft\SQMClient, xrefs: 6BC23D43
UserId, xrefs: 6BC23D3E

Memory Dump Source

Source File: 00000006.00000002.2772419557.000000006BC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BC20000, based on PE: true

Associated: 00000006.00000002.2772334607.000000006BC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772874776.000000006BC40000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772911983.000000006BC41000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc20000_Setup.jbxd

Similarity

API ID: CloseErrorLastOpenQueryValuememset
String ID: Software\Microsoft\SQMClient$UserId
API String ID: 895213837-3032788761
Opcode ID: 3d7a57f79bcdea0eb6b403e873328fd558fd41ae41f5e0f10cf5753841919fc0
Instruction ID: bc4d47218553cb3babe8544d05e3045ce7107b09883469028d62afeb4f2b0983
Opcode Fuzzy Hash: 3d7a57f79bcdea0eb6b403e873328fd558fd41ae41f5e0f10cf5753841919fc0
Instruction Fuzzy Hash: D221C9726B0244AFDB50EFB8CCD5F5A3769BB81784F000065EA12AB191F77DCB448754

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9F316 Relevance: 6.1, APIs: 4, Instructions: 66sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6BC9F32B
GetTickCount.KERNEL32 ref: 6BC9F345
Sleep.KERNELBASE(?), ref: 6BC9F39D
SetLastError.KERNEL32(000005B4), ref: 6BC9F3C0

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CountTick$ErrorLastSleep
String ID:
API String ID: 1403765585-0
Opcode ID: 91f066e5270f8f5df2f4260c2dd1a896289afd18ad3b3c1cdce3df35d62e33aa
Instruction ID: 1aa90bea56b6d7a7590de2587701e66038e689e07fbb054a4af15dc9640775f2
Opcode Fuzzy Hash: 91f066e5270f8f5df2f4260c2dd1a896289afd18ad3b3c1cdce3df35d62e33aa
Instruction Fuzzy Hash: 9F213E31A14344EFEB10EFA9E4597CEBBF1BB42705F008599E445E6241D77CFA498B22

Uniqueness

Uniqueness Score: -1.00%

Function 6BC23679 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,6BC2332F,?), ref: 6BC23683
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,6BC2332F,?), ref: 6BC236B3

Part of subcall function 6BC22815: GetTokenInformation.KERNELBASE(?,6BC2332F(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,6BC236C7,?,00000001), ref: 6BC22835
Part of subcall function 6BC22815: GetLastError.KERNEL32(?,?,6BC236C7,?,00000001,?,?,?,?,6BC2332F,?), ref: 6BC2283B
Part of subcall function 6BC22815: GetTokenInformation.KERNELBASE(?,6BC2332F(TokenIntegrityLevel),00000000,00000000,00000000,?,?,6BC236C7,?,00000001,?,?,?,?,6BC2332F,?), ref: 6BC22863

ConvertSidToStringSidW.ADVAPI32(00000000,?,?,00000001,?,?,?,?,6BC2332F,?), ref: 6BC236D5
FindCloseChangeNotification.KERNELBASE(?,?,00000001,?,?,?,?,6BC2332F,?), ref: 6BC236E0

Memory Dump Source

Source File: 00000006.00000002.2772419557.000000006BC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BC20000, based on PE: true

Associated: 00000006.00000002.2772334607.000000006BC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772874776.000000006BC40000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772911983.000000006BC41000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc20000_Setup.jbxd

Similarity

API ID: Token$InformationProcess$ChangeCloseConvertCurrentErrorFindLastNotificationOpenString
String ID:
API String ID: 3562588798-0
Opcode ID: 759552b6b70363b1d2ce0dd71ac7414ff70dca0e692fc05a46472e36837308c7
Instruction ID: cd7cef6a24fca1281842f795209ba5ae8c1efe735f675af29ff99515ae8b24ef
Opcode Fuzzy Hash: 759552b6b70363b1d2ce0dd71ac7414ff70dca0e692fc05a46472e36837308c7
Instruction Fuzzy Hash: 1C11E232571114AFDB209F65CD86E5D7BB8FF45790F0000A5F801A7240EB7ACB518750

Uniqueness

Uniqueness Score: -1.00%

Function 6BCCC44A Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6BCCC464

Part of subcall function 6BCCC353: __FF_MSGBANNER.LIBCMT ref: 6BCCC36C
Part of subcall function 6BCCC353: __NMSG_WRITE.LIBCMT ref: 6BCCC373
Part of subcall function 6BCCC353: RtlAllocateHeap.NTDLL(00000000,00000001,?,6BCA80D8,00000000,?,6BCCC469,6BCAF877,00000C00,00000020,6BCAF877,?), ref: 6BCCC398

std::exception::exception.LIBCMT ref: 6BCCC499
std::exception::exception.LIBCMT ref: 6BCCC4B3
__CxxThrowException@8.LIBCMT ref: 6BCCC4C4

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 9f4e782b3085216865f45f17bfd672a83af1d8d4ade7d3d29ce4136d7d20f0c9
Instruction ID: 9ba824a68a501b51cc303b7d0f95493fd6e0bca04cf4c4c11447788199540196
Opcode Fuzzy Hash: 9f4e782b3085216865f45f17bfd672a83af1d8d4ade7d3d29ce4136d7d20f0c9
Instruction Fuzzy Hash: 8EF0F435820219ABDF00DFB8CC42BBF7AA8EB51298F044049D610AA190FF7CC755C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBAC87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 213COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBAC8E

Part of subcall function 6BCBD136: _free.LIBCMT ref: 6BCBD16A

Part of subcall function 6BCBD4A6: __EH_prolog3.LIBCMT ref: 6BCBD4AD
Part of subcall function 6BCBD4A6: GetLastError.KERNEL32 ref: 6BCBD4C9

Part of subcall function 6BCA83C3: __wcsicoll.LIBCMT ref: 6BCA83E1

Strings

No Blocking Services, xrefs: 6BCBAE98
Blocking Services, xrefs: 6BCBAEAC

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$ErrorLast__wcsicoll_free
String ID: Blocking Services$No Blocking Services
API String ID: 3921677135-2473106011
Opcode ID: 6dce45036cac282b64399040951d963a00a84f6e2ba1f829eb8e1ef25ac2e2ab
Instruction ID: 3192b373d0ebd3339c030b9af2c80997f4211885243e47aceb5d0e180689ba4f
Opcode Fuzzy Hash: 6dce45036cac282b64399040951d963a00a84f6e2ba1f829eb8e1ef25ac2e2ab
Instruction Fuzzy Hash: E5915D71A1164A9FDB00CF68C985B9EB7B0FF45318F004259F865AB391EB78EA11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8B19E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8B1A5

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

PatchCode, xrefs: 6BC8B375
EstimatedInstallTime, xrefs: 6BC8B1AA

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: EstimatedInstallTime$PatchCode
API String ID: 431132790-1584514563
Opcode ID: 63159f549c2c0a16f0c7106f2501987f57590a94cca4afbf979fc283c9fa9106
Instruction ID: 3cde77a5e419e2b6923ca074e679f79a65c50f6b662ba817fd6134470b46ca8a
Opcode Fuzzy Hash: 63159f549c2c0a16f0c7106f2501987f57590a94cca4afbf979fc283c9fa9106
Instruction Fuzzy Hash: 6F7129B0520246DFDB00CFA8D881F9A7BB4BF49348F1485AAE8199F251F7399A01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7555C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 6BC755C3

Part of subcall function 6BC7500D: _memset.LIBCMT ref: 6BC75015

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

%s - %s %s %s, xrefs: 6BC75680
Unknown OS, xrefs: 6BC755E1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3InfoSystem_memset
String ID: %s - %s %s %s$Unknown OS
API String ID: 3853411852-1218788732
Opcode ID: 4548345c6051396b0b8115e9448d7f0fd123ed49f1d67f83ddb21dc0649787e8
Instruction ID: afa411431bd96d55ac72d753efd9286b33914dad38fd6f63391a665dd820c0fe
Opcode Fuzzy Hash: 4548345c6051396b0b8115e9448d7f0fd123ed49f1d67f83ddb21dc0649787e8
Instruction Fuzzy Hash: 8D4171721283819FD721DF68C841A8BB7E9EF99318F140A1DF59497291EB34E7058B93

Uniqueness

Uniqueness Score: -1.00%

Function 6BC843AD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC843B4

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7A5F0: __EH_prolog3.LIBCMT ref: 6BC7A5F7

Part of subcall function 6BC7A5F0: #6.OLEAUT32(?,?,?,?,?,00000001,?,UiInfo.xml,?,?,00000000,?), ref: 6BC7A64B

Part of subcall function 6BCA861E: _wcschr.LIBCMT ref: 6BCA8635

Part of subcall function 6BC84500: __EH_prolog3.LIBCMT ref: 6BC84507
Part of subcall function 6BC84500: __CxxThrowException@8.LIBCMT ref: 6BC845FF

Part of subcall function 6BC84629: RegCloseKey.ADVAPI32(?,00000034,00000034,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6BC8430E,6BC6A78C,-00000960), ref: 6BC846A3
Part of subcall function 6BC84629: RegCloseKey.ADVAPI32(?,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6BC8430E,6BC6A78C,-00000960), ref: 6BC846B4

Strings

RegValueName, xrefs: 6BC843BD
RegKey, xrefs: 6BC843CB

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Close$Exception@8Throw_wcschr
String ID: RegKey$RegValueName
API String ID: 1652216082-3571311812
Opcode ID: fd1adc83385df26559a7b25fdd32a3bac1148ae4ec231371922939bf54e430b1
Instruction ID: 653fa755beb10f1ec1bada210c95be7f1ffb5a8d9a6e8625514e9ce567481b52
Opcode Fuzzy Hash: fd1adc83385df26559a7b25fdd32a3bac1148ae4ec231371922939bf54e430b1
Instruction Fuzzy Hash: AE418C32910249DBCB11DBF8C945ADEBBB8AF09328F144254E414F7281EB789F05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8427B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC84282

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7A65E: __EH_prolog3.LIBCMT ref: 6BC7A665
Part of subcall function 6BC7A65E: #6.OLEAUT32(?,?,?,6BCAFAA0,LCIDHint,00000024,6BCB6D79,6BC6A78C,?,?,?,6BCBB83A,?,?,6BC55660,?), ref: 6BC7A6BB

Part of subcall function 6BC843AD: __EH_prolog3.LIBCMT ref: 6BC843B4

GetUserDefaultUILanguage.KERNEL32(6BC6A78C,-00000960), ref: 6BC84318

Strings

LCIDHint, xrefs: 6BC84289

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DefaultLanguageUser
String ID: LCIDHint
API String ID: 3899947912-1583853939
Opcode ID: a81dd0ff134e5783cc416a87e5fee54248aa962aae21fccec7427c6121b3f41e
Instruction ID: 1dd72d8b759cb30f435c9c33a5f0e714e4408f02c12181ad193ce8c0b91f91e7
Opcode Fuzzy Hash: a81dd0ff134e5783cc416a87e5fee54248aa962aae21fccec7427c6121b3f41e
Instruction Fuzzy Hash: 3D418671D11209DFDB00DFB8C945A9E7BB9BF45318F1041A9E465AB290EB35DF05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6BC96BA1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC96BA8

Part of subcall function 6BC94DC2: __EH_prolog3.LIBCMT ref: 6BC94DC9
Part of subcall function 6BC94DC2: GetLastError.KERNEL32(00000000,LoadLibrary,00000000,0000000C,6BC96BDA,00000000,?), ref: 6BC94E20
Part of subcall function 6BC94DC2: __CxxThrowException@8.LIBCMT ref: 6BC94E3D

GetCommandLineW.KERNEL32(00000000,?), ref: 6BC96BEA

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

Part of subcall function 6BC73A76: __EH_prolog3.LIBCMT ref: 6BC73A7D

Part of subcall function 6BC94E7F: FreeLibrary.KERNEL32(00000000,?,6BC94E08,00000000,0000000C,6BC96BDA,00000000,?), ref: 6BC94E8C
Part of subcall function 6BC94E7F: LoadLibraryW.KERNELBASE(?,?,?,6BC94E08,00000000,0000000C,6BC96BDA,00000000,?), ref: 6BC94EA4

Part of subcall function 6BCCC44A: _malloc.LIBCMT ref: 6BCCC464

Part of subcall function 6BCBAF43: __EH_prolog3.LIBCMT ref: 6BCBAF4A
Part of subcall function 6BCBAF43: GetProcAddress.KERNEL32(00000004,CreateClassFactory), ref: 6BCBAF5A
Part of subcall function 6BCBAF43: GetLastError.KERNEL32 ref: 6BCBAF68
Part of subcall function 6BCBAF43: __CxxThrowException@8.LIBCMT ref: 6BCBB01F

Strings

passive, xrefs: 6BC96BFC

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$ErrorException@8LastLibraryThrow$AddressCommandFreeLineLoadProc_malloc
String ID: passive
API String ID: 304155978-1995439567
Opcode ID: b6d0c29c74cea01d68f89994c9d24708b1e592abe71900aef37af75e7bac704a
Instruction ID: bc9e90330ed1a4579e1f21ed7542e785217f23ea3f438d6f9ff9c4821b035327
Opcode Fuzzy Hash: b6d0c29c74cea01d68f89994c9d24708b1e592abe71900aef37af75e7bac704a
Instruction Fuzzy Hash: BE31E171820605DFEB20EFB4D84579DB7B5AF04318F0046A9E4A1A7280FB7C9B0687E1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC81EB2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC81EB9

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC819A0: __EH_prolog3.LIBCMT ref: 6BC819A7
Part of subcall function 6BC819A0: __CxxThrowException@8.LIBCMT ref: 6BC81AD1

Strings

BlockIf, xrefs: 6BC81EBE, 6BC81F67
DisplayText, xrefs: 6BC81EF8

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: BlockIf$DisplayText
API String ID: 2489616738-2498774408
Opcode ID: fe4d549b86c0cc4364b09311ed1dad3575d44e0c9eb503e3bddde0a641961369
Instruction ID: 050e2d627970e28ebdbc324b383f1e2797cf5dcd4768380ebc2cfef74558e367
Opcode Fuzzy Hash: fe4d549b86c0cc4364b09311ed1dad3575d44e0c9eb503e3bddde0a641961369
Instruction Fuzzy Hash: 4E314171920249EFCB00DFB8C941E9E7BB8BF49358F148159F555AB240E738EB05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC857FB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC85802

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

_memcpy_s.LIBCMT ref: 6BC8589D

Strings

#(loc., xrefs: 6BC85819, 6BC858C1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$_memcpy_s
String ID: #(loc.
API String ID: 1663610674-1630946291
Opcode ID: ce67ce0547375da1cc8365c1f1a0a2b3764a8832a8f7f9aacd2c18c6b29a49af
Instruction ID: 0f4e244b5df978de589e913766713734965493b40f213f71f2104c0e16739190
Opcode Fuzzy Hash: ce67ce0547375da1cc8365c1f1a0a2b3764a8832a8f7f9aacd2c18c6b29a49af
Instruction Fuzzy Hash: 9831B4729201099FCF00DFB8CC81A9E77A5BF05318F048655EA25AF291EB78EF05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAEA7D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCAEA84
GetComputerObjectNameW.SECUR32(00000007,00000000,6BCAFAA0), ref: 6BCAEAC9

Strings

microsoft.com, xrefs: 6BCAEB19

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ComputerH_prolog3NameObject
String ID: microsoft.com
API String ID: 4212761916-499418652
Opcode ID: 39003c9d7060e1296a5929d65dc008804c361ddebb4da85e570e5c2a68d3273f
Instruction ID: 846fea4803fa400f753eb71b4c42733593469772b3cd6747e156e8d6eaf98136
Opcode Fuzzy Hash: 39003c9d7060e1296a5929d65dc008804c361ddebb4da85e570e5c2a68d3273f
Instruction Fuzzy Hash: C7219D31A301078BCF04DFB8C8569AEB772AF41328F244669D522A72D1FB789B058B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB224B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB2252

Strings

Creating new Performer for ServiceControl item, xrefs: 6BCB225E
GetAction returned an invalid action type; creating DoNothingPerformer, xrefs: 6BCB228C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Creating new Performer for ServiceControl item$GetAction returned an invalid action type; creating DoNothingPerformer
API String ID: 431132790-300339860
Opcode ID: 01ce97dc982cf1457880251c1e6e6326e383a72ec5289591d46ae0a0d004e9ec
Instruction ID: ec03ef364b936360dd2dfb17b45da262efed18192891a8401e3b2e3c967b3772
Opcode Fuzzy Hash: 01ce97dc982cf1457880251c1e6e6326e383a72ec5289591d46ae0a0d004e9ec
Instruction Fuzzy Hash: F4117F34571202EBEB009BB8C829B6D7BA0BF59315F108155E108DF590FF7D9780D762

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA7B6B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA7B72

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC74D12: __EH_prolog3.LIBCMT ref: 6BC74D19

Part of subcall function 6BC739BE: __EH_prolog3.LIBCMT ref: 6BC739C5

Strings

Operation Type, xrefs: 6BCA7B8A, 6BCA7B8F, 6BCA7BA9
Operation: %s, xrefs: 6BCA7BE0

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Operation Type$Operation: %s
API String ID: 431132790-3288381836
Opcode ID: 80cb6d257707675cc11f4d07843e4dfe29f90993f03dba9e01163176678b551e
Instruction ID: aa42d7714abd0c92550518b8338a4c4e976488a454da228befad1c3f5f1661a4
Opcode Fuzzy Hash: 80cb6d257707675cc11f4d07843e4dfe29f90993f03dba9e01163176678b551e
Instruction Fuzzy Hash: 47215B71920149EBCB00DBF8C945EAEBBB9AF19308F144055E154F7241E7799B058B62

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9502E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC95035

Part of subcall function 6BCC8E28: _wcsnlen.LIBCMT ref: 6BCC8E38

DeleteFileW.KERNELBASE(?,00000010,HFI,00000000,?,6BC6AB1C,00000004,6BCBA7EA,CC4203FA,CC4203FA,?,?,6BCA4882), ref: 6BC950A9

Strings

HFI, xrefs: 6BC95086

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: DeleteFileH_prolog3_wcsnlen
String ID: HFI
API String ID: 1332513528-686494941
Opcode ID: 7347504db439ebc56ac9014290a3e2e55daff2832d62b8b71690fae7adea1a01
Instruction ID: e4a7b2d2571aef3afc3523e7c4505ccd2b56b4d954382c0d1fd0a620b10328f1
Opcode Fuzzy Hash: 7347504db439ebc56ac9014290a3e2e55daff2832d62b8b71690fae7adea1a01
Instruction Fuzzy Hash: 3E1108757302049FE701AFB8C885A5FB7E4AF2531DF004259E66197291FB789B0587A2

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB369F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB36A6

Part of subcall function 6BC757FC: _memset.LIBCMT ref: 6BC7582B
Part of subcall function 6BC757FC: GetVersionExW.KERNEL32 ref: 6BC75840
Part of subcall function 6BC757FC: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001), ref: 6BC75856
Part of subcall function 6BC757FC: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001), ref: 6BC7585E
Part of subcall function 6BC757FC: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000001,?,00000001,00000001), ref: 6BC75866
Part of subcall function 6BC757FC: VerSetConditionMask.KERNEL32(00000000,?,00000010,00000001,?,00000020,00000001,?,00000001,00000001), ref: 6BC7586E
Part of subcall function 6BC757FC: VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BC75879

Strings

CSDReleaseType, xrefs: 6BCB36FF
SYSTEM\CurrentControlSet\Control\Windows, xrefs: 6BCB3714

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ConditionMask$Version$H_prolog3InfoVerify_memset
String ID: CSDReleaseType$SYSTEM\CurrentControlSet\Control\Windows
API String ID: 3830908078-406884543
Opcode ID: a830f71cf845df514bf83de1e127f40413dd5899642991bb8e553d225b582f5a
Instruction ID: 759d4abd9af18c17f441eb47ee3b38771d734983e87c296f020a7d5c131e1e41
Opcode Fuzzy Hash: a830f71cf845df514bf83de1e127f40413dd5899642991bb8e553d225b582f5a
Instruction Fuzzy Hash: 5201A9B3C2016857D7248B28C816AA937A4AB15354F064166FE59AB141E33DDF41C6A5

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB16CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,?,?,?,?,6BCAFAA0,?,?,?,?,?,?,6BCB3624,6BCAFAA0,000000FF), ref: 6BCB1704
GetLastError.KERNEL32(?,6BCAFAA0,?,?,?,?,?,?,6BCB3624,6BCAFAA0,000000FF,?,?,00000738,6BCAFAA0,?), ref: 6BCB1714

Part of subcall function 6BC774C1: __EH_prolog3.LIBCMT ref: 6BC774C8

Strings

GetDiskFreeSpaceEx, xrefs: 6BCB171D

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: DiskErrorFreeH_prolog3LastSpace
String ID: GetDiskFreeSpaceEx
API String ID: 3776785849-3355056173
Opcode ID: ada60ea7511f79cf7d8f28ebe52caec78b73b0116ea66b747dc82814725e1d50
Instruction ID: ee0cb89bf3b498920db04707df1ad0cbbfc6b3a1f435bae55fe85ee56ff337ad
Opcode Fuzzy Hash: ada60ea7511f79cf7d8f28ebe52caec78b73b0116ea66b747dc82814725e1d50
Instruction Fuzzy Hash: D101EC76D10229BB8B00DF98D9458DFBBB9EB89710B104549F905F7200E774AB45CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAEC8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCAEC96

Part of subcall function 6BCA3892: __EH_prolog3.LIBCMT ref: 6BCA3899
Part of subcall function 6BCA3892: InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,6BCAECAE,?,?), ref: 6BCA3930

Part of subcall function 6BCB2B38: PathFileExistsW.KERNELBASE(00000000), ref: 6BCB2BCA
Part of subcall function 6BCB2B38: __CxxThrowException@8.LIBCMT ref: 6BCB2C09
Part of subcall function 6BCB2B38: CopyFileW.KERNELBASE(00000010,00000000,00000000,?), ref: 6BCB2C3B
Part of subcall function 6BCB2B38: SetFileAttributesW.KERNELBASE(?,00000080), ref: 6BCB2C54

InitializeCriticalSection.KERNEL32(?,?,?,.html,00000001,00000000,6BCA7237,00000000,00000000,?,?,?,?,?,?,?), ref: 6BCAECF0

Strings

.html, xrefs: 6BCAECA0

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: File$CriticalH_prolog3InitializeSection$AttributesCopyException@8ExistsPathThrow
String ID: .html
API String ID: 4277916732-2179875201
Opcode ID: c610e443df9e2d9cf7df298afb23bc677193e680b96513a7a6395388a736bab4
Instruction ID: c427632c6a9cb4276a3e88359e2a1f164b7056934200384f82e6ec9949e26522
Opcode Fuzzy Hash: c610e443df9e2d9cf7df298afb23bc677193e680b96513a7a6395388a736bab4
Instruction Fuzzy Hash: AAF0C235630246EFDB01DBB4849A7DDB7A67FA4348F014058E5046B241EBBCAB09E7B2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC984AB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,6BCAFAA0,?,?,6BCC30A7,6BCAFAA0,?,?,?,?), ref: 6BC984C9

Strings

File %s, locked for install. , xrefs: 6BC984E2
Failed to lock file %s., xrefs: 6BC984DB

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CreateFile
String ID: Failed to lock file %s.$File %s, locked for install.
API String ID: 823142352-2267527102
Opcode ID: 3dbb564087997be569a7af1f9165625af00f5b34663cc6152a721f6227a1f934
Instruction ID: 0619076e8cc339c42936af546ade8cabd86f88739d9490192c5a8e402f43bd3c
Opcode Fuzzy Hash: 3dbb564087997be569a7af1f9165625af00f5b34663cc6152a721f6227a1f934
Instruction Fuzzy Hash: B6E0927379021077E63015ADAC0AF453B989BC5B70F254121FB54BB2C0F565AA6482B8

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBA588 Relevance: 4.7, APIs: 3, Instructions: 225COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBA58F
GetCurrentProcessId.KERNEL32(00000020,6BC950E9,00000000,?,?,6BCA4882), ref: 6BCBA59F

Part of subcall function 6BC94F48: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6BC94F64
Part of subcall function 6BC94F48: _memset.LIBCMT ref: 6BC94F7E
Part of subcall function 6BC94F48: Process32FirstW.KERNEL32(00000000,?), ref: 6BC94F98
Part of subcall function 6BC94F48: FindCloseChangeNotification.KERNELBASE(00000000), ref: 6BC94FC7

Part of subcall function 6BCC91E7: _memcpy_s.LIBCMT ref: 6BCC9238

Part of subcall function 6BCA83C3: __wcsicoll.LIBCMT ref: 6BCA83E1

GetTempPathW.KERNEL32(00000104,00000000,6BCA4882,6BCA4373,6BCA4882,00000000,00000010,00000010,?,00000000,6BCA4373,?,?,6BCA4882), ref: 6BCBA7B7

Part of subcall function 6BC94F48: Process32NextW.KERNEL32(00000000,0000022C), ref: 6BC94FB3

Part of subcall function 6BCC8E28: _wcsnlen.LIBCMT ref: 6BCC8E38

Part of subcall function 6BC9502E: __EH_prolog3.LIBCMT ref: 6BC95035

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3Process32$ChangeCloseCreateCurrentFindFirstNextNotificationPathProcessSnapshotTempToolhelp32__wcsicoll_memcpy_s_memset_wcsnlen
String ID:
API String ID: 3672672585-0
Opcode ID: d6f262015a47431f164040af2061cc505c32fa59cb30378e52130b87934db639
Instruction ID: a27b33f73bd2d28d310dcd99461946b22acb688e1daf307d6c776e2573fc3913
Opcode Fuzzy Hash: d6f262015a47431f164040af2061cc505c32fa59cb30378e52130b87934db639
Instruction Fuzzy Hash: C6918771D20245CFEB01DFF8C84AA9EB7B4EF19318F144699E550A7281EB789B05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC2182C Relevance: 4.6, APIs: 3, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,-00020018,6BC22E5E,?,?,00000000,?,?,?,6BC22E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6BC21897
RegQueryValueExW.KERNELBASE(6BC22E5E,?,00000000,00000027,80000002,?,?,00000000,?,?,?,6BC22E5E,80000002,Software\Microsoft\SQMClient,MachineId,?), ref: 6BC218B3
RegCloseKey.KERNELBASE(6BC22E5E,?,00000000,?,?,?,6BC22E5E,80000002,Software\Microsoft\SQMClient,MachineId,?,00000027), ref: 6BC218D1

Memory Dump Source

Source File: 00000006.00000002.2772419557.000000006BC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BC20000, based on PE: true

Associated: 00000006.00000002.2772334607.000000006BC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772874776.000000006BC40000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772911983.000000006BC41000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc20000_Setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: a1f93bc3f5539ee61be47f1cfc42c8aca71681babe9823fe3b73e92ca64e3c21
Instruction ID: 2c57bbc97f8dff2f28ba65a562dea7f14fbdb8fadc31eb76b9ff3419dc5a10ca
Opcode Fuzzy Hash: a1f93bc3f5539ee61be47f1cfc42c8aca71681babe9823fe3b73e92ca64e3c21
Instruction Fuzzy Hash: 8731D832961259AFDB159F59C9D1F6A3BB5FB11384F0100E6FE10A7160E379CB84DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BC97462 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC97469

Part of subcall function 6BC97369: __EH_prolog3.LIBCMT ref: 6BC97370
Part of subcall function 6BC97369: OpenFileMappingW.KERNELBASE(00000002,00000000,00000000,?,6BC6AB1C,00000008,6BC974A5,?,?,00000004,6BCBC7F6,?,6BC695B4,00000000,00000001,?), ref: 6BC97399
Part of subcall function 6BC97369: GetLastError.KERNEL32(?,?,?,?,00000001), ref: 6BC973A6

OpenEventW.KERNEL32(00100002,00000000,00000000,?,?,00000004,6BCBC7F6,?,6BC695B4,00000000,00000001,?,6BC6A78C,?,00000001,?), ref: 6BC974B2
OpenFileMappingW.KERNELBASE(00000002,00000000,00000000,?,?,?,?,00000001), ref: 6BC974C2

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Open$FileH_prolog3Mapping$ErrorEventLast
String ID:
API String ID: 1631330826-0
Opcode ID: ad7c327285ea81837852e22f76cd618d50820a4d903c8c34aa4d19c2e160f3b7
Instruction ID: 7648be3acf650e27dadb4e6283200f620bbd2dccb38498a27a90d5afdcf2d689
Opcode Fuzzy Hash: ad7c327285ea81837852e22f76cd618d50820a4d903c8c34aa4d19c2e160f3b7
Instruction Fuzzy Hash: 10113AB5610246EFCB00CF64C886B99BBB0FF08350F108619E9589B781E778E620CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6BC22815 Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,6BC2332F(TokenIntegrityLevel),00000000,00000000,00000000,00000000,00000000,?,?,6BC236C7,?,00000001), ref: 6BC22835
GetLastError.KERNEL32(?,?,6BC236C7,?,00000001,?,?,?,?,6BC2332F,?), ref: 6BC2283B

Part of subcall function 6BC21967: malloc.MSVCRT(?,6BC40554), ref: 6BC21979

GetTokenInformation.KERNELBASE(?,6BC2332F(TokenIntegrityLevel),00000000,00000000,00000000,?,?,6BC236C7,?,00000001,?,?,?,?,6BC2332F,?), ref: 6BC22863

Memory Dump Source

Source File: 00000006.00000002.2772419557.000000006BC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BC20000, based on PE: true

Associated: 00000006.00000002.2772334607.000000006BC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772874776.000000006BC40000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772911983.000000006BC41000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc20000_Setup.jbxd

Similarity

API ID: InformationToken$ErrorLastmalloc
String ID:
API String ID: 3066823155-0
Opcode ID: 8cc11686a9e1e6076b5518d12779aaef209cc73eafe8e9ac78bd8e2cd28ffcc3
Instruction ID: 690839d6afaa2a177ff5c8e4a82829ee3c6887084c88c3bea9b6311dd74a85d8
Opcode Fuzzy Hash: 8cc11686a9e1e6076b5518d12779aaef209cc73eafe8e9ac78bd8e2cd28ffcc3
Instruction Fuzzy Hash: 09018136575109FFEF019AA5DD52FAE7B6DEB05799F204062FA00AA060E739DF009770

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7C3BD Relevance: 4.5, APIs: 3, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000001,?,?,?,?,?,6BCB3728,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6BC7C3DD
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,6BCB1017,00000004,?,?,?,6BCB3728,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType), ref: 6BC7C3F6
RegCloseKey.KERNELBASE(?,?,?,?,6BCB3728,?,SYSTEM\CurrentControlSet\Control\Windows,?,?,CSDReleaseType,?,-00000960,00000004,6BCB1017,?), ref: 6BC7C405

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: d087945bb429c5558582895b45dd9a3db1300f3280220bc4b320bb2a4610530a
Instruction ID: a67031efec4cfd696d9b12c0a77aa060ec6f18afea67c33035fa6facb21c6f6d
Opcode Fuzzy Hash: d087945bb429c5558582895b45dd9a3db1300f3280220bc4b320bb2a4610530a
Instruction Fuzzy Hash: A2F019B2100108BFEB119FA4CC8AEAE7B7CEB053A8F108154F911A6190E775DA609A20

Uniqueness

Uniqueness Score: -1.00%

Function 6BC77D30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC77D37

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC77F2C: __EH_prolog3.LIBCMT ref: 6BC77F33

Part of subcall function 6BC75E18: __EH_prolog3.LIBCMT ref: 6BC75E1F

Part of subcall function 6BC754E6: __EH_prolog3.LIBCMT ref: 6BC754ED
Part of subcall function 6BC754E6: GetModuleHandleW.KERNEL32(kernel32.dll,0000002C,6BC77DF7,?,?,?,?,?,00000000,?,?,6BC6AB1C,00000008,6BC77D21), ref: 6BC754FD

Strings

Unknown, xrefs: 6BC77DDB

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$HandleModule
String ID: Unknown
API String ID: 1530205010-1654365787
Opcode ID: 34ced689197da8c65c95cdbdab21395ddfcb888d0d98f38d1b4acf06d3430c4e
Instruction ID: ad33a3861083d8594809ee535c8553803deb98d20796047b786d4953fb0bccf0
Opcode Fuzzy Hash: 34ced689197da8c65c95cdbdab21395ddfcb888d0d98f38d1b4acf06d3430c4e
Instruction Fuzzy Hash: CF31B5725207058BDB24DFB4C842FBF73A4FF19318F544A1DE166972C1EB78A6088756

Uniqueness

Uniqueness Score: -1.00%

Function 6BC82804 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8280B

Part of subcall function 6BCCC44A: _malloc.LIBCMT ref: 6BCCC464

Part of subcall function 6BC81EB2: __EH_prolog3.LIBCMT ref: 6BC81EB9

Strings

BlockIfGroup, xrefs: 6BC82862

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID: BlockIfGroup
API String ID: 1683881009-1356723647
Opcode ID: 3b6de52d95c7e98e537e6db6afd4a756bd8ec1d60052676f47ba23298623046e
Instruction ID: 6c0606be3751d1c8b129342d083577c166f81d1ed6aac080e336f0cbe1806c55
Opcode Fuzzy Hash: 3b6de52d95c7e98e537e6db6afd4a756bd8ec1d60052676f47ba23298623046e
Instruction Fuzzy Hash: BE312F7192020AABEF01DBF8D859AAE7BB8AF04348F104469E514EB181F738DB04DB71

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA4835 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA483C

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA8C05: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6BCB9E00,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6BCA8C29

Part of subcall function 6BCC91E7: _memcpy_s.LIBCMT ref: 6BCC9238

Strings

%TEMP%, xrefs: 6BCA4863

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$AppendPath_memcpy_s
String ID: %TEMP%
API String ID: 3727483831-235365282
Opcode ID: 57ab692d63c1e5bbde80dd065c9870664384007753f3ee4b787ec3b28e181f35
Instruction ID: b3f8b120a5f06db474b32c49989f64b86942de97fe3d27a8f9eb6e16774a596c
Opcode Fuzzy Hash: 57ab692d63c1e5bbde80dd065c9870664384007753f3ee4b787ec3b28e181f35
Instruction Fuzzy Hash: 6421807292014A8BDF01DBFCC886BAEB7B4AF1131CF144651D160FB2D1EB789B049762

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8266A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC82671

Part of subcall function 6BC789D7: __EH_prolog3.LIBCMT ref: 6BC789DE
Part of subcall function 6BC789D7: __CxxThrowException@8.LIBCMT ref: 6BC78AA9

Part of subcall function 6BC82804: __EH_prolog3.LIBCMT ref: 6BC8280B

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

ReturnCode, xrefs: 6BC826D1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: ReturnCode
API String ID: 2489616738-1214168914
Opcode ID: 3ad1e907f019b2ed0c6a7d59de180c9ac8386fd695caa4c209259cb72e55aaad
Instruction ID: 4b06ca9af66545eaddc5afc8b2f36ac272fc395134456722afe5d2f9636e0609
Opcode Fuzzy Hash: 3ad1e907f019b2ed0c6a7d59de180c9ac8386fd695caa4c209259cb72e55aaad
Instruction Fuzzy Hash: 922142B1521215DFCB00DF78C896A5E7BA8BF09718B14855AF414DF286EB74DB01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBA4BF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBA4C6

Strings

%TEMP%, xrefs: 6BCBA52B

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: %TEMP%
API String ID: 431132790-235365282
Opcode ID: 92ad9e93bce54fbbe14f0e7517ca6a869e4e06585c3466bc9d7ac0199e59ee0c
Instruction ID: c6746496695ff20e327bad68454441c600e36c97440cb7571973cba588e282d8
Opcode Fuzzy Hash: 92ad9e93bce54fbbe14f0e7517ca6a869e4e06585c3466bc9d7ac0199e59ee0c
Instruction Fuzzy Hash: 6C212971A2021AABDF00DFB4CC89EAE7B75FF04355F008524F961AA190EB78DB15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB9675 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(CC4203FA,6BCA80D8,?,00000000,6BCE4F7B,000000FF,?,6BCA754E,?,00000000), ref: 6BCB96A1

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

Part of subcall function 6BC73A76: __EH_prolog3.LIBCMT ref: 6BC73A7D

Strings

repair, xrefs: 6BCB970C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID: repair
API String ID: 1384747822-2397320225
Opcode ID: fd2e80b1b7104fa880f9e709b3c04a3916b2c2842b050b8be2a0101229b4cf32
Instruction ID: 3a8938814fd4780e92122f241f05a8d2c18e67f9d72da6130f4766fad91b7149
Opcode Fuzzy Hash: fd2e80b1b7104fa880f9e709b3c04a3916b2c2842b050b8be2a0101229b4cf32
Instruction Fuzzy Hash: 3C11B672568710ABC720DB64C846F9A73DCEF59724F000A2AB961971E1FB78E7048692

Uniqueness

Uniqueness Score: -1.00%

Function 6BC738EB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC738F2

Strings

Entering Function, xrefs: 6BC7391E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Entering Function
API String ID: 431132790-2002471330
Opcode ID: 3a7d05fce68b4d476968721136774c49b0733475a5b0860b31316f932dafe34c
Instruction ID: b3bcec42e47afd9cf762b274a69de0f0b2b70eac1834c98813cb701ed57975f8
Opcode Fuzzy Hash: 3a7d05fce68b4d476968721136774c49b0733475a5b0860b31316f932dafe34c
Instruction Fuzzy Hash: 69F0C2796202019FDB10CFA8C889B4EB7F1EF54614F14C41AE9998B310EB38EA50DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BC73937 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7393E

Strings

exiting function/method, xrefs: 6BC7394F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: exiting function/method
API String ID: 431132790-2452647166
Opcode ID: 057eb41e73afc8a215fa0038055269f17fa8f159a12e839624d83ffabfc917a1
Instruction ID: cfabe2d554aeea5d0ca4b91db4d126b6663b1f9753bf189ff9e7e72090a74866
Opcode Fuzzy Hash: 057eb41e73afc8a215fa0038055269f17fa8f159a12e839624d83ffabfc917a1
Instruction Fuzzy Hash: E4E065392202019FCB00DFA8C089F0AB7B1FF48305F008458E68A8B760EB35AA00CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9710F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000424,6BC974D2,?,?,?,?,00000001), ref: 6BC9713B

Strings

The handle to the section is Null, xrefs: 6BC97121

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: FileView
String ID: The handle to the section is Null
API String ID: 3314676101-179083574
Opcode ID: 8af6649132ed59ce42b66a81dad784ed10d7330951c60ee5e645b499dfee09df
Instruction ID: 5c506b8788592c6f1380ea4da9b5439de48e3407a3ded49a96ce11eb162ddf3c
Opcode Fuzzy Hash: 8af6649132ed59ce42b66a81dad784ed10d7330951c60ee5e645b499dfee09df
Instruction Fuzzy Hash: D1E0ECB0795702AFEB209F69AC4AF027AE4EF08B40F10C859B25AEF5C1E374D5108B14

Uniqueness

Uniqueness Score: -1.00%

Function 6BC23536 Relevance: 3.2, APIs: 2, Instructions: 213COMMON

Download Yara Rule

APIs

ctype.LIBCPMT ref: 6BC32015
ctype.LIBCPMT ref: 6BC3202A

Part of subcall function 6BC217EB: malloc.MSVCRT ref: 6BC217F6

Part of subcall function 6BC22885: InitializeCriticalSectionAndSpinCount.KERNEL32(00000004,00000FA0,?,00000000,00000000), ref: 6BC228C4

Part of subcall function 6BC23992: EnterCriticalSection.KERNEL32(?,00000000,6BC2397F,00000000,6BC2371E,80004005), ref: 6BC239AE

Part of subcall function 6BC22C9B: VirtualAlloc.KERNELBASE(00000000,?,00002000,00000004,6BC227B0,00000000,6BC40088), ref: 6BC22D01
Part of subcall function 6BC22C9B: VirtualAlloc.KERNELBASE(?,00000000,00001000,00000004,000003F8,00000000,?,?,?,?,6BC227B0,00000000,6BC40088), ref: 6BC22D4F

Memory Dump Source

Source File: 00000006.00000002.2772419557.000000006BC21000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BC20000, based on PE: true

Associated: 00000006.00000002.2772334607.000000006BC20000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772874776.000000006BC40000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.2772911983.000000006BC41000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc20000_Setup.jbxd

Similarity

API ID: AllocCriticalSectionVirtualctype$CountEnterInitializeSpinmalloc
String ID:
API String ID: 738331480-0
Opcode ID: fae5d0607fb6c7dea4145c27aafbf2631f010019426c1a9724cc5dd0d5552c4a
Instruction ID: 460ed87d15f4373af08ca8cf45efd4d0ce88c5da2e04d17732005f29ec5ed51a
Opcode Fuzzy Hash: fae5d0607fb6c7dea4145c27aafbf2631f010019426c1a9724cc5dd0d5552c4a
Instruction Fuzzy Hash: FF710331574360AFDB209F69C8A4F597BA1BB45748F4044ACE915CE2A1FB7ECB44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBDAA6 Relevance: 3.1, APIs: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBDAAD

Part of subcall function 6BC9309D: __EH_prolog3.LIBCMT ref: 6BC930A4

InitializeCriticalSection.KERNEL32(0000000C), ref: 6BCBDC97

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CriticalInitializeSection
String ID:
API String ID: 1185523453-0
Opcode ID: f05c766279fcfc8826a64b7ba1f9ac2f7a703975bf0a1db821ce99de1b6fa19b
Instruction ID: a087d6e950f2cd79950ed61771be83eec11867d2d2552a80ab249d4f56e536d2
Opcode Fuzzy Hash: f05c766279fcfc8826a64b7ba1f9ac2f7a703975bf0a1db821ce99de1b6fa19b
Instruction Fuzzy Hash: 98619C7551024ADFCF01CFB8C585BCEBBF4BF18304F008199E968AB241E778AA15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9536A Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC95371
_calloc.LIBCMT ref: 6BC95471

Part of subcall function 6BCA83C3: __wcsicoll.LIBCMT ref: 6BCA83E1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3__wcsicoll_calloc
String ID:
API String ID: 1785777740-0
Opcode ID: 94090c2f54d2a6b603f2ca2991668beb22270f6e268d736e34f7d7a6f77a1a9c
Instruction ID: a31549205ecb9bf41b27ce0e2685ba2aabffcb45ec048c8c72ce3df369cc1e07
Opcode Fuzzy Hash: 94090c2f54d2a6b603f2ca2991668beb22270f6e268d736e34f7d7a6f77a1a9c
Instruction Fuzzy Hash: 39416AB1A106169FEB40DFA8D9C698EF7F4FF04316B208569E625E7240E738EA01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9968D Relevance: 3.1, APIs: 2, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6BC996EA
__aulldiv.LIBCMT ref: 6BC99705

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 16cf3757570758145d6acb6c5a06c3475e4457771ea001ee44105795bd83dff2
Instruction ID: 13c407082d5cef9f3125e1243bd66c38c1fc174ba65be7b55bd94a2b9f8c8439
Opcode Fuzzy Hash: 16cf3757570758145d6acb6c5a06c3475e4457771ea001ee44105795bd83dff2
Instruction Fuzzy Hash: D5117F75610600AFE720AF99DC55D2BB7FEEFC5B04B10885DF18687651EA74BD00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6BC84629 Relevance: 3.1, APIs: 2, Instructions: 59registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6BCC87A6: RegCloseKey.ADVAPI32(?,?,?,6BC84651,00000034,00000034,00000000), ref: 6BCC87E6

RegCloseKey.ADVAPI32(?,00000034,00000034,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6BC8430E,6BC6A78C,-00000960), ref: 6BC846A3
RegCloseKey.ADVAPI32(?,00000034,00000034,00000000,00000000,?,00000034,RegKey,?,RegValueName,00000034,6BC8430E,6BC6A78C,-00000960), ref: 6BC846B4

Part of subcall function 6BCC86FE: RegQueryValueExW.ADVAPI32(00000000,00000034,00000000,00000034,00000034,00000000,?,?,6BC8469B,?,?,6BC8430E,00000034,00000034,00000034,00000034), ref: 6BCC8720

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Close$QueryValue
String ID:
API String ID: 2393043351-0
Opcode ID: b211c87afa717ed16581885c29de296c1aa9ca4ca8014237f0554b647b1e7cb0
Instruction ID: d4a4a8a1c275c40b1bb050e58b5f7196eae8dc87fbc6995d69d59caa98476d89
Opcode Fuzzy Hash: b211c87afa717ed16581885c29de296c1aa9ca4ca8014237f0554b647b1e7cb0
Instruction Fuzzy Hash: 0911F375D21229EFCF01DFA9C90489FBFBAFB88714B104496F810A6210E3789B15DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BC86369 Relevance: 3.1, APIs: 2, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC86370
_free.LIBCMT ref: 6BC863B3

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3_free
String ID:
API String ID: 2248394366-0
Opcode ID: f8532161bbd8204c2b0d0d5410e85bb731076b0afaf371bbcc090878a36736b9
Instruction ID: 5dbe61eadc6b46e1275584a638cf9c54314a7bd885aa1ecb0723a0f12ee3c79b
Opcode Fuzzy Hash: f8532161bbd8204c2b0d0d5410e85bb731076b0afaf371bbcc090878a36736b9
Instruction Fuzzy Hash: 4401D671530B019BC7208F69C4C191FBBE1BF40308B11887EE25987600EB7DEA80D741

Uniqueness

Uniqueness Score: -1.00%

Function 6BC75F5A Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC75F61

Part of subcall function 6BC75435: ExpandEnvironmentStringsW.KERNEL32(?,?,00000105,00000010,6BCFEE70,?,?,?,?,6BCB9D5F,00000000,?,UiInfo.xml,?,?,00000000), ref: 6BC75473
Part of subcall function 6BC75435: ExpandEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,?,6BCB9D5F,00000000,?,UiInfo.xml,?,?,00000000,?), ref: 6BC754A1

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

PathIsDirectoryW.SHLWAPI(?), ref: 6BC75F9E

Part of subcall function 6BCA8D59: PathStripPathW.SHLWAPI(00000000,?,?,6BCBF83A), ref: 6BCA8D69

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Path$EnvironmentExpandH_prolog3Strings$DirectoryStrip
String ID:
API String ID: 1110704599-0
Opcode ID: 0205c8c83bdd445422d924d7ce8fda6afed22473308bd1b66bfaba75b2b3d2f7
Instruction ID: cbebeb7bfaa35b0467a7817fd8b69888f67a7a7319b1c38144f1a1650aa5d531
Opcode Fuzzy Hash: 0205c8c83bdd445422d924d7ce8fda6afed22473308bd1b66bfaba75b2b3d2f7
Instruction Fuzzy Hash: DE116031630106CBDB10EBB8CC86FAEB3B5AF11319F500569E511FB291FB389B058B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA2E7B Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BCA2E82
_free.LIBCMT ref: 6BCA2F10

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3_catch_free
String ID:
API String ID: 2207867443-0
Opcode ID: 29e38e0af6dbe712292fe37f0af6565803c37ffb35de926f157d456c997374cc
Instruction ID: 8a6975b8411db0c1a1719a2014867e0ee38051b0338d3166ac1fb9cad2abe49a
Opcode Fuzzy Hash: 29e38e0af6dbe712292fe37f0af6565803c37ffb35de926f157d456c997374cc
Instruction Fuzzy Hash: A511B13062530ADFDB00DFB5C5557ADB7B0BF1131AF208198D114AB281E7798B84D791

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAB7B1 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff18a86c7b14cd81cbf01800b7d63eab747a22c8b072c2e0a85ca45d951fef9d
Instruction ID: 4f867fe6afcf78c6c37590c2dd776be422fb18981ba32c6ee4aa7222654cf4c9
Opcode Fuzzy Hash: ff18a86c7b14cd81cbf01800b7d63eab747a22c8b072c2e0a85ca45d951fef9d
Instruction Fuzzy Hash: A5110475610606DFC724DF69C888C9ABBF4FF49314301859DE84A9B621DB30FD45CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA3892 Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA3899

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA4272: __CxxThrowException@8.LIBCMT ref: 6BCA4301

Part of subcall function 6BC781B0: GetFileSize.KERNEL32(?,?,?,?,?,6BCA3906,?,?,00000000,?,?,?,?,00000008,6BCAECAE,?), ref: 6BC781C0

InitializeCriticalSection.KERNEL32(00000002,?,00000000,00000000,00000002,?,?,00000000,?,?,?,?,00000008,6BCAECAE,?,?), ref: 6BCA3930

Part of subcall function 6BC7813F: WriteFile.KERNELBASE(?,?,?,?,00000000,?,6BCA5E48), ref: 6BC78155

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: FileH_prolog3$CriticalException@8InitializeSectionSizeThrowWrite
String ID:
API String ID: 593797809-0
Opcode ID: b809aa364dbd9f22f9de7a77b6db0e9fe4877807414901798d065360b729b68a
Instruction ID: 8e583000c13495508ec59895041081e9f8562ceb1cbdce0021e27352e62bbc10
Opcode Fuzzy Hash: b809aa364dbd9f22f9de7a77b6db0e9fe4877807414901798d065360b729b68a
Instruction Fuzzy Hash: D3117C7152124AEFCB10DFA4C946FDEBBB8BF04304F008445E604B7641E778AB25DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB13E2 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB13E9

Part of subcall function 6BCB37ED: GetUserDefaultUILanguage.KERNEL32(-00000960,?,00000000,?,?,?,?,6BCB1405,?,00000010,6BC85A52,?,?,?,0000004C,6BCBB83A), ref: 6BCB380B

_free.LIBCMT ref: 6BCB1448

Part of subcall function 6BCB387E: __EH_prolog3.LIBCMT ref: 6BCB3885
Part of subcall function 6BCB387E: PathFileExistsW.KERNELBASE(?,SetupResources.dll,00000000,00000738,00000000,6BCAFAA0,0000000C,6BCB3B38,?,6BC6A78C,?), ref: 6BCB38EA

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DefaultExistsFileLanguagePathUser_free
String ID:
API String ID: 2326855983-0
Opcode ID: 29fe246740a05fa793e3d27769f6b8c283352f1b16688f8884540d2cccf3d9dc
Instruction ID: d36da0f08447d9f3a362b08e8be898f3894ddd5430190772e9a040a48d9de382
Opcode Fuzzy Hash: 29fe246740a05fa793e3d27769f6b8c283352f1b16688f8884540d2cccf3d9dc
Instruction Fuzzy Hash: D0113970C3022A8BCF159FE989829AFBB75AF44704F104496D92177241EB3D9742DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC98A66 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC98A6D
PathFileExistsW.KERNELBASE(?,?,?,?), ref: 6BC98AD6

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ExistsFileH_prolog3Path
String ID:
API String ID: 20096932-0
Opcode ID: 43007927ff1e0aefd7c71b310bb8381b5424bc4af43dfb8c4d8c28401fe57bfb
Instruction ID: b789762351af52f288138570867997bb28e230479b8961cf83e1cec7c0adecf7
Opcode Fuzzy Hash: 43007927ff1e0aefd7c71b310bb8381b5424bc4af43dfb8c4d8c28401fe57bfb
Instruction Fuzzy Hash: 18114CB5620245DFEB01DFBCC88598E77A5FF15358B008A69E595CB352EB78DB00CB21

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC8F08 Relevance: 3.1, APIs: 2, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 6BCC8F56

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: _memmove_s
String ID:
API String ID: 800865076-0
Opcode ID: 0ea771782788cd065121d2ef98f421460364dba8c0f507f0d09291c01fd6e705
Instruction ID: 73e294528a953e01655446d1dca762be36bff1cc9b41ae3dd00014f832696785
Opcode Fuzzy Hash: 0ea771782788cd065121d2ef98f421460364dba8c0f507f0d09291c01fd6e705
Instruction Fuzzy Hash: 5501B571620004AFC708DFA9CC95C7FB36AEFA9308710056DE50597241FF75AF00C692

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBE626 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBE62D
DeleteCriticalSection.KERNEL32(00000738,00000008,6BCBDCF6), ref: 6BCBE687

Part of subcall function 6BCC27E3: _free.LIBCMT ref: 6BCC2811
Part of subcall function 6BCC27E3: _free.LIBCMT ref: 6BCC2821

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: _free$CriticalDeleteH_prolog3Section
String ID:
API String ID: 700232784-0
Opcode ID: 186380616a052c3dc359f076a0cc3c5c09ed0e4ab026973c563740ac9bb010a5
Instruction ID: 30b6a359c96e22ca3f5a911f2e00e7cc08ed204c4cbc964b890bd1a7275cf5d4
Opcode Fuzzy Hash: 186380616a052c3dc359f076a0cc3c5c09ed0e4ab026973c563740ac9bb010a5
Instruction Fuzzy Hash: 8C018C7192071ADBDB00DFB4C4C568EBBB4BF14318F50819ED9106B681EB7CAB15DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBDCB2 Relevance: 3.0, APIs: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBDCB9
DeleteCriticalSection.KERNEL32(?,00000004,00000001,?,00000008,6BCBC66B,?,?,?,?,?,?,00000001,?,?,00000001), ref: 6BCBDCDB

Part of subcall function 6BCBE626: __EH_prolog3.LIBCMT ref: 6BCBE62D
Part of subcall function 6BCBE626: DeleteCriticalSection.KERNEL32(00000738,00000008,6BCBDCF6), ref: 6BCBE687

Part of subcall function 6BCB69E7: _free.LIBCMT ref: 6BCB6A0F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CriticalDeleteH_prolog3Section$_free
String ID:
API String ID: 882618174-0
Opcode ID: 4dd305957b753e910c2387d3330430383496decbe74e61e962549a6b3bc6fd63
Instruction ID: ce9f5451f7c28e92785fde55abf2c240809bddb0c1769c009ddbc10ca73cc1bb
Opcode Fuzzy Hash: 4dd305957b753e910c2387d3330430383496decbe74e61e962549a6b3bc6fd63
Instruction Fuzzy Hash: 2A11FA74520A87EADB08DBB4C546BCCFB61BF25308F908298C55853640EF7CB729DB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC87A6 Relevance: 3.0, APIs: 2, Instructions: 38registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000034,00000000,00000001,00000000,00000000,00000034,?,?,6BC84651,00000034,00000034,00000000), ref: 6BCC87D5
RegCloseKey.ADVAPI32(?,?,?,6BC84651,00000034,00000034,00000000), ref: 6BCC87E6

Part of subcall function 6BCC8740: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,6BCC87CB,00000000,00000034,00000001,00000000,00000000,00000034,?,?,6BC84651,00000034,00000034,00000000), ref: 6BCC8751
Part of subcall function 6BCC8740: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6BCC8761

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID:
API String ID: 823179699-0
Opcode ID: 488870381442c72cd856d4e386d3ce439eeb93565c0beb35272595fc411ccc35
Instruction ID: ecb93073cae64a96af06efb009470a3cdb07f0155d3febe090c1c0870ac779fb
Opcode Fuzzy Hash: 488870381442c72cd856d4e386d3ce439eeb93565c0beb35272595fc411ccc35
Instruction Fuzzy Hash: ADF04976522215FFEB058F85C885FABBB78FF50756F208059F815A6140E739DB20CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8C649 Relevance: 3.0, APIs: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8C650
#6.OLEAUT32(?,00000000,6BC8CF82,?,?,00000000,?,?,?,6BC94012,6BC68F4C,?,?,?,ActionTable), ref: 6BC8C673

Part of subcall function 6BC8973D: __EH_prolog3.LIBCMT ref: 6BC89744

Part of subcall function 6BC83AAF: __EH_prolog3.LIBCMT ref: 6BC83AB6

Part of subcall function 6BC81B6D: __EH_prolog3.LIBCMT ref: 6BC81B74

Part of subcall function 6BC8631F: CloseHandle.KERNEL32(00000000,?,6BC8C6FA,?,?,6BC94012,6BC68F4C,?,?,?,ActionTable,?,?,?,RepairOverride), ref: 6BC8632C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CloseHandle
String ID:
API String ID: 603388062-0
Opcode ID: 81e0251ce3aed2a3a7ec03db275beace11a6a70ac297004be6c6de6cff110d65
Instruction ID: 5f1b939d4b225f3c1a176a4059420ef1dad0f96f91c34d1eb10bc8266098fce0
Opcode Fuzzy Hash: 81e0251ce3aed2a3a7ec03db275beace11a6a70ac297004be6c6de6cff110d65
Instruction Fuzzy Hash: 1A112174020B41CADB24DF74C456B9EBBE0BF25288F40485DD5DA17251FB786B48DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BC94E7F Relevance: 3.0, APIs: 2, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6BC94E08,00000000,0000000C,6BC96BDA,00000000,?), ref: 6BC94E8C
LoadLibraryW.KERNELBASE(?,?,?,6BC94E08,00000000,0000000C,6BC96BDA,00000000,?), ref: 6BC94EA4

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Library$FreeLoad
String ID:
API String ID: 534179979-0
Opcode ID: 194c0d47c641cec78f4b0ab8905726fbd23542345df9d54de31d7100de8401e5
Instruction ID: 00ca025a4729a25e96420f5b51965016fcf2d1eee46db73f0cb45b980c0f613b
Opcode Fuzzy Hash: 194c0d47c641cec78f4b0ab8905726fbd23542345df9d54de31d7100de8401e5
Instruction Fuzzy Hash: 9AE0C2372007009BDB20DF69D408A47B7F8EF81B02B008829F42AD3900DB31F620CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC8B85 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

#149.OLEAUT32(00000000,6BCA4F56,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6BCC8B8C
#150.OLEAUT32(?,00000000,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,00000000,?,?,ParameterInfo.xml), ref: 6BCC8B95

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: #149#150
String ID:
API String ID: 1020524059-0
Opcode ID: 8d5c088a91b4754aea746fe944f07f8fced9d3430ab1f220c0c493a4f24b112c
Instruction ID: 4d9324536d4e7dbe62ea638a10febe5dfaaad739d7d002cee574ec4c223d1b1d
Opcode Fuzzy Hash: 8d5c088a91b4754aea746fe944f07f8fced9d3430ab1f220c0c493a4f24b112c
Instruction Fuzzy Hash: A4D017B1111212EBEB101F788C28F3777B8AF11644B100898B990E1110F738C690CB15

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA3D88 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,6BCB2C15), ref: 6BCA3D94
FindCloseChangeNotification.KERNELBASE(?), ref: 6BCA3DAB

Part of subcall function 6BCC8CF4: GetLastError.KERNEL32(6BC78130,6BC7AA1A,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 6BCC8CF4

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: BuffersChangeCloseErrorFileFindFlushLastNotification
String ID:
API String ID: 4236133906-0
Opcode ID: ff7e475e307ac330989dddf94262d6ccf749026315b432da14312efe57f85375
Instruction ID: 3660fcc276b49a3e92492df2389bdbdb5c0e78e3210cc0f72ef1ba13026939dc
Opcode Fuzzy Hash: ff7e475e307ac330989dddf94262d6ccf749026315b432da14312efe57f85375
Instruction Fuzzy Hash: 4BD012329217518BEB709F34D50E75376F5BF80316F010D48A852D6440E778EA148654

Uniqueness

Uniqueness Score: -1.00%

Function 00042915 Relevance: 3.0, APIs: 2, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 0004291C
Run.SETUPENGINE ref: 00042922

Memory Dump Source

Source File: 00000006.00000002.2765895024.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true

Associated: 00000006.00000002.2765858720.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2765924709.0000000000048000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2765957201.000000000004A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40000_Setup.jbxd

Similarity

API ID: HeapInformation
String ID:
API String ID: 3918721486-0
Opcode ID: 1900a73cc285783fba82e8c7953f8488eb82a9f6f60ed6f421860aa3d57af962
Instruction ID: 2e8533ce931ee767872bcafaa86fe20aa3d8d2ed4327793ff5fcc81c2cee906f
Opcode Fuzzy Hash: 1900a73cc285783fba82e8c7953f8488eb82a9f6f60ed6f421860aa3d57af962
Instruction Fuzzy Hash: 8CB092F45601406EFA105760AE0CFB62A1CE701342F000811B806C00A4C6E848C08524

Uniqueness

Uniqueness Score: -1.00%

Function 00042C43 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 00042C4B

Part of subcall function 00042C13: GetModuleHandleW.KERNEL32(mscoree.dll,?,00042C50,?,?,00046144,000000FF,0000001E,00000001,00000000,00000000,?,00044F49,?,00000001,?), ref: 00042C1D
Part of subcall function 00042C13: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00042C2D

ExitProcess.KERNEL32 ref: 00042C54

Memory Dump Source

Source File: 00000006.00000002.2765895024.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true

Associated: 00000006.00000002.2765858720.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2765924709.0000000000048000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2765957201.000000000004A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40000_Setup.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 8a1d1e112053f24e6f8a6c475fff2ee2ab2b3a1d4f638d490b27f882f7b30455
Instruction ID: 33d64b9721bfafa28e83c2e2fd8f5e0eb7602406754386bce7154d51527c128b
Opcode Fuzzy Hash: 8a1d1e112053f24e6f8a6c475fff2ee2ab2b3a1d4f638d490b27f882f7b30455
Instruction Fuzzy Hash: 7AB09275000148BFDB212F12DD0E8DD7F6AEB813A0B504021F8180A032DFB2AEE29AC8

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA82BA Relevance: 2.5, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,6BCAFAA0,-00000960,?,?,6BCA816E,-00000960,6BC6A78C,-00000960,6BC6A78C,00000000), ref: 6BCA82D9
MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,6BCAFAA0,-00000960,?,?,6BCA816E,-00000960,6BC6A78C,-00000960,6BC6A78C), ref: 6BCA82FA

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 89dabef5e46a9200a4688af3ed4982c35aabb2594a9a1c386f57fe91fc180bb8
Instruction ID: b5812601d2e54fb8827f6663ed727ce2a0a5b691ebc3ca2804aa613077dd1285
Opcode Fuzzy Hash: 89dabef5e46a9200a4688af3ed4982c35aabb2594a9a1c386f57fe91fc180bb8
Instruction Fuzzy Hash: 85F02432215125BBC7125A9B8C44EEFBF2CFB86B70F104201F928670809B74AB0287B5

Uniqueness

Uniqueness Score: -1.00%

Function 6BC98534 Relevance: 1.9, APIs: 1, Instructions: 412COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC9853E

Part of subcall function 6BC75D87: __EH_prolog3.LIBCMT ref: 6BC75D8E
Part of subcall function 6BC75D87: GetModuleFileNameW.KERNEL32(6BC50000,00000010,00000104,?,6BCA80D8,00000000), ref: 6BC75DDB

Part of subcall function 6BC9220D: __EH_prolog3.LIBCMT ref: 6BC92214
Part of subcall function 6BC9220D: __CxxThrowException@8.LIBCMT ref: 6BC9229B

Part of subcall function 6BC8958D: __EH_prolog3.LIBCMT ref: 6BC89594
Part of subcall function 6BC8958D: PathFileExistsW.SHLWAPI(00000000,?,?,?), ref: 6BC89637

Part of subcall function 6BCD6C45: PMDtoOffset.LIBCMT ref: 6BCD6D19
Part of subcall function 6BCD6C45: std::bad_exception::bad_exception.LIBCMT ref: 6BCD6D43
Part of subcall function 6BCD6C45: __CxxThrowException@8.LIBCMT ref: 6BCD6D51

Part of subcall function 6BC98A66: __EH_prolog3.LIBCMT ref: 6BC98A6D

Part of subcall function 6BCA8C46: PathCombineW.SHLWAPI(?,6BCA80D8,?,75923340,?,6BC779B9,00000000,DW\DW20.exe,?,?,6BCA80D8,00000000), ref: 6BCA8C73

Part of subcall function 6BCAB195: __EH_prolog3.LIBCMT ref: 6BCAB19C
Part of subcall function 6BCAB195: __recalloc.LIBCMT ref: 6BCAB1E7

Part of subcall function 6BCAB0AF: __recalloc.LIBCMT ref: 6BCAB0ED

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8FilePathThrow__recalloc$CombineExistsModuleNameOffsetstd::bad_exception::bad_exception
String ID:
API String ID: 1089964648-0
Opcode ID: 096e8e70ff7814708df8c8e6a4483727f570d7e18f4d626756308b39e881ed68
Instruction ID: 9c7c2e5ee56c5618a0ca036c79f34cd67a85dd48d18f7bb56e50fe1ffb1f6d80
Opcode Fuzzy Hash: 096e8e70ff7814708df8c8e6a4483727f570d7e18f4d626756308b39e881ed68
Instruction Fuzzy Hash: 0CF18A71D1025AEFCF01DFB4C885ADEBBB5AF09318F104594E814BB242E739AB45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC93F84 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC93F8B

Part of subcall function 6BC82764: __EH_prolog3.LIBCMT ref: 6BC8276B

Part of subcall function 6BC94C9F: __EH_prolog3.LIBCMT ref: 6BC94CA6

Part of subcall function 6BC91DC1: __EH_prolog3.LIBCMT ref: 6BC91DC8

Part of subcall function 6BC93D91: _calloc.LIBCMT ref: 6BC93DB7

Part of subcall function 6BCC7BF4: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,6BCB1468,?,00000010,6BC85A52,?,?,?,0000004C,6BCBB83A,?,?,?), ref: 6BCC7BFF

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$ExceptionRaise_calloc
String ID:
API String ID: 1540488672-0
Opcode ID: 98cfd2ff6d097d3690c3c9a1b0ad7e19274b176f62fd38d6f049e2bb9d88d167
Instruction ID: 6ed6d7782f4207b28fcacaec1223f8d22ebc264bd5985a37950f035c033c93f2
Opcode Fuzzy Hash: 98cfd2ff6d097d3690c3c9a1b0ad7e19274b176f62fd38d6f049e2bb9d88d167
Instruction Fuzzy Hash: 86513B7191124ADFDF10CF68C585ADABBF4BF09308F0584AADD59AF202E774AA05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA7644 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA764B

Part of subcall function 6BCCC44A: _malloc.LIBCMT ref: 6BCCC464

Part of subcall function 6BCA9F6A: GetTickCount.KERNEL32 ref: 6BCA9F85
Part of subcall function 6BCA9F6A: GetTickCount.KERNEL32 ref: 6BCA9FC0
Part of subcall function 6BCA9F6A: __time64.LIBCMT ref: 6BCA9FC6
Part of subcall function 6BCA9F6A: InitializeCriticalSection.KERNEL32(00000040,?,6BCA76C0,?), ref: 6BCA9FD6

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CountTick$CriticalH_prolog3InitializeSection__time64_malloc
String ID:
API String ID: 349597444-0
Opcode ID: edba31944ae6703252efa465ad1e786cd68b09b0b375cc0226c307a5430f54d8
Instruction ID: 51b3631ef2bbd7280878acf76303cb877c3bbe2b10bca7a4bfcd1583de86578d
Opcode Fuzzy Hash: edba31944ae6703252efa465ad1e786cd68b09b0b375cc0226c307a5430f54d8
Instruction Fuzzy Hash: 6C51A974610606DFDB04DF78C885A6E7BB0FF49320B0085A9F916DB3A1EB38EA01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6BC859F6 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC859FD

Part of subcall function 6BC856B9: #6.OLEAUT32(?,?,?,?,?,UiInfo.xml,?,?,?,-00000960,?,?,0000074C,?,ParameterInfo.xml,?), ref: 6BC857A0
Part of subcall function 6BC856B9: #6.OLEAUT32(?,?,?,?,?,UiInfo.xml,?,?,?,-00000960,?,?,0000074C,?,ParameterInfo.xml,?), ref: 6BC857AF
Part of subcall function 6BC856B9: #6.OLEAUT32(?,?,6BC6A78C,?,?,?,UiInfo.xml,?,?,?,-00000960,?,?,0000074C,?,ParameterInfo.xml), ref: 6BC857DD

Part of subcall function 6BCB13E2: __EH_prolog3.LIBCMT ref: 6BCB13E9
Part of subcall function 6BCB13E2: _free.LIBCMT ref: 6BCB1448

Part of subcall function 6BCAAF24: __recalloc.LIBCMT ref: 6BCAAF35

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$__recalloc_free
String ID:
API String ID: 2107563897-0
Opcode ID: 193b601689112985b76202e9e9c2a63ac471158cdfad8505d131ed0380234dcd
Instruction ID: 19f57285f9a02f75f54077142eafacfe52eb0b3d2468e4f8016715a5099e721f
Opcode Fuzzy Hash: 193b601689112985b76202e9e9c2a63ac471158cdfad8505d131ed0380234dcd
Instruction Fuzzy Hash: 1B5139B0D2120A9FCB00CFA8C4C1A9EBBF0BF19348F10455ED519AB241F7789B45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC95450 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 6BC95471

Part of subcall function 6BCAB439: __EH_prolog3.LIBCMT ref: 6BCAB440
Part of subcall function 6BCAB439: __recalloc.LIBCMT ref: 6BCAB488

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3__recalloc_calloc
String ID:
API String ID: 2338097913-0
Opcode ID: 4579ce2226c9b12ffe33fab36d27c5787e41185e0ea6721bd9b8998c2186b43d
Instruction ID: a01391e93bb5b75bcfca2f1971c3f4167ba3927026491f0d73a3ea9f24b80fed
Opcode Fuzzy Hash: 4579ce2226c9b12ffe33fab36d27c5787e41185e0ea6721bd9b8998c2186b43d
Instruction Fuzzy Hash: 9C116175A11306AFE750DFA9E9C290AF7E8EF44256720846EE269D3600F774EE508B90

Uniqueness

Uniqueness Score: -1.00%

Function 6BC91DC1 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC91DC8

Part of subcall function 6BCC7BF4: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,6BCB1468,?,00000010,6BC85A52,?,?,?,0000004C,6BCBB83A,?,?,?), ref: 6BCC7BFF

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ExceptionH_prolog3Raise
String ID:
API String ID: 741760457-0
Opcode ID: d06f65e338ad160ea8cf5659632171a50e686847fdaed4bb176e93d2425ed9e6
Instruction ID: 1c10e77c3f6657b2e0b003c738663d8cd10c2c62324c0663fc0151b398a0042f
Opcode Fuzzy Hash: d06f65e338ad160ea8cf5659632171a50e686847fdaed4bb176e93d2425ed9e6
Instruction Fuzzy Hash: A22144B491064AEFDB08CF68D0A5869FBF1FF59300721C89ED4598BB21E730EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAB229 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 6BCAB24C

Part of subcall function 6BCAB2A3: __EH_prolog3.LIBCMT ref: 6BCAB2AA
Part of subcall function 6BCAB2A3: __recalloc.LIBCMT ref: 6BCAB2F5

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3__recalloc_calloc
String ID:
API String ID: 2338097913-0
Opcode ID: d996a72379d8161f0a0138cbef90f8d4ec267c313d9d859823cdef306befe821
Instruction ID: 6e99f14916471bbc2f51470a856a41bf41f87c71ab3b5e79721f04b4001add4c
Opcode Fuzzy Hash: d996a72379d8161f0a0138cbef90f8d4ec267c313d9d859823cdef306befe821
Instruction Fuzzy Hash: 72015771A1420AABEB14CFA9C591B4EB7F8EF04346F20866EE019D3200E738EA418B14

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB37ED Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 6BCB6B52: __EH_prolog3.LIBCMT ref: 6BCB6B59
Part of subcall function 6BCB6B52: GetCommandLineW.KERNEL32(00000024,6BCB3802,00000000,?,?,?,?,6BCB1405,?,00000010,6BC85A52,?,?,?,0000004C,6BCBB83A), ref: 6BCB6B60
Part of subcall function 6BCB6B52: GetUserDefaultUILanguage.KERNEL32(00000738,00000000,00000000,?,?,?,6BCB1405,?,00000010,6BC85A52,?,?,?,0000004C,6BCBB83A,?), ref: 6BCB6B9C

Part of subcall function 6BCB6BEF: __EH_prolog3.LIBCMT ref: 6BCB6BF6
Part of subcall function 6BCB6BEF: CoInitialize.OLE32(00000000,?,?,?,?,UiInfo.xml,?,00000000,00000044,6BCB380B,-00000960,?,00000000,?), ref: 6BCB6C4A
Part of subcall function 6BCB6BEF: CoCreateInstance.OLE32(6BC6A974,00000000,00000017,6BC6A9A4,6BCAFAA0,?,?,?,UiInfo.xml,?,00000000,00000044,6BCB380B,-00000960,?,00000000), ref: 6BCB6C68

GetUserDefaultUILanguage.KERNEL32(-00000960,?,00000000,?,?,?,?,6BCB1405,?,00000010,6BC85A52,?,?,?,0000004C,6BCBB83A), ref: 6BCB380B

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: DefaultH_prolog3LanguageUser$CommandCreateInitializeInstanceLine
String ID:
API String ID: 4049621043-0
Opcode ID: e5f22671e4d531e8be2a431e16adbb1d15dfc360fd3550ede4119d530c88c077
Instruction ID: e206bb191fe664971c4429987dde69fd1b65916619460b42bb2ddcc0a0e07cb9
Opcode Fuzzy Hash: e5f22671e4d531e8be2a431e16adbb1d15dfc360fd3550ede4119d530c88c077
Instruction Fuzzy Hash: 8B01A1715216455BA3208F79C88085EB3A5EFC5374B20877EE979862D0F739DE018B72

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD127A Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6BCCDB17,6BCCC469,?,00000000,00000000,00000000,?,6BCCD71E,00000001,00000214,?,6BCA80D8), ref: 6BCD12BD

Part of subcall function 6BCCC0C9: __getptd_noexit.LIBCMT ref: 6BCCC0C9

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 9d4f8a7c23434e74b8f782ff74f7ae112220e2a61ff46973b0864c1e51e454e2
Instruction ID: 3a6a95b60c7899df075431ad89d7462ed7a6a3c5d2900bc2915a7cc1f38e5d5f
Opcode Fuzzy Hash: 9d4f8a7c23434e74b8f782ff74f7ae112220e2a61ff46973b0864c1e51e454e2
Instruction Fuzzy Hash: 3E012839A222359BEB188EBECC54B5733E8AB82332F014559EA15CB180F739C600C340

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB04EF Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB04F6

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7C985: __EH_prolog3_catch_GS.LIBCMT ref: 6BC7C98C
Part of subcall function 6BC7C985: __CxxThrowException@8.LIBCMT ref: 6BC7C9E1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8H_prolog3_catch_Throw
String ID:
API String ID: 2285297229-0
Opcode ID: e123de78358742c3df0bfedf0666cb99a189a79d29f6b5f83618b5c7ed32b966
Instruction ID: 413dd2bbf71b839e5dee2b369d677b21042c059e8044482afed395b439079b22
Opcode Fuzzy Hash: e123de78358742c3df0bfedf0666cb99a189a79d29f6b5f83618b5c7ed32b966
Instruction Fuzzy Hash: 36118C70D10219DFCF00CFA4C884E9EB7B4BF19355F104256E120AB291E3789B05DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7BE72 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7BE79

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 9286465543d688e68d29f33a9f94483d2f5935f5221178531949120de4c258d3
Instruction ID: 39b5b5d4f3835499a6b950b4a8f3fdb5040978d2386da8ec364ed7937398f360
Opcode Fuzzy Hash: 9286465543d688e68d29f33a9f94483d2f5935f5221178531949120de4c258d3
Instruction Fuzzy Hash: 32113C70A21214EFCF11EFA8C89599D7BA8AF48714B1081A9F519DB390D778DB41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC8FCA Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6BCC9010

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: 155230ef79ce4b5ea44fa73b64760e063800a91934b4b039c1f196e0b24ee9cd
Instruction ID: 861e5d29906b1811b3104ecbbb76353e98c6014a4b719102c7a041e9aea714cd
Opcode Fuzzy Hash: 155230ef79ce4b5ea44fa73b64760e063800a91934b4b039c1f196e0b24ee9cd
Instruction Fuzzy Hash: 40011A76610204AFC711DFA8C885C9AB7B9FF49354711896AE915CB311EB74EE05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7A21F Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BC7A226

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 3f093dd476250031284c9ee13e2717f8eeeaffe4bf1d3119f0c2b40471cecfc8
Instruction ID: 3c7b594255398104250e7ecf9acb05241236193bb794ad093c1effedd2fb261c
Opcode Fuzzy Hash: 3f093dd476250031284c9ee13e2717f8eeeaffe4bf1d3119f0c2b40471cecfc8
Instruction Fuzzy Hash: A4F06274A21305EBDB14DFA8C805B4D3BA6BF89351F2081A8B818DB390DB79DB01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6BC780E5 Relevance: 1.5, APIs: 1, Instructions: 32fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,00000000,?,00000000,00000001,?,6BC7AA1A,?,80000000,00000001,00000003,00000080,00000000), ref: 6BC7811F

Part of subcall function 6BCC8D0E: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6BC78109,?,?,?,?,00000000,?,00000001,?,6BC7AA1A,?,80000000,00000001), ref: 6BCC8D1F
Part of subcall function 6BCC8D0E: GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6BCC8D2F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID:
API String ID: 2580138172-0
Opcode ID: 1badb2d53c5e3d98754e5f7b6bce633809c35f66e7b49e0f60d726ea7cb07a24
Instruction ID: 8a5780662751f2086f0569e5a6eea407289c7e4abc2a73cac00144e21be21390
Opcode Fuzzy Hash: 1badb2d53c5e3d98754e5f7b6bce633809c35f66e7b49e0f60d726ea7cb07a24
Instruction Fuzzy Hash: CFF0AF3242111ABBCF22AFA5DD01DDA3F26FF19760F118121FA2465460E33AD672AB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC4F48 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCC4F4F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: f15e832a27afb72bcf1eb2f5a622964e3a895d741ba11c9c13ca267aa88f74a3
Instruction ID: 52ec31056ebd84791360a5b3596d37779c9ff885e8ddb19e6ab46ee1338675e7
Opcode Fuzzy Hash: f15e832a27afb72bcf1eb2f5a622964e3a895d741ba11c9c13ca267aa88f74a3
Instruction Fuzzy Hash: 2101E4B4610B00AFDB20CF25C481B1ABBF1FF48314F008A1DE55A8B740E379EA51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BC79E69 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BC79E70

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 73fd96aac7ca438b5fd6404e315a92de24efd5c09aa9547edf9921d29520404a
Instruction ID: a318b3b2a834479e53b3a879ad75d90a804669dab8eefa61df950d3153852a44
Opcode Fuzzy Hash: 73fd96aac7ca438b5fd6404e315a92de24efd5c09aa9547edf9921d29520404a
Instruction Fuzzy Hash: 2CF06D34611208EBDB10DF68C805B8D3BA5AF05324F2481A8B808EB381DB79EF01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC2669 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCC2670

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 4610337754783a363dcc71a80ac11cda3793b39adfe283e0e34099f4f7b71d12
Instruction ID: 5e2eec933f3e4cbbcc7dcf27dd2d8789a7387b8325a0902406e77fb91e27c320
Opcode Fuzzy Hash: 4610337754783a363dcc71a80ac11cda3793b39adfe283e0e34099f4f7b71d12
Instruction Fuzzy Hash: DF01E4B4610B00AFD720CF25C481B1ABBF1FF48314F108A1DE55A8B740E338EA51DB94

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8ECF0 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8ECF7

Part of subcall function 6BC8A6A5: __EH_prolog3.LIBCMT ref: 6BC8A6AC

Part of subcall function 6BCAB229: _calloc.LIBCMT ref: 6BCAB24C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$_calloc
String ID:
API String ID: 1582800193-0
Opcode ID: c9ce6dd05b2cbc0355eff4c501b6a82b82f34fe8fad355ff403fb3a3cb610d99
Instruction ID: a794fd2b9b970f2a3fe1c3ad2f00079b9435a4fd6b741532584cb5fb3d6f3960
Opcode Fuzzy Hash: c9ce6dd05b2cbc0355eff4c501b6a82b82f34fe8fad355ff403fb3a3cb610d99
Instruction Fuzzy Hash: A50108B0920606EBD704CF20D8C6BC9FA60BB0D3C4F108619CA185B201F7BA6365DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA5133 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA513A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: ad677b21ab2f75b862cd72959be87f8907fb44506d5ec9459866395f24001b68
Instruction ID: cce69b10961c5875696e16cce96c92313af932419fc8f8335d9088cae8e1af51
Opcode Fuzzy Hash: ad677b21ab2f75b862cd72959be87f8907fb44506d5ec9459866395f24001b68
Instruction Fuzzy Hash: A1F0BE32A6114AAECF01DBB4C4227EC7B606F1234DF04818096543B2A1E7799B0997A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC94173 Relevance: 1.5, APIs: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC9417A

Part of subcall function 6BC94CFE: __EH_prolog3.LIBCMT ref: 6BC94D05

Part of subcall function 6BC86369: __EH_prolog3.LIBCMT ref: 6BC86370
Part of subcall function 6BC86369: _free.LIBCMT ref: 6BC863B3

Part of subcall function 6BC81B6D: __EH_prolog3.LIBCMT ref: 6BC81B74

Part of subcall function 6BC94C5C: __EH_prolog3.LIBCMT ref: 6BC94C63

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$_free
String ID:
API String ID: 1395095407-0
Opcode ID: 6d6b8006a8924a79ed664693fe7e556f87a1ef34ade8e6a33ac61fe1f38248c1
Instruction ID: 28270d9226d8529b85a3712701e399ca4515e57c2f741c7e76d894b1420f458e
Opcode Fuzzy Hash: 6d6b8006a8924a79ed664693fe7e556f87a1ef34ade8e6a33ac61fe1f38248c1
Instruction Fuzzy Hash: C8F0CD75820790CEDB20EBB4C8027CDBBA0AF14308F40894DD5AA13280FBBC2709DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BC77CB6 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC77CBD

Part of subcall function 6BC77D30: __EH_prolog3.LIBCMT ref: 6BC77D37

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 619db3f9b603af34fd3d234563c228db3423459c19b15dba8c11476c5586ce91
Instruction ID: 814aead791b3cb4e6cd22a510e01dec2a5466128d17cda8c32b74fd1349d1624
Opcode Fuzzy Hash: 619db3f9b603af34fd3d234563c228db3423459c19b15dba8c11476c5586ce91
Instruction Fuzzy Hash: 2BF03074761606EADB4CCF3488417EAF6A2BF88308F01423E912DD7341EB356611DB84

Uniqueness

Uniqueness Score: -1.00%

Function 6BC73A0D Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC73A14

Part of subcall function 6BCC90F9: _vwprintf.LIBCMT ref: 6BCC913F
Part of subcall function 6BCC90F9: _vswprintf_s.LIBCMT ref: 6BCC9164

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3_vswprintf_s_vwprintf
String ID:
API String ID: 3682816334-0
Opcode ID: ca94641469dcfd0c8885bab87be62c7cf459fd29badc1678b5096f38e1710abe
Instruction ID: 2cad252a23f10262f96909c2ae1f0743f289ffd2b740a7321ef48a0f8d8c4a99
Opcode Fuzzy Hash: ca94641469dcfd0c8885bab87be62c7cf459fd29badc1678b5096f38e1710abe
Instruction Fuzzy Hash: 7EF01C7452010ADFDF00DFA0C849AAE77BAFF44319F048455E5549B251EB789B05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BC78171 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000,?,?,?,6BC7AA5A,?,00000000,00000000,00000002,?,80000000,00000001,00000003), ref: 6BC78191

Part of subcall function 6BCC8CF4: GetLastError.KERNEL32(6BC78130,6BC7AA1A,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 6BCC8CF4

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: f7a594050740ad3726224ade2918bd6f6de36f816a6002dacc648b1127d94c73
Instruction ID: 00dfe35a9dab900a1c3bab3c55d663294d7aa387ae978190383976806cc6a488
Opcode Fuzzy Hash: f7a594050740ad3726224ade2918bd6f6de36f816a6002dacc648b1127d94c73
Instruction Fuzzy Hash: A7E0ED76520108AF9B04DFA5CC45D9F7BB9EB49314B104659BA25D2290E774DA109B21

Uniqueness

Uniqueness Score: -1.00%

Function 6BC739BE Relevance: 1.5, APIs: 1, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC739C5

Part of subcall function 6BCA89DF: __EH_prolog3.LIBCMT ref: 6BCA89E6

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: ada0e7b019759b5b298d98ed86eed2dc6183a3885172ce6b648dd79617872998
Instruction ID: eb7228f5b2f95f5d3257c3de13aa54671f7098a1d03598ae5ad0be7234dd680b
Opcode Fuzzy Hash: ada0e7b019759b5b298d98ed86eed2dc6183a3885172ce6b648dd79617872998
Instruction Fuzzy Hash: 7BF0A9B512000ADBCB00DFB8C846B4EF772FF0530DF148200E2105B291EB39AA10DB12

Uniqueness

Uniqueness Score: -1.00%

Function 6BC970A0 Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_0004706B,?,00000000,00000000), ref: 6BC970BA

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 2b85c9306f3d23d61f5fdef08dc8be676232c3c484602c29cfe881db41876cc2
Instruction ID: 55ae7d4acc0bc7985a355e2d38c14fb8975003aeae8586f9c561c93e313bcfbc
Opcode Fuzzy Hash: 2b85c9306f3d23d61f5fdef08dc8be676232c3c484602c29cfe881db41876cc2
Instruction Fuzzy Hash: FED05EB34107147F63209E699C08CB37BDCDA482603008426B918C3200E630EC008BB4

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7397D Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC73984

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 4522307a5bd66bbc843ebf994e99315d46ec7c48a2b395fd0a10acfccf18c263
Instruction ID: 487ff34ec878a24dc9136c5db384f7b61747adb77a54e1a0d94d7f56ff6655d5
Opcode Fuzzy Hash: 4522307a5bd66bbc843ebf994e99315d46ec7c48a2b395fd0a10acfccf18c263
Instruction Fuzzy Hash: 35E01A39610205EBCF018F64C845B8EB7A1BF48310F00C405FA199B250D7799A11EB55

Uniqueness

Uniqueness Score: -1.00%

Function 6BC81B6D Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC81B74

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 8bc1db0d002b3dd975159ee4bb32ec087c42a994a4da9921cac6fb7393ed3f80
Instruction ID: 9c728e2a22e8544867c1b407697dd4347da5915d81edfbff6f86eefce24bdd8d
Opcode Fuzzy Hash: 8bc1db0d002b3dd975159ee4bb32ec087c42a994a4da9921cac6fb7393ed3f80
Instruction Fuzzy Hash: C3E086B46612008FDB109FA8C085B1D77A1AF05705F00455DE2559B640FBB99A00CB41

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA813B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA8142

Part of subcall function 6BCA82BA: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,6BCAFAA0,-00000960,?,?,6BCA816E,-00000960,6BC6A78C,-00000960,6BC6A78C,00000000), ref: 6BCA82D9
Part of subcall function 6BCA82BA: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,00000000,6BCAFAA0,-00000960,?,?,6BCA816E,-00000960,6BC6A78C,-00000960,6BC6A78C), ref: 6BCA82FA

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ByteCharMultiWide$H_prolog3
String ID:
API String ID: 692526729-0
Opcode ID: 54796305699da0a8e9add9ea9b5087f7bd810af920f47d3a4276bf3594d5eb75
Instruction ID: 560903aba00ef743d7a2e4d8f292666f8e58fe803b9d0e70e05c7e5eb38331df
Opcode Fuzzy Hash: 54796305699da0a8e9add9ea9b5087f7bd810af920f47d3a4276bf3594d5eb75
Instruction Fuzzy Hash: 06E0EC35131516ABDF026B708856B8E37236F41359F018151F9446B140E73D5716969A

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7813F Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,6BCA5E48), ref: 6BC78155

Part of subcall function 6BCC8CF4: GetLastError.KERNEL32(6BC78130,6BC7AA1A,?,80000000,00000001,00000003,00000080,00000000,00000000,?,?,?,?,?,00000001), ref: 6BCC8CF4

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: ff99cfe8350d7222e0ec3c9579bee91d57cf795661997fde11ee59077bb3bd65
Instruction ID: 877346197d7c00967eab6a8993409c71624fa02fd8d832b4b006ea31d358f475
Opcode Fuzzy Hash: ff99cfe8350d7222e0ec3c9579bee91d57cf795661997fde11ee59077bb3bd65
Instruction Fuzzy Hash: 5FD01732224248AFEB109FA6CC04E9B3BBDFB55710F004021FE1486010EB36DA20DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA80F9 Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA8100

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: d35da7502c7eceeb5bc99f82d0e811571f9065b0b23dceed20de9fb9402bc453
Instruction ID: b7146ff93e4661c407fc02ed832ee7c8c4477559b296533ffdff13a9d9cd4305
Opcode Fuzzy Hash: d35da7502c7eceeb5bc99f82d0e811571f9065b0b23dceed20de9fb9402bc453
Instruction Fuzzy Hash: BCE0E239231215AADF026B748852B8E3723AF55369F018051FA846B141EB3D5B16A6AA

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8F10A Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8F111

Part of subcall function 6BCCC44A: _malloc.LIBCMT ref: 6BCCC464

Part of subcall function 6BC8ECF0: __EH_prolog3.LIBCMT ref: 6BC8ECF7

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID:
API String ID: 1683881009-0
Opcode ID: 8896d4dd3bfd5be8d939036ceb786930bd80b838b397efa1899e0d8e8ee0dc91
Instruction ID: d3e3bf5312342cbfd5fa0017c464da6f3411a30ddc6ddfe90bdef7ab3f3fe4a0
Opcode Fuzzy Hash: 8896d4dd3bfd5be8d939036ceb786930bd80b838b397efa1899e0d8e8ee0dc91
Instruction Fuzzy Hash: A9D05E65A7034186FF009BF4880776E95A06B0061CF508815D704DA080FBFC8701D111

Uniqueness

Uniqueness Score: -1.00%

Function 6BC80CC5 Relevance: 1.5, APIs: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC80CCC

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 1aa106873e6397d3099e065ec54ce1a4ae1eeaf3c23c43afbd023a7fb0df583f
Instruction ID: a5482bb938fdf46fa781431ec5197e92292911ae59a3df69bbe1c5954e7b21e8
Opcode Fuzzy Hash: 1aa106873e6397d3099e065ec54ce1a4ae1eeaf3c23c43afbd023a7fb0df583f
Instruction Fuzzy Hash: 25E0C2B4621301CFDB108F50C495F5E77B0BF44346F10044EE2518B280E7B90600DB41

Uniqueness

Uniqueness Score: -1.00%

Function 6BC94E51 Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,6BC96CE7,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6BC94E64

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 72c541680c3999a2389ac93cbac17f1659b10392ef99a9b6cfd8d434e44e4896
Instruction ID: 68e5adeeb753b795b9bcc46681245776027199fc8aa24c2d1905d0e2bc4b72cb
Opcode Fuzzy Hash: 72c541680c3999a2389ac93cbac17f1659b10392ef99a9b6cfd8d434e44e4896
Instruction Fuzzy Hash: 8BD0A7324103118BD7204F1DD148A47B7E4AB49311F00481CE4A5D7540DBB4DA40C744

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD5892 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6BCD58A5

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f7af203fd191e90d8e79d38a095065d5f7d5b16dba8045c2201aedcf7a78de74
Instruction ID: 8cdbd2207b6b1fdbc9fa741b2997109394ad47a899fcfc93d33ed71219eee7cc
Opcode Fuzzy Hash: f7af203fd191e90d8e79d38a095065d5f7d5b16dba8045c2201aedcf7a78de74
Instruction Fuzzy Hash: 31C08C36080208FBCB018E40CC49F957F69EB90351F24C060B71C294B0C772D6B1DA94

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA8F6A Relevance: 1.5, APIs: 1, Instructions: 11comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(6BC6A974,00000000,00000017,6BC6A9A4,?,?,6BC7B049,?,0000002C,6BCBD888,?,?,?,?,00000001), ref: 6BCA8F80

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 8f4749e818a02018ef9321f19678d7e3f7497a8fd2de64a53e8c2580833d586c
Instruction ID: 77ebcf4aac0e69d90117f0d0585a053f6b2459083d2d88460786570e9c8604fd
Opcode Fuzzy Hash: 8f4749e818a02018ef9321f19678d7e3f7497a8fd2de64a53e8c2580833d586c
Instruction Fuzzy Hash: 2EC02B3308021CBBC7101DC5DC09FA27F28D7C47D0F220001F318240827979D6209979

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7F275 Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

#6.OLEAUT32(?,?,6BC7F3C4), ref: 6BC7F28A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf30f43b7556cef42c95c52c455d5492d8b057ef09988bc432da825f2d1341f
Instruction ID: 366f1ab57d330274ebaaa65acb8ad7926e5d165e867f12c5a017fb11873c2a5b
Opcode Fuzzy Hash: baf30f43b7556cef42c95c52c455d5492d8b057ef09988bc432da825f2d1341f
Instruction Fuzzy Hash: 0FD0C9F10217128BC7304F05F49AD52BBB0EF862D0329480ED5E507610F6789A858B91

Uniqueness

Uniqueness Score: -1.00%

Function 00042EBE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00042ECA

Part of subcall function 00042D79: __lock.LIBCMT ref: 00042D87
Part of subcall function 00042D79: _DecodePointerInternal@4.SETUP(00046EE8,00000020,00042EEA,?,00000001,00000000,?,00042F39,000000FF,?,00044358,00000011,?,?,000439C3,0000000D), ref: 00042DC3
Part of subcall function 00042D79: _DecodePointerInternal@4.SETUP(?,00042F39,000000FF,?,00044358,00000011,?,?,000439C3,0000000D,?,00042FA5,00000003), ref: 00042DD4
Part of subcall function 00042D79: _DecodePointerInternal@4.SETUP(-00000004,?,00042F39,000000FF,?,00044358,00000011,?,?,000439C3,0000000D,?,00042FA5,00000003), ref: 00042DFA
Part of subcall function 00042D79: _DecodePointerInternal@4.SETUP(?,00042F39,000000FF,?,00044358,00000011,?,?,000439C3,0000000D,?,00042FA5,00000003), ref: 00042E0D
Part of subcall function 00042D79: _DecodePointerInternal@4.SETUP(?,00042F39,000000FF,?,00044358,00000011,?,?,000439C3,0000000D,?,00042FA5,00000003), ref: 00042E17

Memory Dump Source

Source File: 00000006.00000002.2765895024.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true

Associated: 00000006.00000002.2765858720.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2765924709.0000000000048000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.2765957201.000000000004A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40000_Setup.jbxd

Similarity

API ID: DecodeInternal@4Pointer$__lock_doexit
String ID:
API String ID: 2547502318-0
Opcode ID: de040e4b3af3e3fd7ea996bf6568ec0e03965820b0d039836c69a1d868c49cad
Instruction ID: 4827ce7f0d053e4181dbd20258fc3746589848a9dc96f150a386625b382fc828
Opcode Fuzzy Hash: de040e4b3af3e3fd7ea996bf6568ec0e03965820b0d039836c69a1d868c49cad
Instruction Fuzzy Hash: 82B01273A8030C33DA212546EC03F863F0D87C1B60F640030FA0C1D1E2A9E3B96180CD

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD5876 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 6BCD5883

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 30cd01837a7c0295097eed5d8b956b80b5775cdaa527bedf1f810b2cb6434927
Instruction ID: 924b989f5bc9d42d4fcb68faf319819629b3609b3a78cc6f69f668d798d20620
Opcode Fuzzy Hash: 30cd01837a7c0295097eed5d8b956b80b5775cdaa527bedf1f810b2cb6434927
Instruction Fuzzy Hash: 01C09B37040108BBCB111E45DC09F45BFA9D795751F14C051F608154628773D531D694

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9CE1C Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

#88.MSI(?,?), ref: 6BC9CE27

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1adfb482bd12e3e4a3ab5e6d6cc0b039f087d7b48c191129eb90f199b6e059ad
Instruction ID: dbd9530cb13b828ff906423a857f2eb6c6ca84634200a6a0eb88c48050b56d7d
Opcode Fuzzy Hash: 1adfb482bd12e3e4a3ab5e6d6cc0b039f087d7b48c191129eb90f199b6e059ad
Instruction Fuzzy Hash: 4EB0923300024CFBCF015F86EC08C9E7F2AFB95360B688015F929410209B72D930EA50

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7C4F4 Relevance: 1.3, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,6BCAA064,CC4203FA,?,?), ref: 6BC7C515

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7a1b84ba01e2cc86674cf17dba758c9bb5418f31e0010622e36bb46af987a12a
Instruction ID: d14e60d3a1a6b9989b72748dd00b55602a5521b0e4b93517cad989a493cd5e07
Opcode Fuzzy Hash: 7a1b84ba01e2cc86674cf17dba758c9bb5418f31e0010622e36bb46af987a12a
Instruction Fuzzy Hash: E911A5B16517029FE734DF35D516B2BB7E49B00754F10893DE246DA1D0EBB9EA009F44

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC0221 Relevance: 1.3, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6BC91DC1: __EH_prolog3.LIBCMT ref: 6BC91DC8

InitializeCriticalSection.KERNEL32(?,?,-00000960,?,?,?,?,?,?,?,6BCBDBF6,00000001,6BC69230,?,?,00000000), ref: 6BCC0289

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CriticalH_prolog3InitializeSection
String ID:
API String ID: 4173362194-0
Opcode ID: 525f76e549f01ae3bdd9473ceb77b6eeaddbd4dd22ef2eb1722e4080ffda9be9
Instruction ID: 2c2d4d67be218e44a7128db8e667d99356291fd8d4c6b6ba66236c6229f816a0
Opcode Fuzzy Hash: 525f76e549f01ae3bdd9473ceb77b6eeaddbd4dd22ef2eb1722e4080ffda9be9
Instruction Fuzzy Hash: 69015AB2500B09AFCB51CF78C44199ABBF8FF49604B00882EE59AC3700EB34FA04DB20

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9706B Relevance: 1.3, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 6BC9708A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fe7b153a3c3cbaf058fd46f178e275460d627a796c8aed688571f4f84c91dfe3
Instruction ID: 1f1a459895b626cdb81aba34cb39e181f5aa57e3b3144ab3559215f37fb632e0
Opcode Fuzzy Hash: fe7b153a3c3cbaf058fd46f178e275460d627a796c8aed688571f4f84c91dfe3
Instruction Fuzzy Hash: 79E0EC361107149FC720AF65C50ED46BBE9EF45331B00C82AE9AA97A20DB35F810CF50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6BCBCF6E Relevance: 10.5, APIs: 7, Instructions: 34windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBCF75
GetLastError.KERNEL32(00000008,6BCB9664,-00000960,00000000,?,?,?,6BCA73F6,?,%1!s!_%2!04d!%3!02d!%4!02d!_%5!02d!%6!02d!%7!02d!%8!03d!,?,00000002,?,?,?,?), ref: 6BCBCF88
SetLastError.KERNEL32(00000000,?,?,6BCA73F6,?,%1!s!_%2!04d!%3!02d!%4!02d!_%5!02d!%6!02d!%7!02d!%8!03d!,?,00000002,?,?,?,?,?,?), ref: 6BCBCF94
FormatMessageW.KERNEL32(00000500,00000000,00000000,00000000,?,00000000,?,?,?,6BCA73F6,?,%1!s!_%2!04d!%3!02d!%4!02d!_%5!02d!%6!02d!%7!02d!%8!03d!,?,00000002,?,?), ref: 6BCBCFA8
GetLastError.KERNEL32(?,?,6BCA73F6,?,%1!s!_%2!04d!%3!02d!%4!02d!_%5!02d!%6!02d!%7!02d!%8!03d!,?,00000002,?,?,?,?,?,?), ref: 6BCBCFAE
SetLastError.KERNEL32(6BCAFAA0,?,?,6BCA73F6,?,%1!s!_%2!04d!%3!02d!%4!02d!_%5!02d!%6!02d!%7!02d!%8!03d!,?,00000002,?,?,?,?,?,?), ref: 6BCBCFBC
LocalFree.KERNEL32(?,-00000960,?,?,?,6BCA73F6,?,%1!s!_%2!04d!%3!02d!%4!02d!_%5!02d!%6!02d!%7!02d!%8!03d!,?,00000002,?,?,?,?,?,?), ref: 6BCBCFCC

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorLast$FormatFreeH_prolog3LocalMessage
String ID:
API String ID: 69132360-0
Opcode ID: 7ce945051dd90aeb4e35e053a01edb6e276c27af150ffa3036d6e42b72a12c13
Instruction ID: d569e4b9cd9375c1fe4ff14dc78a354e3862046edf107143bd5443a61b386244
Opcode Fuzzy Hash: 7ce945051dd90aeb4e35e053a01edb6e276c27af150ffa3036d6e42b72a12c13
Instruction Fuzzy Hash: 1DF0373282016AAADF019FA5CD0ACAFBB79FF91704B00441AA510A2060EB748F20DB20

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC7C0B Relevance: 4.5, APIs: 3, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

LoadResource.KERNEL32(6BCA80D8,FFFF0000,6BCA80D8,?,6BCA89A0,6BCA80D8,00000000,?,6BCA8965,00000000,FFFF0000,00000000,00000010,6BCAF877,00000001), ref: 6BCC7C19
LockResource.KERNEL32(00000000,6BD08444,?,6BCA89A0,6BCA80D8,00000000,?,6BCA8965,00000000,FFFF0000,00000000,00000010,6BCAF877,00000001), ref: 6BCC7C25
SizeofResource.KERNEL32(6BCA80D8,FFFF0000,?,6BCA89A0,6BCA80D8,00000000,?,6BCA8965,00000000,FFFF0000,00000000,00000010,6BCAF877,00000001), ref: 6BCC7C37

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 565aac176690b7007d717c8d5fa752dc47ccc1d131c84a7f0621607433aedbc1
Instruction ID: 71975e5e2c29f99a8d101a161c3289ab62d146a51af08d8002a85d26c4101022
Opcode Fuzzy Hash: 565aac176690b7007d717c8d5fa752dc47ccc1d131c84a7f0621607433aedbc1
Instruction Fuzzy Hash: 61F0C233660117668F114F2ACC488AB7FA6EAD07A23054022F858D6111F739C660B2A2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9E813 Relevance: 1.5, APIs: 1, Instructions: 12serviceCOMMON

Download Yara Rule

APIs

StartServiceW.ADVAPI32(?,?,?), ref: 6BC9E821

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ServiceStart
String ID:
API String ID: 3589236100-0
Opcode ID: 3ee9e5038606456e476355ca740d58a5fcba4eecedbb4d697a0063f62da4ecdc
Instruction ID: 6391685ae40dcfd812b8ccadef852504d0aa6d22697ecdcbb9c3f2609f516fa9
Opcode Fuzzy Hash: 3ee9e5038606456e476355ca740d58a5fcba4eecedbb4d697a0063f62da4ecdc
Instruction Fuzzy Hash: B2C08C3308424EFBCF014FA6CC09C6A3F2AEBD5320B008510F919C5060CA32C530EB60

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA4B28 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bba099df480d8f4978b993072259ded9981c8681c69027e70a31dcd5c739f83
Instruction ID: 4755aceb426f8c46693ae5a06bc79544394d8401f286081b4397c79812106ead
Opcode Fuzzy Hash: 3bba099df480d8f4978b993072259ded9981c8681c69027e70a31dcd5c739f83
Instruction Fuzzy Hash: 0FA002331486DCD74650198A540EA3777BEE1C26A2A5501A1D514125059972EA21C5E6

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC4EB6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d12445a78e696092390aa9c2655e953ecd7abc8336412b164b354586ad69085
Instruction ID: 1b3df5fc29fabea2a2b66c8384de997473ff5cb140cecca5fcab9ed2d6fce1c2
Opcode Fuzzy Hash: 8d12445a78e696092390aa9c2655e953ecd7abc8336412b164b354586ad69085
Instruction Fuzzy Hash: D9A0023314869CD78650198A540D93277BDE1C26A2A9501A1D51652501A972EA21C5D5

Uniqueness

Uniqueness Score: -1.00%

Function 6BCCD937 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6BCCB1BE,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCCD93F
__mtterm.LIBCMT ref: 6BCCD94B

Part of subcall function 6BCCD5F8: _DecodePointerInternal@4.SETUPENGINE(00000005,6BCCB281,6BCCB267,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCCD609
Part of subcall function 6BCCD5F8: TlsFree.KERNEL32(0000001C,6BCCB281,6BCCB267,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCCD623
Part of subcall function 6BCCD5F8: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6BCCB281,6BCCB267,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCD28C9
Part of subcall function 6BCCD5F8: _free.LIBCMT ref: 6BCD28CC
Part of subcall function 6BCCD5F8: DeleteCriticalSection.KERNEL32(0000001C,?,?,6BCCB281,6BCCB267,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCD28F3

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6BCCD961
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6BCCD96E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6BCCD97B
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6BCCD988
TlsAlloc.KERNEL32(?,?,6BCCB1BE,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCCD9D8
TlsSetValue.KERNEL32(00000000,?,?,6BCCB1BE,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCCD9F3
__init_pointers.LIBCMT ref: 6BCCD9FD
_EncodePointerInternal@4.SETUPENGINE(?,?,6BCCB1BE,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCCDA0E
_EncodePointerInternal@4.SETUPENGINE(?,?,6BCCB1BE,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCCDA1B
_EncodePointerInternal@4.SETUPENGINE(?,?,6BCCB1BE,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCCDA28
_EncodePointerInternal@4.SETUPENGINE(?,?,6BCCB1BE,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCCDA35
_DecodePointerInternal@4.SETUPENGINE(Function_0007D790,?,?,6BCCB1BE,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCCDA56
__calloc_crt.LIBCMT ref: 6BCCDA6B
_DecodePointerInternal@4.SETUPENGINE(00000000,?,?,6BCCB1BE,6BCEBDA0,00000008,6BCCB357,?,?,?,6BCEBDC0,0000000C,6BCCB417,?), ref: 6BCCDA85
GetCurrentThreadId.KERNEL32 ref: 6BCCDA97

Strings

FlsSetValue, xrefs: 6BCCD970
FlsGetValue, xrefs: 6BCCD963
KERNEL32.DLL, xrefs: 6BCCD93A
FlsFree, xrefs: 6BCCD97D
FlsAlloc, xrefs: 6BCCD95B

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Internal@4Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1131704290-3819984048
Opcode ID: 56283480e63ed943659a322f86b847e24447a4fc155a66041237cafce33e9dbb
Instruction ID: 9a555f1668438003c9241550816d5c7fd5e46a172484c3459f48c2eceefa7cf1
Opcode Fuzzy Hash: 56283480e63ed943659a322f86b847e24447a4fc155a66041237cafce33e9dbb
Instruction Fuzzy Hash: 2531A3319E1311AAEF01AF79CC09656BEE4EBA2395710059EE418DF150FF78C251DF62

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8F80D Relevance: 30.2, APIs: 2, Strings: 15, Instructions: 475COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8F814

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

CompressedHashValue, xrefs: 6BC8FCA2
IsPresent, xrefs: 6BC8F87F
Compressed, xrefs: 6BC8FC25
CompressedDownloadSize, xrefs: 6BC8FC64
ParameterInfo.xml, xrefs: 6BC8F7AE, 6BC8FBCC, 6BC8FD36
schema validation failure: ServiceControl does not support RepairOverride or UninstallOverride child elements!, xrefs: 6BC8FBBE
RepairOverride, xrefs: 6BC8FB05
schema validation failure: ServiceControl does not support Compressed attributes!, xrefs: 6BC8FD28
UninstallOverride, xrefs: 6BC8FB43
ApplicableIf, xrefs: 6BC8F8E7
+, xrefs: 6BC8FD66
Name, xrefs: 6BC8FA5A
CustomErrorHandling, xrefs: 6BC8F9B8
EstimatedInstallTime, xrefs: 6BC8F823
ActionTable, xrefs: 6BC8F94F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: +$ActionTable$ApplicableIf$Compressed$CompressedDownloadSize$CompressedHashValue$CustomErrorHandling$EstimatedInstallTime$IsPresent$Name$ParameterInfo.xml$RepairOverride$UninstallOverride$schema validation failure: ServiceControl does not support Compressed attributes!$schema validation failure: ServiceControl does not support RepairOverride or UninstallOverride child elements!
API String ID: 431132790-3507379325
Opcode ID: f0b22e907f3b64fb89b2fedf29cf865e220e7011b549a324b494db974204578d
Instruction ID: fecbb90c5af5229f900e07b245688e06ae8a753a9bec6d7da16727c0b02b72e6
Opcode Fuzzy Hash: f0b22e907f3b64fb89b2fedf29cf865e220e7011b549a324b494db974204578d
Instruction Fuzzy Hash: F7126071920249EFCB04DFA8C945EEEBBB8BF09318F108559F465E7281E7789B05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9999E Relevance: 26.7, APIs: 3, Strings: 12, Instructions: 486COMMON

Download Yara Rule

APIs

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCC91E7: _memcpy_s.LIBCMT ref: 6BCC9238

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Part of subcall function 6BC7397D: __EH_prolog3.LIBCMT ref: 6BC73984

__CxxThrowException@8.LIBCMT ref: 6BC99FEA

Part of subcall function 6BC753AA: __EH_prolog3.LIBCMT ref: 6BC753B1
Part of subcall function 6BC753AA: OutputDebugStringW.KERNEL32(?,?,?,00000008,6BCA6106,000013EC,?,00000000,?,?,ReportingFlags,?,-0000000D,?,?,6BC54A4C), ref: 6BC753D2

#6.OLEAUT32(?), ref: 6BC99DE0

Strings

Exe %s has initiated a restart., xrefs: 6BC99E07
Exe (%s) succeeded (but does not apply to any products on this machine), xrefs: 6BC99E16
%s - Exe installer does not provide a log file name, xrefs: 6BC99C68
complete, xrefs: 6BC999DA
Exe (%s) failed with 0x%x - %s., xrefs: 6BC99DB8
Action, xrefs: 6BC99A82
Exe log file(s) :, xrefs: 6BC99CD2
Performing Action on Exe at , xrefs: 6BC99A5C
Exe %s returned success, but changes will not be effective until the service is restarted., xrefs: 6BC99DF1
Exe (%s) succeeded and requires reboot., xrefs: 6BC99DFC
Exe (%s) succeeded., xrefs: 6BC99E21
PerformOperation on exe returned exit code %u (translates to HRESULT = 0x%x), xrefs: 6BC99F32

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DebugException@8OutputStringThrow_memcpy_s
String ID: complete$%s - Exe installer does not provide a log file name$Action$Exe %s has initiated a restart.$Exe %s returned success, but changes will not be effective until the service is restarted.$Exe (%s) failed with 0x%x - %s.$Exe (%s) succeeded (but does not apply to any products on this machine)$Exe (%s) succeeded and requires reboot.$Exe (%s) succeeded.$Exe log file(s) :$PerformOperation on exe returned exit code %u (translates to HRESULT = 0x%x)$Performing Action on Exe at
API String ID: 1184042123-2724633158
Opcode ID: d56ae346153776d8bf002c2b0b20a2f410b711288d2d5c047edfbc4a48a3bbb6
Instruction ID: da92719bd997da8d0c76f6486b59a4fc5e1ac5547b921dbe64252acc2e7f76dd
Opcode Fuzzy Hash: d56ae346153776d8bf002c2b0b20a2f410b711288d2d5c047edfbc4a48a3bbb6
Instruction Fuzzy Hash: B01278711183419FD720DF68C885B1BBBE5BF89708F044A5DF19597292EB78EA08CB63

Uniqueness

Uniqueness Score: -1.00%

Function 6BC87E77 Relevance: 26.7, APIs: 4, Strings: 11, Instructions: 445COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC87E7E
__CxxThrowException@8.LIBCMT ref: 6BC88008
__EH_prolog3.LIBCMT ref: 6BC8801A
__CxxThrowException@8.LIBCMT ref: 6BC88109

Part of subcall function 6BCC91E7: __CxxThrowException@8.LIBCMT ref: 6BCC91CC
Part of subcall function 6BCC91E7: _memcpy_s.LIBCMT ref: 6BCC9238

Part of subcall function 6BCA854A: __EH_prolog3.LIBCMT ref: 6BCA8551
Part of subcall function 6BCA854A: _wcsspn.LIBCMT ref: 6BCA858D
Part of subcall function 6BCA854A: _wcscspn.LIBCMT ref: 6BCA85A3

Part of subcall function 6BC7845D: __EH_prolog3.LIBCMT ref: 6BC78464

Strings

[%s] - schema validation failure. Environment variable cannot be expanded! Name sould contain minimum of a valid environmental var, xrefs: 6BC87F92
[%s] - schema validation failure. Name sould contain minimum of a valid environmental variable pointing to an installed program to, xrefs: 6BC87FB5
schema validation failure: The InstallCommandLine, UninstallCommandLind and RepairCommandLine of an ExeBase of MsuPackage like , xrefs: 6BC882B6
When Rollback is true for item , xrefs: 6BC88096
schema validation failure: , xrefs: 6BC881CD
", xrefs: 6BC8841D
must be empty., xrefs: 6BC882CB
a valid UninstallCommandLine is required., xrefs: 6BC880AB
schema validation failure. URL, HashValue and DownLoadSize attributes are not valid for LocalExe type like , xrefs: 6BC883CE
ParameterInfo.xml, xrefs: 6BC87FC3, 6BC88086, 6BC881BD, 6BC882A6, 6BC883BE
has invalid LogFileHint, xrefs: 6BC881E2

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw$_memcpy_s_wcscspn_wcsspn
String ID: a valid UninstallCommandLine is required.$ has invalid LogFileHint$ must be empty.$"$ParameterInfo.xml$When Rollback is true for item $[%s] - schema validation failure. Environment variable cannot be expanded! Name sould contain minimum of a valid environmental var$[%s] - schema validation failure. Name sould contain minimum of a valid environmental variable pointing to an installed program to$schema validation failure. URL, HashValue and DownLoadSize attributes are not valid for LocalExe type like $schema validation failure: $schema validation failure: The InstallCommandLine, UninstallCommandLind and RepairCommandLine of an ExeBase of MsuPackage like
API String ID: 773600123-2088432839
Opcode ID: 09fea0e0b903ef8b392ae47230df5412ec5573f8928051a3b1eccc6086cbcfa8
Instruction ID: 6bae7ff7f52a1372031c7f1712212c85c2166889bcb4ffdbd048dc764696f403
Opcode Fuzzy Hash: 09fea0e0b903ef8b392ae47230df5412ec5573f8928051a3b1eccc6086cbcfa8
Instruction Fuzzy Hash: 6402A072920249DBDB01DBF8C845FDEBBB4AF1531CF148255E560B7281E778AB448B72

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9A2EA Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 333COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC9A32F

Part of subcall function 6BCA8D2E: PathRemoveFileSpecW.SHLWAPI(00000000,2006C750,00000010,80004005,6BC75E00,6BCAF877,00000010,?,6BCA80D8,00000000), ref: 6BCA8D3F

Part of subcall function 6BCC91E7: _memcpy_s.LIBCMT ref: 6BCC9238

Part of subcall function 6BCA8D59: PathStripPathW.SHLWAPI(00000000,?,?,6BCBF83A), ref: 6BCA8D69

Part of subcall function 6BCA8D05: PathQuoteSpacesW.SHLWAPI(00000000,?,00000000,6BC9A3B4), ref: 6BCA8D19

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

CloseHandle.KERNEL32(?), ref: 6BC9A4A0
CloseHandle.KERNEL32(?), ref: 6BC9A4AC
GetLastError.KERNEL32 ref: 6BC9A503
#6.OLEAUT32(?), ref: 6BC9A5DA
CloseHandle.KERNEL32(?), ref: 6BC9A620
CloseHandle.KERNEL32(?), ref: 6BC9A62C
GetExitCodeProcess.KERNEL32(?,?), ref: 6BC9A6FF
CloseHandle.KERNEL32(?), ref: 6BC9A754
CloseHandle.KERNEL32(00000000), ref: 6BC9A761

Strings

%s %s, xrefs: 6BC9A3EE
Error launching CreateProcess with command line = , xrefs: 6BC9A523
CreateProcess returned error = , xrefs: 6BC9A590
Launching CreateProcess with command line = , xrefs: 6BC9A41C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CloseHandle$Path$CodeErrorExitFileH_prolog3LastProcessQuoteRemoveSpacesSpecStrip_memcpy_s_memset
String ID: CreateProcess returned error = $%s %s$Error launching CreateProcess with command line = $Launching CreateProcess with command line =
API String ID: 2400787916-3240347213
Opcode ID: c1a74c3dc54a11c17e22a018e42a6ed7040c5eb9d296ded99ae5759685fbe35e
Instruction ID: 383afface66c8ec3ad51b677cbfc13958490959e93643d69d5321be1336a949d
Opcode Fuzzy Hash: c1a74c3dc54a11c17e22a018e42a6ed7040c5eb9d296ded99ae5759685fbe35e
Instruction Fuzzy Hash: 6FD199721183419FC711DF68C885A5BBBE4FF9A328F004A5CF194972A2EB74DA54CB63

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC5F72 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCC5F79
GetLastError.KERNEL32(?,Setup Installer,00000001,00000000,00000000,00000000,?,?,6BCC45A9,00000000,?), ref: 6BCC5FCC

Part of subcall function 6BC774C1: __EH_prolog3.LIBCMT ref: 6BC774C8

GlobalFree.KERNEL32(?), ref: 6BCC5FF3
GlobalFree.KERNEL32(?), ref: 6BCC6000
GlobalFree.KERNEL32(?), ref: 6BCC600D
GlobalFree.KERNEL32(?), ref: 6BCC605C
GlobalFree.KERNEL32(?), ref: 6BCC6069
GlobalFree.KERNEL32(?), ref: 6BCC6076
GlobalFree.KERNEL32(?), ref: 6BCC6099
GlobalFree.KERNEL32(?), ref: 6BCC60A6
GlobalFree.KERNEL32(?), ref: 6BCC60B3

Strings

Unable to retrieve Proxy information although WinHttpGetIEProxyConfigForCurrentUser called succeeded, xrefs: 6BCC6081
Retrieving proxy information using WinHttpGetIEProxyConfigForCurrentUser, xrefs: 6BCC5F85
WinHttpGetIEProxyConfigForCurrentUser, xrefs: 6BCC5FD5

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: FreeGlobal$H_prolog3$ErrorLast
String ID: Retrieving proxy information using WinHttpGetIEProxyConfigForCurrentUser$Unable to retrieve Proxy information although WinHttpGetIEProxyConfigForCurrentUser called succeeded$WinHttpGetIEProxyConfigForCurrentUser
API String ID: 3758970598-3016001025
Opcode ID: 5767bab43c5159b2dbf2bc85d0cfd25ab69e61492bd69fa3cff196b8fdbd19df
Instruction ID: 35b64d7598c69bda5ac8fd8952b6169bdaa6dcbc4cd080ef12e538eaa00e41fe
Opcode Fuzzy Hash: 5767bab43c5159b2dbf2bc85d0cfd25ab69e61492bd69fa3cff196b8fdbd19df
Instruction Fuzzy Hash: BB410831D11A28DBCF019FA4CA449EDFBB1BF58B11F15406AE510B7220E7799A41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8BD7C Relevance: 23.2, APIs: 2, Strings: 11, Instructions: 414COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8BD83

Part of subcall function 6BC81D0A: __EH_prolog3.LIBCMT ref: 6BC81D11
Part of subcall function 6BC81D0A: __CxxThrowException@8.LIBCMT ref: 6BC81DDE

__CxxThrowException@8.LIBCMT ref: 6BC8C0EE

Strings

MSP, xrefs: 6BC8C024
RepairOverride, xrefs: 6BC8C15E
schema validation failure: wrong number of MSP child nodes!, xrefs: 6BC8C08C
schema validation failure: Patch Code cannot be empty!, xrefs: 6BC8C0FB
PatchCode, xrefs: 6BC8BFD0
UninstallOverride, xrefs: 6BC8C19C
ApplicableIf, xrefs: 6BC8BE72
IsPresent, xrefs: 6BC8BE03
schema validation failure: MSP does not support RepairOverride or UninstallOverride child elements!, xrefs: 6BC8C214
(, xrefs: 6BC8C252
ParameterInfo.xml, xrefs: 6BC8C09A, 6BC8C109, 6BC8C222

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: ($ApplicableIf$IsPresent$MSP$ParameterInfo.xml$PatchCode$RepairOverride$UninstallOverride$schema validation failure: MSP does not support RepairOverride or UninstallOverride child elements!$schema validation failure: Patch Code cannot be empty!$schema validation failure: wrong number of MSP child nodes!
API String ID: 3670251406-3439019449
Opcode ID: 463c3610a0b640c547fd299445c4f116078e155b4c324658a1398b027f5f7f7b
Instruction ID: 43844529629b9da2f3e99f5a5c8d62e0c5193859ea2d9eff279d5ea95136d871
Opcode Fuzzy Hash: 463c3610a0b640c547fd299445c4f116078e155b4c324658a1398b027f5f7f7b
Instruction Fuzzy Hash: F202517191024AEFDB04DFA8C945E9EBBB8BF09308F108159F525E7281E7789B15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7E2F2 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 194COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7E2F9

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Part of subcall function 6BCA8A35: __EH_prolog3.LIBCMT ref: 6BCA8A3C

Part of subcall function 6BCA861E: _wcschr.LIBCMT ref: 6BCA8635

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7845D: __EH_prolog3.LIBCMT ref: 6BC78464

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC7E533

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

schema validation error: , xrefs: 6BC7E300
HKU, xrefs: 6BC7E49B
HKEY_LOCAL_MACHINE, xrefs: 6BC7E42D
HKEY_USERS, xrefs: 6BC7E4B1
HKCR, xrefs: 6BC7E443
HKLM, xrefs: 6BC7E417
's Location attribute doesn't match any (supported) hive, xrefs: 6BC7E314
HKEY_CURRENT_USER, xrefs: 6BC7E485
HKEY_CLASSES_ROOT, xrefs: 6BC7E459
HKCU, xrefs: 6BC7E46F
ParameterInfo.xml, xrefs: 6BC7E4C3

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser_wcschr
String ID: 's Location attribute doesn't match any (supported) hive$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$ParameterInfo.xml$schema validation error:
API String ID: 664556297-457235518
Opcode ID: 799a80d3763fac6f33c3bc7c8403dadbb43245cfd6caf9906a094469cf431f79
Instruction ID: 7c547ae856ce9866b44bc84c4818f0563f486faa404e0bf3a6d35cfc1313b1e5
Opcode Fuzzy Hash: 799a80d3763fac6f33c3bc7c8403dadbb43245cfd6caf9906a094469cf431f79
Instruction Fuzzy Hash: 08718072A2024A9BDF00DBF4C882EEEB778AF15318F144665E520E7281FB7CDB458761

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8D850 Relevance: 21.4, APIs: 1, Strings: 11, Instructions: 410COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6BC8D93E

Part of subcall function 6BC79723: __EH_prolog3.LIBCMT ref: 6BC7972A
Part of subcall function 6BC79723: #8.OLEAUT32(?,00000014,6BC7A5E4,?,-00000960,?,?,?,6BCA4FE5,?,?,?,?,6BC58108), ref: 6BC7973B
Part of subcall function 6BC79723: #6.OLEAUT32(6BC6A78C,?,6BCA4FE5,?,?,?,?,6BC58108,?,?,00000000,?,?,?,?), ref: 6BC79771
Part of subcall function 6BC79723: #9.OLEAUT32(?,?,6BC6AB1C,?,6BCA4FE5,?,?,?,?,6BC58108,?,?,00000000,?,?,?), ref: 6BC797AE

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC78D64: __EH_prolog3.LIBCMT ref: 6BC78D6B

Part of subcall function 6BC81D0A: __EH_prolog3.LIBCMT ref: 6BC81D11
Part of subcall function 6BC81D0A: __CxxThrowException@8.LIBCMT ref: 6BC81DDE

Strings

Only one sub item of this type can exist : , xrefs: 6BC8D8D8
SystemDriveSize, xrefs: 6BC8DA29
CommandLine, xrefs: 6BC8D9D5
InstalledProductSize, xrefs: 6BC8DA82
ApplicableIf, xrefs: 6BC8DB0A
?, xrefs: 6BC8DBF1
IsPresent, xrefs: 6BC8DB29
Name, xrefs: 6BC8D972
ActionTable, xrefs: 6BC8DAFB
ParameterInfo.xml, xrefs: 6BC8D8C7
, xrefs: 6BC8DD25

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: $?$ActionTable$ApplicableIf$CommandLine$InstalledProductSize$IsPresent$Name$Only one sub item of this type can exist : $ParameterInfo.xml$SystemDriveSize
API String ID: 2489616738-3687437762
Opcode ID: 3875bbc8e4447d70b2f7cefd5806821b2ed85ee7e618ed960c19a6682fc1f785
Instruction ID: c4e4230d3d1f3cd451f39bdbad4a1ba89df2b786f2e22a784e1f515b376498b5
Opcode Fuzzy Hash: 3875bbc8e4447d70b2f7cefd5806821b2ed85ee7e618ed960c19a6682fc1f785
Instruction Fuzzy Hash: 60F14BB11183859FD320DF68C845B5BBBE8BF89318F004A5DF4A9D7291EB78D605CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BC76DE1 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 283COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC76DE8

Part of subcall function 6BC75F5A: __EH_prolog3.LIBCMT ref: 6BC75F61
Part of subcall function 6BC75F5A: PathIsDirectoryW.SHLWAPI(?), ref: 6BC75F9E

Strings

%s (%s) failed on product (%s). Msi Log: <a href="%s">%s</a>, xrefs: 6BC76E92
: ERROR_SUCCESS_RESTART_REQUIRED, xrefs: 6BC76F3F
: no error, xrefs: 6BC77125
: ERROR_SUCCESS_REBOOT_REQUIRED, xrefs: 6BC76FCF
: ERROR_UNKNOWN_PRODUCT (not actually an error - patch does not apply to this product), xrefs: 6BC77095
%s (%s) succeeded on product (%s) and requires the service to be restarted. Msi Log: <a href="%s">%s</a>, xrefs: 6BC76F0B
%s (%s) succeeded on product (%s) and requires reboot. Msi Log: <a href="%s">%s</a>, xrefs: 6BC76F9B
%s (%s) succeeded on product (%s). Msi Log: <a href="%s">%s</a>, xrefs: 6BC770F1
%s (%s) succeeded on product (%s) and a reboot has been initiated!!!!. Msi Log: <a href="%s">%s</a>, xrefs: 6BC77039
Return value - 0x%X, xrefs: 6BC76E1E
: ERROR_SUCCESS_REBOOT_INITIATED, xrefs: 6BC7706D

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DirectoryPath
String ID: %s (%s) failed on product (%s). Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s) and a reboot has been initiated!!!!. Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s) and requires reboot. Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s) and requires the service to be restarted. Msi Log: <a href="%s">%s</a>$%s (%s) succeeded on product (%s). Msi Log: <a href="%s">%s</a>$: ERROR_SUCCESS_REBOOT_INITIATED$: ERROR_SUCCESS_REBOOT_REQUIRED$: ERROR_SUCCESS_RESTART_REQUIRED$: no error$: ERROR_UNKNOWN_PRODUCT (not actually an error - patch does not apply to this product)$Return value - 0x%X
API String ID: 529697523-3126805711
Opcode ID: 0351713b64970eaefa5c054bf0a19eb1f621d123d9b9587247536ba904427291
Instruction ID: 58c163ceb174d2625a1849d32d51d159cbd7575fdc22416b334c9bd8f96c81db
Opcode Fuzzy Hash: 0351713b64970eaefa5c054bf0a19eb1f621d123d9b9587247536ba904427291
Instruction Fuzzy Hash: 85C18C72910209EFCF01DFA8C845A9DBBB1FF09308F148144F655AB3A1D779AB61DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC75917 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetProductInfo,?,?,6BC7563A), ref: 6BC75935
GetProcAddress.KERNEL32(00000000), ref: 6BC7593C

Strings

kernel32.dll, xrefs: 6BC75930
Storage Edition, xrefs: 6BC759B6
Professional, xrefs: 6BC759D6
Enterprise Edition, xrefs: 6BC7599A
Web Edition, xrefs: 6BC759A8
Home Edition, xrefs: 6BC759CB
Datacenter Edition, xrefs: 6BC7598F
Compute Cluster Edition, xrefs: 6BC75984
Standard Edition, xrefs: 6BC759BD
GetProductInfo, xrefs: 6BC7592B

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Compute Cluster Edition$Datacenter Edition$Enterprise Edition$GetProductInfo$Home Edition$Professional$Standard Edition$Storage Edition$Web Edition$kernel32.dll
API String ID: 1646373207-2428100242
Opcode ID: 4af2efff7c80b07323b3601885357e0e7dc4fdb4c4c47ebb73583e165dd84d76
Instruction ID: e6ebc0f39c0e596323c66fa30e5cff07a01e1f40fc6e7b763369dae51984a097
Opcode Fuzzy Hash: 4af2efff7c80b07323b3601885357e0e7dc4fdb4c4c47ebb73583e165dd84d76
Instruction Fuzzy Hash: D411C872035300B6DB346697CD06BE632A5EB41766F10407BBB7661040F72D9B73D679

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC1E8F Relevance: 19.7, APIs: 2, Strings: 9, Instructions: 408fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,?,6BC6AB1C,?,?,?,?,?,?), ref: 6BCC22B9
GetLastError.KERNEL32 ref: 6BCC22C3

Strings

Failed to delete invalid file, xrefs: 6BCC22CE
BITS service not available, xrefs: 6BCC21B0
Download failed at attempt %d of %d for %s using %s, xrefs: 6BCC232D
User cancelled download attempt %d of %d for %s using %s, xrefs: 6BCC238D
complete, xrefs: 6BCC1F68
Action, xrefs: 6BCC1FA5
Download succeeded at attempt %d of %d for %s using %s, xrefs: 6BCC23CB
Downloading Item , xrefs: 6BCC1F77
Starting download attempt %d of %d for %s using %s, xrefs: 6BCC207E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: complete$Action$BITS service not available$Download failed at attempt %d of %d for %s using %s$Download succeeded at attempt %d of %d for %s using %s$Downloading Item $Failed to delete invalid file$Starting download attempt %d of %d for %s using %s$User cancelled download attempt %d of %d for %s using %s
API String ID: 2018770650-2175310925
Opcode ID: a0003ec1e70d6f1907db694f5f2ec374f7982f69167ce2e08f906f97c3bc79c6
Instruction ID: 1668debd42eb5879b4e57dfd13a14352a8127c467d8f33d28ba6bd157004c602
Opcode Fuzzy Hash: a0003ec1e70d6f1907db694f5f2ec374f7982f69167ce2e08f906f97c3bc79c6
Instruction Fuzzy Hash: 0302BF711183409FCB21CF68C881B5BBBE8FF99314F04859DE9948B292E738DA45CB63

Uniqueness

Uniqueness Score: -1.00%

Function 6BC853AC Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 227COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC853B3
#6.OLEAUT32(?,?,6BC6A78C,?,00000034,6BC851D3,-00000960,?,succeeded,?,?,?,00000000), ref: 6BC85436
#2.OLEAUT32(6BCAFAA0,6BCAFAA0,//Setup/LocalizedData/Language,?,6BC6A78C,?,00000034,6BC851D3,-00000960,?,succeeded,?,?,?,00000000), ref: 6BC854A6
__EH_prolog3.LIBCMT ref: 6BC854CE
__CxxThrowException@8.LIBCMT ref: 6BC85556

Part of subcall function 6BC7845D: __EH_prolog3.LIBCMT ref: 6BC78464

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

Strings

//Setup/LocalizedData/Language, xrefs: 6BC853E2
Unable to find Language element for LangID="%d" in localized data, xrefs: 6BC85530
Schema validation failure in file , xrefs: 6BC8558B
W, xrefs: 6BC85546
\LocalizedData.xml: should have atleast one 'Language' child element!, xrefs: 6BC855AF
ParameterInfo.xml, xrefs: 6BC8557B

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: //Setup/LocalizedData/Language$ParameterInfo.xml$Schema validation failure in file $Unable to find Language element for LangID="%d" in localized data$W$\LocalizedData.xml: should have atleast one 'Language' child element!
API String ID: 2489616738-1863159554
Opcode ID: 85707c0b9483df564a753d283f6355f454a4590f63bf7af7fe4d0e0f4f4af186
Instruction ID: 17a25c4b1dff3ad6d5984c4fbae7d7d6cec3ed92690cacbeabfdd75d74787f2f
Opcode Fuzzy Hash: 85707c0b9483df564a753d283f6355f454a4590f63bf7af7fe4d0e0f4f4af186
Instruction Fuzzy Hash: 63918271910149EFCF01DFF8C885AAEBBB9AF49319F104199F215EB281E7789B05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA6B86 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 351COMMON

Download Yara Rule

APIs

Part of subcall function 6BCAB149: _free.LIBCMT ref: 6BCAB171
Part of subcall function 6BCAB149: _free.LIBCMT ref: 6BCAB182

GetCommandLineW.KERNEL32(CC4203FA,?,?,00000000,?,?,?,?,?,ParameterInfo.xml,?,?,?,00000000,?,?), ref: 6BCA6BD1

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

Part of subcall function 6BCA8D7E: _calloc.LIBCMT ref: 6BCA8D9C

Part of subcall function 6BCAEBE6: __recalloc.LIBCMT ref: 6BCAEBF7

Strings

" switch cannot be disabled, but is specified in the DisabledCommandLineSwitches., xrefs: 6BCA7045
quiet, xrefs: 6BCA6CF0
Setup, xrefs: 6BCA6C38
Command-line option error: the ", xrefs: 6BCA6DAC
The ", xrefs: 6BCA6E0C, 6BCA7032
Unrecognized switch(es) ", xrefs: 6BCA6F8A
" switch is disallowed for this package., xrefs: 6BCA6E1F
" switch has been disallowed for this package., xrefs: 6BCA6DBF
Command-line option error: unrecognized switch(es) ", xrefs: 6BCA6F26

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: _free$CommandH_prolog3Line__recalloc_calloc
String ID: " switch cannot be disabled, but is specified in the DisabledCommandLineSwitches.$" switch has been disallowed for this package.$" switch is disallowed for this package.$Command-line option error: the "$Command-line option error: unrecognized switch(es) "$Setup$The "$Unrecognized switch(es) "$quiet
API String ID: 1533339410-3701387627
Opcode ID: 3b2bbf475108365375d6c105f47c1cc25cc4637f4afe426f1a1b8e5e6ba00c9d
Instruction ID: 8760584be6a50a97d76b23591d25855342fee8dc7b9e3a2b8f66491fb04c10fc
Opcode Fuzzy Hash: 3b2bbf475108365375d6c105f47c1cc25cc4637f4afe426f1a1b8e5e6ba00c9d
Instruction Fuzzy Hash: 0CE15C725183819FC311CF78C881B4BB7E4BF89318F044A59F5D597291EB78EA498BA3

Uniqueness

Uniqueness Score: -1.00%

Function 6BC90FC7 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 342COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC90FCE

Part of subcall function 6BC78D64: __EH_prolog3.LIBCMT ref: 6BC78D6B

Part of subcall function 6BC878AC: __EH_prolog3.LIBCMT ref: 6BC878B3

Strings

!, xrefs: 6BC91349
MSIRepairOptions, xrefs: 6BC912CE
ApplicableIf, xrefs: 6BC9106B
IsPresent, xrefs: 6BC90FFF
MSIUninstallOptions, xrefs: 6BC91282
Name, xrefs: 6BC911DD
CustomErrorHandling, xrefs: 6BC9115D
RelatedProducts, xrefs: 6BC91316, 6BC9131B, 6BC91366
ActionTable, xrefs: 6BC910D3

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: !$ActionTable$ApplicableIf$CustomErrorHandling$IsPresent$MSIRepairOptions$MSIUninstallOptions$Name$RelatedProducts
API String ID: 431132790-4204973247
Opcode ID: 11af5bc31f0a2dfcf0a8dabf91204bf68ffd7c20681fbe50120a91dd1744b473
Instruction ID: 50cc9b640c93c4f4b073e9e3e99c47045676d9294dfd6aa0f68c4b366549a218
Opcode Fuzzy Hash: 11af5bc31f0a2dfcf0a8dabf91204bf68ffd7c20681fbe50120a91dd1744b473
Instruction Fuzzy Hash: C3D13171A1024AEFDB00DFA8D945E9EBBB8AF09314F148199F815EB381D778DB05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC8C2F8 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 271COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8C2FF

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

#2.OLEAUT32(.//ExpressionAlias,00000000,?,?,00000000,?,ApplicableIf,?,?,6BC94012,00000000,00000010,?,00000020,00000000,00000020), ref: 6BC8C387
#6.OLEAUT32(00000010,?,?,00000000,?,ApplicableIf,?,?,6BC94012,00000000,00000010,?,00000020,00000000,00000020,ApplicableIf), ref: 6BC8C3B3
__CxxThrowException@8.LIBCMT ref: 6BC8C57D

Part of subcall function 6BC7845D: __EH_prolog3.LIBCMT ref: 6BC78464

Strings

schema validation failure: MsiXmlBlob must exists under the ApplicableIf Element, xrefs: 6BC8C4F1
<MsiXmlBlob>, xrefs: 6BC8C4C8
ApplicableIf, xrefs: 6BC8C32A
.//ExpressionAlias, xrefs: 6BC8C382
schema validation failure: Failed to Walk the ApplicableIf Nodelist., xrefs: 6BC8C582
ParameterInfo.xml, xrefs: 6BC8C4FF, 6BC8C590

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: .//ExpressionAlias$<MsiXmlBlob>$ApplicableIf$ParameterInfo.xml$schema validation failure: Failed to Walk the ApplicableIf Nodelist.$schema validation failure: MsiXmlBlob must exists under the ApplicableIf Element
API String ID: 2489616738-1448000463
Opcode ID: 07e1e3efce5d9ff80d4aeeb95bedb5cc9e69186627076582e8761ace775b4ea8
Instruction ID: 5c1786148974ae878556b9ae4e03301565ad14a056273e117f227dd6d03577f1
Opcode Fuzzy Hash: 07e1e3efce5d9ff80d4aeeb95bedb5cc9e69186627076582e8761ace775b4ea8
Instruction Fuzzy Hash: C0B15C71910149EFCF00DFE8C984AEEBBB9AF49318F1481A8E515EB241E7399B45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC4B5D Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 202COMMON

Download Yara Rule

Strings

UrlMon failed to create the destination file, xrefs: 6BCC4DAA
using UrlMon , xrefs: 6BCC4BFF
Downloading , xrefs: 6BCC4BEB
complete, xrefs: 6BCC4BD6
Unable to create the destination directory: %s, xrefs: 6BCC4CCB
UrlMon download failed with %x, xrefs: 6BCC4D60
Action, xrefs: 6BCC4C29

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CriticalSection$EnterLeave
String ID: complete$ using UrlMon $Action$Downloading $Unable to create the destination directory: %s$UrlMon download failed with %x$UrlMon failed to create the destination file
API String ID: 689481870-358785795
Opcode ID: 9a99f90de2853a711b3ceecb511f48b04b388a802b5e2121ddead6a9b2b9e24a
Instruction ID: 044998876fcd9b422b11d9f1b2844814ea68386f7e83906d8130faf6ef967da0
Opcode Fuzzy Hash: 9a99f90de2853a711b3ceecb511f48b04b388a802b5e2121ddead6a9b2b9e24a
Instruction Fuzzy Hash: 18819F711283419FD310DF78C889E0BBBE9FF89318F044A5DF5A597251EB39EA058B52

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB8FAC Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 144stringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB8FB3

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

lstrlenW.KERNEL32(</MsiXmlBlob>,</MsiXmlBlob>,CC4203FA,<MsiXmlBlob,?,?,00000008,6BCB8345,?,?,00000000,6BCB56B5,?,-000000F4,?,?), ref: 6BCB901D
#2.OLEAUT32(?,<MsiXmlBlob,?,?,00000008,6BCB8345,?,?,00000000,6BCB56B5,?,-000000F4,?,?,-000000F8,?), ref: 6BCB906E
__EH_prolog3_GS.LIBCMT ref: 6BCB9094

Strings

Failed to get install context for product: %s, received error: %d, xrefs: 6BCB90E6
MsiGetPatchInfoEx failed for product: %s, received error: %d, xrefs: 6BCB9150
<MsiXmlBlob, xrefs: 6BCB8FCB
</MsiXmlBlob>, xrefs: 6BCB9008, 6BCB900D, 6BCB901C
1, xrefs: 6BCB9157
State, xrefs: 6BCB911D

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$H_prolog3_lstrlen
String ID: 1$</MsiXmlBlob>$<MsiXmlBlob$Failed to get install context for product: %s, received error: %d$MsiGetPatchInfoEx failed for product: %s, received error: %d$State
API String ID: 590229360-881197934
Opcode ID: 5466137816faf58b800a6671f8b84994ce4dc705c2d9693a32bbb10175a7cd16
Instruction ID: 14ec6bc45a358c380fa89e0ddcf3e923e9332bb3ccd8e6ca479f1fae1b95fc96
Opcode Fuzzy Hash: 5466137816faf58b800a6671f8b84994ce4dc705c2d9693a32bbb10175a7cd16
Instruction Fuzzy Hash: F351B371920209EFCF00DFB4C885EDDBBB5BF19328F148559E564AB291EB789B04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC83BBF Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 263COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC83BC6

Strings

CustomErrorHandling element not defined, xrefs: 6BC83BF7
MSIErrorMessage, xrefs: 6BC83D23
ReturnCode, xrefs: 6BC83CE0
Adding Custom Code , xrefs: 6BC83E18
schema validation failure: Expect at least one CustomError element., xrefs: 6BC83C6F
CustomErrorHandling, xrefs: 6BC83C10
Processing CustomErrorHandling element block, xrefs: 6BC83C06
ParameterInfo.xml, xrefs: 6BC83C7D

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Adding Custom Code $CustomErrorHandling$CustomErrorHandling element not defined$MSIErrorMessage$ParameterInfo.xml$Processing CustomErrorHandling element block$ReturnCode$schema validation failure: Expect at least one CustomError element.
API String ID: 431132790-2299275001
Opcode ID: 5ac1004cb1b01fdcc519d537287f6d8c97ae62784e6fbd948e4f56b5fed595be
Instruction ID: fffef347272b8d68d38f257f8db1b5d356d93aef4f36ffa6d93f1318e99a4696
Opcode Fuzzy Hash: 5ac1004cb1b01fdcc519d537287f6d8c97ae62784e6fbd948e4f56b5fed595be
Instruction Fuzzy Hash: 9FB16C72920249EBDF11DFF8C946BDEBBB4AF09318F144258E161B7281E7789B05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBFA58 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBFA5F
MoveFileExW.KERNEL32(00000000,?,00000003,00000018,6BCBF721,?,?,00000001,00000001), ref: 6BCBFA90
GetLastError.KERNEL32(?,00000001,00000001), ref: 6BCBFA9E

Part of subcall function 6BCA20CA: __EH_prolog3.LIBCMT ref: 6BCA20D1
Part of subcall function 6BCA20CA: PathFileExistsW.SHLWAPI(?,?,?,00000034,6BCBFCB8), ref: 6BCA2100
Part of subcall function 6BCA20CA: DeleteFileW.KERNEL32(?), ref: 6BCA210C
Part of subcall function 6BCA20CA: PathIsDirectoryW.SHLWAPI(?), ref: 6BCA2135
Part of subcall function 6BCA20CA: PathFileExistsW.SHLWAPI(?), ref: 6BCA2146
Part of subcall function 6BCA20CA: SHFileOperationW.SHELL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BCA2194

MoveFileExW.KERNEL32(-00000960,?,00000003,?,-00000960,?,00000000,00000000,00000000,00000000,-00000960,00000000,-00000960,6BC6AB1C,?,00000001), ref: 6BCBFBB7
GetLastError.KERNEL32(?,00000001,00000001), ref: 6BCBFBC5

Strings

Failed to find file in the extracted folder: %s, xrefs: 6BCBFC30
Decompression of payload failed: %s, xrefs: 6BCBFC7E
.tmp, xrefs: 6BCBFB08
Failed to move temp file to destination location. MoveFileEx call failed with 0x%x, xrefs: 6BCBFACF, 6BCBFBF2

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: File$Path$ErrorExistsH_prolog3LastMove$DeleteDirectoryOperation
String ID: .tmp$Decompression of payload failed: %s$Failed to find file in the extracted folder: %s$Failed to move temp file to destination location. MoveFileEx call failed with 0x%x
API String ID: 3364322592-4277776893
Opcode ID: b1c3ab470cbbdb8fa0129f919a822f11c91036a486d739521c0a9d9ed75f1ee2
Instruction ID: 8202bf6727fcc45d0a6af155ae644f6de62241eebf040cb13498c451152268cd
Opcode Fuzzy Hash: b1c3ab470cbbdb8fa0129f919a822f11c91036a486d739521c0a9d9ed75f1ee2
Instruction Fuzzy Hash: A371B075520205EFDB10CFB8C889F9E7BB9AF05318F008958E845EB252E779EB05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC5B10 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCC5B17
GetLastError.KERNEL32(?,Setup Installer,00000001,00000000,00000000,00000000,?,?,6BCC45A9,00000000,?), ref: 6BCC5B6C

Part of subcall function 6BC774C1: __EH_prolog3.LIBCMT ref: 6BC774C8

GetLastError.KERNEL32(?,Setup Installer,00000000,00000000,00000000,10000000,?,Setup Installer,00000001,00000000,00000000,00000000,?,?,6BCC45A9,00000000), ref: 6BCC5C2F

Strings

Using WINHTTP_ACCESS_TYPE_NO_PROXY, xrefs: 6BCC5BDE
Auto detection of proxy failed, try to retrieve proxy information via IE., xrefs: 6BCC5BA4
WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, xrefs: 6BCC5C0C
Using WINHTTP_ACCESS_TYPE_NAMED_PROXY, xrefs: 6BCC5BF3
WinHttpOpen, xrefs: 6BCC5B72, 6BCC5C35
Setup Installer, xrefs: 6BCC5B53, 6BCC5B58, 6BCC5C20

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: Auto detection of proxy failed, try to retrieve proxy information via IE.$Setup Installer$Using WINHTTP_ACCESS_TYPE_NAMED_PROXY$Using WINHTTP_ACCESS_TYPE_NO_PROXY$WINHTTP_ACCESS_TYPE_DEFAULT_PROXY$WinHttpOpen
API String ID: 685212868-13788701
Opcode ID: 07c4f638c79c5c0d9a8c0bbfc39406a0926dab78919c96c390454596dfdd882f
Instruction ID: 3e58a60341c902d0af30205f8e95c67d47da5e3728fb71e4371f427ea4209e00
Opcode Fuzzy Hash: 07c4f638c79c5c0d9a8c0bbfc39406a0926dab78919c96c390454596dfdd882f
Instruction Fuzzy Hash: 2C416F71920115AFCB00DFA4CD8AEAFBBB9EF49310F144456F605EB252E7789A00CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BC98B66 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 77windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC98B6D

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

PathIsRelativeW.SHLWAPI(?,?,?,00000024,6BCC2777), ref: 6BC98B8B
PathFileExistsW.SHLWAPI(?), ref: 6BC98BC6

Part of subcall function 6BC75D87: __EH_prolog3.LIBCMT ref: 6BC75D8E
Part of subcall function 6BC75D87: GetModuleFileNameW.KERNEL32(6BC50000,00000010,00000104,?,6BCA80D8,00000000), ref: 6BC75DDB

Part of subcall function 6BCA8C05: PathAppendW.SHLWAPI(00000000,?,?,?,?,?,6BCB9E00,00000000,00000000,?,?,?,00000000,?,UiInfo.xml), ref: 6BCA8C29

Part of subcall function 6BC98C5F: CreateWindowExW.USER32(00000000,STATIC,00000000,0000000E,80000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 6BC98CA7
Part of subcall function 6BC98C5F: GetWindowLongW.USER32(?,000000F0), ref: 6BC98CBC
Part of subcall function 6BC98C5F: SetWindowLongW.USER32(?,000000F0,00000000), ref: 6BC98CCC
Part of subcall function 6BC98C5F: LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 6BC98CD9
Part of subcall function 6BC98C5F: GetDesktopWindow.USER32 ref: 6BC98CEB
Part of subcall function 6BC98C5F: ShowWindow.USER32(?,00000001), ref: 6BC98CFE

ShowWindow.USER32(?,00000005), ref: 6BC98BF5
UpdateWindow.USER32(?), ref: 6BC98BFE
TranslateMessage.USER32(?), ref: 6BC98C1F
DispatchMessageW.USER32(?), ref: 6BC98C29
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6BC98C36

Strings

Splash screen file '%s' not found, xrefs: 6BC98BD6

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Window$H_prolog3MessagePath$FileLongShow$AppendCreateDesktopDispatchExistsImageLoadModuleNameRelativeTranslateUpdate
String ID: Splash screen file '%s' not found
API String ID: 301856859-2590370906
Opcode ID: 5494764721116891b14af586078d85ec1e997e58b832f7400f51c36af066a880
Instruction ID: b57372378f70e4fa6622bd066ba3bc2d0cae221b98e180a1bbaf890ef934f3e2
Opcode Fuzzy Hash: 5494764721116891b14af586078d85ec1e997e58b832f7400f51c36af066a880
Instruction Fuzzy Hash: C6214A72920259ABDF11AFF8CC49E9E7BB8BF09358F044515E521B7290E739EB508B21

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA33BE Relevance: 15.1, APIs: 10, Instructions: 118COMMON

Download Yara Rule

APIs

GetSecurityDescriptorDacl.ADVAPI32(?,6BCA71D3,6BCA71DB,00000002,6BC6A5C4,10000000,00000000), ref: 6BCA33FA
_malloc.LIBCMT ref: 6BCA340B
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,6BC6A5C4,10000000,00000000), ref: 6BCA3425
_free.LIBCMT ref: 6BCA3439
GetAclInformation.ADVAPI32(00000000,6BCA71DF,0000000C,00000002), ref: 6BCA346E
_malloc.LIBCMT ref: 6BCA347B
_memcpy_s.LIBCMT ref: 6BCA3494
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 6BCA34B9
_free.LIBCMT ref: 6BCA34CB
_free.LIBCMT ref: 6BCA34D9

Part of subcall function 6BCA352A: MakeAbsoluteSD.ADVAPI32(?,00000000,6BC6A5C4,00000000,6BCA71C7,00000000,6BCA71CB,00000000,6BCA71CF,00000000,6BCA71D3,?,6BC6A588,6BC6A5C4,10000000,00000000), ref: 6BCA358F
Part of subcall function 6BCA352A: GetLastError.KERNEL32 ref: 6BCA3595
Part of subcall function 6BCA352A: _malloc.LIBCMT ref: 6BCA35A8
Part of subcall function 6BCA352A: _malloc.LIBCMT ref: 6BCA35B9
Part of subcall function 6BCA352A: _malloc.LIBCMT ref: 6BCA35CF
Part of subcall function 6BCA352A: _malloc.LIBCMT ref: 6BCA35E5
Part of subcall function 6BCA352A: _malloc.LIBCMT ref: 6BCA35FC

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: _malloc$DescriptorSecurity_free$Dacl$AbsoluteErrorInformationInitializeLastMake_memcpy_s
String ID:
API String ID: 1365157220-0
Opcode ID: 917c5e66763b3832398c35b8d3e79576e61c585ea0b24acc00c0cd914c5e2486
Instruction ID: 0fbc0bc46efb0e7be5b5a177e27b751e0d8b99fb003a67a1ccd40f004e4547e9
Opcode Fuzzy Hash: 917c5e66763b3832398c35b8d3e79576e61c585ea0b24acc00c0cd914c5e2486
Instruction Fuzzy Hash: 9331F872A25207BBEB115FB59C56A6FBBBCAF94718F10807DE515E3040FB2CCB008661

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB4D79 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 326COMMON

Download Yara Rule

Strings

IronMan::MspInstallerT<class IronMan::PatchesFilteredT<class IronMan::CMsiInstallContext> >::Rollback, xrefs: 6BCB4DC3
There are no patches to uninstall during rollback for product, xrefs: 6BCB4EAA
GetMsiLocalCachedPackagePath returned 0x%X, xrefs: 6BCB5112
MsiInstallProduct returned 0x%X, xrefs: 6BCB50F0
MSIPATCHREMOVE="%s", xrefs: 6BCB50D0
about to call MsiInstallProduct with MSIPATCHREMOVE="%s" on product %s(%s) to remove patches., xrefs: 6BCB5096
Install, xrefs: 6BCB519F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: GetMsiLocalCachedPackagePath returned 0x%X$Install$IronMan::MspInstallerT<class IronMan::PatchesFilteredT<class IronMan::CMsiInstallContext> >::Rollback$MSIPATCHREMOVE="%s"$MsiInstallProduct returned 0x%X$There are no patches to uninstall during rollback for product$about to call MsiInstallProduct with MSIPATCHREMOVE="%s" on product %s(%s) to remove patches.
API String ID: 431132790-1026096532
Opcode ID: d367ab1423fc26e0df21c0dc11b50b965d170d63e0fb12fbd44d341c94ee014d
Instruction ID: e189c6888be2654cdc3c0a67750b327e2490e306c3de68d9cf48ecdc487f14db
Opcode Fuzzy Hash: d367ab1423fc26e0df21c0dc11b50b965d170d63e0fb12fbd44d341c94ee014d
Instruction Fuzzy Hash: 44D18B71518340DFD701CF68C885A0FBBE5AF89328F044A4DF5959B3A2E778EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BC90888 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 294COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BC90892
_memset.LIBCMT ref: 6BC908D6
#246.MSI(00000000,00000000,00000004,00000000,?,00000000,00000000,00000000,6BC9F68F), ref: 6BC908EA
#244.MSI(?,?,00000000,00000004,LocalPackage,00000000,?,00000000), ref: 6BC90964
#244.MSI(?,?,00000000,00000004,LocalPackage,00000000,00000000,00000000), ref: 6BC909B7

Part of subcall function 6BCA8D7E: _calloc.LIBCMT ref: 6BCA8D9C

Strings

LocalPackage, xrefs: 6BC90957, 6BC909AA

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: #244$#246H_prolog3__calloc_memset
String ID: LocalPackage
API String ID: 113209346-4154802423
Opcode ID: 1f0635f184259ca7905c9e0491439d32b0867eebc826773114a16c1d90ee8ff3
Instruction ID: f31545b190c21acf0215be53ae58595b9c1bedcccec7666e8c970281c174fb72
Opcode Fuzzy Hash: 1f0635f184259ca7905c9e0491439d32b0867eebc826773114a16c1d90ee8ff3
Instruction Fuzzy Hash: FCC15D72D10248DBDF11DFB8C885B9E77B5BF45318F2442A9E528EB242E7389B45CB21

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7CFDF Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 225COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7CFE6

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

__CxxThrowException@8.LIBCMT ref: 6BC7D1B8

Strings

ProductCode, xrefs: 6BC7CFEF, 6BC7D1BD
schema validation failure: get_parentNode failed, xrefs: 6BC7D12B
AgileMSI, xrefs: 6BC7D0AA
Self, xrefs: 6BC7D046
MSI, xrefs: 6BC7D090
ParameterInfo.xml, xrefs: 6BC7D139

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: AgileMSI$MSI$ParameterInfo.xml$ProductCode$Self$schema validation failure: get_parentNode failed
API String ID: 2489616738-3833163985
Opcode ID: 7193ac69f5a7b3fa78ab6109e86a80847f6fe61f20523e29765236934f47fb6c
Instruction ID: 0fb19efad98b88264d64bbd87ff97ebfb694aed08ee0332701dacb6250ee1a6f
Opcode Fuzzy Hash: 7193ac69f5a7b3fa78ab6109e86a80847f6fe61f20523e29765236934f47fb6c
Instruction Fuzzy Hash: 8F915FB1911149DFCF00DFF8C8859EEBBB8AF09318F148169E561E7241E7399B45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC878AC Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 199COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC878B3

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

__CxxThrowException@8.LIBCMT ref: 6BC87AE2

Strings

schema validation failure: wrong number of ActionTable child nodes!, xrefs: 6BC87A52
InstallAction, xrefs: 6BC878BF
UninstallAction, xrefs: 6BC87926
RepairAction, xrefs: 6BC8798A
ActionTable, xrefs: 6BC879EE
ParameterInfo.xml, xrefs: 6BC8781E, 6BC87A60

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: ActionTable$InstallAction$ParameterInfo.xml$RepairAction$UninstallAction$schema validation failure: wrong number of ActionTable child nodes!
API String ID: 2489616738-4108169080
Opcode ID: ca5a5256b855b32819ad08ee6cf654affe3a95d5eed8135affe45ac0e8011a8e
Instruction ID: 36d6ca793432a4650b1ccdd29a9127644112a68aba21381797444463af8a9328
Opcode Fuzzy Hash: ca5a5256b855b32819ad08ee6cf654affe3a95d5eed8135affe45ac0e8011a8e
Instruction Fuzzy Hash: BF7134B1A10249EFDB00DFF8C985EAE7BB8AF05318F144159E125E7291EB78DB05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9428F Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 162COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BC94296
__EH_prolog3.LIBCMT ref: 6BC9440F

Part of subcall function 6BCAFF5C: _wcsnlen.LIBCMT ref: 6BCAFF8F
Part of subcall function 6BCAFF5C: _memcpy_s.LIBCMT ref: 6BCAFFC5

Strings

#(loc., xrefs: 6BC94428
', xrefs: 6BC942CE
>, xrefs: 6BC942DC
&, xrefs: 6BC942C7
", xrefs: 6BC942C0
<, xrefs: 6BC942D5

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3H_prolog3__memcpy_s_wcsnlen
String ID: #(loc.$&$'$>$<$"
API String ID: 1381108809-1774302600
Opcode ID: 02995afee2d0dd7f0914f90aba199bed1247d01b908b7c6b95611a24a0cad079
Instruction ID: 05ddb2aa600b85e597621d01b8f8c47900a6c4f980dc1146887a953e4f2e420c
Opcode Fuzzy Hash: 02995afee2d0dd7f0914f90aba199bed1247d01b908b7c6b95611a24a0cad079
Instruction Fuzzy Hash: 6C519C71A20249DBDF01DFF8C885AEEB7B5BF48318F104156E920EB391E7789B008B65

Uniqueness

Uniqueness Score: -1.00%

Function 6BC87C7F Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC87C86

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

__CxxThrowException@8.LIBCMT ref: 6BC87E2C

Strings

Cartman, xrefs: 6BC87CD9
HotIron, xrefs: 6BC87E0E
MsuPackage, xrefs: 6BC87DC1
LocalExe, xrefs: 6BC87D71
ExeType, xrefs: 6BC87C8F
IronMan, xrefs: 6BC87D25

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: Cartman$ExeType$HotIron$IronMan$LocalExe$MsuPackage
API String ID: 2489616738-3730881327
Opcode ID: 7e13eccd5eb3228dab54fc837c96f9e05e1b4323b70c2045558f17a236e06348
Instruction ID: f2ba33d0414bb98094b4b7cc889ddbdd8a33e7c9d2811b2b30ad68dc6780c602
Opcode Fuzzy Hash: 7e13eccd5eb3228dab54fc837c96f9e05e1b4323b70c2045558f17a236e06348
Instruction Fuzzy Hash: 1A518471A1524A9FDB10DFB8C881A6A7BBABF0532CB144269E455DB281F739CB00DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC91BFF Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC91C06

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

__CxxThrowException@8.LIBCMT ref: 6BC91D6D

Strings

Continue, xrefs: 6BC91CB3
schema validation failure: invalid attribute value for - OnSubFailureAction, xrefs: 6BC91CE0
Rollback, xrefs: 6BC91C59
OnSubFailureAction, xrefs: 6BC91C11
Stop, xrefs: 6BC91C9A
ParameterInfo.xml, xrefs: 6BC91CEE

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: Continue$OnSubFailureAction$ParameterInfo.xml$Rollback$Stop$schema validation failure: invalid attribute value for - OnSubFailureAction
API String ID: 2489616738-3344869707
Opcode ID: a08d574d236c8f5cc328ba8f7a7369857c4905b80dd2ecad9dfd719b6dca9372
Instruction ID: f0bdfd19d70f9744bbf933622ef5a07527ebdd791aea1d78d59acbe4042e4afa
Opcode Fuzzy Hash: a08d574d236c8f5cc328ba8f7a7369857c4905b80dd2ecad9dfd719b6dca9372
Instruction Fuzzy Hash: 2F419471A20149ABDB00EBF8C946FEE7BB96F05358F144158E165E7280FB78DB05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA4D81 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA4D88
__CxxThrowException@8.LIBCMT ref: 6BCA4E04

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

Strings

#(loc., xrefs: 6BCA4E83
UI element in parameterinfo.xml cannot contain any token (#(loc.[Name]) reference., xrefs: 6BCA4E99
Missing closing > for UI element in parameterinfo.xml, xrefs: 6BCA4E1C
Missing UI element in parameterinfo.xml, xrefs: 6BCA4DA1
<UI , xrefs: 6BCA4D8F
ParameterInfo.xml, xrefs: 6BCA4DBF, 6BCA4E3D, 6BCA4EBA

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: #(loc.$<UI $Missing UI element in parameterinfo.xml$Missing closing > for UI element in parameterinfo.xml$ParameterInfo.xml$UI element in parameterinfo.xml cannot contain any token (#(loc.[Name]) reference.
API String ID: 2489616738-2078404788
Opcode ID: 9d8cb37df46e5886cab09ddcd8772fb08f0086707e542af4d83c0a3e18da1e6a
Instruction ID: 01a11b1ebdc09eb57516647e0ffba69ba26f140a8f402e36613d5b5250309618
Opcode Fuzzy Hash: 9d8cb37df46e5886cab09ddcd8772fb08f0086707e542af4d83c0a3e18da1e6a
Instruction Fuzzy Hash: AC414C72924149ABCF05DBF4C995EEEB7B8AF58308F144559E111B7180FB7C9B098B31

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBF8EC Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 110fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBF8F3

Part of subcall function 6BCA8D2E: PathRemoveFileSpecW.SHLWAPI(00000000,2006C750,00000010,80004005,6BC75E00,6BCAF877,00000010,?,6BCA80D8,00000000), ref: 6BCA8D3F

Part of subcall function 6BCC91E7: _memcpy_s.LIBCMT ref: 6BCC9238

Part of subcall function 6BC75704: __EH_prolog3.LIBCMT ref: 6BC7570B

GetTempFileNameW.KERNEL32(00000000,TMP,00000000,00000000,?,00000010,6BCBF63F,00000001), ref: 6BCBF9B5
GetLastError.KERNEL32(?,00000010,6BCBF63F,00000001), ref: 6BCBF9BF
DeleteFileW.KERNEL32(00000000,?,00000010,6BCBF63F,00000001), ref: 6BCBFA2B

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Strings

Failed to get a temp file name. GetTempFileName call failed with 0x%x, xrefs: 6BCBF9EF
.exe, xrefs: 6BCBFA33
TMP, xrefs: 6BCBF9AD
Failed to create the folder: , xrefs: 6BCBF94A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: FileH_prolog3$DeleteErrorLastNamePathRemoveSpecTemp_memcpy_s
String ID: .exe$Failed to create the folder: $Failed to get a temp file name. GetTempFileName call failed with 0x%x$TMP
API String ID: 250032342-292932526
Opcode ID: a7c0d00bea109d7a2420df3e699519b9d23e81c400368c564119231f31cb1b8f
Instruction ID: 1b3cf1429ceba5bf4cf8388b67af6ce8d3fcfc402da08d0e515d589276cb2fa8
Opcode Fuzzy Hash: a7c0d00bea109d7a2420df3e699519b9d23e81c400368c564119231f31cb1b8f
Instruction Fuzzy Hash: 1B419275A20106DFDB01DFB8C84AB9FBBB1AF05318F144558E550EB292E778DB01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC86FD3 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC86FDA

Part of subcall function 6BCA83C3: __wcsicoll.LIBCMT ref: 6BCA83E1

__CxxThrowException@8.LIBCMT ref: 6BC870E7

Strings

false, xrefs: 6BC8702D
False, xrefs: 6BC86FF3, 6BC86FF8
schema validation failure: invalid IgnoreDownloadFailure attribute value, xrefs: 6BC8705A
True, xrefs: 6BC86FEC
true, xrefs: 6BC8701B
ParameterInfo.xml, xrefs: 6BC87068

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw__wcsicoll
String ID: False$ParameterInfo.xml$True$false$schema validation failure: invalid IgnoreDownloadFailure attribute value$true
API String ID: 1238845444-4159781073
Opcode ID: 78b3cc3d99e8d31ea26be3cfb1bfea56d02ce682493f66fc9742a75bcf5a12f5
Instruction ID: 5997b248824581778a5b218bb772e43e052845e2201ac42b5fc4c633d4105ff1
Opcode Fuzzy Hash: 78b3cc3d99e8d31ea26be3cfb1bfea56d02ce682493f66fc9742a75bcf5a12f5
Instruction Fuzzy Hash: 9231CF72A20148ABDB01DBB8C841F9E7BB46F19358F108155F115EB281FB7C9B548B71

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9C88B Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC9C892

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

IDRETRY, xrefs: 6BC9C8E2
unknown return type, xrefs: 6BC9C8C7
IDIGNORE, xrefs: 6BC9C8D9
IDNO, xrefs: 6BC9C8D0
IDCANCEL, xrefs: 6BC9C8EB
Returning , xrefs: 6BC9C897
IDOK, xrefs: 6BC9C8F4

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Returning $IDCANCEL$IDIGNORE$IDNO$IDOK$IDRETRY$unknown return type
API String ID: 431132790-446421279
Opcode ID: 540f850097e08e9254a575de5fa215f0e93d5486276b6ae6bf8e7dfbc9674b9a
Instruction ID: a652edeb36d22fc7ce6bda140254b92f3659fe94e29832707243d377cc861acf
Opcode Fuzzy Hash: 540f850097e08e9254a575de5fa215f0e93d5486276b6ae6bf8e7dfbc9674b9a
Instruction Fuzzy Hash: 9D218E7217010EABEB01EBA4DC46FAF33A4BB01704F804451B665EA1D1F77DEB208729

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7AB78 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7AB7F
#2.OLEAUT32(Parse failed for some unknown reason), ref: 6BC7ABD9
#6.OLEAUT32(?,?,?,?,?,00000000,?,?,?,CC4203FA,?,?,?,?,ParameterInfo.xml), ref: 6BC7AC2E
#6.OLEAUT32(?,?,?,?,?,00000000,?,?,?,CC4203FA,?,?,?,?,ParameterInfo.xml), ref: 6BC7AC40
#6.OLEAUT32(00000738,?,?,?,?,00000000,?,?,?,CC4203FA,?,?,?,?,ParameterInfo.xml), ref: 6BC7AC56

Strings

Parse failed for some unknown reason, xrefs: 6BC7ABD4
spParseError->get_reason failed with hr = 0x%08x, xrefs: 6BC7ABC6
spDoc->get_parseError failed with hr = 0x%08x, xrefs: 6BC7ABAD

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Parse failed for some unknown reason$spDoc->get_parseError failed with hr = 0x%08x$spParseError->get_reason failed with hr = 0x%08x
API String ID: 431132790-1327361504
Opcode ID: 420972201f11cc4d2e29b99f75964a6e226e091eb5a2bbd0ac5b05d39f4bfe49
Instruction ID: 9b684ef914820485f5b9a5a756259a5ffed4c260bc9ce78795f769e87106e82c
Opcode Fuzzy Hash: 420972201f11cc4d2e29b99f75964a6e226e091eb5a2bbd0ac5b05d39f4bfe49
Instruction Fuzzy Hash: 0331A471D1020AEFCF00DFE4C889AAEBBB1BF44304F1045A9E554BB260E7799B45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BCCDEA2 Relevance: 13.7, APIs: 9, Instructions: 196COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(?,6BCCC469), ref: 6BCCDEAF
__calloc_crt.LIBCMT ref: 6BCCDEBB

Part of subcall function 6BCCDB01: Sleep.KERNEL32(00000000,?,6BCCC469,6BCAF877,00000C00,00000020,6BCAF877,?), ref: 6BCCDB29

__calloc_crt.LIBCMT ref: 6BCCDF5B
GetFileType.KERNEL32(?,00000001,6BCCC469), ref: 6BCCDFE2

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: __calloc_crt$FileInfoSleepStartupType
String ID:
API String ID: 591920814-0
Opcode ID: fc49acb9c16d0a19ad1943e732b176a3aaa083d8a0575538bff7d27458a54507
Instruction ID: 53b3e0c2edbaf4eaf7074173a3261973963b24142cacc959dcdb5d6250a0699a
Opcode Fuzzy Hash: fc49acb9c16d0a19ad1943e732b176a3aaa083d8a0575538bff7d27458a54507
Instruction Fuzzy Hash: 616101729617428FE7008F69C889A5B7BE0FF26320F1446A8D065DB2E1E738E6059786

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC43D1 Relevance: 13.6, APIs: 9, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,6BCC2194,?), ref: 6BCC43EB
WinHttpSetStatusCallback.WINHTTP(?,00000000,00000000,00000000,?,?,?,6BCC2194,?), ref: 6BCC440B
WinHttpCloseHandle.WINHTTP(?,?,6BCC2194,?), ref: 6BCC4417
WinHttpCloseHandle.WINHTTP(?,?,?,?,6BCC2194,?), ref: 6BCC442A
WinHttpCloseHandle.WINHTTP(?,?,?,?,6BCC2194,?), ref: 6BCC443D
DeleteCriticalSection.KERNEL32(?,?,?,?,6BCC2194,?), ref: 6BCC444C
CloseHandle.KERNEL32(?,?,6BCC2194,?), ref: 6BCC445D
_free.LIBCMT ref: 6BCC4474
CoUninitialize.OLE32(?,6BCC2194,?), ref: 6BCC447A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CloseHandle$Http$CallbackCriticalDeleteSectionStatusUninitialize_free
String ID:
API String ID: 3862446683-0
Opcode ID: 2a38a3e74247460d36551d6e03e3a353919b141af07ab24131884ed95cc5ebe0
Instruction ID: c872d739174a388a57da9ec04241dd37ba8425852f0a09f3037f5b690a94344a
Opcode Fuzzy Hash: 2a38a3e74247460d36551d6e03e3a353919b141af07ab24131884ed95cc5ebe0
Instruction Fuzzy Hash: 27110AB25017429FDB209FB9C8CC897F7EDFF542547614C2EE1AAD3200D778E9848A21

Uniqueness

Uniqueness Score: -1.00%

Function 6BC849E4 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 231COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC849EB

Part of subcall function 6BC73A0D: __EH_prolog3.LIBCMT ref: 6BC73A14

__CxxThrowException@8.LIBCMT ref: 6BC84A52

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Part of subcall function 6BC795E1: __EH_prolog3.LIBCMT ref: 6BC795E8
Part of subcall function 6BC795E1: #8.OLEAUT32(?,0000002C,6BC84B72,?,?,?,00000000,?,6BC58108), ref: 6BC795FB
Part of subcall function 6BC795E1: #6.OLEAUT32(?,?,?,00000000,?,6BC58108), ref: 6BC7962E
Part of subcall function 6BC795E1: #9.OLEAUT32(00000008,?,?,?,?,?,?,?,?,?,?,?,00000000,?,6BC58108), ref: 6BC7964E

Strings

Language, xrefs: 6BC84A57
Text, xrefs: 6BC84AAD
Unable to find Language element for LangID="%d" in localized data, xrefs: 6BC84A2C
W, xrefs: 6BC84A4B
LocalizedText, xrefs: 6BC84B92

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
String ID: Language$LocalizedText$Text$Unable to find Language element for LangID="%d" in localized data$W
API String ID: 3417717588-1012890799
Opcode ID: 2bc6abeccd3326cf0b61b7f5ecf647d911b89d7af81a549d953b00661e831260
Instruction ID: d56619719e0ca6d85fb528be7f60dd60d7f15de11bc0cdfcb9576916825e0767
Opcode Fuzzy Hash: 2bc6abeccd3326cf0b61b7f5ecf647d911b89d7af81a549d953b00661e831260
Instruction Fuzzy Hash: AE916E71D11259EFCB01CFA8C885ADEBBB9AF49718F148189F414EB341E7799B01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAA8BE Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 188COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCAA8C5

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC7C58B: __EH_prolog3.LIBCMT ref: 6BC7C592
Part of subcall function 6BC7C58B: GetLastError.KERNEL32 ref: 6BC7C5C0

Part of subcall function 6BCB1303: __EH_prolog3.LIBCMT ref: 6BCB130A

Part of subcall function 6BC776F4: __EH_prolog3.LIBCMT ref: 6BC776FB
Part of subcall function 6BC776F4: GetModuleFileNameW.KERNEL32(00000000,00000010,00000104), ref: 6BC77759
Part of subcall function 6BC776F4: GetFileVersionInfoSizeW.KERNELBASE(00000010,?), ref: 6BC77772
Part of subcall function 6BC776F4: GetFileVersionInfoW.KERNELBASE(00000010,?,00000000,00000000), ref: 6BC7778D
Part of subcall function 6BC776F4: VerQueryValueW.VERSION(00000000,6BC6A9F4,?,?), ref: 6BC777A5

Part of subcall function 6BCB08B1: __EH_prolog3.LIBCMT ref: 6BCB08B8
Part of subcall function 6BCB08B1: GetLastError.KERNEL32 ref: 6BCB08D6

Part of subcall function 6BCB1209: __EH_prolog3.LIBCMT ref: 6BCB1210

Part of subcall function 6BCAAC54: __EH_prolog3.LIBCMT ref: 6BCAAC5B

Part of subcall function 6BC77F7B: __EH_prolog3.LIBCMT ref: 6BC77F82

Part of subcall function 6BCB05F4: __EH_prolog3.LIBCMT ref: 6BCB05FB
Part of subcall function 6BCB05F4: GetLastError.KERNEL32 ref: 6BCB0619

Strings

Failed to record Current Item Step, xrefs: 6BCAAAEA
Failed to record msi error message, xrefs: 6BCAAA93
Failed to record Package Version, xrefs: 6BCAA969
Failed to record CurrentFlag, xrefs: 6BCAAA3D
Failed to record PackageName, xrefs: 6BCAA903
Failed to record Application Version, xrefs: 6BCAA9C4

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$ErrorFileLast$InfoVersion$ModuleNameQuerySizeValue
String ID: Failed to record Application Version$Failed to record Current Item Step$Failed to record CurrentFlag$Failed to record Package Version$Failed to record PackageName$Failed to record msi error message
API String ID: 1277668817-952374492
Opcode ID: 8ee42d04921d774203c2ac021b580e2e867c3beb36b51d2f3705565998025b8d
Instruction ID: 2b4c9c441e67f1c498114d7738d4e57c391c111cfee6149a8f24d65630a5b7b8
Opcode Fuzzy Hash: 8ee42d04921d774203c2ac021b580e2e867c3beb36b51d2f3705565998025b8d
Instruction Fuzzy Hash: 187192B2810149AFDB10DFF8CD45FAF77B8AF45318F144618E561AB2C1EB78AB058B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9282A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 181COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC92831

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7845D: __EH_prolog3.LIBCMT ref: 6BC78464

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC92A18

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

Dll, xrefs: 6BC9283F
Name, xrefs: 6BC9288F
Version, xrefs: 6BC928D9
schema validation failure: wrong number of UI child nodes!, xrefs: 6BC9298B
ParameterInfo.xml, xrefs: 6BC92999

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
String ID: Dll$Name$ParameterInfo.xml$Version$schema validation failure: wrong number of UI child nodes!
API String ID: 3417717588-3832895198
Opcode ID: 04f8496e51b233fb3c53c63a24abfc1fe7e7b80dace36ea540e2f3c4bf94a9ae
Instruction ID: 68b5cd8522f0cb0e5a6699b8c8b717524bfd754842b5a8a85719c30984caa2b7
Opcode Fuzzy Hash: 04f8496e51b233fb3c53c63a24abfc1fe7e7b80dace36ea540e2f3c4bf94a9ae
Instruction Fuzzy Hash: 7C61527161024AEBDB14DFB8C945EAE7BB8AF09318F104158F555EB381EB78EB04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC86A17 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC86A1E

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

SystemDriveSize, xrefs: 6BC86A8C
InstalledProductSize, xrefs: 6BC86ADD
schema validation failure: Sum of SystemDriveSize and InstalledProductSize must be less than or equal to MaxULONGLONG., xrefs: 6BC86B84
Name, xrefs: 6BC86A2A
ParameterInfo.xml, xrefs: 6BC86B92

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: InstalledProductSize$Name$ParameterInfo.xml$SystemDriveSize$schema validation failure: Sum of SystemDriveSize and InstalledProductSize must be less than or equal to MaxULONGLONG.
API String ID: 431132790-3576396425
Opcode ID: 5332996d9084256299a7b420ef216a48a78d3192d6716820f4f2c44e40afb33f
Instruction ID: 2d3b9370bc993b404a403381349cbc8d394962c4ad6fc4973ba4093159a5fece
Opcode Fuzzy Hash: 5332996d9084256299a7b420ef216a48a78d3192d6716820f4f2c44e40afb33f
Instruction Fuzzy Hash: 4A6180B1520649DFDB10DFA8C885AAEBBB4AF08318F148558E555E7281E778EB04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC838B7 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 169COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC838BE

Part of subcall function 6BC78D64: __EH_prolog3.LIBCMT ref: 6BC78D6B

Part of subcall function 6BC83496: __EH_prolog3.LIBCMT ref: 6BC8349D

Strings

Retry, xrefs: 6BC83999, 6BC839CF
schema validation failure: More than 1 CustomError Mapping block defined., xrefs: 6BC838E7
Create CustomErrorRetry object, xrefs: 6BC839B2
Create CustomErrorMappingBase object, xrefs: 6BC83A67
The mapping element defined: , xrefs: 6BC83967
ParameterInfo.xml, xrefs: 6BC838F9

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Create CustomErrorMappingBase object$Create CustomErrorRetry object$ParameterInfo.xml$Retry$The mapping element defined: $schema validation failure: More than 1 CustomError Mapping block defined.
API String ID: 431132790-1753673958
Opcode ID: 826379932bb2080193c1630e09740f35d539c76f997ba889a58161118c38ec98
Instruction ID: cafd6eedf07634f53fc2795a898c59d8286ce4afd0aafb23a755b32e8950bd30
Opcode Fuzzy Hash: 826379932bb2080193c1630e09740f35d539c76f997ba889a58161118c38ec98
Instruction Fuzzy Hash: C1516071A201499BDF10DBF8C946BEEBBF8AF49318F104258E115E7291EB7C9B05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC75A6A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC75A71
#8.MSI(?,?,?,?,` WHERE ,?,00000000,?,` FROM `,?,SELECT `,00000014,6BC76D93,?,?,?), ref: 6BC75B3A
#8.MSI(00000000,?,?,6BC847DF,6BCAFAA0,?,6BCAFAA0,6BC6A78C,6BC6A78C,00000014,6BCB9BFD,00000000,?,?,?,?), ref: 6BC75BE4
#8.MSI(?,?,?,6BC847DF,6BCAFAA0,?,6BCAFAA0,6BC6A78C,6BC6A78C,00000014,6BCB9BFD,00000000,?,?,?,?), ref: 6BC75BFD

Strings

` FROM `, xrefs: 6BC75AB6
SELECT `, xrefs: 6BC75AA2
` WHERE , xrefs: 6BC75ADC

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: SELECT `$` FROM `$` WHERE
API String ID: 431132790-1231751523
Opcode ID: f59bd93942b78ccfcd233c7f384e9ae1cf2775b13d323713588be3c0e60e7997
Instruction ID: 946756ba7cd4d39995de259cc764756971fccbf9d723a070e0e3a067e86918ba
Opcode Fuzzy Hash: f59bd93942b78ccfcd233c7f384e9ae1cf2775b13d323713588be3c0e60e7997
Instruction Fuzzy Hash: 63518172910119AFCF11DFB4CC89AAE7BB5EF09324F148254F525AB281EB78DB01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9C3FE Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC9C405
#118.MSI(?,00000001,00000010,00000000,?,?,?,00000018,6BC9BD17,?), ref: 6BC9C49F

Strings

FilesInUse, xrefs: 6BC9C583
INSTALLMESSAGE_FILESINUSE, xrefs: 6BC9C51B
User response to File In Use dialog, xrefs: 6BC9C506
Rollback, xrefs: 6BC9C4BC
IronMan::MsiExternalUiHandler::UiHandlerRecord, xrefs: 6BC9C529

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: #118H_prolog3
String ID: FilesInUse$INSTALLMESSAGE_FILESINUSE$IronMan::MsiExternalUiHandler::UiHandlerRecord$Rollback$User response to File In Use dialog
API String ID: 3812083994-4129176870
Opcode ID: a65cde272036ca5af97f1456c2421e9b803073d4049f922212687422c8b93e3c
Instruction ID: 78a49a8f4ece1ce8e491349b618a9828d0cc2c1bcb2b636893775546690cc5e8
Opcode Fuzzy Hash: a65cde272036ca5af97f1456c2421e9b803073d4049f922212687422c8b93e3c
Instruction Fuzzy Hash: 365180B1920109DBEF00EFB8D885BAF7B78BF05318F104655E510A7281E778DB55CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC38A4 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 132windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Part of subcall function 6BCA8A35: __EH_prolog3.LIBCMT ref: 6BCA8A3C

Part of subcall function 6BC7397D: __EH_prolog3.LIBCMT ref: 6BC73984

Part of subcall function 6BCBB172: __EH_prolog3.LIBCMT ref: 6BCBB179
Part of subcall function 6BCBB172: EnterCriticalSection.KERNEL32(00000001,00000014,6BCBFB33,00000000,00000002,00000007,00000000,6BCAFAA0,.tmp,?,00000000,00000000,00000018,6BCBF721,?), ref: 6BCBB185
Part of subcall function 6BCBB172: LeaveCriticalSection.KERNEL32(00000000,-00000960,?,-00000960,00000000,-00000960,?,00000001,00000001), ref: 6BCBB222

Part of subcall function 6BCC5387: __EH_prolog3.LIBCMT ref: 6BCC538E

TranslateMessage.USER32(?), ref: 6BCC39CA
DispatchMessageW.USER32(?), ref: 6BCC39D5
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6BCC39E5

Strings

using BITS , xrefs: 6BCC38F1
Downloading , xrefs: 6BCC391D
complete, xrefs: 6BCC38D8
Action, xrefs: 6BCC394E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Message$CriticalSection$DispatchEnterLeaveTranslate
String ID: complete$ using BITS $Action$Downloading
API String ID: 1364335139-2023831673
Opcode ID: ed08b01f624f1738f6edf17e0842b529e60d187a4656fa209423f079ac37be76
Instruction ID: 542db8c08ce89a091e15d4c7c68f6bb3363c9c5ce34203b4e8138d9e44af06ea
Opcode Fuzzy Hash: ed08b01f624f1738f6edf17e0842b529e60d187a4656fa209423f079ac37be76
Instruction Fuzzy Hash: 625191721283419FC310DFB8C885E5BB7E8FF99318F000A19F5A597281E778EA45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB8908 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115synchronizationprocessCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BCB8934
swprintf.LIBCMT ref: 6BCB896F
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,04000020,00000000,00000000,?,?), ref: 6BCB899F
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6BCB8A12
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6BCB8A33
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6BCB8A4A

Strings

"%s" -x -s %u, xrefs: 6BCB8953

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: MutexRelease$CreateEventProcess_memsetswprintf
String ID: "%s" -x -s %u
API String ID: 1473316640-3953405307
Opcode ID: 77d2349026f0dc45eb5c92941f593a444ce52757e1a187865fb3e6485697609b
Instruction ID: c8a420e5b504d48f391f781fa480b5c3912110af758beafce0b825e739b097ec
Opcode Fuzzy Hash: 77d2349026f0dc45eb5c92941f593a444ce52757e1a187865fb3e6485697609b
Instruction Fuzzy Hash: C54130B1710214AFDB208F55CC89F8EBBB9FF89704F4045E9F25AA61A1D7759A44CF08

Uniqueness

Uniqueness Score: -1.00%

Function 6BC86E88 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC86E8F

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA83C3: __wcsicoll.LIBCMT ref: 6BCA83E1

__CxxThrowException@8.LIBCMT ref: 6BC86FC8

Strings

false, xrefs: 6BC86EF5
schema validation failure: invalid IgnoreDownloadFailure attribute value, xrefs: 6BC86F3B
true, xrefs: 6BC86EE3
ParameterInfo.xml, xrefs: 6BC86F49
IgnoreDownloadFailure, xrefs: 6BC86E98

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw__wcsicoll
String ID: IgnoreDownloadFailure$ParameterInfo.xml$false$schema validation failure: invalid IgnoreDownloadFailure attribute value$true
API String ID: 3031948457-1650268905
Opcode ID: aae54e8a9eaee9ffcec42c862f92c93a4abd1fb9dc1e11fd40cfb798688b0bfc
Instruction ID: 84b01bf4f8f7d076447a76f69bfba347fbfec2ec6f02a52d18c4fced15613e02
Opcode Fuzzy Hash: aae54e8a9eaee9ffcec42c862f92c93a4abd1fb9dc1e11fd40cfb798688b0bfc
Instruction Fuzzy Hash: 71417EB2920149EBDB00DBB8C845FAE7BB4AF19318F1481A8F155E7281EB789B45C735

Uniqueness

Uniqueness Score: -1.00%

Function 6BC87B3F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 108COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC87B46
_wcspbrk.LIBCMT ref: 6BC87B9A
_wcsrchr.LIBCMT ref: 6BC87C03

Strings

*?\, xrefs: 6BC87B94
LogFileHint [%s] is invalid. Log File hint extension is required., xrefs: 6BC87C47
LogFileHint [%s] is invalid. First character must not be '*', '?' or '\'., xrefs: 6BC87BC9
LogFileHint [%s] is invalid. Too few characters passed in., xrefs: 6BC87B71

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3_wcspbrk_wcsrchr
String ID: *?\$LogFileHint [%s] is invalid. First character must not be '*', '?' or '\'.$LogFileHint [%s] is invalid. Log File hint extension is required.$LogFileHint [%s] is invalid. Too few characters passed in.
API String ID: 2981567969-3369350866
Opcode ID: 39331ada87911722715d79a0e167f73a78e3eb992e7631751ec6cfc8f90235a9
Instruction ID: 53fdab759e50ebf6829d7c405ec24c0f8660fdf6e6b2a7898d2383c71b631d5c
Opcode Fuzzy Hash: 39331ada87911722715d79a0e167f73a78e3eb992e7631751ec6cfc8f90235a9
Instruction Fuzzy Hash: AB315F31A301069BDF10DFA8C845A6EBBB6BF42318B14485DE050AB251FB78AB159B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC93E62 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC93E69

Part of subcall function 6BCCC121: __getptd_noexit.LIBCMT ref: 6BCCC126

_wcstoul.LIBCMT ref: 6BC93EFB
__get_errno.LIBCMT ref: 6BC93F0D

Part of subcall function 6BCC8FCA: _memcpy_s.LIBCMT ref: 6BCC9010

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC93F79

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

", xrefs: 6BC93F15
Invalid SetupVersion specified, xrefs: 6BC93E92
ParameterInfo.xml, xrefs: 6BC93EA3

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser__get_errno__getptd_noexit_memcpy_s_wcstoul
String ID: "$Invalid SetupVersion specified$ParameterInfo.xml
API String ID: 4025250812-3008374587
Opcode ID: a25e83b808353347fd4cac026ae5db98360ea21aaf5a8289b19916987fa9980f
Instruction ID: c8afac9b135da2b5cd8be446401e4c5ce1812ecdb97b3f47524fac80993239b9
Opcode Fuzzy Hash: a25e83b808353347fd4cac026ae5db98360ea21aaf5a8289b19916987fa9980f
Instruction Fuzzy Hash: 793183729202099BDF10EFF8D8819EFB7B8AF54318F104569E129E7180FB789B45C761

Uniqueness

Uniqueness Score: -1.00%

Function 6BC93934 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC9393B
__CxxThrowException@8.LIBCMT ref: 6BC93AEE

Strings

RegKeyHint, xrefs: 6BC9386F
Bad product drive hint type!, xrefs: 6BC9389C
No product drive hints found!, xrefs: 6BC93A61
ComponentHint, xrefs: 6BC93826
ParameterInfo.xml, xrefs: 6BC938AA, 6BC93A6F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: Bad product drive hint type!$ComponentHint$No product drive hints found!$ParameterInfo.xml$RegKeyHint
API String ID: 3670251406-217397854
Opcode ID: 9392d0c6aedab16d195dda4f74052c1f5e56c771eecfb260d6aafe3b0cce87d3
Instruction ID: 0c63bf3a0c4b0a8243d8193ce2a6e39e9e7955e76d0bf757adbdf6ee3308a0a0
Opcode Fuzzy Hash: 9392d0c6aedab16d195dda4f74052c1f5e56c771eecfb260d6aafe3b0cce87d3
Instruction Fuzzy Hash: 5D317071910249EFCB00DFE8C885EDEBBB4BF59308F108569E129EB241E7789B45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBAF43 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 71libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBAF4A
GetProcAddress.KERNEL32(00000004,CreateClassFactory), ref: 6BCBAF5A
GetLastError.KERNEL32 ref: 6BCBAF68

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA813B: __EH_prolog3.LIBCMT ref: 6BCA8142

Part of subcall function 6BCA89DF: __EH_prolog3.LIBCMT ref: 6BCA89E6

Part of subcall function 6BCAFF5C: _wcsnlen.LIBCMT ref: 6BCAFF8F
Part of subcall function 6BCAFF5C: _memcpy_s.LIBCMT ref: 6BCAFFC5

Part of subcall function 6BC78834: __EH_prolog3.LIBCMT ref: 6BC7883B

__CxxThrowException@8.LIBCMT ref: 6BCBB01F

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

CreateClassFactory, xrefs: 6BCBAF51, 6BCBAF56, 6BCBAF93
in , xrefs: 6BCBAF83
GetProcAddress looking for , xrefs: 6BCBAF71

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$AddressDispatcherErrorExceptionException@8LastProcThrowUser_memcpy_s_wcsnlen
String ID: in $CreateClassFactory$GetProcAddress looking for
API String ID: 3164256213-3602099363
Opcode ID: 9e52cae40fb53051b51f71060d48a02111157f0789381317b92cd8aef4c897d8
Instruction ID: a344a1680db7ef3f0f5da43e585515426c20116942621b2a75b45d61cc6455eb
Opcode Fuzzy Hash: 9e52cae40fb53051b51f71060d48a02111157f0789381317b92cd8aef4c897d8
Instruction Fuzzy Hash: A6210772920149ABCF01DBF8CD86EEEBBB8AF19318F144155E214E7281EB789B058735

Uniqueness

Uniqueness Score: -1.00%

Function 6BC98C5F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,STATIC,00000000,0000000E,80000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 6BC98CA7

Part of subcall function 6BCC8570: GetWindowLongW.USER32(?,000000F0), ref: 6BCC8596
Part of subcall function 6BCC8570: GetParent.USER32(?), ref: 6BCC85A8
Part of subcall function 6BCC8570: GetWindowRect.USER32(?,?), ref: 6BCC85C2
Part of subcall function 6BCC8570: GetWindowLongW.USER32(00000000,000000F0), ref: 6BCC85D8
Part of subcall function 6BCC8570: MonitorFromWindow.USER32(?,00000002), ref: 6BCC85F7

GetWindowLongW.USER32(?,000000F0), ref: 6BC98CBC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6BC98CCC
LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000010), ref: 6BC98CD9

Part of subcall function 6BCABAB3: SendMessageW.USER32(?,00000172,00000000,?), ref: 6BCABAC4

GetDesktopWindow.USER32 ref: 6BC98CEB

Part of subcall function 6BCC8570: GetWindow.USER32(?,00000004), ref: 6BCC85B4
Part of subcall function 6BCC8570: GetMonitorInfoW.USER32(00000000,?), ref: 6BCC8614
Part of subcall function 6BCC8570: SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 6BCC86E4

ShowWindow.USER32(?,00000001), ref: 6BC98CFE

Strings

STATIC, xrefs: 6BC98C8E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Window$Long$Monitor$CreateDesktopFromImageInfoLoadMessageParentRectSendShow
String ID: STATIC
API String ID: 4041997823-1882779555
Opcode ID: ac897c9b91cb70b68739e4688700dff77d2a5dfd75c3e86cede6a86ceeed0ac5
Instruction ID: 55e22a16af4fd99ec6e32433ac43c3c0e8a6719a86de18710aa5375e02c802a6
Opcode Fuzzy Hash: ac897c9b91cb70b68739e4688700dff77d2a5dfd75c3e86cede6a86ceeed0ac5
Instruction Fuzzy Hash: B21154715152216FDB109F298C0DE9B7FF9EF8A360F100619B519E2190EB759E11C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC74D12 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC74D19

Part of subcall function 6BCA813B: __EH_prolog3.LIBCMT ref: 6BCA8142

Strings

Installing, xrefs: 6BC74D77
Uninstalling, xrefs: 6BC74D6E
Error, xrefs: 6BC74D29
Creating Layout, xrefs: 6BC74D5C
Repairing, xrefs: 6BC74D65
Uninstalling Patch, xrefs: 6BC74D53

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Creating Layout$Error$Installing$Repairing$Uninstalling$Uninstalling Patch
API String ID: 431132790-1745000867
Opcode ID: f3972b236c598ae1f1d953ee01941de49c08867a951325ba84659ff5f714c5e1
Instruction ID: ad5fe043fac2219ddbb816027385d49ed971fafcae78eb5200aad40e93f886bc
Opcode Fuzzy Hash: f3972b236c598ae1f1d953ee01941de49c08867a951325ba84659ff5f714c5e1
Instruction Fuzzy Hash: 11F0AF326B860DA6FB32ABB4CC41F7D6231B7B5756F004151F250AA1C0F7BC87649229

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9B8C3 Relevance: 10.7, APIs: 7, Instructions: 182COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC9B8CA
#115.MSI(?,?,00000000,?,00000018,6BC9BD17,?), ref: 6BC9B900
#118.MSI(?,00000000,?,?,?,00000000,?,00000018,6BC9BD17,?), ref: 6BC9B936
#118.MSI(?,00000000,00000000,00000000,00000000,?,00000000,?,00000018,6BC9BD17,?), ref: 6BC9B968

Part of subcall function 6BCC8E28: _wcsnlen.LIBCMT ref: 6BCC8E38

__recalloc.LIBCMT ref: 6BC9BA2B
_free.LIBCMT ref: 6BC9BAA8
#137.MSI(00000000,00000000,00000000,?,?,?,6BC53E98,?,00000000,?,00000018,6BC9BD17,?), ref: 6BC9BAE4

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Part of subcall function 6BCAFF5C: _wcsnlen.LIBCMT ref: 6BCAFF8F
Part of subcall function 6BCAFF5C: _memcpy_s.LIBCMT ref: 6BCAFFC5

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: #118H_prolog3_wcsnlen$#115#137__recalloc_free_memcpy_s
String ID:
API String ID: 3464579499-0
Opcode ID: 2c7b93d85eb88b37184c54ca2b5e1714aee3f5aed4c6bd9758d34a77f149dabf
Instruction ID: df30546f78334a9ab83f40002f0cad3ff0afc65330418ad9d49718bb29f11ce8
Opcode Fuzzy Hash: 2c7b93d85eb88b37184c54ca2b5e1714aee3f5aed4c6bd9758d34a77f149dabf
Instruction Fuzzy Hash: 79716871D2021AEFDF05DFA4D881AAEBBB6FF05314F104069E514BB250EB34AB46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BC95835 Relevance: 10.7, APIs: 7, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC9583C

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

PathGetDriveNumberW.SHLWAPI(?,?,?,?,?,00000018,6BC95F95,?,?,?,?,?,6BC6AB1C,?,6BC6AB1C,?), ref: 6BC95869
PathGetDriveNumberW.SHLWAPI(?,?,?,?,00000018,6BC95F95,?,?,?,?,?,6BC6AB1C,?,6BC6AB1C,?,6BC6AB1C), ref: 6BC95871
PathGetDriveNumberW.SHLWAPI(?,?,?,?,?,?,?,?,?,00000018,6BC95F95,?,?,?,?,?), ref: 6BC958BA
PathGetDriveNumberW.SHLWAPI(?,?,?,?,00000018,6BC95F95,?,?,?,?,?,6BC6AB1C,?,6BC6AB1C,?,6BC6AB1C), ref: 6BC958C2
PathGetDriveNumberW.SHLWAPI(?,?,?,?,?,?,?,?,?,00000018,6BC95F95,?,?,?,?,?), ref: 6BC95908
PathGetDriveNumberW.SHLWAPI(?,?,?,?,?,?,00000018,6BC95F95,?,?,?,?,?,6BC6AB1C,?,6BC6AB1C), ref: 6BC95910

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: DriveNumberPath$H_prolog3
String ID:
API String ID: 2285536258-0
Opcode ID: ae1576d68bae5a1d6fc3837616b331764274d4e343ad6ba47d73f110b6f9677c
Instruction ID: 37e94c00ead06e90089e9e18ee5f71006d0ea112ae255903639d02a4079f81d4
Opcode Fuzzy Hash: ae1576d68bae5a1d6fc3837616b331764274d4e343ad6ba47d73f110b6f9677c
Instruction Fuzzy Hash: 42811875910649DFCF04DFA9C48099DFBB1BF08328B18C29AE868AB361D735EA51CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA5839 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BCA589E
GetCurrentProcess.KERNEL32(?,00120411,00000001,00000000,?,?,6BCFEE70), ref: 6BCA5930
GetCurrentProcess.KERNEL32(00000000,?,?,6BCFEE70), ref: 6BCA5933
GetCurrentProcess.KERNEL32(00000000,?,?,6BCFEE70), ref: 6BCA5936
DuplicateHandle.KERNEL32(00000000,?,?,6BCFEE70), ref: 6BCA5939

Strings

VSSetup, xrefs: 6BCA58FF

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandle_memset
String ID: VSSetup
API String ID: 2604347766-1972238211
Opcode ID: 1e89e8787d3f635605dc584ca1c9f3920f86cb46039fa37b4b19b26ceff9550e
Instruction ID: 92fab15ec98dd4488efe22af65602bd58b6fbbd9f4d33a32e8470015abf0826a
Opcode Fuzzy Hash: 1e89e8787d3f635605dc584ca1c9f3920f86cb46039fa37b4b19b26ceff9550e
Instruction Fuzzy Hash: 71611B71A101199FEB20DF68CC85EAAB7F9FF49304F0484DAE589A7240DB759E81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB332D Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB3334

Part of subcall function 6BCA83C3: __wcsicoll.LIBCMT ref: 6BCA83E1

__CxxThrowException@8.LIBCMT ref: 6BCB3484

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

Invalid UserExperienceDataCollection's child element: %s, xrefs: 6BCB3426
PatchType, xrefs: 6BCB3391
Type, xrefs: 6BCB33A7
ParameterInfo.xml, xrefs: 6BCB343F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw__wcsicoll
String ID: Invalid UserExperienceDataCollection's child element: %s$ParameterInfo.xml$PatchType$Type
API String ID: 3031948457-2953714570
Opcode ID: 159c048f21dd81fcf0184a4981a0b19c027cfbd9a8fa91c5bb61a833d3237691
Instruction ID: 824ad28486653d1a227922e9c02b1054de0dec788c85c75557fad79d50ec07a0
Opcode Fuzzy Hash: 159c048f21dd81fcf0184a4981a0b19c027cfbd9a8fa91c5bb61a833d3237691
Instruction Fuzzy Hash: 9A51BEB1970209EBCB10DFF9C885DAE7BA8AF46744F404156F514A7241F73C8B89CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7B926 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7B92D

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC7BA61

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

BlockingMutex, xrefs: 6BC7B9A2
BlockingMutex Name attribute should not be empty and cannot contain '\'., xrefs: 6BC7B9FF
Name, xrefs: 6BC7B93C
ParameterInfo.xml, xrefs: 6BC7BA0D

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
String ID: BlockingMutex$BlockingMutex Name attribute should not be empty and cannot contain '\'.$Name$ParameterInfo.xml
API String ID: 3417717588-1122533197
Opcode ID: 27fae7e4d705ac57b9c4041a0abb7095eddfda08f156f23fbf0770bccfa651b8
Instruction ID: dab437a86fb863ac71e9429524ac57344eba9650973950dcceed790a4e889727
Opcode Fuzzy Hash: 27fae7e4d705ac57b9c4041a0abb7095eddfda08f156f23fbf0770bccfa651b8
Instruction Fuzzy Hash: 2541617152024AEBCB14DFB8C845F9E77B4AF09318F148158F525A7281EB78EB04CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD6C45 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

PMDtoOffset.LIBCMT ref: 6BCD6D19
std::bad_exception::bad_exception.LIBCMT ref: 6BCD6D43
__CxxThrowException@8.LIBCMT ref: 6BCD6D51

Strings

Bad dynamic_cast!, xrefs: 6BCD6D3B

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8OffsetThrowstd::bad_exception::bad_exception
String ID: Bad dynamic_cast!
API String ID: 1176828985-2956939130
Opcode ID: 69e53ec58e8e749628dd68ba3041dea784e176e3cb5fe5d1800aec633c266263
Instruction ID: dd8aed4941a7dc130f35dc28e655235620491f4170da77018b93eace8554ade8
Opcode Fuzzy Hash: 69e53ec58e8e749628dd68ba3041dea784e176e3cb5fe5d1800aec633c266263
Instruction Fuzzy Hash: DB319D79E21A159FCB04CFA8C881A9E77B0FF49315B1044A9EA51E7250F73CEA01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC84DD6 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC84DDD

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Part of subcall function 6BCA8A35: __EH_prolog3.LIBCMT ref: 6BCA8A3C

Part of subcall function 6BCA89DF: __EH_prolog3.LIBCMT ref: 6BCA89E6

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7845D: __EH_prolog3.LIBCMT ref: 6BC78464

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC84EEA

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

" for Text element in , xrefs: 6BC84E23
Found duplicate ID attribute ", xrefs: 6BC84E0E
\LocalizedData.xml. Duplicates not allowed., xrefs: 6BC84E4A
ParameterInfo.xml, xrefs: 6BC84DFE

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
String ID: " for Text element in $Found duplicate ID attribute "$ParameterInfo.xml$\LocalizedData.xml. Duplicates not allowed.
API String ID: 3417717588-3340550128
Opcode ID: c3275865f102e787fa3e0e60ac5c5d805749b368bfabc667451770a544cc1bcd
Instruction ID: c3df85e476224e3fdac82f3ac5ff38b77b7add35ae101569acd7a9a105d8b1c4
Opcode Fuzzy Hash: c3275865f102e787fa3e0e60ac5c5d805749b368bfabc667451770a544cc1bcd
Instruction Fuzzy Hash: B9413072520149ABCB01DBF8C846FEE77A8AF19318F144355F124E72C1EB789B158776

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9BB49 Relevance: 10.6, APIs: 7, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC9BB50

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC9BAF0: __EH_prolog3.LIBCMT ref: 6BC9BAF7

Part of subcall function 6BC992D0: __EH_prolog3.LIBCMT ref: 6BC992D7

_free.LIBCMT ref: 6BC9BBC0

Part of subcall function 6BCCC1AE: HeapFree.KERNEL32(00000000,00000000,?,6BCCD75D,00000000,?,6BCA80D8,6BCCC0CE,6BCCC3DC,00000000), ref: 6BCCC1C4
Part of subcall function 6BCCC1AE: GetLastError.KERNEL32(00000000,?,6BCCD75D,00000000,?,6BCA80D8,6BCCC0CE,6BCCC3DC,00000000), ref: 6BCCC1D6

#141.MSI(00000003,00000000,?,00000000,?,?,6BC6AB1C,?,6BC6AB1C,00000024,6BCABE09,?,?,?,?,?), ref: 6BC9BBF8
GetCommandLineW.KERNEL32(?,00000000,?,?,6BC6AB1C,?,6BC6AB1C,00000024,6BCABE09,?,?,?,?,?,?,?), ref: 6BC9BC00
#141.MSI(00000102,00000000,?,00000000,?,?), ref: 6BC9BC32
#281.MSI(Function_0004BD03,00000922,?,00000000,?,?), ref: 6BC9BC40
#137.MSI(Function_0004BCE5,00007FDF,?,?,?), ref: 6BC9BC51

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$#141$#137#281CommandErrorFreeHeapLastLine_free
String ID:
API String ID: 2896052883-0
Opcode ID: 2dec2915461954e985074450e36cc2514e97e616a8d1a05907fc94f0682d8995
Instruction ID: a198acf57101d528ff474a006aed1c1191ba03e66bd27488de42decd0a9cff66
Opcode Fuzzy Hash: 2dec2915461954e985074450e36cc2514e97e616a8d1a05907fc94f0682d8995
Instruction Fuzzy Hash: 70316071411788EFEB20DF69D885A8BBBF8BF09304F00841DE59A97651E778E744CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB09BB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB09C2
GetCommandLineW.KERNEL32(00000030,6BCAA2BF,?,6BC6A78C,?,-00000960,?,00000000,?,Failed to record current state name), ref: 6BCB09CD

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

GetCommandLineW.KERNEL32(?,00000000), ref: 6BCB09DD

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC73A76: __EH_prolog3.LIBCMT ref: 6BC73A7D

GetCommandLineW.KERNEL32(?,ChainingPackage,00000000,00000738,00000000), ref: 6BCB0A21

Part of subcall function 6BC73CEF: __EH_prolog3.LIBCMT ref: 6BC73CF6

Part of subcall function 6BC7C58B: __EH_prolog3.LIBCMT ref: 6BC7C592
Part of subcall function 6BC7C58B: GetLastError.KERNEL32 ref: 6BC7C5C0

Part of subcall function 6BCB1303: __EH_prolog3.LIBCMT ref: 6BCB130A

Strings

ChainingPackage, xrefs: 6BCB09F3, 6BCB09F8, 6BCB0A30
Failed to record Operation UI Mode, xrefs: 6BCB0A69

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine$ErrorLast
String ID: ChainingPackage$Failed to record Operation UI Mode
API String ID: 1326720558-3597460744
Opcode ID: 6fee8ca71d0ac35ca65f5d79dedff1237244c0da45169dbf606b1b3a0cc1c262
Instruction ID: e5c765d5553d74cbd8cd88e637919ec2126b2bfcd68bcb52dce7b7fe1807eb70
Opcode Fuzzy Hash: 6fee8ca71d0ac35ca65f5d79dedff1237244c0da45169dbf606b1b3a0cc1c262
Instruction Fuzzy Hash: 80217EB2820189ABCB11EBF8C846FDF7BBC9F55318F144155E610B7281EB789B05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC529F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BCC52F4
_memset.LIBCMT ref: 6BCC530B
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?), ref: 6BCC531F
GetTempFileNameW.KERNEL32(?,bch,00000000,?,?,?,?,?,?,?), ref: 6BCC533A

Strings

bch, xrefs: 6BCC532E
http://www.microsoft.com, xrefs: 6BCC534F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Temp_memset$FileNamePath
String ID: bch$http://www.microsoft.com
API String ID: 1350388415-1062877558
Opcode ID: a4f48bccd3933fffbe30b92f0235843b4a12cc72e88f4e756b2ff6a857c69c8c
Instruction ID: d40483c83dc9962dc2721309faa209ca17f22ac2dced3918f079a1294ff31f34
Opcode Fuzzy Hash: a4f48bccd3933fffbe30b92f0235843b4a12cc72e88f4e756b2ff6a857c69c8c
Instruction Fuzzy Hash: B02141707102199FDB10DF68CC49E9B77FCAF58704F104899A646D3241E738EB818B65

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9E3AD Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC9E3B4
GetLastError.KERNEL32(?,00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,6BC9E843), ref: 6BC9E3DE

Part of subcall function 6BC753AA: __EH_prolog3.LIBCMT ref: 6BC753B1
Part of subcall function 6BC753AA: OutputDebugStringW.KERNEL32(?,?,?,00000008,6BCA6106,000013EC,?,00000000,?,?,ReportingFlags,?,-0000000D,?,?,6BC54A4C), ref: 6BC753D2

GetLastError.KERNEL32(00000000,00000000,?,00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,6BC9E843), ref: 6BC9E3F4
#6.OLEAUT32(00000000), ref: 6BC9E416

Strings

WU Service: %s succeeded, xrefs: 6BC9E426
WU Service: Trying to %s function %s failed with error: %u, xrefs: 6BC9E401

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last$DebugOutputString
String ID: WU Service: %s succeeded$WU Service: Trying to %s function %s failed with error: %u
API String ID: 1162381382-1251908523
Opcode ID: fa514f6eb2883e017c191b12f464622251249096ce5cc1ac360bedaa892c3ee0
Instruction ID: 57e17784550e3051e991be28a0b1285cc9290d9fb93be4c59a2a83ebdb180822
Opcode Fuzzy Hash: fa514f6eb2883e017c191b12f464622251249096ce5cc1ac360bedaa892c3ee0
Instruction Fuzzy Hash: 78211975520106DFEF00DFA4C849FAEBBB5FF15314F1484A8E414AB261EB39EA14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7A2D5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7A2DC

Part of subcall function 6BCA83C3: __wcsicoll.LIBCMT ref: 6BCA83E1

__CxxThrowException@8.LIBCMT ref: 6BC7A38D

Strings

false, xrefs: 6BC7A31A
true, xrefs: 6BC7A307
schema validation failure: invalid value authored for: , xrefs: 6BC7A339
ParameterInfo.xml, xrefs: 6BC7A329

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw__wcsicoll
String ID: ParameterInfo.xml$false$schema validation failure: invalid value authored for: $true
API String ID: 1238845444-3295494506
Opcode ID: 3fc352d0552fad783bbfaf4e1b453436a805ad61eb4101f11c4950f67b91388d
Instruction ID: cd0ab4a4df51c266535372bfa1f209b98efdfb92e6a9993009d0cfe719c1ea33
Opcode Fuzzy Hash: 3fc352d0552fad783bbfaf4e1b453436a805ad61eb4101f11c4950f67b91388d
Instruction Fuzzy Hash: 2A11BE72920149ABCB01EFB8C841EDE77A86F16318F048165F664A7240FB7CDB458775

Uniqueness

Uniqueness Score: -1.00%

Function 6BC95B4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 6BC95B66
GetLastError.KERNEL32 ref: 6BC95B6E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6BC95B8F
ResetEvent.KERNEL32(00000000), ref: 6BC95B96
CloseHandle.KERNEL32(00000000), ref: 6BC95BC5

Strings

Launching Install operation. Download operation is completed., xrefs: 6BC95BA1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Event$CloseCreateErrorHandleLastObjectResetSingleWait
String ID: Launching Install operation. Download operation is completed.
API String ID: 1135383174-2441870237
Opcode ID: 346a6ce92d6050662212eb403315c4f83bcfafa87190b5e7933756a8be8c403c
Instruction ID: ab64bd6f8c5bff0345ac345c18b5d1d92c1da656bd285f86387244d5171e6ad3
Opcode Fuzzy Hash: 346a6ce92d6050662212eb403315c4f83bcfafa87190b5e7933756a8be8c403c
Instruction Fuzzy Hash: 73116175540305EFDB00DF68C989FAE7BB5EB86711F104548FA15A7280E7749641CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6BCABB42 Relevance: 9.1, APIs: 6, Instructions: 90windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,00000064,000004FF), ref: 6BCABB5C
GetTickCount.KERNEL32 ref: 6BCABB6C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6BCABBED
TranslateMessage.USER32(?), ref: 6BCABBFB
DispatchMessageW.USER32(?), ref: 6BCABC05
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6BCABC14

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Message$Peek$CountDispatchMultipleObjectsTickTranslateWait
String ID:
API String ID: 732506675-0
Opcode ID: 0b2a9814376a84be30b93d262a6198996c61193222aed80763e951fc96abfcc7
Instruction ID: 8b18db39f74782963bbf13614eadc05220bf8a9bfcd3d223d68483417f107665
Opcode Fuzzy Hash: 0b2a9814376a84be30b93d262a6198996c61193222aed80763e951fc96abfcc7
Instruction Fuzzy Hash: F03105B2D00709ABDB109FB5C988C9A7BFCFF49715F104955E142A2190FB35EA94CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9CEDD Relevance: 9.1, APIs: 6, Instructions: 55synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,6BC9DBA0), ref: 6BC9CEFC
WaitForSingleObject.KERNEL32(?,000000FF,?,?,6BC9DBA0), ref: 6BC9CF07
CloseHandle.KERNEL32(?,?,?,6BC9DBA0), ref: 6BC9CF10
CloseHandle.KERNEL32(?,?,?,6BC9DBA0), ref: 6BC9CF1D
CloseHandle.KERNEL32(?,?,?,6BC9DBA0), ref: 6BC9CF2A
CloseHandle.KERNEL32(?,?,?,6BC9DBA0), ref: 6BC9CF37

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CloseHandle$EventObjectSingleWait
String ID:
API String ID: 2857295742-0
Opcode ID: 053788e250e4e04a7193d17b3fa1f6d9aeef23265d7448d2cc3e359d1ade376e
Instruction ID: a514e22de1eef171eb63662765c4dfb93fd9e0b6e59fa0010293e17888ef670b
Opcode Fuzzy Hash: 053788e250e4e04a7193d17b3fa1f6d9aeef23265d7448d2cc3e359d1ade376e
Instruction Fuzzy Hash: 9C118E725157409BDB30AFAAE9C4817F7F9BF543103A00E6EE1A6C3A50D738FA488E10

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD791C Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6BCD7944

Part of subcall function 6BCD7091: __getptd.LIBCMT ref: 6BCD709F
Part of subcall function 6BCD7091: __getptd.LIBCMT ref: 6BCD70AD

__getptd.LIBCMT ref: 6BCD794E

Part of subcall function 6BCCD771: __getptd_noexit.LIBCMT ref: 6BCCD774
Part of subcall function 6BCCD771: __amsg_exit.LIBCMT ref: 6BCCD781

__getptd.LIBCMT ref: 6BCD795C
__getptd.LIBCMT ref: 6BCD796A
__getptd.LIBCMT ref: 6BCD7975
_CallCatchBlock2.LIBCMT ref: 6BCD799B

Part of subcall function 6BCD7145: __CallSettingFrame@12.LIBCMT ref: 6BCD7191

Part of subcall function 6BCD7A42: __getptd.LIBCMT ref: 6BCD7A51
Part of subcall function 6BCD7A42: __getptd.LIBCMT ref: 6BCD7A5F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: f0c8059c89713eaa046ddc3fa026b8b88399e495c99780d498ce646afbe66f10
Instruction ID: 043ca600bd586e9f410c4a60fc2e4b16aed4802b60c1ab314e14c002848f387d
Opcode Fuzzy Hash: f0c8059c89713eaa046ddc3fa026b8b88399e495c99780d498ce646afbe66f10
Instruction Fuzzy Hash: DD1119B9D60209DFDB00DFB4C446AAE7BB0FF08318F21846AE814A7250EB389A11DF51

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD1ACA Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6BCD1AD6

Part of subcall function 6BCCD771: __getptd_noexit.LIBCMT ref: 6BCCD774
Part of subcall function 6BCCD771: __amsg_exit.LIBCMT ref: 6BCCD781

__amsg_exit.LIBCMT ref: 6BCD1AF6
__lock.LIBCMT ref: 6BCD1B06
InterlockedDecrement.KERNEL32(?), ref: 6BCD1B23
_free.LIBCMT ref: 6BCD1B36
InterlockedIncrement.KERNEL32(024D17A0), ref: 6BCD1B4E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 3ed73e5307673c14d572e5069c6d3e0f2c3858bb6c9a3ad4c0ec0002197301c9
Instruction ID: 8ecfd60d43061d7294ceb383b90e099f1019decefe737e948fbbecda65b890af
Opcode Fuzzy Hash: 3ed73e5307673c14d572e5069c6d3e0f2c3858bb6c9a3ad4c0ec0002197301c9
Instruction Fuzzy Hash: 74010479D7263AABDB009FA8D40575A77B0BF01F11F010186E910A7181F73CAB51CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC6BE2 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 196COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCC6BE9
GetLastError.KERNEL32 ref: 6BCC6C31

Part of subcall function 6BC774C1: __EH_prolog3.LIBCMT ref: 6BC774C8

Strings

Error writing to local file: hr= 0x%x, xrefs: 6BCC6D67
WinHttpReceiveResponse, xrefs: 6BCC6C3A
WINHTTP_CALLBACK_STATUS_REQUEST_ERROR error: error=%d, result= %d. Percentage downloaded=%i, xrefs: 6BCC6CD7

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$ErrorLast
String ID: Error writing to local file: hr= 0x%x$WINHTTP_CALLBACK_STATUS_REQUEST_ERROR error: error=%d, result= %d. Percentage downloaded=%i$WinHttpReceiveResponse
API String ID: 1123136255-3042121607
Opcode ID: c6f15b1759fd200f2c358f49e66db40b40b5c2552fe0dd7c5341db5816a4627a
Instruction ID: 798446971cdcb3ff79c6734754d0fb1ebf93ad5fa6b9320e29d1a96b54542de5
Opcode Fuzzy Hash: c6f15b1759fd200f2c358f49e66db40b40b5c2552fe0dd7c5341db5816a4627a
Instruction Fuzzy Hash: 7C81A170A20A09DBCB04CF64C554AAFB7F6FF48311F10885AE46997350EB38EA41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BC80E89 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC80E90

Part of subcall function 6BC78BBF: __EH_prolog3.LIBCMT ref: 6BC78BC6

__CxxThrowException@8.LIBCMT ref: 6BC81004

Strings

schema validation failure: , xrefs: 6BC80F66
must have exactly 2 child nodes, xrefs: 6BC80F7B
ParameterInfo.xml, xrefs: 6BC80F56

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: must have exactly 2 child nodes$ParameterInfo.xml$schema validation failure:
API String ID: 2489616738-936724439
Opcode ID: b520e9a51b90d227ade5ffe1c6241f409f7611556e9026eae558c2018037382a
Instruction ID: ef5c6d727f52038353cfba594e0404e3328be41d7af3c40e1cff1cc47e0c86d5
Opcode Fuzzy Hash: b520e9a51b90d227ade5ffe1c6241f409f7611556e9026eae558c2018037382a
Instruction Fuzzy Hash: BE514271521245AFDB01DBF8C845F9E7BB8AF09318F148159F514EB281EB79DB01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC78F67 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC78F6E
#6.OLEAUT32(?), ref: 6BC78FB8
#2.OLEAUT32(?,00000024,6BC84AEC,?), ref: 6BC79017
__CxxThrowException@8.LIBCMT ref: 6BC790BF

Strings

schema validation failure: child element not found - , xrefs: 6BC79040

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: schema validation failure: child element not found -
API String ID: 3670251406-3859288074
Opcode ID: bc1da470841c43c5516d373151e7f143f881c26173d801c26e14bb55e26cc89f
Instruction ID: c4166cbe42b52f75c7a805207f1efa7f2077fc26c19a42ec4a870b2cec5eb28d
Opcode Fuzzy Hash: bc1da470841c43c5516d373151e7f143f881c26173d801c26e14bb55e26cc89f
Instruction Fuzzy Hash: 0B418DB1910249EFCB00DFA8C988A9EBBB9BF09304F2445A9F555E7241E778DF04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB3F0B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB3F12

Part of subcall function 6BCB4093: __EH_prolog3.LIBCMT ref: 6BCB409A
Part of subcall function 6BCB4093: GetThreadLocale.KERNEL32(?,DHTMLHeader.html), ref: 6BCB40B5
Part of subcall function 6BCB4093: GetModuleFileNameW.KERNEL32(6BC50000,00000010,00000104), ref: 6BCB4127
Part of subcall function 6BCB4093: PathFileExistsW.KERNELBASE(?,00000014,00000000), ref: 6BCB4175

__CxxThrowException@8.LIBCMT ref: 6BCB3FB7

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

GetFileSize.KERNEL32(?,00000000,00000080,80000000,00000001,00000003,00000080,00000000,?), ref: 6BCB3FC0
CloseHandle.KERNEL32(?), ref: 6BCB3FDE

Part of subcall function 6BC78371: __EH_prolog3.LIBCMT ref: 6BC78378

Part of subcall function 6BC7A3DC: __EH_prolog3.LIBCMT ref: 6BC7A3E3

Strings

DHTML Header: %s, xrefs: 6BCB3F78

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$File$CloseDispatcherExceptionException@8ExistsHandleLocaleModuleNamePathSizeThreadThrowUser
String ID: DHTML Header: %s
API String ID: 3827389996-3243986505
Opcode ID: 8e9c427cebfa2b5f155ecd07bc924ca39a4d07e916d7c4e5d76a8a7205baee8f
Instruction ID: eabca58d62366f57c4f361a82eec28327d72ace53d64d72ce5b7f00e3ce741d2
Opcode Fuzzy Hash: 8e9c427cebfa2b5f155ecd07bc924ca39a4d07e916d7c4e5d76a8a7205baee8f
Instruction Fuzzy Hash: 73414A72920209EBCF11DFF8D886EDEBBB9AF09318F144559E150F7290E7389B458B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB1E30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB1E37
#2.OLEAUT32(CC4203FA,?,</MsiXmlBlob>,?,<MsiXmlBlob>,?,?,6BCAD2C4,?,?,?,00000004,?,?,?,?), ref: 6BCB1F2B

Part of subcall function 6BCC8E28: _wcsnlen.LIBCMT ref: 6BCC8E38

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Part of subcall function 6BCA8A35: __EH_prolog3.LIBCMT ref: 6BCA8A3C

Part of subcall function 6BCA98A8: CoInitialize.OLE32(00000000,CC4203FA,?,?), ref: 6BCA98DD
Part of subcall function 6BCA98A8: CoCreateInstance.OLE32 ref: 6BCA9902
Part of subcall function 6BCA98A8: #2.OLEAUT32(//MsiXmlBlob/MsiPatch/TargetProductCode), ref: 6BCA9975
Part of subcall function 6BCA98A8: #6.OLEAUT32(00000000), ref: 6BCA99B1

#6.OLEAUT32(?,00000000,?,00000000,?,?,6BCAD2C4,?,?,?,00000004,?,?,?,?,?), ref: 6BCB1F0F

Strings

<MsiXmlBlob>, xrefs: 6BCB1EAA
</MsiXmlBlob>, xrefs: 6BCB1EBA

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CreateInitializeInstance_wcsnlen
String ID: </MsiXmlBlob>$<MsiXmlBlob>
API String ID: 3017586024-3435035887
Opcode ID: 746ec41f5132c5caafc7b6fea4d3d1693ac5d0944f80270d5b112085e7dd9d10
Instruction ID: 333ee03d20e84f885fd887fd59c9f0bebc0902b8386f3086664892fa90a6d777
Opcode Fuzzy Hash: 746ec41f5132c5caafc7b6fea4d3d1693ac5d0944f80270d5b112085e7dd9d10
Instruction Fuzzy Hash: 5331707292016AABCF01CFB9CC49EAFBBB5EF45368F104244F514A7251E7749B01C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC80B9D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC80BA4

Part of subcall function 6BC7F75A: __EH_prolog3.LIBCMT ref: 6BC7F761

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

__CxxThrowException@8.LIBCMT ref: 6BC80CB1

Strings

schema validation failure: Exists must have exactly 1 child node, xrefs: 6BC80C24
Exists, xrefs: 6BC80BC5
ParameterInfo.xml, xrefs: 6BC80C32

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID: Exists$ParameterInfo.xml$schema validation failure: Exists must have exactly 1 child node
API String ID: 2489616738-3741814419
Opcode ID: c8ddaa8de796fc75f7a2325f6c5c87d30b437b7dd0f890b069adc62d8fe6121c
Instruction ID: 38c41852c7768fc24b62c4ebe1980d78efaae251ca65d626283ad13e97ce6733
Opcode Fuzzy Hash: c8ddaa8de796fc75f7a2325f6c5c87d30b437b7dd0f890b069adc62d8fe6121c
Instruction Fuzzy Hash: 2E3183B1920149EBCB01DBF8C996FAEBBB4AF05308F144159E115EB281EB79DB05C761

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9D864 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

#116.MSI(?,00000001), ref: 6BC9D87A
#116.MSI(?,00000002), ref: 6BC9D884
#116.MSI(?,00000003), ref: 6BC9D8C1
#116.MSI(?,00000003), ref: 6BC9D8EE

Strings

d, xrefs: 6BC9D909

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: #116
String ID: d
API String ID: 3213738560-2564639436
Opcode ID: 47630c33e075a77e7fed00d003f66ae8c9da13dad050a19736836ac636d52321
Instruction ID: 666df7750b1770a66791342da4a90b3a08b3b826a76fca75788e1ae5119f5c70
Opcode Fuzzy Hash: 47630c33e075a77e7fed00d003f66ae8c9da13dad050a19736836ac636d52321
Instruction Fuzzy Hash: 3B21A870A5570AFFFB14FF69E984A48BBB5FB44300F01816AE114AB550EB75EB50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BC95A73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6BC95ADA
GetTickCount.KERNEL32 ref: 6BC95AF9

Strings

Item(s) availability state is "Error". Exiting setup., xrefs: 6BC95AB4
Launching Download operation. Install operation will follow after download is complete., xrefs: 6BC95B18
Launching Download and Install operations simultaneously., xrefs: 6BC95B2C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CountTick
String ID: Item(s) availability state is "Error". Exiting setup.$Launching Download and Install operations simultaneously.$Launching Download operation. Install operation will follow after download is complete.
API String ID: 536389180-143185584
Opcode ID: 8d6c67c8b3aff6d3bb6dfe1dbc3f5bf221b68e1edd9816f4beb4722607b44269
Instruction ID: 3492f4a02e291067c9f5ca4e56f36fcb96ed50202800f5a89af60c38956046df
Opcode Fuzzy Hash: 8d6c67c8b3aff6d3bb6dfe1dbc3f5bf221b68e1edd9816f4beb4722607b44269
Instruction Fuzzy Hash: 06318F31314300DFD714EF68D498E1ABBB1FF49705B004489F6968B361DB35EA05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6BC81D0A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC81D11

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC819A0: __EH_prolog3.LIBCMT ref: 6BC819A7
Part of subcall function 6BC819A0: __CxxThrowException@8.LIBCMT ref: 6BC81AD1

Part of subcall function 6BC78ACC: __EH_prolog3.LIBCMT ref: 6BC78AD3
Part of subcall function 6BC78ACC: __CxxThrowException@8.LIBCMT ref: 6BC78B59

Part of subcall function 6BC792F1: __EH_prolog3.LIBCMT ref: 6BC792F8

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC81DDE

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

schema validation failure: IsPresent can only be authored once., xrefs: 6BC81D7C
ApplicableIf, xrefs: 6BC81D16, 6BC81D1B, 6BC81D55
ParameterInfo.xml, xrefs: 6BC81D8A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw$DispatcherExceptionUser
String ID: ApplicableIf$ParameterInfo.xml$schema validation failure: IsPresent can only be authored once.
API String ID: 2724732616-3920316726
Opcode ID: 2f302b4ee1c9e8a5579870b5c1dc22ea6d4ac70e144bd2aca83e6a11b53e589e
Instruction ID: 8f7f473867486d4477b7fdbaa08e6ddea88c7b80e49321910d0089e290cdd2d6
Opcode Fuzzy Hash: 2f302b4ee1c9e8a5579870b5c1dc22ea6d4ac70e144bd2aca83e6a11b53e589e
Instruction Fuzzy Hash: 42215C72820149ABCF11DBF8C946EDE7BB8AF15318F148159F254B7281EB789B088776

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC8D0E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43libraryfileloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6BC78109,?,?,?,?,00000000,?,00000001,?,6BC7AA1A,?,80000000,00000001), ref: 6BCC8D1F
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6BCC8D2F
CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000,?,?,6BC78109,?,?,?,?,00000000,?), ref: 6BCC8D6C

Strings

kernel32.dll, xrefs: 6BCC8D1A
CreateFileTransactedW, xrefs: 6BCC8D29

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: 624a314b96a239eb0125b03e76c6856c8a2331e9e44dde52681bbf16928fff1a
Instruction ID: 361d58b721ca1dee004fd8951c949908cc80d4c1ce3f8abc5e7d131fff52a98f
Opcode Fuzzy Hash: 624a314b96a239eb0125b03e76c6856c8a2331e9e44dde52681bbf16928fff1a
Instruction Fuzzy Hash: E901A83201094ABB8F124F9ACC08CAB3F76FBE6B517104A15F92550064E736C6B1EB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC758A8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC758AF

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

Unknown, xrefs: 6BC758BF
IA64, xrefs: 6BC758F0
x64, xrefs: 6BC758E9
x86, xrefs: 6BC758F9

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: IA64$Unknown$x64$x86
API String ID: 431132790-3030484263
Opcode ID: e8894242ae7750b751345592efa618152ca8feca7495affb889f98e60051cd90
Instruction ID: d5eb73ee0d37ebb87cb9fb1783fdcad2516761078a1b57d317bffdd4a3946880
Opcode Fuzzy Hash: e8894242ae7750b751345592efa618152ca8feca7495affb889f98e60051cd90
Instruction Fuzzy Hash: 1EF0E931570245ABEB1056608C41BBD7261FB11719F104456F320EA1C0F77E9735D229

Uniqueness

Uniqueness Score: -1.00%

Function 6BC763CB Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BC763D2
_memset.LIBCMT ref: 6BC7640C
#111.MSI(00000000,?), ref: 6BC76426
_memset.LIBCMT ref: 6BC764BF
#43.MSI(00000000,00000000,?,00000000), ref: 6BC764D2

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: _memset$#111H_prolog3_
String ID:
API String ID: 1462857871-0
Opcode ID: b891c58876b6955f0a55c558a73877caedd9c689b5a9a5c3914264d13eccc847
Instruction ID: b9265936e8eba54356a5f9608e6d224f9209413b25493e5789279d4a81b7d6c1
Opcode Fuzzy Hash: b891c58876b6955f0a55c558a73877caedd9c689b5a9a5c3914264d13eccc847
Instruction Fuzzy Hash: 63315C72D202189FCB11DFF8CC8A9AEB7B9FF49314F144169E109EB241E7789A05CB11

Uniqueness

Uniqueness Score: -1.00%

Function 6BC95BD8 Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,759223A0), ref: 6BC95BEF
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,759223A0), ref: 6BC95BF9
WaitForMultipleObjects.KERNEL32(00000002,?,00000001,000000FF,?,759223A0), ref: 6BC95C38
CloseHandle.KERNEL32(?,?,759223A0), ref: 6BC95C47
CloseHandle.KERNEL32(?,?,759223A0), ref: 6BC95C4C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CloseCreateEventHandle$MultipleObjectsWait
String ID:
API String ID: 3314610268-0
Opcode ID: 789680d52748f7668545ea9417a004a58ca1d4e7a3d3ebf952c56f02ae5516fe
Instruction ID: 26cae06e7e4f1bc2dd8fb78d19f30f619612bb1ec1d183aa6bc74e9bfeebc71f
Opcode Fuzzy Hash: 789680d52748f7668545ea9417a004a58ca1d4e7a3d3ebf952c56f02ae5516fe
Instruction Fuzzy Hash: 60214175E00219AFDF04DFA9C8C49EEBBB9EF4D740F108169E665A7250D7745E40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD1301 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6BCD130F

Part of subcall function 6BCCC353: __FF_MSGBANNER.LIBCMT ref: 6BCCC36C
Part of subcall function 6BCCC353: __NMSG_WRITE.LIBCMT ref: 6BCCC373
Part of subcall function 6BCCC353: RtlAllocateHeap.NTDLL(00000000,00000001,?,6BCA80D8,00000000,?,6BCCC469,6BCAF877,00000C00,00000020,6BCAF877,?), ref: 6BCCC398

_free.LIBCMT ref: 6BCD1322

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 22d3fe17e50c07a4c6844aabe80b7d6721c52ec3ee88c828136dbeed6d74a171
Instruction ID: bfaf6c236c7a8bafbf948aa49f7a562f06506f1ed403bf348fc5a769dd7d0798
Opcode Fuzzy Hash: 22d3fe17e50c07a4c6844aabe80b7d6721c52ec3ee88c828136dbeed6d74a171
Instruction Fuzzy Hash: 3311013BC25631EBCB112FBDA805A8B37A8EF45374B114526EA489B540FB3CCB40C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAEA08 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,00000064,000004FF), ref: 6BCAEA28
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6BCAEA3E
TranslateMessage.USER32(?), ref: 6BCAEA48
DispatchMessageW.USER32(?), ref: 6BCAEA52
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6BCAEA61

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 2015114452-0
Opcode ID: e0b1fbaafa5768dccd3711e2e0083e2e49cdd9e14ce960425a916b3e82942ebe
Instruction ID: ab3edf18ede7edea378ad7f0d50c5b65962b97c928f7a8cee653d527e94aec6a
Opcode Fuzzy Hash: e0b1fbaafa5768dccd3711e2e0083e2e49cdd9e14ce960425a916b3e82942ebe
Instruction Fuzzy Hash: FD011EB291222ABBDF109AA58C08DDF7B7CEF4A760F140121FA15F2084E674DB44C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 6BC77282 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BC77289

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

(Elapsed time: %D %H:%M:%S)., xrefs: 6BC772A0
%I64d, xrefs: 6BC772F8, 6BC772FD, 6BC7730B
%02ld, xrefs: 6BC772C4

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3H_prolog3_
String ID: (Elapsed time: %D %H:%M:%S).$%02ld$%I64d
API String ID: 3355343447-823490803
Opcode ID: 95399ba8df237d8b4ffa076ae24cbe1712b8f3a3f1872b20390c433b84c3c280
Instruction ID: 24f1fb8287c51fc3b21682cdb4a1a4516183da0a27dce308f811de7bd36ba5a0
Opcode Fuzzy Hash: 95399ba8df237d8b4ffa076ae24cbe1712b8f3a3f1872b20390c433b84c3c280
Instruction Fuzzy Hash: FF61A471D21118EBCB21DBB8C981FAEBBB9EF45714F50405AE900FB250F7789B019B65

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAC365 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 6BCA813B: __EH_prolog3.LIBCMT ref: 6BCA8142

Part of subcall function 6BC738EB: __EH_prolog3.LIBCMT ref: 6BC738F2

Part of subcall function 6BC9BB49: __EH_prolog3.LIBCMT ref: 6BC9BB50
Part of subcall function 6BC9BB49: _free.LIBCMT ref: 6BC9BBC0
Part of subcall function 6BC9BB49: #141.MSI(00000003,00000000,?,00000000,?,?,6BC6AB1C,?,6BC6AB1C,00000024,6BCABE09,?,?,?,?,?), ref: 6BC9BBF8
Part of subcall function 6BC9BB49: GetCommandLineW.KERNEL32(?,00000000,?,?,6BC6AB1C,?,6BC6AB1C,00000024,6BCABE09,?,?,?,?,?,?,?), ref: 6BC9BC00
Part of subcall function 6BC9BB49: #141.MSI(00000102,00000000,?,00000000,?,?), ref: 6BC9BC32
Part of subcall function 6BC9BB49: #281.MSI(Function_0004BD03,00000922,?,00000000,?,?), ref: 6BC9BC40
Part of subcall function 6BC9BB49: #137.MSI(Function_0004BCE5,00007FDF,?,?,?), ref: 6BC9BC51

GetCommandLineW.KERNEL32(?,?,000000FF,?,?,?), ref: 6BCAC487

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

Part of subcall function 6BC743D6: __EH_prolog3.LIBCMT ref: 6BC743DD

Strings

IronMan::BaseMspInstallerT<class IronMan::MsiExternalUiHandler,class IronMan::PatchesFilteredT<class IronMan::CMsiInstallContext> >::PerformAction, xrefs: 6BCAC3B9
aborted, xrefs: 6BCAC55F
PerformMsiOperation returned 0x%X, xrefs: 6BCAC515

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$#141CommandLine$#137#281_free
String ID: IronMan::BaseMspInstallerT<class IronMan::MsiExternalUiHandler,class IronMan::PatchesFilteredT<class IronMan::CMsiInstallContext> >::PerformAction$PerformMsiOperation returned 0x%X$aborted
API String ID: 4265463466-3942517129
Opcode ID: e2104078143872a6d2d64a545e82ae2d48ac5fa221c2b03f15451b1e5e154ab6
Instruction ID: 7699249ffe3c181ced331136b2d65612fcc7b0c31680aafe0b7a1b59f8f0871a
Opcode Fuzzy Hash: e2104078143872a6d2d64a545e82ae2d48ac5fa221c2b03f15451b1e5e154ab6
Instruction Fuzzy Hash: 2D7180711183419FC710DF68C884B5BBBE9BF89314F104A6DF499D7291EB38D609CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA4998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BCA49A2
_memset.LIBCMT ref: 6BCA49B6
GetCurrentProcess.KERNEL32(00000028,?), ref: 6BCA49F6

Part of subcall function 6BCC8FCA: _memcpy_s.LIBCMT ref: 6BCC9010

Strings

SeShutdownPrivilege, xrefs: 6BCA4A12

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CurrentH_prolog3_Process_memcpy_s_memset
String ID: SeShutdownPrivilege
API String ID: 3477395303-3733053543
Opcode ID: 58bb6a18e1cb2a623fb41bc1e8364d7dc357f5d82fd9d62ec4467d9714721459
Instruction ID: abe2e234dd3098774b0ee4c6f115bd5b6e82d16911228f3cd1fe86749a6328d2
Opcode Fuzzy Hash: 58bb6a18e1cb2a623fb41bc1e8364d7dc357f5d82fd9d62ec4467d9714721459
Instruction Fuzzy Hash: 54411971A111199FCB209F95CC88EAEB7B9EF89705F0040D9F549A7240EB749F81CF65

Uniqueness

Uniqueness Score: -1.00%

Function 6BC74B7C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC74B83

Part of subcall function 6BCC91E7: __CxxThrowException@8.LIBCMT ref: 6BCC91CC

Strings

cannot begin with a / character unless surrounded by double quotations ""/likethis"". , xrefs: 6BC74BA9
parameter , xrefs: 6BC74BBD
The /, xrefs: 6BC74BE2

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: cannot begin with a / character unless surrounded by double quotations ""/likethis"". $ parameter $The /
API String ID: 3670251406-2817188564
Opcode ID: e0c9efc3af93e5c12179c6d9ad1d7a8682cb17ea0245a335dfa799b11fda6062
Instruction ID: 62a34b938af950af7f9e86ea3c13c2abb462a657f391e180aa2f59bd17ee40de
Opcode Fuzzy Hash: e0c9efc3af93e5c12179c6d9ad1d7a8682cb17ea0245a335dfa799b11fda6062
Instruction Fuzzy Hash: FE412B72820049EBCB11DBFCC846F9EB7B5AF1932CF148244E164B7281EB789B559726

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB6381 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6BCB6485

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

__EH_prolog3.LIBCMT ref: 6BCB6388

Part of subcall function 6BCCC44A: _malloc.LIBCMT ref: 6BCCC464

Part of subcall function 6BC9D939: __EH_prolog3.LIBCMT ref: 6BC9D940

Strings

In IronManExeInstaller::IronManExeInstaller, xrefs: 6BCB6429
In CartmanExeInstaller::CartmanExeInstaller, xrefs: 6BCB63E1

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser_malloc
String ID: In CartmanExeInstaller::CartmanExeInstaller$In IronManExeInstaller::IronManExeInstaller
API String ID: 3653670741-4107417756
Opcode ID: 628008f57499f0f8e1c74795ce35687552af68901518d55ac820a89bc17e60c2
Instruction ID: cf738738df23315c3325a1f9fedc9a743566fdbf38904d9452c52e56f14ad4d8
Opcode Fuzzy Hash: 628008f57499f0f8e1c74795ce35687552af68901518d55ac820a89bc17e60c2
Instruction Fuzzy Hash: FA41E371920A05EBEB15CFB8D881B5FBBA0AF15744F10C069F914AB241E7BDC750CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC97B48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?), ref: 6BC97B92
ReadFile.KERNEL32(6BC97DEC,00000000,00100000,?,00000000,?), ref: 6BC97BF5
CloseHandle.KERNEL32(6BC97DEC,?), ref: 6BC97C46

Strings

, xrefs: 6BC97C18

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-3916222277
Opcode ID: 792382c39b1130c613796000212e202ee3bb85bad33a789dcf805d4877188756
Instruction ID: c0b39c82fa334e039d2ba87e03a881505a3555ea45843c36f22ca454e585139e
Opcode Fuzzy Hash: 792382c39b1130c613796000212e202ee3bb85bad33a789dcf805d4877188756
Instruction Fuzzy Hash: 0B31BB31A11208EFDF00AFA4D848FAE7B75FF49311F10409AF561AB290EB759B44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BC79A39 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC79A40

Part of subcall function 6BCCBE01: __fassign.LIBCMT ref: 6BCCBE0D

__itow_s.LIBCMT ref: 6BC79A85

Part of subcall function 6BCCBF2B: _xtow_s@20.LIBCMT ref: 6BCCBF4E

Part of subcall function 6BCC8E28: _wcsnlen.LIBCMT ref: 6BCC8E38

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7845D: __EH_prolog3.LIBCMT ref: 6BC78464

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC79B4F

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

schema validation failure: non-numeric value, %s, for %s, xrefs: 6BC79ACF

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser__fassign__itow_s_wcsnlen_xtow_s@20
String ID: schema validation failure: non-numeric value, %s, for %s
API String ID: 2893151999-2423109837
Opcode ID: 6e6d917e7db6bc89c089409a4f69c40bcc77f58562bd81e86d28e50864a6bbe0
Instruction ID: 1b3acc0a01290467d3b36ac6397bee08d2674abdfae21dfb06fced63f4107ba2
Opcode Fuzzy Hash: 6e6d917e7db6bc89c089409a4f69c40bcc77f58562bd81e86d28e50864a6bbe0
Instruction Fuzzy Hash: FB419072910109EBDB01DFB8CC46EEE7BB9AF15318F144154F524AB291EB78DB04CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC8BC7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCC8BCE
FormatMessageW.KERNEL32(00001300,00000000,6BC6A78C,?,?,00000000,00000000,00000008,6BC78358,-00000960,?,?,?,6BCB6DCC,6BC6A78C), ref: 6BCC8C07
LocalFree.KERNEL32(?,-00000960,?,?,6BCB6DCC,6BC6A78C,?,?,?,UiInfo.xml,?,00000000,00000044,6BCB380B,-00000960,?), ref: 6BCC8C30

Part of subcall function 6BCC91E7: __CxxThrowException@8.LIBCMT ref: 6BCC91CC

Strings

HRESULT 0x%8.8x, xrefs: 6BCC8C14

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow
String ID: HRESULT 0x%8.8x
API String ID: 567734482-2887418326
Opcode ID: 83e13c501a527ba10ceee8b92f166fdaf6500683050e3fc403edeca0e9d083de
Instruction ID: 1865db77249002b57e5e354c33eb26aa09f77ed427e9a9da6fe70d699d470699
Opcode Fuzzy Hash: 83e13c501a527ba10ceee8b92f166fdaf6500683050e3fc403edeca0e9d083de
Instruction Fuzzy Hash: B921AE75622119EFCB019F68CC81DAFB776FF68318F40806AF91066240E73D8B019B57

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAE92B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCAE932

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA1593: __EH_prolog3.LIBCMT ref: 6BCA159A

Part of subcall function 6BC739BE: __EH_prolog3.LIBCMT ref: 6BC739C5

Strings

Copying Items, xrefs: 6BCAE964
complete, xrefs: 6BCAE939
Action, xrefs: 6BCAE94E, 6BCAE953, 6BCAE971

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: complete$Action$Copying Items
API String ID: 431132790-1386866621
Opcode ID: 8776b851685eb5515011becc59627e17b5c4a5b35436f96987ae672b9cd32a86
Instruction ID: 7586f0ceddea492e976f208c67327161bca34c8f9fd5e0f1d2e0accfe04dd467
Opcode Fuzzy Hash: 8776b851685eb5515011becc59627e17b5c4a5b35436f96987ae672b9cd32a86
Instruction Fuzzy Hash: D0217CB1920259EFCB10CBE8C885FAEBBB8AF59308F144019E105B7241E778AF058B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC76D0C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC76D13

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC75A6A: __EH_prolog3.LIBCMT ref: 6BC75A71
Part of subcall function 6BC75A6A: #8.MSI(?,?,?,?,` WHERE ,?,00000000,?,` FROM `,?,SELECT `,00000014,6BC76D93,?,?,?), ref: 6BC75B3A

Strings

Value, xrefs: 6BC76D67
`Property` = 'DisplayName', xrefs: 6BC76D44
MsiPatchMetadata, xrefs: 6BC76D55

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: MsiPatchMetadata$Value$`Property` = 'DisplayName'
API String ID: 431132790-332461799
Opcode ID: 5601aaa6175b30b4f3e45c092693ca88d31582ce7c2a9d0d530d38a1f3d3d8d6
Instruction ID: 00344b7341f66e404707d6ca73ea983b15e53d822ff3c945ffd2846cb291a974
Opcode Fuzzy Hash: 5601aaa6175b30b4f3e45c092693ca88d31582ce7c2a9d0d530d38a1f3d3d8d6
Instruction Fuzzy Hash: 9921627291014AEFCF01DFF8C881ADEB7B8AF14318F148166E524B7241E7789B159761

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB6A25 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB6A2C

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BCB6ACE

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

Invalid PatchType: %s, xrefs: 6BCB6A6F
ParameterInfo.xml, xrefs: 6BCB6A89

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
String ID: Invalid PatchType: %s$ParameterInfo.xml
API String ID: 3417717588-3582119368
Opcode ID: ca9d31da2e9df3cbc7582dd10bf257b0c89f4e82aa52813fef6b8ef34dc87d5d
Instruction ID: 9a39810c19bdfa67dc379d189d1f939c5bbc1b90682274a4f8e17991efd1cb64
Opcode Fuzzy Hash: ca9d31da2e9df3cbc7582dd10bf257b0c89f4e82aa52813fef6b8ef34dc87d5d
Instruction Fuzzy Hash: B4215C72920149EBDF01DBF8C946FDEBBB9AF15308F104159E204A7281EB78AB04C772

Uniqueness

Uniqueness Score: -1.00%

Function 6BC91A72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC91A79
__CxxThrowException@8.LIBCMT ref: 6BC91B08

Strings

schema validation failure: Install action is not supported in the ActionTable for RelatedProducts., xrefs: 6BC91AA6
ParameterInfo.xml, xrefs: 6BC91AB8

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: ParameterInfo.xml$schema validation failure: Install action is not supported in the ActionTable for RelatedProducts.
API String ID: 3670251406-470515384
Opcode ID: 3e81be84756c162cab41026ca227d2b01b654117f656aa3ada7877f47450fd1d
Instruction ID: 1c25d7253eef15d6b09ca5661f96fe478699276f689fbfb8136ecb9fca92c8a3
Opcode Fuzzy Hash: 3e81be84756c162cab41026ca227d2b01b654117f656aa3ada7877f47450fd1d
Instruction Fuzzy Hash: 21117072920148EFEB19EBB8C846FED37B9AF04319F404199E214A7191FB7C9784CB25

Uniqueness

Uniqueness Score: -1.00%

Function 6BC90E60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC90E67
__CxxThrowException@8.LIBCMT ref: 6BC90EEA

Strings

schema validation failure: Only 'install' and 'noop' are valid actions for CleanupBlock., xrefs: 6BC90E88
ParameterInfo.xml, xrefs: 6BC90E9A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: ParameterInfo.xml$schema validation failure: Only 'install' and 'noop' are valid actions for CleanupBlock.
API String ID: 3670251406-3947869871
Opcode ID: 8a5d19af9e74f4861a138b317e30ce682491021b319d850a2f1555f99fdb15f3
Instruction ID: a92c9110f4c835f91054eeef592b0490105d2469cd9ce652ae6ad379650737bc
Opcode Fuzzy Hash: 8a5d19af9e74f4861a138b317e30ce682491021b319d850a2f1555f99fdb15f3
Instruction Fuzzy Hash: AD116D76520148ABDB00EFB8C882EDE77A8AF15318F508155F654EB180FB78DB55C771

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB8CC7 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB8CCE

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC75A6A: __EH_prolog3.LIBCMT ref: 6BC75A71
Part of subcall function 6BC75A6A: #8.MSI(?,?,?,?,` WHERE ,?,00000000,?,` FROM `,?,SELECT `,00000014,6BC76D93,?,?,?), ref: 6BC75B3A

Strings

Value, xrefs: 6BCB8D11
MsiPatchMetadata, xrefs: 6BCB8D00
`Company` = 'Microsoft Corporation' AND `Property` = 'Baseline', xrefs: 6BCB8CEE

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: MsiPatchMetadata$Value$`Company` = 'Microsoft Corporation' AND `Property` = 'Baseline'
API String ID: 431132790-557274228
Opcode ID: 9aca739322685a2c306f1860163b43a7f3017d9fdf89baccbec405dd16593177
Instruction ID: 3dbdff80b356756044387508416790d51bccdb57d7be793754e59f10579ee304
Opcode Fuzzy Hash: 9aca739322685a2c306f1860163b43a7f3017d9fdf89baccbec405dd16593177
Instruction Fuzzy Hash: 8111707282000EEBCB01DBF4C946FEFB7B8AF14328F108155E150B7181EB385B058BA6

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB2961 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6BCC87A6: RegCloseKey.ADVAPI32(?,?,?,6BC84651,00000034,00000034,00000000), ref: 6BCC87E6

RegCloseKey.ADVAPI32(00000000,80000001,Software\Microsoft\VisualStudio\Setup,?,00000000), ref: 6BCB29C9

Part of subcall function 6BCC86FE: RegQueryValueExW.ADVAPI32(00000000,00000034,00000000,00000034,00000034,00000000,?,?,6BC8469B,?,?,6BC8430E,00000034,00000034,00000034,00000034), ref: 6BCC8720

RegCloseKey.ADVAPI32(00000000,00000000,IsInCorpnetHook,000000FF,80000001,Software\Microsoft\VisualStudio\Setup,?,00000000), ref: 6BCB29B7

Strings

IsInCorpnetHook, xrefs: 6BCB2999
Software\Microsoft\VisualStudio\Setup, xrefs: 6BCB296D

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Close$QueryValue
String ID: IsInCorpnetHook$Software\Microsoft\VisualStudio\Setup
API String ID: 2393043351-2117743171
Opcode ID: 4e528ea86a25a0f0a838c3a3e8a67a4bc42f5968ef131eae707194649e2f2a03
Instruction ID: c62b375c7a1869766895eece06ba16984acf17c8b70c290f5aa02b444067d00c
Opcode Fuzzy Hash: 4e528ea86a25a0f0a838c3a3e8a67a4bc42f5968ef131eae707194649e2f2a03
Instruction Fuzzy Hash: 74016D31D25239EBCF109BA58D099AFBF78FB81B51F400596E834B6140F3788B01DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6BC94DC2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC94DC9

Part of subcall function 6BC94E7F: FreeLibrary.KERNEL32(00000000,?,6BC94E08,00000000,0000000C,6BC96BDA,00000000,?), ref: 6BC94E8C
Part of subcall function 6BC94E7F: LoadLibraryW.KERNELBASE(?,?,?,6BC94E08,00000000,0000000C,6BC96BDA,00000000,?), ref: 6BC94EA4

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

GetLastError.KERNEL32(00000000,LoadLibrary,00000000,0000000C,6BC96BDA,00000000,?), ref: 6BC94E20

Part of subcall function 6BC78834: __EH_prolog3.LIBCMT ref: 6BC7883B

__CxxThrowException@8.LIBCMT ref: 6BC94E3D

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

LoadLibrary, xrefs: 6BC94E0E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$Library$DispatcherErrorExceptionException@8FreeLastLoadThrowUser
String ID: LoadLibrary
API String ID: 1332344226-2077302977
Opcode ID: 861af557cdb3448c56068348b739c88b0f89ed79ea59226d1e9f78ae89499a10
Instruction ID: 35d7be34367681a38cf927e4f204d3e5aa4e548f01a1ef2cbf8b99e51640bb2d
Opcode Fuzzy Hash: 861af557cdb3448c56068348b739c88b0f89ed79ea59226d1e9f78ae89499a10
Instruction Fuzzy Hash: 54014C36920248EBDB01DFA0C886FDEB7A9AB04358F00C465AA149B141EB7CCB05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC5CCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCC5CD2
GetLastError.KERNEL32(?,?,?,6BCC45A9,00000000,?), ref: 6BCC5D02

Part of subcall function 6BC774C1: __EH_prolog3.LIBCMT ref: 6BC774C8

Strings

WinHttpOpenRequest, xrefs: 6BCC5D08
GET, xrefs: 6BCC5CE9

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$ErrorLast
String ID: GET$WinHttpOpenRequest
API String ID: 1123136255-4115601440
Opcode ID: 24b2cb29ddb9013f0f095bf936d03619071dcab2d44f39783ba18df18bc30525
Instruction ID: 90b3d51ea2936ca3ba355585ee3b00229e724f5a6add961ff453c7f408fe2de7
Opcode Fuzzy Hash: 24b2cb29ddb9013f0f095bf936d03619071dcab2d44f39783ba18df18bc30525
Instruction Fuzzy Hash: D5F0E236120600ABCB11AF75CC4AD4BBEB6EFC9324F10490AF645C7250F7388641DB22

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC0C9E Relevance: 6.2, APIs: 4, Instructions: 239COMMON

Download Yara Rule

APIs

#2.OLEAUT32(00000010), ref: 6BCC0DD5
#6.OLEAUT32(?), ref: 6BCC0DFD
#2.OLEAUT32(?,?,?,00000000), ref: 6BCC0E82
#6.OLEAUT32(?), ref: 6BCC0EAF

Part of subcall function 6BCB69E7: _free.LIBCMT ref: 6BCB6A0F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cb8222193ea609d1b7584d7eee53c7848607d297c34a452c33357152d64b7543
Instruction ID: f0394a8d95ea58ed62bbdf0c1e0da65b11ffd6fc3c27ce7e037f47ce2cc36011
Opcode Fuzzy Hash: cb8222193ea609d1b7584d7eee53c7848607d297c34a452c33357152d64b7543
Instruction Fuzzy Hash: 3E9167B15297418FCB01DF28C484A4FBBE4FF99714F04499DE8949B251E738EA46CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA1ECB Relevance: 6.1, APIs: 4, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

_calloc.LIBCMT ref: 6BCA1F27
_calloc.LIBCMT ref: 6BCA1F36
_free.LIBCMT ref: 6BCA1FE7
_free.LIBCMT ref: 6BCA1FF6

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: _calloc_free
String ID:
API String ID: 3666697239-0
Opcode ID: c3b584fbad088602850cfc5f1227ef6b8636993f535901b4e6826727baf16dbe
Instruction ID: 28d65d55e59c60369f277ac0f28e870b1c6f615a21a69cd51756939ec19564fb
Opcode Fuzzy Hash: c3b584fbad088602850cfc5f1227ef6b8636993f535901b4e6826727baf16dbe
Instruction Fuzzy Hash: 0B416B71D2516AAFDB08CFADD890ADDBBF1BF4A310F1484AAE415EB240E7349E40CB11

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD3E4F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6BCD3E83
__isleadbyte_l.LIBCMT ref: 6BCD3EB6
MultiByteToWideChar.KERNEL32(00000080,00000009,6BCCB725,?,00000000,00000000,?,?,?,?,6BCCB725,00000000), ref: 6BCD3EE7
MultiByteToWideChar.KERNEL32(00000080,00000009,6BCCB725,00000001,00000000,00000000,?,?,?,?,6BCCB725,00000000), ref: 6BCD3F55

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d6a7ff02d349df46d85cae7484849b10a1f9107109b5d0243a496730b7612801
Instruction ID: 2faa65391b3cb9102ebdd3d575058658bc5c87811f586fe68822dbe62a9102c7
Opcode Fuzzy Hash: d6a7ff02d349df46d85cae7484849b10a1f9107109b5d0243a496730b7612801
Instruction Fuzzy Hash: A631D275A22259EFDB20DFA8C8849AA7BB5BF81310F0085EDF2608B4D0F334DA40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA2CCE Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6BCA2D18
InitializeAcl.ADVAPI32(00000000,00000008,6BCA3038,?,6BCA71EF,6BCA345A), ref: 6BCA2D34
_free.LIBCMT ref: 6BCA2D48
AddAce.ADVAPI32(6BCC1082,6BCA3038,000000FF,00000000,?,6BCA71EF,6BCA345A), ref: 6BCA2D89

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Initialize_free_malloc
String ID:
API String ID: 425657638-0
Opcode ID: a45be597cee6ee8a0d8107f151126153a26a29fd94e28005fbe538bfd40a02ec
Instruction ID: 9866d854d32676b0bc0949d15a18515409232c5f9e3d42ebcff7e7f92b0942e2
Opcode Fuzzy Hash: a45be597cee6ee8a0d8107f151126153a26a29fd94e28005fbe538bfd40a02ec
Instruction Fuzzy Hash: 3321D335A10612EFDB119F76C8A8E1BB7F9FF84754720845CE466CB252EB38EA41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA2971 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BCA2978
GetSidLengthRequired.ADVAPI32(0C75FF50,00000050,6BCA2C91,6BC60B3C,00000002,00000020,00000222,00000000,?,?,6BCA463F), ref: 6BCA29DC
InitializeSid.ADVAPI32(0000000F,00000009,0C75FF50,?,?,6BCA463F), ref: 6BCA29EF
GetSidSubAuthority.ADVAPI32(0000000F,00000000,?,?,6BCA463F), ref: 6BCA2A16

Part of subcall function 6BCC8822: GetLastError.KERNEL32(6BCA29FE,?,?,6BCA463F), ref: 6BCC8822

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: AuthorityErrorH_prolog3_InitializeLastLengthRequired
String ID:
API String ID: 1730150861-0
Opcode ID: 4f4514bcb9c11534b9eef4e1afa41d7c7ae8987c44c56f3b759ffa677bfad255
Instruction ID: c34311b8a1aa7c58469aac654dfcca773ebccbbfa0563f4bf042373cd5c4c73f
Opcode Fuzzy Hash: 4f4514bcb9c11534b9eef4e1afa41d7c7ae8987c44c56f3b759ffa677bfad255
Instruction Fuzzy Hash: 44218C71A2029AEFDB01CFE5C4997DDBBB9BF54308F004058D505AB241E77DAB08DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC4823 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6BCC4878
CloseHandle.KERNEL32(?), ref: 6BCC4891
SetEvent.KERNEL32(?), ref: 6BCC48AC
LeaveCriticalSection.KERNEL32(?), ref: 6BCC48B5

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CriticalSection$CloseEnterEventHandleLeave
String ID:
API String ID: 1836394787-0
Opcode ID: 3da0bccf88dd825dfa6081a9f2771885c0334e54cbf3320226b2d3b453152287
Instruction ID: 468dacac26c3e0d73729025d0784946d37f21543498de049063b8d2490dc76d3
Opcode Fuzzy Hash: 3da0bccf88dd825dfa6081a9f2771885c0334e54cbf3320226b2d3b453152287
Instruction Fuzzy Hash: CE112E76600645AFDB218FA8C8CC89BBBF9FF48355710486EE5AAC3200D734ED44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC430D Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCC4314
CoInitialize.OLE32(00000000,00000000,00000000,00000000,6BCC215D,?,?,?,?), ref: 6BCC4336
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6BCC4352
InitializeCriticalSection.KERNEL32(?), ref: 6BCC43BC

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Initialize$CreateCriticalEventH_prolog3Section
String ID:
API String ID: 1191084466-0
Opcode ID: 5de1a0478dae85794f98e1e70cbab154a38c92d773cf63a3fc77bce9415c581b
Instruction ID: 203de329e8a9fbc409e3b45cadf54fbe618fdc349f4a228bcbf3ac96f386cc29
Opcode Fuzzy Hash: 5de1a0478dae85794f98e1e70cbab154a38c92d773cf63a3fc77bce9415c581b
Instruction Fuzzy Hash: 18211771810240DBDB11CF5AC888987FBF9FFE1304B14846BA9598B226D7789240CF22

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD8D9E Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6BCD8DC4

Part of subcall function 6BCD8BE6: __fltout2.LIBCMT ref: 6BCD8C11

__cftog_l.LIBCMT ref: 6BCD8DEA
__cftoe_l.LIBCMT ref: 6BCD8E1C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7885726e51710dfb409d83f47fda806ed7f39660f26e99df1c6e86efa9305941
Instruction ID: 57fd557523a5d1fd8eb8a668f2d2ec23cca9be5c420f7f7f64546253dfdf6022
Opcode Fuzzy Hash: 7885726e51710dfb409d83f47fda806ed7f39660f26e99df1c6e86efa9305941
Instruction Fuzzy Hash: A811693A01018EBBCF025F94CC41CEE3F66BB19354B489855FA2859020E33AC6B1EB81

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA9F6A Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6BCA9F85

Part of subcall function 6BCA813B: __EH_prolog3.LIBCMT ref: 6BCA8142

GetTickCount.KERNEL32 ref: 6BCA9FC0
__time64.LIBCMT ref: 6BCA9FC6

Part of subcall function 6BCCBB0C: GetSystemTimeAsFileTime.KERNEL32(-00000960,?,?,?,6BCA9FCB,00000000,?,6BCA76C0,?), ref: 6BCCBB17
Part of subcall function 6BCCBB0C: __aulldiv.LIBCMT ref: 6BCCBB37

InitializeCriticalSection.KERNEL32(00000040,?,6BCA76C0,?), ref: 6BCA9FD6

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CountTickTime$CriticalFileH_prolog3InitializeSectionSystem__aulldiv__time64
String ID:
API String ID: 1278626987-0
Opcode ID: 9e850e4ec7041ae9f43f7900c29e94632dedfa81fa9c2051121a95db60b20d2d
Instruction ID: a6c9a28e25ab6d7b35010fce800775ab29d4fc3deb242798c902052838057402
Opcode Fuzzy Hash: 9e850e4ec7041ae9f43f7900c29e94632dedfa81fa9c2051121a95db60b20d2d
Instruction Fuzzy Hash: 1101ABB1800B049FC3208F6AD584843FBF8FB882143908A2ED19A83A10E775F6498F64

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD5B2F Relevance: 6.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BD08458,6BD08444,6BCAF877,?,6BCA8906,00000000,00000010,6BCAF877,00000001,?,?,6BCAFEE7,6BCA80D8,FFFF0000,?,6BCA811F), ref: 6BCD5B3C
LeaveCriticalSection.KERNEL32(6BD08458,?,6BCA8906,00000000,00000010,6BCAF877,00000001,?,?,6BCAFEE7,6BCA80D8,FFFF0000,?,6BCA811F,6BCAF877,00000020), ref: 6BCD5B58
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,6BCA8906,00000000,00000010,6BCAF877,00000001,?,?,6BCAFEE7,6BCA80D8,FFFF0000), ref: 6BCD5B77
LeaveCriticalSection.KERNEL32(6BD08458,?,6BCA8906,00000000,00000010,6BCAF877,00000001,?,?,6BCAFEE7,6BCA80D8,FFFF0000,?,6BCA811F,6BCAF877,00000020), ref: 6BCD5B7E

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExceptionRaise
String ID:
API String ID: 799838862-0
Opcode ID: d16817a61d5e42897355f23af2591754b6d62d25a32151b170ec632582ba7ff8
Instruction ID: 17848bd1c0a18cc64e1bf62c0f07aef674dcc9b5c019443f1bc559d6b36a405b
Opcode Fuzzy Hash: d16817a61d5e42897355f23af2591754b6d62d25a32151b170ec632582ba7ff8
Instruction Fuzzy Hash: DEF0623A210214AFE6205E99CC48A5AB774FB8AB52F004519FB41E7540E764F901CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6BC769A9 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 262COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC769B0
#205.MSI(?,00000000,?,00000010,?,?,SkipProduct,?,?,VersionMaxInclusive,?,00000000,?,?,?,VersionMaxInclusive), ref: 6BC76A0B

Strings

skipped after applying Relation criteria, xrefs: 6BC76C71

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: #205H_prolog3
String ID: skipped after applying Relation criteria
API String ID: 2698596250-1982174377
Opcode ID: c8bf76a290fcfb4ca2fcf9bbcc00de912eb8fed2327dc110479ce324afd573d9
Instruction ID: 346884c2c200224e59352e720278f94a6e46d4362c1c2dc8c54169b474fc3613
Opcode Fuzzy Hash: c8bf76a290fcfb4ca2fcf9bbcc00de912eb8fed2327dc110479ce324afd573d9
Instruction Fuzzy Hash: 7FB19171920149CFCF01DFB8C845BEEBBB9AF1A318F1441A5E460B7281E778AB45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC88E88 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC88E8F

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCC91E7: _memcpy_s.LIBCMT ref: 6BCC9238

Strings

EstimatedInstallTime, xrefs: 6BC88E98
LogFileHint, xrefs: 6BC890B6

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$_memcpy_s
String ID: EstimatedInstallTime$LogFileHint
API String ID: 1663610674-3554194153
Opcode ID: 9277d6d882677a584384790662512599a1e0f79c2cea78130db3b62af2fd18d7
Instruction ID: a31507cf8dc87e04885566e44093a14a264817a4c0e1ead1ef4b78d24f3a17d0
Opcode Fuzzy Hash: 9277d6d882677a584384790662512599a1e0f79c2cea78130db3b62af2fd18d7
Instruction Fuzzy Hash: F99148B0510249DFDF10CFA8C985B997BB4BF09348F1485AAEC58AF352E739DA01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC78D64 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC78D6B
__CxxThrowException@8.LIBCMT ref: 6BC78F1D

Strings

schema validation failure: child element not found - , xrefs: 6BC78E9D

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: schema validation failure: child element not found -
API String ID: 3670251406-3859288074
Opcode ID: 62bc6431dae03aa4d2f0b5d3d3f07825030c7268266c66111db1eaf062b2629f
Instruction ID: dd2fcff49fc42edf9100fe63c7085882d563d3835f3d89f65baa0cd296a00264
Opcode Fuzzy Hash: 62bc6431dae03aa4d2f0b5d3d3f07825030c7268266c66111db1eaf062b2629f
Instruction Fuzzy Hash: 90718F71911259DFCB01DFA4C884EAE7BB9BF49708F244595F561AB240E778AB00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC78BBF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC78BC6
__CxxThrowException@8.LIBCMT ref: 6BC78D1B

Strings

schema validation failure: child element #%i not found, xrefs: 6BC78C9C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: schema validation failure: child element #%i not found
API String ID: 3670251406-2691057778
Opcode ID: 16ce1db0eb1bde7df875c3680281299f41aa45d842d57fdf0c13a9ac223d69fd
Instruction ID: 114d9ca4eb5b7aa24bd6f9c4082ace8d80cd0efeba487c9e3c54b1bca911a933
Opcode Fuzzy Hash: 16ce1db0eb1bde7df875c3680281299f41aa45d842d57fdf0c13a9ac223d69fd
Instruction Fuzzy Hash: 96517F7591124ADFCF00DFA4C884DAE7BB5BF45304F1089A9F965AB290E738DB04CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6BC74A2C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC74A33

Part of subcall function 6BC73A76: __EH_prolog3.LIBCMT ref: 6BC73A7D

Part of subcall function 6BC73CEF: __EH_prolog3.LIBCMT ref: 6BC73CF6

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA89DF: __EH_prolog3.LIBCMT ref: 6BCA89E6

Part of subcall function 6BCA8A35: __EH_prolog3.LIBCMT ref: 6BCA8A3C

Part of subcall function 6BCAFF5C: _wcsnlen.LIBCMT ref: 6BCAFF8F
Part of subcall function 6BCAFF5C: _memcpy_s.LIBCMT ref: 6BCAFFC5

Strings

switch requires a , xrefs: 6BC74A7F
The /, xrefs: 6BC74A93

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$_memcpy_s_wcsnlen
String ID: switch requires a $The /
API String ID: 2603297733-1851487679
Opcode ID: de1847c1db71ac0758c41e300b93d90203701711b22a449067b70b1b6de69e92
Instruction ID: 8eb0b13068073f1fc08ba2eed3bd234fbd408f307a7465f2402f88d557c876a5
Opcode Fuzzy Hash: de1847c1db71ac0758c41e300b93d90203701711b22a449067b70b1b6de69e92
Instruction Fuzzy Hash: BC416E72910049AFCB11DBF8C841EEE77B9AF1A32CF148259F164E7281E7789F158726

Uniqueness

Uniqueness Score: -1.00%

Function 6BC9A85E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC9A865

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA8D59: PathStripPathW.SHLWAPI(00000000,?,?,6BCBF83A), ref: 6BCA8D69

Part of subcall function 6BCA8D2E: PathRemoveFileSpecW.SHLWAPI(00000000,2006C750,00000010,80004005,6BC75E00,6BCAF877,00000010,?,6BCA80D8,00000000), ref: 6BCA8D3F

PathRelativePathToW.SHLWAPI(00000010,?,00000010,?,00000080,?,00000014,6BC99E93,?,?), ref: 6BC9A906

Strings

Exe Log File: <a href="%s">%s</a>, xrefs: 6BC9A962

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Path$H_prolog3$FileRelativeRemoveSpecStrip
String ID: Exe Log File: <a href="%s">%s</a>
API String ID: 2749740144-4230338525
Opcode ID: 19f6f297e755684a61db920a706340502a4d0321c12d329a6735a026b8ddaa5b
Instruction ID: 796304936de4e6b991ddfcae2b5d811bfd9f742bbc860136d8254709b23810ec
Opcode Fuzzy Hash: 19f6f297e755684a61db920a706340502a4d0321c12d329a6735a026b8ddaa5b
Instruction Fuzzy Hash: FE416B7191021ADFDF01DFA4C845BEEBBB1FF58318F014659E920AB291E7789B06CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA8F8F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCA8F96

Part of subcall function 6BCB02DE: __EH_prolog3.LIBCMT ref: 6BCB02E5
Part of subcall function 6BCB02DE: GetCommandLineW.KERNEL32(0000001C,6BCA90A9,-00000960,6BC6A78C,?,6BC7BFE7,00000018,6BC7BC5C,-0000093C,?,?,?,?,?,?,UserExperienceDataCollection), ref: 6BCB02EA

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

UserExperienceDataCollection, xrefs: 6BCA902C
Policy, xrefs: 6BCA8FB6

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID: Policy$UserExperienceDataCollection
API String ID: 1384747822-3168315836
Opcode ID: a21172aa72247c8e3326a4100be0f56e80eb84514447d071386353b7ff6502c8
Instruction ID: 4073b9f2e88c04848673adf04aea304d4c6c6c9b3f43e527aac623e5b601fd7f
Opcode Fuzzy Hash: a21172aa72247c8e3326a4100be0f56e80eb84514447d071386353b7ff6502c8
Instruction Fuzzy Hash: CD316170620205DFCF04DFA8C945A6E7BB4AF49314F048558F815EB382DB79DB04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7BA6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC7BA73

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

FilesInUseSetting, xrefs: 6BC7BAF6
Prompt, xrefs: 6BC7BA7F, 6BC7BA84, 6BC7BAC7

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: FilesInUseSetting$Prompt
API String ID: 431132790-2040230194
Opcode ID: 56f76c7d935bbb9c09627077cb1d83c2a522f1a29fa35d5373b4adb3253869f9
Instruction ID: 873b50a4afecafdd5ed08b419f0613ea576133e093acc00c4b430144cff47bb4
Opcode Fuzzy Hash: 56f76c7d935bbb9c09627077cb1d83c2a522f1a29fa35d5373b4adb3253869f9
Instruction Fuzzy Hash: 4831617161024AEFDB10DFA8C845BAEBBB8AF05318F148158F425EB381D7759F00C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB23A3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB23AA

Strings

Creating new Performer for RelatedProducts item, xrefs: 6BCB23B6
GetAction returned an invalid action type; creating DoNothingPerformer, xrefs: 6BCB23E7

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Creating new Performer for RelatedProducts item$GetAction returned an invalid action type; creating DoNothingPerformer
API String ID: 431132790-899595094
Opcode ID: f0c6f7d954020736151c520aca507ccb34df22732a68146eec8805d9026e141c
Instruction ID: 433ee6c61de54e4808ef9268df1178e9f678704bb43289396ef258471000c862
Opcode Fuzzy Hash: f0c6f7d954020736151c520aca507ccb34df22732a68146eec8805d9026e141c
Instruction Fuzzy Hash: EA31AE31670616AFDB04CFA8C491E2DBBA0FF09340B00C158EA588FA50FB79E680CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA7370 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77timeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BCA7377
GetLocalTime.KERNEL32(00000002,00000028,6BCBBB8A,00000000,00000000,?,%TEMP%\), ref: 6BCA73BD

Part of subcall function 6BCA8C46: PathCombineW.SHLWAPI(?,6BCA80D8,?,75923340,?,6BC779B9,00000000,DW\DW20.exe,?,?,6BCA80D8,00000000), ref: 6BCA8C73

Strings

%1!s!_%2!04d!%3!02d!%4!02d!_%5!02d!%6!02d!%7!02d!%8!03d!, xrefs: 6BCA73EB

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: CombineH_prolog3_LocalPathTime
String ID: %1!s!_%2!04d!%3!02d!%4!02d!_%5!02d!%6!02d!%7!02d!%8!03d!
API String ID: 2977577383-1000284812
Opcode ID: 153d8f17467c7176b8e2e9761ce43e9c6b75c24eff48709aa273d03e7d1ccb39
Instruction ID: 74775495819a22258c4a83d1d5af10b7180722d9343020d05be21cd4107c0a9b
Opcode Fuzzy Hash: 153d8f17467c7176b8e2e9761ce43e9c6b75c24eff48709aa273d03e7d1ccb39
Instruction Fuzzy Hash: F031FFB1910218AFCB40CFE9C885AEEB7F9BF0C319F10406AE944F7251E7789A44DB65

Uniqueness

Uniqueness Score: -1.00%

Function 6BC789D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC789DE

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA8A90: __EH_prolog3.LIBCMT ref: 6BCA8A97

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7845D: __EH_prolog3.LIBCMT ref: 6BC78464

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC78AA9

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

schema validation error: element name is wrong: , xrefs: 6BC78A2C

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
String ID: schema validation error: element name is wrong:
API String ID: 3417717588-568579515
Opcode ID: c1548f0b45948beb79599e25f13749333269d20a5ca2b44bcee45f67c1f716a1
Instruction ID: 3493881ce6acea2055349664bcffa4e6b617bd8bc45f887f13ebd910f33f8fa3
Opcode Fuzzy Hash: c1548f0b45948beb79599e25f13749333269d20a5ca2b44bcee45f67c1f716a1
Instruction Fuzzy Hash: 28317172920149EBDB01DBF4C946FEEB7B8AF15318F144255E220A7281EB78AB04C771

Uniqueness

Uniqueness Score: -1.00%

Function 6BC93371 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC93378

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

Location, xrefs: 6BC93389
RegKeyHint, xrefs: 6BC933D8, 6BC933DD, 6BC93419

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Location$RegKeyHint
API String ID: 431132790-2405023635
Opcode ID: 2834d7eef34305503324ad7fbf24124b56e349b07662e868cdd5da65a653c10a
Instruction ID: b7a457c35d2d4e7704010192f95232b3dfb35e2e0f70cfbec0c8a4a4ed3cd9e1
Opcode Fuzzy Hash: 2834d7eef34305503324ad7fbf24124b56e349b07662e868cdd5da65a653c10a
Instruction Fuzzy Hash: 8D21867151024AEBDB01DFF8C981BAEB7B8BF49308F104159E515BB281EB79EB05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC78ACC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC78AD3

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BC783D2: __EH_prolog3.LIBCMT ref: 6BC783D9

Part of subcall function 6BC7A398: __EH_prolog3.LIBCMT ref: 6BC7A39F

__CxxThrowException@8.LIBCMT ref: 6BC78B59

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

Strings

schema validation error: cannot get the parent element., xrefs: 6BC78B04

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$DispatcherExceptionException@8ThrowUser
String ID: schema validation error: cannot get the parent element.
API String ID: 3417717588-3625153524
Opcode ID: 77fd2f497131cf63986a7c6892ddfe14e240b3a400d5606457ddcb4b500dad4a
Instruction ID: 258d5df8e7101e5e3ddfbe4661fab75b5e2f34814063c0b4702f4f73af689f2c
Opcode Fuzzy Hash: 77fd2f497131cf63986a7c6892ddfe14e240b3a400d5606457ddcb4b500dad4a
Instruction Fuzzy Hash: E3213BB5910219AFCB01DFA8C885DEE7BB9AF48318B108559F115EB240E7789B45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC92AD9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC92AE0

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

ImageName, xrefs: 6BC92AEE
ProcessBlock, xrefs: 6BC92B3A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: ImageName$ProcessBlock
API String ID: 431132790-2988717093
Opcode ID: 61a217d4a2dcdb582f656f66408d2791bcc4f0b65830cdfe48cd9615fb109a95
Instruction ID: d25ab908d9686fb16ad93d746d480e628ab2cf50f742d371e2ce372d955b7a3d
Opcode Fuzzy Hash: 61a217d4a2dcdb582f656f66408d2791bcc4f0b65830cdfe48cd9615fb109a95
Instruction Fuzzy Hash: EA21807161024AEFDB00DFB8C945AAE77B8AF05328F148158F425EB381DB38DB05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6BC92DC3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC92DCA

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

ServiceName, xrefs: 6BC92DD8
ServiceBlock, xrefs: 6BC92E24

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: ServiceBlock$ServiceName
API String ID: 431132790-1184029286
Opcode ID: 3205dc3b215f3ecffcef176e7eeeb2f3ae353c4a8bdfc747362911dcad0cb3e9
Instruction ID: 6790e29dd406fd93e484f3bcc3f34d3e21f54b210eb9791b8079d0dfed0eccfc
Opcode Fuzzy Hash: 3205dc3b215f3ecffcef176e7eeeb2f3ae353c4a8bdfc747362911dcad0cb3e9
Instruction Fuzzy Hash: 5B217F7161020AEBDB00DFA8C985AAE77B8AF05318F108158F825EB380DB78DB05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB2306 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB230D

Strings

Creating new Performer for CleanupBlock item, xrefs: 6BCB2319
GetAction returned an invalid action type; creating DoNothingPerformer, xrefs: 6BCB234A

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: Creating new Performer for CleanupBlock item$GetAction returned an invalid action type; creating DoNothingPerformer
API String ID: 431132790-476338252
Opcode ID: 3fa675fd0700260cff3027dc1af2269022e5dc727cf4b356b4b1eb66404e40e0
Instruction ID: 7333b4e8de37a6633f908d8611e1cbc2b124a14bc851c73777cd76d9b5e3cd5c
Opcode Fuzzy Hash: 3fa675fd0700260cff3027dc1af2269022e5dc727cf4b356b4b1eb66404e40e0
Instruction Fuzzy Hash: BA11A336131602AFDB04CFB4C895E2DBB65BF59304B108065E3098F590EB39E694DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BCAFF5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcsnlen.LIBCMT ref: 6BCAFF8F
_memcpy_s.LIBCMT ref: 6BCAFFC5

Part of subcall function 6BCC91E7: __CxxThrowException@8.LIBCMT ref: 6BCC91CC

Strings

OS Version Information, xrefs: 6BCAFF64

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: Exception@8Throw_memcpy_s_wcsnlen
String ID: OS Version Information
API String ID: 31407445-551053750
Opcode ID: 8168cbdc033ae0adbce4f79c5a0d65b4d783b76de210cf6e87fab632a8fa9b67
Instruction ID: 86189f869f734ec7e768b381f0be3761791d619f3fa4f10691e863f0cfa65c93
Opcode Fuzzy Hash: 8168cbdc033ae0adbce4f79c5a0d65b4d783b76de210cf6e87fab632a8fa9b67
Instruction Fuzzy Hash: 8801C432A10108BFCB14CFB8CC8989E77EADA85364B11856EF419DB251FB74EB008B91

Uniqueness

Uniqueness Score: -1.00%

Function 6BC97CE1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6BC97D19

Part of subcall function 6BCD1847: KiUserExceptionDispatcher.NTDLL(?,?,6BCCC4C9,00000C00,?,?,?,?,6BCCC4C9,00000C00,6BCEBE3C,6BD07774,00000C00,00000020,6BCAF877,?), ref: 6BCD1889

_wcstoul.LIBCMT ref: 6BC97D51

Strings

W, xrefs: 6BC97D12

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: DispatcherExceptionException@8ThrowUser_wcstoul
String ID: W
API String ID: 3061576314-655174618
Opcode ID: 530d50920553fcfcb6b5d5d2d0c1bd39888c0c12d31fd4dd46ee5442e7b41f7d
Instruction ID: b0a6cb184f11d7b7d04c650590e07ba25ad5820b84cb3ae3e693e835efa31c80
Opcode Fuzzy Hash: 530d50920553fcfcb6b5d5d2d0c1bd39888c0c12d31fd4dd46ee5442e7b41f7d
Instruction Fuzzy Hash: B4119E76D1121DEADB00DFA9D800AEFB3B8EF14714F0048AAD451A3240E7789B05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA1DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BCA1DF8
_memset.LIBCMT ref: 6BCA1E7A

Strings

x, xrefs: 6BCA1E39

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: _memset
String ID: x
API String ID: 2102423945-2363233923
Opcode ID: 266e2b27c0cce563d17340ad14417632ce5351a8a46b55ac8a30924554282850
Instruction ID: 934bf33c455a151ec0e37ac67b6d0d94413f489eb1611b80786c1239ec53ec7c
Opcode Fuzzy Hash: 266e2b27c0cce563d17340ad14417632ce5351a8a46b55ac8a30924554282850
Instruction Fuzzy Hash: 331186B15102019BDF54CF14C889BD737A8EF55314F144098ED45AF28ADBB9EA48CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB2DA5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB2DAC
_wcstoul.LIBCMT ref: 6BCB2E16

Part of subcall function 6BCCBA70: wcstoxl.LIBCMT ref: 6BCCBA80

Strings

0x%x, xrefs: 6BCB2E31

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3_wcstoulwcstoxl
String ID: 0x%x
API String ID: 3147468384-1033910204
Opcode ID: 54e86915218b557e0b2907690b206359ed9e02b63ccd3901f528f93a1ecfa1b8
Instruction ID: fb714158eb31efc927a07ade95964862825b71a48a67dbf0dec7209843efcc05
Opcode Fuzzy Hash: 54e86915218b557e0b2907690b206359ed9e02b63ccd3901f528f93a1ecfa1b8
Instruction Fuzzy Hash: 82119A72920119ABDF01DF64CC42FAF7BA5AF15325F048419F814BB250E77C9F159B86

Uniqueness

Uniqueness Score: -1.00%

Function 6BC89398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC8939F

Part of subcall function 6BCA83C3: __wcsicoll.LIBCMT ref: 6BCA83E1

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Part of subcall function 6BCA8D2E: PathRemoveFileSpecW.SHLWAPI(00000000,2006C750,00000010,80004005,6BC75E00,6BCAF877,00000010,?,6BCA80D8,00000000), ref: 6BCA8D3F

Strings

$$LogFileFolder$$, xrefs: 6BC893AC
$$LogFilePrefix$$, xrefs: 6BC893F2

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$FilePathRemoveSpec__wcsicoll
String ID: $$LogFileFolder$$$$$LogFilePrefix$$
API String ID: 1140376282-1980405239
Opcode ID: 06bc6031dcd7b1a9744343afb21b6fac20c4c91c84630c57afb30b6c8311dcef
Instruction ID: 632cda584eb945839f638851ab85c7f83b43b32e12fcc21d83f146338b44b437
Opcode Fuzzy Hash: 06bc6031dcd7b1a9744343afb21b6fac20c4c91c84630c57afb30b6c8311dcef
Instruction Fuzzy Hash: 8C0169B292014A9BDB00DFB8CC46F9E76A8AF1131CF044614E164D6282F7BCD7558766

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB0924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB092B
GetLastError.KERNEL32 ref: 6BCB096D

Strings

Failed to record Operation UI Mode, xrefs: 6BCB0987

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: Failed to record Operation UI Mode
API String ID: 685212868-1990955872
Opcode ID: 6c81a307dccce76ea6392b984b22e2d59229ba2d43df606910840b37a3d71440
Instruction ID: f45cdf8fa85484b1fef5ed6ef3c8f7335ad3b5d50f710f06a7b5f9b2bea9a96f
Opcode Fuzzy Hash: 6c81a307dccce76ea6392b984b22e2d59229ba2d43df606910840b37a3d71440
Instruction Fuzzy Hash: 65019271920241AFE7209F76C905B4E7BB9BF42348F008119A4658A291F7BCD74ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BCBFF85 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCBFF8C
GetLastError.KERNEL32(?,?,?,6BCBD1A6,00000000,6BCBC066,?,80070057,?,InvalidArguments,?,00000000,?,ParameterInfo.xml,?,?), ref: 6BCBFFB2

Strings

Failed to record TimeToFirstWindow, xrefs: 6BCBFFCC

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: Failed to record TimeToFirstWindow
API String ID: 685212868-1716191741
Opcode ID: f30e38147a22fc1824b9e5d2af618aafaf4b471c3c7f9f9a0390b4c4837623ea
Instruction ID: 091f1732f21220a03068f97379cfd9ac9349bd52bcce0815488ec90e6e31d650
Opcode Fuzzy Hash: f30e38147a22fc1824b9e5d2af618aafaf4b471c3c7f9f9a0390b4c4837623ea
Instruction Fuzzy Hash: A601D636221201AFD7109F75CC15F5E7BA5AF42355F108528E505CA680F77DEB01CA60

Uniqueness

Uniqueness Score: -1.00%

Function 6BCD7A42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6BCD70EE: __getptd.LIBCMT ref: 6BCD70F4
Part of subcall function 6BCD70EE: __getptd.LIBCMT ref: 6BCD7104

__getptd.LIBCMT ref: 6BCD7A51

Part of subcall function 6BCCD771: __getptd_noexit.LIBCMT ref: 6BCCD774
Part of subcall function 6BCCD771: __amsg_exit.LIBCMT ref: 6BCCD781

__getptd.LIBCMT ref: 6BCD7A5F

Strings

csm, xrefs: 6BCD7A6D

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: c8dba911710f4852703bd8d990f1b28230b9dd4adf1b73253e7ece5c285c4cab
Instruction ID: 1c8341f83b4b657db75fa95c2a3a783b60f7e0cb0265b34a79930e99adb26eb8
Opcode Fuzzy Hash: c8dba911710f4852703bd8d990f1b28230b9dd4adf1b73253e7ece5c285c4cab
Instruction Fuzzy Hash: AC01863C9222058BDB258F30C44067DB3B5AF10315F60586FD95856690EB7CD795EF51

Uniqueness

Uniqueness Score: -1.00%

Function 6BC74E67 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BC74E71

Part of subcall function 6BC7500D: _memset.LIBCMT ref: 6BC75015

Part of subcall function 6BCA80F9: __EH_prolog3.LIBCMT ref: 6BCA8100

Strings

Error, xrefs: 6BC74E8E
%d.%d.%d, xrefs: 6BC74ECD

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3H_prolog3__memset
String ID: %d.%d.%d$Error
API String ID: 755347604-3400412798
Opcode ID: e7ab2707a4c4a133c3a465ed5cab9159116b7dd1cc63583f5e8ad42bc5c043d5
Instruction ID: abef1fd07511ce4752f8df8dbcde07e0bda3543e6c42196770be45338d76be00
Opcode Fuzzy Hash: e7ab2707a4c4a133c3a465ed5cab9159116b7dd1cc63583f5e8ad42bc5c043d5
Instruction Fuzzy Hash: 1A017832930119CBDB22AB64CC52BCEB7B2BF19308F0004E5E184A7102F7389B65CB45

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB08B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB08B8
GetLastError.KERNEL32 ref: 6BCB08D6

Strings

Failed to record Operation Requested, xrefs: 6BCB08F0

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: Failed to record Operation Requested
API String ID: 685212868-584987773
Opcode ID: 2222f48769960a983017674aa76ac85bdb4b035db518b88cb1b7a94ffc000b1c
Instruction ID: a28579ff0130c8b96954c6fa354dfa811f63cd5bc1d916a332b3d792d5d8b4ab
Opcode Fuzzy Hash: 2222f48769960a983017674aa76ac85bdb4b035db518b88cb1b7a94ffc000b1c
Instruction Fuzzy Hash: 33F06D36520105ABDB109F75CE0AB8E3B65AF41798F108264F904DA290F77ADB11DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC5C6C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCC5C73
GetLastError.KERNEL32(?,?,?,6BCC45A9,00000000,?), ref: 6BCC5C99

Part of subcall function 6BC774C1: __EH_prolog3.LIBCMT ref: 6BC774C8

Strings

WinHttpConnect, xrefs: 6BCC5C9F

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$ErrorLast
String ID: WinHttpConnect
API String ID: 1123136255-1867560646
Opcode ID: b42a367c39a666c73d17c15c5935d95c868b03bd80765276ea38cd51ea0028a2
Instruction ID: 1daecfe47d3b895ef86a9aec0433f8c10764d233a143c1bdb84694f59762f8af
Opcode Fuzzy Hash: b42a367c39a666c73d17c15c5935d95c868b03bd80765276ea38cd51ea0028a2
Instruction Fuzzy Hash: 3BF08236610600ABCB11AF75C84AE0F7AA2DFC8324F104805F6598B250E7349641DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC74D95 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BC74D9C

Strings

An internal or user error was encountered., xrefs: 6BC74DCE
A StopBlock was hit or a System Requirement was not met., xrefs: 6BC74DD7

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3
String ID: A StopBlock was hit or a System Requirement was not met.$An internal or user error was encountered.
API String ID: 431132790-2578323181
Opcode ID: c74a2e5a9316ff02ffd7b8c9786919e75006b8cf37a67756d3fa37a2d0eee301
Instruction ID: 7fd4cac87dae1b8d55a814133dfbe921e8660001c66de8420d2c1c99d9de57c2
Opcode Fuzzy Hash: c74a2e5a9316ff02ffd7b8c9786919e75006b8cf37a67756d3fa37a2d0eee301
Instruction Fuzzy Hash: 99F0E5326706199BE711ABA4C806BAE72A17B20319F404041F2006F1C0FBBC4725C75E

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB0325 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB032C
GetCommandLineW.KERNEL32(00000018,6BC7C057,00000010,6BC7BCAE,?,?,?,?,?,?,DownloadInstallSetting,-0000093C,?,?,?), ref: 6BCB0331

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

Part of subcall function 6BC73A76: __EH_prolog3.LIBCMT ref: 6BC73A7D

Strings

serialdownload, xrefs: 6BCB0347

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID: serialdownload
API String ID: 1384747822-785084709
Opcode ID: 985730273034078c80cf2cf25b9c999abaa4c8161ed7b62dedf91ea06d11e976
Instruction ID: 786e785aff8ec43ffd8619e11cf76540b1a5b4d1bcc15c9a6cece3672067b75a
Opcode Fuzzy Hash: 985730273034078c80cf2cf25b9c999abaa4c8161ed7b62dedf91ea06d11e976
Instruction Fuzzy Hash: ABE08C76A6010CAACF20EBF0884AFCD33E86F09205F604021A211BB140FB3CE7099B30

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB02DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BCB02E5
GetCommandLineW.KERNEL32(0000001C,6BCA90A9,-00000960,6BC6A78C,?,6BC7BFE7,00000018,6BC7BC5C,-0000093C,?,?,?,?,?,?,UserExperienceDataCollection), ref: 6BCB02EA

Part of subcall function 6BC73ED7: __EH_prolog3.LIBCMT ref: 6BC73EDE

Part of subcall function 6BC73A76: __EH_prolog3.LIBCMT ref: 6BC73A7D

Strings

CEIPconsent, xrefs: 6BCB0300

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: H_prolog3$CommandLine
String ID: CEIPconsent
API String ID: 1384747822-2245497618
Opcode ID: 90c704d158a5a7199a1147cf8eb6d5b4df62d86397fc3b9b27b6030b70444ab6
Instruction ID: c8a4e96c0c5b2c4772d14d7d123dd9ed2c0395f77c888a40bca5a6bfbb738506
Opcode Fuzzy Hash: 90c704d158a5a7199a1147cf8eb6d5b4df62d86397fc3b9b27b6030b70444ab6
Instruction Fuzzy Hash: EEE0EC76AA0148AADF21EBF0884AFCD73A85F49226F645061E211B7150FB7CE7199A34

Uniqueness

Uniqueness Score: -1.00%

Function 6BCB6F95 Relevance: 5.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6BCB3CAC,-00000960,6BC6A78C,00000000,0000003C,6BCB1A52,-00000960,6BCAFAA0,?,00000000,?,-00000960,?,?), ref: 6BCB6FBD
LocalAlloc.KERNEL32(00000040,00000000,00000000,?,?,6BCB3CAC,-00000960,6BC6A78C,00000000,0000003C,6BCB1A52,-00000960,6BCAFAA0,?,00000000), ref: 6BCB6FD9

Memory Dump Source

Source File: 00000006.00000002.2772973178.000000006BC51000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BC50000, based on PE: true

Associated: 00000006.00000002.2772941889.000000006BC50000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773072069.000000006BCFE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773099273.000000006BCFF000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773125628.000000006BD06000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.2773152109.000000006BD0A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bc50000_Setup.jbxd

Similarity

API ID: AllocErrorLastLocal
String ID:
API String ID: 3128366072-0
Opcode ID: 60ea1c5a1baebb774894d4ef04ed177b6a8a1ce9e43b31a1d0ece47e8850484a
Instruction ID: b067dce308c2e5ee5135f2e86551299fb9675d8ccee3671cc42e2b301226da72
Opcode Fuzzy Hash: 60ea1c5a1baebb774894d4ef04ed177b6a8a1ce9e43b31a1d0ece47e8850484a
Instruction Fuzzy Hash: 15119032660206EFEF108FA5CC8AF5F7768FF15798F10406AB901E6590E779EB109B94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bitrecover-eml-to-pdf-wizard.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\66a72f.rbs

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Activate.exe (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Cells.dll (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Email.dll (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Pdf.dll (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Slides.dll (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Aspose.Words.dll (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\EMLTOPDFWizard.exe (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\NReco.PdfGenerator.dll (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfFocus.dll (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\SautinSoft.PdfVision.dll (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Compression.Base.dll (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Licensing.dll (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\Syncfusion.Pdf.Base.dll (copy)

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-1972F.tmp

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-53FTM.tmp

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-BLHAO.tmp

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-DRSF7.tmp

C:\Program Files (x86)\BitRecover\EML to PDF Wizard\is-GJNME.tmp

Windows Analysis Report
bitrecover-eml-to-pdf-wizard.exe

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre